Security teams are seen to invest a lot of time in analyzing alerts that may not actually be “real” attacks. When a normal or non-threatening activity is accidentally identified as malicious, it is termed as a false positive. This can result in thousands of alerts that need to be investigated.
If your security analysts are constantly evaluating false alerts, a lot of their time is wasted before they can even begin with the legitimate threats. In addition to that, when there is no ‘extra’ information available about the incoming alerts, a lot of time is spent on their classification.
Security analysts spend their day in either one of the above two circumstances. Both of which lead to one thing, i.e delayed response time.
Response Time Matters a Lot — Why?
Time is not always on your side, especially when threats move fast. However, when analysts are seen to repeatedly prolong the response time, it gives rise to the following possibilities:
- A security breach might slip by unnoticed.
- Dwell time for an attacker might be increased — Dwell time is the window of time that attackers need, to seed a secondary malware, RATs, backdoors and other APTs. This can be considered as their major attempt to compromise data and network security. This type of lateral movement enables a host of damaging activities.
Time to Assess — 00:30:04
The following image depicts a typical day of a security analyst:
We now have a clear picture of the activities involved to analyse a single alert and the approximate time required to perform each one of them. By the end of the day, security analysts are still not able to meet the finish line i.e responding to alerts. After all, this is what they set out to do.
The absence of security automation and orchestration leads to prolonged response time.
For instance, where a traditional SIEM can take about 30 minutes to investigate an alert, with Security orchestration, automation and response (SOAR) this time can be reduced to a matter of few seconds. Here’s how:
Can you see a streamlined method of detecting and responding to cyber threats? SOAR made that happen. Needless to say the current landscape of cyber security definitely calls for security orchestration and automation, a lot of it.
Make way for SOAR in your organisation if you believe in Shorter Investigations and Accurate Decisions.
How does SOAR help?
According to the latest RSA Threat Detection Effectiveness Survey:
- 90% organisations say they are unsatisfied with their response speed.
- 75% organisations say they are unsatisfied with their current ability to detect and investigate threats.
SOAR reduces the response time by 60% by making the best use of threat intelligence and playbooks.
Threat Intelligence: It quickly brings attacks from a variety of sources into full view by delivering relevant event context to security analysts. Most security checks in your organisation can be easily automated. For example, when an alert is received by security analysts, a basic validation check can be performed with VirusTotal (it inspects items using over 70 antivirus scanners and URL / domain blacklisting services) to verify if it’s a known bad actor.
Playbooks: They outline the steps to successfully respond to an incident. Through playbooks and pre-defined workflows, SOAR helps any security team to quickly investigate, triage and remediate security incidents based on best practices. Every automated step saves time, making it possible to address more alerts in the same amount of time eliminating the need to scale your team.
Introducing SOAR capabilities into your business is the beginning of quick decision making and response. Security orchestration and automation significantly improves incident response management, by not only reducing mean time to resolution (MTTR), but also freeing up more time for security teams to concentrate on more critical tasks. DNIF presents a factsheet which explains the working of SOAR through the cyber security pipeline and also reveals proven strategies which speed up response.