Hi,
Let's take a look behind the scenes and find out how Security Orchestration Automation and Response (SOAR) solutions can have a positive impact on your security investigation and response efficiency. In this article, I'll also highlight how Phantom-mobile makes your life as the “officer on duty” a lot easier.
Improve your efficiency and productivity by 49% on average by using a security orchestration and automation platform like Splunk Phantom.
Credit: Confession of security professionals – EMA Research report, by David Monahan – October 2019
Nearly every SOC team is suffering from alert overload. A significant percentage of all recurring and repeatable tasks are still processed manually, due to a combination of disparate tools and a shortage of people in the SOC. The latter is caused either by a lack of budget for headcount or by a talent shortage in the region.
The SOC team is not able to do its actual work. Instead of analyzing security incidents, it wastes time and resources on activities that could just as well be performed automatically.
As a result, security incidents are not always detected right away, or incident response is not conducted immediately. According to this article by the Cybersecurity Watch blog (Crowe), “limiting dwell time can reduce a breach’s impact on a business by up to 96%. For example, an attack persisting for more than 100 days can cost upwards of $3.86 million dollars. If that same attack were detected within a day of its entry into the system, it might cost $144,000 – only a fraction of the amount had the attack persisted.” This has a negative impact on the company's value chain and results in revenue loss.
When we break these challenges down into three aspects, the KPIs could be defined as:
A SOC’s worst enemy is waiting on other teams to deliver additional information, especially since a SOC needs to act on facts in order to be successful.
Security Orchestration Automation and Response (SOAR) platforms like Splunk Phantom enable digitization and automation of manual processes.
Applying SOAR speeds up security incident handling by a factor of up to 3 to 10.
A simple phishing email use case typically takes up to 45 minutes if investigated manually. This includes several repeatable steps:
All of these tasks can be completed within 40 seconds by conducting an automated malware investigation.
Coming back to our initial assumption that waiting is a SOC’s worst enemy, we realize that automation is a real game-changer that accelerates the whole process.
Now think about more complex investigations with several more IOCs that need to be checked. The pre-analytical part, the collection of information, is a time-consuming and error-prone task. From an audit perspective there is also a lack of traceability, because the investigation process itself is not audited.
Orchestrating and automating the security investigation process ensures that every step during an investigation is comprehensible and that all mandatory tasks are included, no matter how many indicators of compromise need to be checked.
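To make the traceability point concrete, here is an added Python sketch of a minimal phishing playbook. It is not Phantom's playbook API and not code from the original post: it extracts IOCs from a constructed email, runs each one through a constructed reputation table that stands in for a threat-intel app, and records every step in an audit trail, including lookups that return no verdict.

```python
import re
from datetime import datetime, timezone

# Constructed sample: a phishing email body carrying a link and a file hash.
SAMPLE_EMAIL = """From: billing@example-invoices.test
Subject: Overdue invoice
Please review http://198.51.100.23/invoice.zip and attachment sha256
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef today."""

# Constructed stand-in for a threat-intel reputation app, so the example
# runs offline. A real SOAR platform would call an external service here.
REPUTATION = {
    "198.51.100.23": "malicious",
    "0123456789abcdef" * 4: "benign",
}

IOC_PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b"),
    "url": re.compile(r"https?://\S+"),
}

def extract_iocs(text):
    """Return a sorted list of (type, value) pairs found in the email text."""
    found = set()
    for kind, pattern in IOC_PATTERNS.items():
        for match in pattern.findall(text):
            found.add((kind, match))
    return sorted(found)

def lookup(ioc_type, value):
    """Simulated enrichment action: never raises, returns 'unknown' on a miss."""
    if ioc_type == "url":
        return "not_checked"  # no URL reputation source in this example
    return REPUTATION.get(value, "unknown")

def run_playbook(email_text, now=None):
    """Run every mandatory step and log each one to an audit trail."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    audit, verdicts = [], {}
    iocs = extract_iocs(email_text)
    audit.append({"step": "extract_iocs", "count": len(iocs), "ts": ts})
    for kind, value in iocs:
        verdicts[value] = lookup(kind, value)
        audit.append({"step": "lookup", "type": kind, "ioc": value,
                      "result": verdicts[value], "ts": ts})
    severity = "high" if "malicious" in verdicts.values() else "low"
    audit.append({"step": "set_severity", "result": severity, "ts": ts})
    return {"severity": severity, "verdicts": verdicts, "audit": audit}
```

Every lookup, including the URL that no source could check, appears in the audit list, which is the traceability an auditor asks for.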
The report “Confessions of Security Professionals” contains a section titled “SOAR and Staffing” that talks about doing more with the same staff.
Credit: Confession of security professionals – EMA Research report, by David Monahan – October 2019
Given the heavy workload, access to a SOAR platform from a mobile device is a minimum requirement. Analyzing an incident, assessing the situation, triggering automated processing or assigning the incident to a specific person should all be possible from any location.
Experience it for yourself and visit one of our Phantom 4 Rookies Hands-On Workshops. It provides you with a “touch & feel” for a SOAR system. At the workshops, you will learn how to investigate using orchestration and automation, and you will find inspiration on how to adapt and apply the SOAR philosophy to your company.
Thanks for reading,
Andreas
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.