5 Reasons CISOs Need Security Operations, Automation, and Orchestration (SOAR)

At ThreatConnect, we are out to change the way security works by making cybersecurity software that reduces complexity for everyone, makes decision making easy and unifies processes and technology to constantly drive down risk. To make good on this core idea, we’ve evolved from our heritage as a leading Threat Intelligence Platform (TIP) to deliver a full suite of intelligence-driven SOAR capabilities. As a result, we are quickly becoming the CISO’s best friend. We’re solving some of the most burning issues confronting you and your peers today.

Gartner defines SOAR (Security Orchestration, Automation, and Response) as the fusion of three technology markets — security orchestration and automation, security incident response platforms, and threat intelligence platforms — allowing organizations to define and manage incident analysis and response procedures in a digital workflow.

But adopting SOAR is more than adopting new technology: it impacts the training, effectiveness, and morale of your security team, and it’s meaningful in how you work with the business.  For CISOs especially, SOARs provide the foundation for accountable, intelligence-based security decisions and collaboration, enabling you  to achieve improved defense and reduced risk, enhanced infrastructure utilization, employee optimization, and security program cost reduction.

Below are five reasons CISOs like you need a SOAR platform:

  1. Predictability and Prioritization

Adversaries are increasing the volume, velocity, and complexity of threats at the same time that the complexity of your environment and consequently your attack surface is increasing. As threats diversify, so must your tools and infrastructure to protect your assets, increasing the attack surface yet again.

A byproduct of complexity is rarely predictability, but as ex-Navy SEAL Jeff Boss says: “If I understand mission intent, the decision-making boundaries that enable autonomy, the available resources at my disposal, the character and competence of each operator and how their personalities fit into their job roles … I can immediately dispatch myself, my teammate or another asset to deal with unknown factor ‘x’ when it emerges.”

SOARs act as a collection and analysis hub for threat intelligence, security operations, and incident response data and processes.  Intelligence and operations are built on a mutually beneficial, cyclical relationship. As intelligence dynamically changes, it should affect the decision-making process for actions as a result.  It should drive prioritization of your response.

The automation and orchestration informed by threat intelligence make an organization’s pre-existing technology investments and security team more efficient and effective. Threat intelligence housed in a SOAR influences decisions related to security operations, tactics, and strategy.  SOARs help security teams prioritize response, standardize processes and gain instant access to relevant threat intelligence to improve the speed and accuracy of their detection and response.

As an example, one of the world’s  largest financial institutions was able to reduce a few hundred million SIEM events per month to a dozen using ThreatConnect’s intelligence-driven SOAR. Leveraging a SOAR to correlate, synthesize and track internal and external data across an organization’s tools and infrastructure cultivates predictability. “Having a complete understanding of your operating environment is what allows you to move with the depth and breadth of a larger force and the agility and speed of a small team. It’s a force multiplier,” Boss said.

2. Force multiplication

Force multiplication is the principle that the collective effort multiplies the results.  If you are anything like your peers, you’re experiencing staffing shortages as well as trouble hiring and retaining talent. The team you have is facing more alerts, cases and event data then ever. SOARs create and memorialize playbooks, automated processes, and structured workflows encompassing those processes. Parts of these workflows can be completely automated or configured to trigger based on human input. Once an action is triggered, applications within each playbook or workflow coordinate those actions, such as data enrichment, triaging an event, correlating vulnerabilities with intelligence, quarantining a host, conducting phishing email and malware analysis, or blocking in the firewall. These processes are tied back to intelligence, reducing the time it takes to uncover relevant threat intelligence when working a case or investigation and mitigating the risk of spending time on false positives.

A large entertainment company offers an example of this. “As a one-man threat intelligence team, ThreatConnect is my force multiplier, allowing me to operate as a multi-person team. ThreatConnect easily integrates with all the products in my security stack and allows me to provide immediate ROI with threat intelligence. Through features like Playbooks and community sharing, I am better able to provide automation to the Incident Response team’s workflow and show long-lasting value through my threat intelligence services. ThreatConnect helps me prioritize my security efforts, make organizational change, and drive security throughout our company.”

