There’s something big brewing in the world of security operations, but what exactly is it? We’re regularly inundated with various descriptions of useful tools and capabilities – think Security Orchestration, Automation and Response (SOAR), Threat Intelligence Platforms (TIPs), Security Incident Response (SIR), threat hunting and more. Unfortunately, many of us are equally confused about the fundamental capabilities of these technologies, and more pointedly perhaps, what problems they aim to solve. Perhaps, observes John Czupak, we need to refresh the way in which we look at this space – turn it upside down a bit and start from a different perspective.
Heading right to the point, there are many inefficiencies in processes which result in delayed detection and response times. There are, of course, many contributing factors, including but not limited to teams working in silos, applications and data that are not integrated, alert overload and fatigue as well as staff and talent shortages.
The industry’s response has been to add more tools such as IR/ticketing systems, orchestration and automation and TIPs. In fact, if you look back at Gartner’s earliest definition of SOAR, it fundamentally aligns with these technology stacks.
More common use cases
What’s different today, then? The conversation has clearly shifted to a discussion around the specific problem (ie use cases) coupled with the way in which technology can help. This concept of a use case approach makes a lot of sense as it focuses the discussion on the problem at hand versus attempting to shoehorn a “silver bullet” technology for every situation. Some of the more common use cases we see include things such as:
Incident Response: an organised approach to the process by which an organisation handles the aftermath of a cyber attack or data breach with the goal of limiting damage and reducing recovery time and cost
Threat Hunting: the practice of proactively and iteratively searching for abnormal activity within networks and systems for signs of compromise
Threat Intelligence Management: the practice of aggregating, analysing, enriching and de-duplicating internal and external threat data in order to understand threats to your environment
Alert Triage: the process of efficiently and accurately going through alerts and investigating them to determine the severity of the threat and whether or not the alert should be escalated to incident response
Vulnerability Management: the practice of continuously discovering, classifying, prioritising and responding to software, hardware and network vulnerabilities
Spear Phishing: the practice of sending fraudulent e-mails that targets specific individuals or organisations for the purpose of gaining unauthorised access to confidential information
Investigations and Collaboration: The industry’s first cyber security situation room designed for collaborative threat analysis, shared understanding and co-ordinated response
Shift in conversation
In Gartner’s latest SOAR Market Guide, published on Thursday 27 June this year, the evolution of SOAR moves towards what we have believed all along – the need for a ‘full-featured’ security operations solution designed to support multiple activities for security operations (eg prioritising activities, formalising triage and IR, automating response, enabling investigations, facilitating collaboration and more). This can simply be interpreted as a platform designed for multiple users and use cases.
While SOAR used to mean simply orchestration to many, and TIPs were solely used for threat intelligence programs and SIRs for incident response, the definitions and use of these technologies is clearly evolving rapidly.
Ultimately, the market most certainly needs a security operations platform to improve efficiencies and effectiveness of the Security Operations Centre.
John Czupak is CEO of ThreatQuotient