More Than Just SOAR: How to Automate Security With Intelligence
January 28, 2020 • The Recorded Future Team
Why work harder when you can work smarter? It’s a question many threat actors are asking themselves as they embrace automation to scale efforts and unleash a new wave of attacks — from password stuffing to software bot attacks and extortion. With the ability to multiply and spread rapidly, these automated attacks put even the best protected companies at risk. Staying one step ahead of them requires more time and resources than ever before, and organizations are feeling the pain.
Automated Intelligence Versus Automated Threats
The most effective way to combat automation is by taking a similar approach — fighting automation with automation. Recognizing this, some organizations already use security orchestration, automation, and response (SOAR) technology to streamline repeatable incident response tasks. Many of these early adopters use SOAR to augment existing SIEM systems and empower their security teams to drive down their mean time to detection (MTTD) and mean time to response (MTTR). But creating efficiencies with SOAR is just one piece of a comprehensive automation strategy.
There are several ways every organization can automate security with intelligence to better defend against and respond to emerging attacks, while also empowering their security teams to focus on higher-value tasks.
Real-Time, Automated Security Alerts to Focus Efforts and Prioritize Risk
For many organizations, it’s difficult to break through the noise to identify specific threats targeting their company — such as a new, industry-specific malware strain, a vulnerability in their tech stack being exploited, or a suspicious new domain name that could be impersonating the organization.
By using a tool that enables automatic alerting based on customized watch lists for groups of people, places, and organizations of interest, security teams can find out immediately when their company, subsidiary, and product names are mentioned online. With full context and transparency of sources, teams can investigate further when needed, and respond faster and more effectively than ever before.
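The watch-list alerting described above, as an added example that is not part of the original post or of any Recorded Future product: the organization, subsidiary, product and domain names, and the feed items, are all constructed. Names are matched with word-bounded, case-insensitive patterns, and items that look like newly registered domains are compared against the organization's own domain by edit distance so that hyphenated or one-character lookalikes surface as alerts with their source and matching snippet attached.

```python
import re
from typing import Dict, List

# Constructed watch list for a hypothetical organization (not real names).
WATCHLIST: Dict[str, List[str]] = {
    "company": ["Acme Widgets"],
    "subsidiary": ["Acme Cloud Services"],
    "product": ["WidgetVault"],
    "domain": ["acmewidgets.example"],
}

# Constructed feed items standing in for collected sources.
FEED: List[Dict[str, str]] = [
    {"source": "paste-site", "text": "Dumped creds from Acme Widgets VPN portal, selling cheap"},
    {"source": "newly-registered-domains", "text": "acme-widgets.example"},
    {"source": "newly-registered-domains", "text": "acmewldgets.example"},
    {"source": "newly-registered-domains", "text": "unrelatedshop.example"},
    {"source": "forum", "text": "Anyone tried the new WidgetVault 3.1 release?"},
    {"source": "forum", "text": "Weather is nice today"},
]

DOMAIN_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small inputs, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _name_pattern(name: str) -> "re.Pattern[str]":
    # Word-bounded, case-insensitive; internal whitespace is flexible.
    parts = [re.escape(p) for p in name.split()]
    return re.compile(r"\b" + r"\s+".join(parts) + r"\b", re.IGNORECASE)


def _label(domain: str) -> str:
    # Left-most label with hyphens removed, so "acme-widgets" compares as "acmewidgets".
    return domain.lower().split(".")[0].replace("-", "")


def scan(feed: List[Dict[str, str]], watchlist: Dict[str, List[str]]) -> List[Dict[str, str]]:
    """Return one alert per watch-list hit, keeping source and context for the analyst."""
    alerts: List[Dict[str, str]] = []
    own_domains = [d.lower() for d in watchlist.get("domain", [])]
    for item in feed:
        text = item["text"]
        # 1. Mentions of company, subsidiary and product names.
        for category, names in watchlist.items():
            if category == "domain":
                continue
            for name in names:
                m = _name_pattern(name).search(text)
                if m:
                    alerts.append({
                        "source": item["source"], "category": category, "term": name,
                        "reason": "name mentioned",
                        "snippet": text[max(0, m.start() - 30):m.end() + 30],
                    })
        # 2. Lookalike domains: registrable label within one edit of our own.
        candidate = text.strip().lower()
        if DOMAIN_RE.match(candidate):
            for own in own_domains:
                if candidate == own:
                    continue  # our own domain, not an impersonation
                dist = levenshtein(_label(candidate), _label(own))
                if dist <= 1:
                    alerts.append({
                        "source": item["source"], "category": "domain", "term": own,
                        "reason": f"lookalike domain (edit distance {dist})",
                        "snippet": candidate,
                    })
    return alerts


if __name__ == "__main__":
    for alert in scan(FEED, WATCHLIST):
        print(f"[{alert['source']}] {alert['category']}={alert['term']}: {alert['reason']} :: {alert['snippet']}")
```

On the constructed feed this produces four alerts: two name mentions (the paste and the forum post) and two lookalike domains; the unrelated domain and the off-topic post produce nothing. The edit-distance threshold of one is deliberately tight to keep false positives low; widen it only with a review step behind it.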
Automated Security Intelligence Amplifies Existing Tools
Security teams spend a great deal of time aggregating data generated by their SIEM, SOAR, firewalls, and other security systems. Pivoting from one workflow into another system just to look up intelligence wastes valuable time. By integrating security intelligence directly into existing tools, security teams automatically get the rich context required to make better, faster decisions — without disrupting their workflow.
A great place to start extending the value of your security tools is with your SOAR. To work effectively, SOAR solutions require a series of defined playbooks designed to describe threats and how to handle them using repeatable, automated security workflows. However, these playbooks are only as smart and effective as the data used to construct them. Like SIEMs, SOARs can suffer from problems like an overload of data, a lack of context from internal systems, and a limited view of external threats.
Quality security intelligence can amplify SOAR platforms. Automating contextualized, evidence-based intelligence to act as an initial decision point eliminates most of the human research otherwise required. Using aggregated, analyzed data and risk scores drawn from across the internet, organizations can create playbooks that act on real-time, contextual information so the SOAR can automate responses intelligently — from implementing security controls to finding related indicators. This combination lets security teams work together more efficiently, so that they can identify threats earlier, reduce false positives, respond faster, and make more confident decisions.
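The "intelligence as the initial decision point" playbook, as an added example that is not part of the original post or of any SOAR or Recorded Future product: the intelligence lookup is an offline dictionary with invented indicators, evidence strings and scores on an assumed 0 to 99 scale, and the two thresholds are chosen for illustration. Each alert's indicator is enriched first; the score and evidence then pick the branch (auto-block, analyst review, close as low risk), an indicator with no context at all is escalated rather than acted on blindly, and a blocked indicator's related indicators are pivoted through the same decision point.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed, offline stand-in for an intelligence lookup. Scores use an assumed
# 0-99 scale; indicators, scores and evidence strings are invented for this example.
INTEL: Dict[str, dict] = {
    "198.51.100.23": {
        "score": 94,
        "evidence": ["observed as a C2 server in sandbox detonations", "listed on a recent threat feed"],
        "related": ["bad-update.example", "203.0.113.8"],
    },
    "bad-update.example": {"score": 88, "evidence": ["served a malware payload"], "related": []},
    "203.0.113.8": {"score": 30, "evidence": ["historical scanning activity"], "related": []},
    "cdn.example": {"score": 5, "evidence": ["widely used content delivery host"], "related": []},
}

# Thresholds chosen for illustration; tune them to your own risk appetite.
AUTO_BLOCK = 90
ANALYST_REVIEW = 65


@dataclass
class Decision:
    indicator: str
    score: Optional[int]
    verdict: str                      # "block", "review", "close" or "escalate"
    actions: List[str] = field(default_factory=list)
    evidence: List[str] = field(default_factory=list)
    related: List["Decision"] = field(default_factory=list)


def decide(indicator: str, intel: Dict[str, dict] = INTEL, _seen: Optional[set] = None) -> Decision:
    """Initial decision point: let the intelligence context choose the branch."""
    seen = _seen if _seen is not None else set()
    seen.add(indicator)
    ctx = intel.get(indicator)
    if ctx is None:
        # No context at all: never auto-act on an unknown, hand it to a human.
        return Decision(indicator, None, "escalate",
                        ["ticket: no intelligence context, analyst triage required"])
    score = ctx["score"]
    d = Decision(indicator, score, "", [], list(ctx["evidence"]))
    if score >= AUTO_BLOCK:
        d.verdict = "block"
        d.actions += [f"firewall: block {indicator}", "ticket: record evidence for the auto-block"]
        # Pivot to related indicators and run each through the same decision point;
        # `seen` stops a cycle in the related-indicator graph from recursing forever.
        for rel in ctx["related"]:
            if rel not in seen:
                d.related.append(decide(rel, intel, seen))
    elif score >= ANALYST_REVIEW:
        d.verdict = "review"
        d.actions.append(f"ticket: queue {indicator} for analyst review with evidence attached")
    else:
        # Low risk with evidence on record: close it and keep the audit trail.
        d.verdict = "close"
        d.actions.append(f"ticket: close alert on {indicator} as low risk, evidence logged")
    return d


def run_playbook(alerts: List[dict], intel: Dict[str, dict] = INTEL) -> Dict[str, int]:
    """Count verdicts over a batch of SIEM alerts (constructed input)."""
    counts = {"block": 0, "review": 0, "close": 0, "escalate": 0}
    for a in alerts:
        counts[decide(a["indicator"], intel).verdict] += 1
    return counts


# Constructed SIEM alerts, each carrying the indicator that fired it.
SAMPLE_ALERTS = [
    {"id": "A-1", "indicator": "198.51.100.23"},
    {"id": "A-2", "indicator": "cdn.example"},
    {"id": "A-3", "indicator": "unknown.example"},
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        d = decide(a["indicator"])
        print(a["id"], d.verdict, d.actions, [(r.indicator, r.verdict) for r in d.related])
    print(run_playbook(SAMPLE_ALERTS))
```

Two design choices carry the point of the paragraph. The low-score alert is closed automatically with its evidence logged, which is where the false-positive reduction comes from; and the related indicator scoring 88 is not blocked alongside the 94, it is queued for review, so the pivot widens the analyst's view without widening the blast radius of an automated block.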
Benefits and Examples of Security Intelligence Automation
Ready to learn more and supercharge your security processes through automation? Check out our new e-book, “Beyond SOAR: 5 Ways to Automate Security With Intelligence.”