Efficiency and Effectiveness in a CSOC: A perspective for SOAR (Security Orchestration Automation and Response) technology

Wednesday, October 25, 2020

While I was generating documents for a big cybersecurity project, something reverberated in my mind: a situation that many security teams (commonly known as Blue Teams) face frequently.

For this project, we had several interactions with the Blue Team, from whom we requested certain information about the infrastructure. Their answers always had the same characteristics: they confirmed their support, listened proactively to our requests and needs, and agreed to share information. However, in most cases, delivery times were not met.

The point is that Blue Teams are always burdened with a large number of security incidents to deal with and follow up on. This is normal for them: they are in charge of several cybersecurity technologies within their organizations, and the majority of their tasks are repetitive. These tasks include receiving the alert that an event has occurred, investigating false positives and reporting the event, validating that it is not an incident, validating through certain tools, gathering information related to the event, blocking certain source or destination IPs, making adjustments to security platforms, confirming the effectiveness of the actions carried out, completing the reporting, and sending the related notifications.

From this point of view, this seems to be common in a CSOC. However, as the team is absorbed by these tasks, it loses sight of the cyberattack targets relevant to the business, leaving aside activities such as threat hunting or intelligence. This is where the technology known as SOAR (Security Orchestration Automation and Response) comes into play. This technology automates routine flows and processes in operations, which helps reduce service time by up to 85% without requiring any intervention from specialists.

This technology takes control from the occurrence of an event and deals with notifications, reporting, validation of scenarios through several tools, and the required adjustments in the defined platform, and concludes with more notifications and documentation. These tools let the Blue Team focus on tasks more relevant to the business and proactively strengthen the defense of the company's assets.
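The flow described above (alert, validation, adjustment, confirmation, reporting) can be sketched as a small playbook. This is an added example, not code from the article or from any SOAR product; the `Firewall` class, the reputation table, the threshold and the alerts are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data (assumptions for this example, not from the article).
KNOWN_BENIGN = [ipaddress.ip_network("10.0.0.0/8")]      # e.g. internal scanners
THREAT_INTEL = {"203.0.113.7": 90, "198.51.100.23": 35}  # ip -> reputation 0-100
BLOCK_THRESHOLD = 70


@dataclass
class Firewall:
    """In-memory stand-in for the security platform the playbook adjusts."""
    blocked: set = field(default_factory=set)

    def block(self, ip: str) -> None:
        self.blocked.add(ip)

    def is_blocked(self, ip: str) -> bool:
        return ip in self.blocked


def triage(alert: dict, fw: Firewall) -> tuple[str, str]:
    """Validate, enrich and (only on strong evidence) contain. Returns (verdict, note)."""
    try:
        ip = ipaddress.ip_address(alert["src_ip"])
    except ValueError:
        return "needs_analyst", "unparseable source address, no automatic action"
    if any(ip in net for net in KNOWN_BENIGN):
        return "false_positive", "source is in a known-benign range"
    score = THREAT_INTEL.get(str(ip))
    if score is None or score < BLOCK_THRESHOLD:
        return "needs_analyst", f"reputation score {score} is below block threshold"
    fw.block(str(ip))
    if not fw.is_blocked(str(ip)):          # confirm the action took effect
        return "needs_analyst", "block could not be confirmed"
    return "contained", f"blocked {ip} and confirmed the rule is active"


def run_playbook(alert: dict, fw: Firewall) -> dict:
    """Handle one alert end to end: notify, triage, then report and notify again."""
    steps = ["notified: alert received"]
    verdict, note = triage(alert, fw)
    steps.append(f"{verdict}: {note}")
    steps.append(f"reported: case documented with verdict {verdict}")
    return {"alert_id": alert["id"], "verdict": verdict, "steps": steps}


ALERTS = [  # constructed alerts
    {"id": "A-1", "src_ip": "10.4.2.9"}, {"id": "A-2", "src_ip": "203.0.113.7"},
    {"id": "A-3", "src_ip": "198.51.100.23"}, {"id": "A-4", "src_ip": "not-an-ip"},
]
```

Only the high-confidence alert is contained automatically; weak or malformed evidence is routed to an analyst, which keeps automation from blocking legitimate traffic on its own.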

Personally, I am convinced that the evolution of security operations will lead many cybersecurity teams to use this technology, which directly benefits the business of the organizations where it is adopted.

At Ikusi we can accompany you to improve the effectiveness and efficiency of cybersecurity operations in order to achieve a positive impact on the business of your organization. Learn more here.