3. Process management

When you lack the people, you have to rely on strong processes. You’re likely faced with this  need to strengthen your process management and SOARs help automate processes in an intel-driven way. Not only do SOARs optimize workflow and time by automating and prioritizing tasks, but they assist with succession planning by acting as a process management system, bringing us to the next reason CISOs need SOARs.

“Success, in anything, is a process, and in order to get from A to Z, you have to endure B through Y,” says Boss, the former Navy SEAL. B through Y are  difficult when shortages of time and staff are some of the biggest problems security teams face. SOARs create best practices for standardized and repeatable processes across multiple domains and business units, enabling CISOs to measure effectiveness and quality.

“To reduce the load of our security and IT staff, we introduced over 60 workflow automations with ThreatConnect Playbooks, saving over $1.3 million per year in labor costs,” a large healthcare organization says. SOARs are only as strong as the teams, their data and the processes that fuel them. The more processes SOARs house, the more of a force multiplier, and the more predictive and adaptable security teams become, because their awareness and visibility increase.

4. Efficiency

As Forrester’s VP of Security, Risk, Infrastructure & Operations Research, Stephanie Balaouras, states in MIT Technology Review’s Cybersecurity 2020: Rise of the CISO, “Right now, a lot of what we do is very manual. The detection’s manual, like security teams are often, like if you look at a typical SOC, I mean they’re flooded with thousands of alerts. Trying to make sense of which alerts are more important than others is difficult. So again, it’s kind of the prioritization. Like understanding immediately which ones are truly nefarious and dangerous is critical. And you could hire as many people as you want. You would never be able to keep up with it.”

She goes on to say, “In the future, all of that would happen automatically. You would need the  business to work with you to say, ‘OK, from now on if it meets a certain threshold, if we’re 90% confident that this is malicious, then the security team, all the processes are automated.’” Everything from resetting passwords to isolating devices can happen automatically, she says.

SOARs do exactly that by focusing on intel-driven automation and orchestration, effectuating prioritization, predictability, force multiplication, and process management, which in turn, foster efficiency.

5. Common language

A big challenge for many CISOs is translating security into business value because the languages of business and security are pretty far apart.

SOARs help bridge this gap because they help identify and reduce risk — a core and fundamental business concern. As Balaouras states, “I think taking a much more risk-based approach where you’re helping the business understand future risks and helping them just understand both probability and impact and advising them on making the right decisions, like moving from that ‘department of no’ to more of that consultative role I think helps. The more you become that consultative subject matter expert, I think you can bring along the rest of the organization with you.” SOARs enable a common language between business and security because CISOs can now leverage actionable intelligence to pinpoint what the risks to the business are and where they are coming from, and can define them in terms of dollars, time, and probable fallout.

The challenges CISOs face aren’t going away anytime soon. As  the role and importance of CISOs in the business increases, so must their knowledge of their organization’s security footprint, threat landscape and risk profile. By choosing an intelligence-driven SOAR, CISOs gain deeper insight and more clearly communicate that knowledge to stakeholders, positively influencing business outcomes.

References:

https://searchsecurity.techtarget.com/feature/CISOs-face-a-range-of-cybersecurity-challenges-in-2020

https://www.darkreading.com/cloud/5-cybersecurity-ciso-priorities-for-the-future–/a/d-id/1336325

https://medium.com/@jeffboss9/how-to-be-a-force-multiplier-in-any-industry-4cab2337deff

https://www.technologyreview.com/2020/02/24/276013/cybersecurity-in-2020-the-rise-of-the-ciso/

 

About the Author
David Hopland

David is the Sr. Director of North American Commercial Sales at ThreatConnect. He’s been with ThreatConnect since 2015 and leads a team that specializes in working with customers to understand what matters to them, and then working to implement those solutions. David holds a B.S. in marketing management from Virginia Tech, with a double minor in psychology and international business. Cybersecurity is his passion but love of food is what fuels him.