With the threat landscape constantly evolving and expanding, staff in security operations centers (SOCs) are under pressure to identify and deal with critical threats as quickly and effectively as possible. But they are being deluged by security alerts from their various systems, raising serious concerns that a threat will be missed and cause a damaging breach while staff are looking elsewhere.
According to a recent survey, 44% of security operations managers say they can only realistically analyze a quarter of the 5,000-plus security alerts they receive every day. This isn’t surprising when analysts have to collate information from multiple disparate systems and tools to investigate and respond appropriately to each incident. As a result, 79% of security teams feel overwhelmed by the sheer volume of alerts they face daily.
To help address this growing problem, enterprises are turning to a relatively new category of security technology: security orchestration, automation and response (SOAR) solutions. These complement and work alongside SIEM products: while SIEMs aggregate log data from a variety of sources and provide real-time alerts, SOAR solutions integrate a wider range of internal and external applications.
SOAR enables organizations to collect threat data and alerts from multiple different sources, triage them with a combination of automated processing and human input, and drive standardized incident response actions according to defined workflows. According to Gartner, 70% of enterprises with a dedicated SOC will adopt SOAR tools by 2021, up from less than 5% in 2018.
We’ve blogged previously about how AlgoSec’s solutions plug gaps in many organizations’ incident response processes, by integrating with SIEM products to enrich the technical aspects of an incident with the details of exactly which business applications are impacted. And our solutions also integrate with SOAR tools to further enhance and optimize IR processes, by shortening response times and ensuring incidents are properly prioritized and handled. Let’s look at how they do this.
As touched on above, a key benefit of AlgoSec’s integration with SOAR tools is helping security teams to understand the potential business context and impact of incidents, so that they can be prioritized accordingly. For example, several servers on your network might be targeted by hackers. AlgoSec provides the critical detail about exactly where on the network those servers sit and what business applications they support, directly to the SOC team’s SOAR console.
As a result, security teams can weigh up the security risks versus the operational risks of potential downtime, and focus on fixing the business-critical servers – such as those which support payment processing in the network’s PCI zone – and leave fixing any servers that don’t store or process sensitive data until later. It also helps to guide teams on the appropriate response measures to incidents (for example, isolating servers or blocking connectivity), to limit the impact and the remediation costs of attacks.
Further, SOC teams can implement changes and updates to network connectivity and security policies directly from their SOAR console, and the integration with AlgoSec means that they can be processed automatically, with a complete audit trail of the changes. This not only saves valuable time by enabling staff to respond faster, but also eliminates the risks of manual errors that are all too easily made in the heat of dealing with a critical incident.
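The workflow the three paragraphs above describe (enrich an alert with the business application and network zone of the affected host, rank sensitive-data servers such as the PCI zone ahead of the rest, pick a response measure, and record the change in an audit trail) can be sketched in code. The following is an added illustration written for this page, not AlgoSec's, Demisto's or Resilient's code; the asset inventory, the alerts, the severity weights and the scoring thresholds are all constructed for the example.

```python
"""Alert enrichment and prioritization with business context.

Added illustration, not AlgoSec's or any SOAR vendor's code. The asset
inventory, alerts and scoring rules are constructed for this example; a
real deployment would pull them from the network management and SOAR
platforms the post describes.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Constructed asset inventory: the "business context" the post refers to.
ASSET_INVENTORY: Dict[str, dict] = {
    "10.10.1.20": {"app": "payment-gateway", "zone": "PCI", "sensitive": True},
    "10.10.1.21": {"app": "payment-db", "zone": "PCI", "sensitive": True},
    "10.20.5.7": {"app": "intranet-wiki", "zone": "corp", "sensitive": False},
    "10.30.9.40": {"app": "build-server", "zone": "dev", "sensitive": False},
}

# Weight of the raw severity reported by the detection tool (constructed).
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Alert:
    alert_id: str
    host: str
    severity: str
    description: str


@dataclass
class EnrichedAlert:
    alert: Alert
    app: str
    zone: str
    sensitive: bool
    priority: int
    recommended_action: str


def enrich(alert: Alert, inventory: Dict[str, dict] = ASSET_INVENTORY) -> EnrichedAlert:
    """Attach business context to an alert and derive priority and response."""
    ctx = inventory.get(alert.host, {"app": "unknown", "zone": "unknown", "sensitive": False})
    score = SEVERITY_WEIGHT.get(alert.severity.lower(), 1)
    # Hosts that store or process sensitive data outrank everything else,
    # whatever the raw severity: a medium alert in the PCI zone is handled
    # before a high alert on a dev box.
    if ctx["sensitive"]:
        score += 10
    if ctx["app"] == "unknown":
        score += 2  # an unknown asset is a visibility gap, not a low priority
    # Response measures: contain sensitive hosts first, block connectivity
    # for lesser cases on them, investigate or queue the rest.
    if ctx["sensitive"] and score >= 13:  # high or critical on a sensitive host
        action = "isolate host; open emergency change for connectivity block"
    elif ctx["sensitive"]:
        action = "block inbound connectivity from suspicious sources; investigate"
    elif score >= 3:
        action = "investigate; schedule remediation"
    else:
        action = "queue for routine review"
    return EnrichedAlert(alert, ctx["app"], ctx["zone"], ctx["sensitive"], score, action)


def triage(alerts: List[Alert]) -> List[EnrichedAlert]:
    """Return the alerts enriched and ordered highest priority first."""
    return sorted((enrich(a) for a in alerts), key=lambda e: e.priority, reverse=True)


def audit_record(enriched: EnrichedAlert, analyst: str) -> dict:
    """Audit-trail entry for a change driven from the SOAR console."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "alert_id": enriched.alert.alert_id,
        "host": enriched.alert.host,
        "app": enriched.app,
        "zone": enriched.zone,
        "action": enriched.recommended_action,
        "requested_by": analyst,
    }


# Constructed sample alerts, deliberately out of priority order.
SAMPLE_ALERTS = [
    Alert("A-1", "10.30.9.40", "high", "suspicious outbound beacon"),
    Alert("A-2", "10.10.1.21", "medium", "failed logins from new source"),
    Alert("A-3", "10.20.5.7", "low", "port scan detected"),
    Alert("A-4", "10.10.1.20", "critical", "web shell signature match"),
    Alert("A-5", "192.168.77.5", "medium", "malware hash observed"),
]

if __name__ == "__main__":
    for e in triage(SAMPLE_ALERTS):
        print(f"{e.priority:>3} {e.alert.alert_id} {e.alert.host:<14} "
              f"{e.app:<16} {e.zone:<8} -> {e.recommended_action}")
    print(audit_record(triage(SAMPLE_ALERTS)[0], "analyst1"))
```

Run as a script, the output places the critical alert on the PCI payment gateway first, the medium alert on the PCI database second, and the high alert on the dev build server only fourth, which is the reordering the post argues business context should produce. The unknown host is bumped rather than ignored, since an asset missing from the inventory is itself a finding worth an analyst's attention.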
As well as streamlining IR processes and reducing ‘alert fatigue’, the integration of SOAR tools with AlgoSec also helps to address the ongoing cybersecurity skills shortage. A recent IBM and Ponemon study found that a lack of experienced staff is hindering organizations’ ability to properly manage resources and respond effectively to incidents. Just 30% of respondents reported that their security staffing was sufficient to achieve a high level of resilience.
With the network-wide visibility and automation that AlgoSec makes possible, existing teams are able to process many times more alerts than would otherwise be possible. This dramatically improves the organization’s IR processes and elevates its cybersecurity posture. Find out more about how AlgoSec enhances incident response, and our integrations with leading SOAR solutions such as IBM Resilient and Palo Alto Networks’ Demisto, here.