August 7, 2019 • Zane Pokorny
To deal with the growing amount of security event data that every organization must contend with, many security practitioners are turning to security orchestration, automation, and response (SOAR) solutions.
In many ways, SOAR solutions are a natural complement to security information and event management (SIEM) platforms. SIEMs are effective at aggregating security data from across an internal network, but usually lack features that allow them to provide context to all that data. The result is that SIEM users still have to spend a lot of time performing manual triage and research — a task that is becoming increasingly difficult in the face of countless alerts and floods of data.
Reducing the amount of manual work needed requires orchestration and automation, and SOAR solutions are able to gather together threat data and then automate repeatable incident response tasks, taking the burden away from personnel. But for SOAR solutions to work effectively, they need playbooks — repeatable, automated security workflows designed to describe threats and how to handle them.
The problem is, these playbooks are only as good as the data used to construct them. And like SIEMs, SOARs can suffer from problems like an overload of data, a lack of context from internal systems, and a limited view of external threats. Without the context provided by threat intelligence, SOAR solutions often can’t accurately assess whether an alert is malicious, so alerts that need manual review pile up. That means delays and the possibility of malicious activity going unresolved for too long.
In this post, we’ll look at each of these problems in turn and see how threat intelligence can mitigate them.
Like SIEMs, SOARs are meant to gather together a lot of security data in one place. The problem is that there is so much of it, and it typically is not delivered in a way that is contextual or actionable. One study found that security teams face an average of 174,000 alerts in a week and only have time to investigate 12,000 of them — that’s less than 15%. With so many alerts going completely uninvestigated, security breaches may go undiscovered for months, causing untold damage.
Threat intelligence significantly reduces the time needed to manually research and triage alerts by supplying SOAR solutions with automated intelligence in real time. Traditionally, being comprehensive and being quick are competing goals, but through machine learning and natural language processing, Recorded Future is able to gather data from across the internet, including technical sources, the open web, and the dark web, and aggregate it into intelligence in time for it to make a difference. This dramatically reduces mean time to detection and remediation.
Recorded Future in particular supports high-throughput threat detection, prevention, and hunting use cases for SOAR with a new API, developed to address exactly this challenge of information overload.
When faced with 174,000 alerts a week, security teams have to make a choice: Which alerts do I need to deal with now, and which can I choose to ignore? But beyond the bare problem of volume covered above, the data that feeds into SOAR solutions also often lacks the context needed to make these evaluations simple, or includes numerous false positives.
For a SOAR to successfully orchestrate and automate security tasks, it requires an in-depth view of the external threat landscape that can match up with internal security data. Is an indicator of compromise (IOC) like a suspicious IP address actually something that needs to be looked at right away, or has the risk associated with that IP gone down in the past few weeks? It’s impossible to know without further research.
Threat intelligence needs to be high fidelity to truly reduce this burden. Threat feeds, for example, which are sometimes passed off as threat intelligence, similarly lack context and will only add to the problem. Threat intelligence from Recorded Future is transparent about its sourcing and provides all the context needed in one place — real-time risk scores present in Intelligence Cards, for example, are based on clear risk rules and sources you can immediately investigate further. With high-fidelity data feeding into your SOAR, automated processes can more easily rank IOCs by threat severity, and incident response teams can quickly identify high-risk security events.
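To make the enrich-then-rank step concrete, here is an added example (not Recorded Future's code or API) of a minimal SOAR-style triage playbook: each SIEM alert's IOC is looked up in a constructed risk table carrying a score, the risk rules that fired and their evidence, then the alert is routed to an automated or manual branch and the queue is ranked by severity. The IOCs, scores, rules, evidence and thresholds are all assumed sample values.

```python
# Added illustration, not Recorded Future's code or API: a minimal SOAR-style
# triage step that enriches SIEM alerts with risk context and routes them.
# All IOCs, scores, rules and evidence below are constructed sample data.
from dataclasses import dataclass, field

# Enrichment table keyed by IOC: score (0-99), the risk rules that fired and
# the evidence behind them, so an analyst can verify the verdict quickly.
RISK_TABLE = {
    "203.0.113.7":  {"score": 91, "rules": ["Current C2 Server"], "evidence": ["sandbox report 2019-08-01"]},
    "198.51.100.5": {"score": 22, "rules": ["Historical Spam Source"], "evidence": ["blocklist entry 2018-11"]},
    "evil.example": {"score": 55, "rules": ["Recent Phishing Host"], "evidence": ["URL scan 2019-07-30"]},
}

@dataclass
class Alert:
    alert_id: str
    ioc: str
    score: int = 0
    rules: list = field(default_factory=list)
    evidence: list = field(default_factory=list)
    action: str = "unknown"

def enrich(alert: Alert) -> Alert:
    """Attach risk score, triggering rules and evidence for the alert's IOC."""
    ctx = RISK_TABLE.get(alert.ioc)
    if ctx:
        alert.score, alert.rules, alert.evidence = ctx["score"], ctx["rules"], ctx["evidence"]
    return alert

def route(alert: Alert, escalate_at: int = 65, close_below: int = 25) -> Alert:
    """Pick the playbook branch from the score; IOCs with no context go to a human."""
    if alert.ioc not in RISK_TABLE:
        alert.action = "manual_review"   # no context: never auto-close blindly
    elif alert.score >= escalate_at:
        alert.action = "escalate"        # open an incident and block the indicator
    elif alert.score < close_below:
        alert.action = "auto_close"      # low risk, with the evidence recorded
    else:
        alert.action = "manual_review"
    return alert

def triage(alerts: list) -> list:
    """Enrich, route and rank alerts so the highest-risk ones surface first."""
    return sorted((route(enrich(a)) for a in alerts), key=lambda a: a.score, reverse=True)

if __name__ == "__main__":
    sample = [Alert("A1", "198.51.100.5"), Alert("A2", "203.0.113.7"),
              Alert("A3", "evil.example"), Alert("A4", "10.0.0.9")]
    for a in triage(sample):
        print(a.alert_id, a.ioc, a.score, a.action, a.rules)
```

The point of the unknown-IOC branch is that an alert with no context is never silently closed; it is exactly the kind of alert that still needs a human.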
There’s no question that orchestration and automation are necessary processes for dealing with the cybersecurity problems of today. With a growing threat landscape and increasingly interconnected systems and processes, dealing with security incidents manually is simply infeasible. But for SOAR solutions to function at their best, they need to be augmented by real-time, automated threat intelligence.
To learn more about how threat intelligence brings out the best in SOAR solutions, check out our new solution brief, “Supercharging SOAR Solutions With Threat Intelligence.”