Threat Intelligence Best Practices for Your SOAR Integration
August 14, 2019 • Zane Pokorny
The name of the game in incident response these days is SOAR: security orchestration, automation, and response. Organizations struggling with an overwhelming volume of security event data and too few analysts to handle it are turning to solutions that automatically take care of tasks like data aggregation, enrichment, correlation, and even some stages of investigation.
But the foundation of it all is good data. An automated playbook acts on whatever it is fed, so relying on data that’s redundant, irrelevant, stale, or full of false positives will leave SOAR users in the same place they were before (namely, overworked and unable to effectively triage alerts). Integrating real-time, high-fidelity threat intelligence with your SOAR solution is essential for getting the most out of it.
Here, we’re rounding up many of our most accessible resources on getting started with threat intelligence for SOAR. But first, we’ll go over a quick definition.
Security Orchestration, Automation, and Response
What’s meant by “orchestration” and “automation” in SOAR?
Orchestration means connecting the security tools you already run and driving them through defined playbooks: repeatable workflows that spell out, for a given type of alert, which data to gather, which systems to query, and which actions to take. These workflows integrate multiple security technologies to respond to threats, but they are only as smart and effective as the data used to construct them.
Automation, in general, is about machines taking over tasks usually done by humans. In the SOAR context, the aim is to automate the routine decisions (is this indicator known bad? has this alert been seen before? should it be closed, enriched, or escalated?) so that analysts can spend their time on the alerts that genuinely need human judgment. Making those decisions well requires a full, integrated view of external threat information, so the SOAR has the complete picture of what is happening and can take the right steps to remediate threats.
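To make the definitions above concrete, here is a small enrichment-and-triage playbook of the kind a SOAR would run. It is an added example written for this page, not Recorded Future code or any vendor's playbook format; the feed structure, the 0-99 risk-score scale, the 90-day freshness window, and the action names are all assumptions made for the demonstration, and the indicators come from a constructed lookup table standing in for a live feed. It shows the data-quality point from the introduction in code: duplicate indicators are collapsed, a stale hit is downgraded to "needs review" instead of triggering a block, a single-source hit is escalated but not auto-blocked, and only corroborated, fresh, high-risk hits drive an automated block.

```python
"""Illustrative SOAR-style enrichment and triage playbook (added example).

Not Recorded Future code. Feed format, risk-score scale, freshness window and
action names are assumptions chosen for the demonstration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

# Fixed "current time" so the example is reproducible offline.
NOW = datetime(2019, 8, 14, 12, 0, tzinfo=timezone.utc)

# Indicators last seen longer ago than this are treated as unconfirmed, not as
# hits: acting on stale intelligence is one way a playbook creates false positives.
MAX_AGE = timedelta(days=90)


@dataclass(frozen=True)
class Indicator:
    value: str
    risk: int                # 0-99 risk score (assumed feed convention)
    last_seen: datetime      # when the feed last observed the indicator
    sources: FrozenSet[str]  # independent sources that reported it


# Constructed threat-intelligence lookup table standing in for a live feed.
# Addresses are from RFC 5737 documentation ranges.
TI_FEED: Dict[str, Indicator] = {
    "198.51.100.23": Indicator("198.51.100.23", 92, NOW - timedelta(hours=2),
                               frozenset({"malware-sandbox", "sinkhole"})),
    "203.0.113.9": Indicator("203.0.113.9", 88, NOW - timedelta(days=400),
                             frozenset({"blocklist"})),       # stale hit
    "192.0.2.77": Indicator("192.0.2.77", 35, NOW - timedelta(hours=1),
                            frozenset({"forum-mention"})),    # low fidelity
}

# Ordered from least to most severe so an alert inherits its worst verdict.
ACTIONS = ["auto_close", "needs_review", "escalate", "block_and_escalate"]


@dataclass
class Decision:
    alert_id: str
    action: str
    reasons: List[str] = field(default_factory=list)


def verdict_for(ioc: str, now: datetime = NOW) -> Tuple[str, str]:
    """Enrich one indicator against the feed and return (action, reason)."""
    ind: Optional[Indicator] = TI_FEED.get(ioc)
    if ind is None:
        return "needs_review", f"{ioc}: no external context available"
    age = now - ind.last_seen
    if age > MAX_AGE:
        return "needs_review", f"{ioc}: last seen {age.days}d ago, treated as unconfirmed"
    if ind.risk >= 80:
        if len(ind.sources) >= 2:
            return "block_and_escalate", f"{ioc}: risk {ind.risk}, corroborated by {sorted(ind.sources)}"
        return "escalate", f"{ioc}: risk {ind.risk}, single source {sorted(ind.sources)}; no automated block"
    if ind.risk >= 65:
        return "needs_review", f"{ioc}: moderate risk {ind.risk}"
    return "auto_close", f"{ioc}: low risk {ind.risk}, suppressed"


def triage(alert_id: str, iocs: List[str], now: datetime = NOW) -> Decision:
    """Deduplicate the alert's indicators, enrich each, and keep the worst verdict."""
    if not iocs:
        return Decision(alert_id, "needs_review", ["no indicators to enrich"])
    decision = Decision(alert_id, "auto_close")
    for ioc in sorted(set(iocs)):  # set() drops redundant indicators
        action, reason = verdict_for(ioc, now)
        decision.reasons.append(reason)
        if ACTIONS.index(action) > ACTIONS.index(decision.action):
            decision.action = action
    return decision


if __name__ == "__main__":
    # Constructed alerts; each carries the indicators pulled from a SIEM event.
    for alert_id, iocs in [
        ("ALERT-1", ["198.51.100.23", "198.51.100.23"]),
        ("ALERT-2", ["203.0.113.9"]),
        ("ALERT-3", ["192.0.2.77"]),
        ("ALERT-4", ["192.0.2.77", "10.0.0.5"]),
    ]:
        d = triage(alert_id, iocs)
        print(alert_id, d.action, *d.reasons, sep="\n  ")
```

The severity ordering in `ACTIONS` is the design choice worth noting: an alert is only auto-closed if every one of its indicators is low-risk and fresh, and any indicator the feed cannot vouch for pulls the alert back to human review rather than letting the automation guess.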
Threat Intelligence for SOAR
Getting the most out of any security solution often comes down to understanding your organization’s unique needs and use cases. We’ve compiled a helpful list of resources here to help you better understand how to start integrating threat intelligence with your SOAR for faster investigation and response.
- 2 Common SOAR Problems Threat Intelligence Can Solve: Learn about how integrating threat intelligence with SOAR solutions helps with information overload and a lack of context, two of the most common problems SOAR users face.
- Making Your Incident Response Program SOAR With Threat Intelligence (Part 1): Read about how SOAR solutions build on the functions of security information and event management (SIEM) solutions and help improve mean time to detection (MTTD) and mean time to response (MTTR).
- 9 SOAR Use Cases for Effectively Mitigating Cyber Threats (Part 2): Explore the different use cases for SOAR, including dealing with phishing attacks, endpoint attacks, failed user logins or unusual logins, malware analysis, and more.
- The Role of Threat Intelligence in SOAR Performance (Part 3): Understand better how automated threat intelligence helps security teams detect threats earlier, increase efficiency, and resolve threats faster.
- Public Safety, Digital Forensics, and SOAR: Listen to this podcast episode to see how DFLabs incorporates Recorded Future threat intelligence into their SOAR solution.
SOAR Needs Threat Intelligence to Fly High
In short, SOAR is a step toward the idealized “single pane of glass” security solution, where security incidents can be easily seen, correlated, triaged, dealt with, documented, and reviewed, all in one place.
Automation and orchestration are essential for getting what’s going on in your own internal network under control. But what’s going on in the threat landscape outside your network? Properly correlating and enriching internal network data with information on threats requires external context.
And if automation is necessary for dealing with huge amounts of internal network data, it’s even more a requirement for sorting through the truly fathomless amount of data on the internet. To be actionable, threat intelligence needs to be updated in real time, and to be updated in real time, its production needs to be automated as much as possible.
This short video further explains the value of running SOAR playbooks correctly and automating security processes:
If you want to dive a little deeper into the benefits that SOAR users see from incorporating threat intelligence into their solutions, check out our new solution brief, “Supercharging SOAR Solutions With Threat Intelligence.”
It breaks down how threat intelligence helps with enrichment, correlation, monitoring, and threat hunting to help security practitioners achieve faster investigation and response and make decisions more confidently.