REPETITIVE INVESTIGATION & RESPONSE ACTIVITIES
Security orchestration, automation and response (SOAR) is a technology that helps organizations collect alerts and threat feeds in a central place and respond to and remediate incidents.
In today’s world there is a huge volume of alerts and threat data that needs to be handled, and the solution to this problem is machine-driven automated activity. A typical organization uses a number of different security solutions in its daily processes. Building a running process across different solutions is always a constraint, because some products use other products’ output as their input. It is obvious that we do not have enough manpower to handle all activities in today’s environments. So what an organization needs is the ability to coordinate and formalize actions and to automate responses based on the defined risks of the environment.
Organizations need orchestration to gather enough information to understand, review and decide whether suspicious activity is going on. Once the required investigation is completed and the results confirm an incident, the incident must be responded to. To use orchestration effectively, the main requirement is a number of integrations with the different systems in the environment. By using orchestration, SOAR can shrink investigation times from hours to minutes, and automated actions can be brought on board to respond faster, at machine speed. SOC teams can create cases and pass them all to the platform; automating the actions improves response accuracy.
ATAR® features a full-blown automation engine. Using the ATAR® robot, one can define arbitrary automation scenarios. Typically, SOCs automate the investigation and response of their most frequent alerts, treating them according to completely robotized playbooks. ATAR®’s rich library of integrations allows automated playbooks to fetch data, look up intelligence and even interrogate endpoints before running one or more actions designed to block or contain ongoing incidents.
Considering all of the above, ATAR® helps organizations manage automated actions for shorter response times and a more accurate approach. By using ATAR®, SOC teams can pass all repetitive activities to the platform, and whenever an incident occurs ATAR® will handle it without human interaction. ATAR® also allows bringing an incident up to a certain point so that a human analyst can take over and continue working on it from there. When a new hire arrives at the SOC, (s)he is given playbooks describing what to do in the event of a particular type of incident.
Playbooks define a precise list of activities along with preconditions, resembling a flowchart. SOCs consolidate detection activities on a SIEM; all alerts from other detection systems are generally consolidated on the SIEM. In addition, the SIEM works as a detection system itself through analysis of the collected logs and traffic. Incidents do occur on other channels as well, such as e-mails, phone calls, etc., but the great majority come through alerts generated by the SIEM in charge. ATAR® can also receive and manage alerts coming from systems that are not connected.
Volume & Speed
A typical organization gets more than 300 cyber alerts per day, and investigating just one takes around 8 full hours. No SOC has enough staff to sift through all of them. Also, today’s malware-driven attacks can start and end in a mere 15 minutes; no SOC analyst can match this speed. SOCs need automation to match the volume and speed of modern times. ATAR® automation helps SOCs scale for good.
There are just so many repetitive and manual investigation tasks in a typical SOC today. Malware alerts come in dozens, as do multiple failed logins, etc. SOC analysts hate such mundane activities; at the end of the day, mundane is not exciting. Offload such repetitive manual processes to ATAR®, so your precious analysts can focus on more interesting, more out-of-the-ordinary cases and stay excited.
AUTOMATE THE BULKY PART
If one tallies up all the incidents handled at a SOC by monthly frequency, the top 5 most frequently reported incident types account for 50% of all the incidents that happened during that timeframe. Keeping this in mind, ATAR®’s goal is to automate the 3-5 most frequent playbooks where possible, offloading 30-40% of all incidents to automation.
SEMI-AUTOMATION IS POSSIBLE
When full automation is not possible because the SOC needs human intelligence for certain analysis, semi-automation with ATAR® is still an option. When a particular incident is triggered, ATAR® can start an automated investigation, collect some data and evidence, and then stop there, handing the case over to an analyst. Automation can still help even when you cannot fully automate a playbook.
APPROVE CRITICAL ACTIONS
ATAR® has ready-made integrations with over 85 different technologies from some 20+ IT vendors. These integrations allow ATAR® to reach out to different platforms to collect additional data and evidence, as well as to connect to a particular device to change configurations or take specific actions. In this respect, ATAR® enables Software Defined Security: it is possible to change the security posture by triggering certain automation playbooks.
ATAR® automation can be completely autonomous, running a playbook from end to end. When full automation is not desirable, ATAR® has an option to ask for approval before critical activities. For example, ATAR® can run an investigation in a mostly automated manner but ask for approval before blocking a particular IP address on the border firewall. Most SOCs start using ATAR® automation with many approval points, but they remove such approvals as soon as they build confidence in the automated playbooks.
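The playbook model described in the sections above (a flowchart of steps with preconditions, automated enrichment, a hand-off to an analyst when semi-automation stops short, and an approval gate before a critical action such as a firewall block) can be captured in a small runner. The following is an added illustration written for this page; it is not ATAR® code and does not use any ATAR® API. The threat-intelligence and asset lookups, the sample alert and the simulated firewall are all constructed stand-ins for real integrations.

```python
"""Minimal SOAR-style playbook runner (constructed example, not ATAR® code).

Demonstrates three behaviours from the text:
  * enrichment steps run automatically and attach evidence to the case;
  * a step with an unmet precondition is skipped (flowchart branch);
  * a step marked critical needs an approver; with no approver present the
    case halts and is handed to an analyst with the evidence gathered so far.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Case:
    alert: Dict                                   # the triggering alert
    evidence: Dict = field(default_factory=dict)  # collected during the run
    log: List[str] = field(default_factory=list)  # audit trail of decisions
    status: str = "open"


@dataclass
class Step:
    name: str
    run: Callable[[Case], None]
    precondition: Callable[[Case], bool] = lambda case: True
    critical: bool = False   # True => requires approval before running


# Constructed lookup tables standing in for threat-intel and CMDB integrations.
THREAT_INTEL = {"203.0.113.7": "known-bad"}          # documentation-range IP
ASSETS = {"10.0.0.5": {"owner": "finance", "crown_jewel": True}}
FIREWALL_BLOCKLIST: List[str] = []                   # simulated border firewall


def enrich_threat_intel(case: Case) -> None:
    case.evidence["ti_verdict"] = THREAT_INTEL.get(case.alert["src_ip"], "unknown")


def enrich_asset(case: Case) -> None:
    case.evidence["asset"] = ASSETS.get(
        case.alert["dst_ip"], {"owner": "unknown", "crown_jewel": False})


def block_source_ip(case: Case) -> None:
    FIREWALL_BLOCKLIST.append(case.alert["src_ip"])
    case.evidence["blocked"] = case.alert["src_ip"]


def run_playbook(steps: List[Step], case: Case,
                 approver: Optional[Callable[[Step, Case], bool]] = None) -> Case:
    """Execute steps in order; stop at the first critical step lacking approval."""
    for step in steps:
        if not step.precondition(case):
            case.log.append(f"skip {step.name}: precondition not met")
            continue
        if step.critical:
            if approver is None:                 # semi-automation: hand over
                case.status = "pending_analyst"
                case.log.append(f"halt before {step.name}: analyst hand-off")
                return case
            if not approver(step, case):         # approval explicitly denied
                case.status = "action_rejected"
                case.log.append(f"rejected {step.name}")
                return case
        step.run(case)
        case.log.append(f"ran {step.name}")
    case.status = "closed_automated"
    return case


# Playbook for a malware call-back alert: enrich, then block only if intel
# confirms the source is bad, and only with approval.
PLAYBOOK = [
    Step("threat_intel_lookup", enrich_threat_intel),
    Step("asset_lookup", enrich_asset),
    Step("block_source_on_firewall", block_source_ip,
         precondition=lambda c: c.evidence.get("ti_verdict") == "known-bad",
         critical=True),
]

# Constructed sample alert, as a SIEM might forward it.
SAMPLE_ALERT = {"id": "A-1", "type": "malware_callback",
                "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5"}


def handle(alert: Dict, approver=None) -> Case:
    """Run the playbook for one alert; approver=None means semi-automation."""
    return run_playbook(PLAYBOOK, Case(dict(alert)), approver=approver)


if __name__ == "__main__":
    semi = handle(SAMPLE_ALERT)                          # halts for analyst
    full = handle(SAMPLE_ALERT, approver=lambda s, c: True)  # fully automated
    print(semi.status, semi.log)
    print(full.status, full.evidence.get("blocked"))
```

Running it without an approver leaves the case in `pending_analyst` with the threat-intel verdict and asset details already attached, which is the semi-automation hand-off; supplying an approver that returns `True` lets the block run end to end, and an alert whose source is not known-bad skips the block step entirely because its precondition fails. Removing `critical=True` from the block step is the equivalent of the confidence-building step the text describes, where a SOC drops an approval point once the playbook has proven itself.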