How well a SOC team manages the increasing number of incidents, and tracks their progress, is a direct measure of how efficiently it is running. A SOAR platform therefore needs to support collaborative work within the SOC team, but this is not an easy process to manage.
Analyst efficiency also depends on how much the platform helps with incident management. From the moment the initial alert is processed and triaged, an analyst needs an efficient way to gather information on an incident that is not a false positive. Regulatory requirements must also be observed while handling evidence. Analysts have different ways of working on incidents, and different scripting capabilities.
Without a single place to manage the operational steps, an analyst may end up carrying the process in their own head. ATAR® therefore lets analysts work collaboratively on the same incidents, and records their work for auditing purposes, so that every analyst is fully accountable. Managing incidents becomes less complicated with the ATAR® platform.
ATAR® comes with a pack of functions meant to improve analyst efficiency by using automation in various forms. Using ATAR® automation, SOCs observe that 30-40% of their incidents have been taken care of. Still, a large volume of attacks remains to be investigated and responded to by the analysts in a SOC. ATAR® provides an investigations console and several associated tools to help analysts streamline their work and handle incidents far more efficiently. ATAR® delivers a specialized service desk for incident investigations. SIEMs, other technology sources and analysts can create incidents on ATAR®. Using dispatch rules, SOCs can direct incidents to specific analysts based on roles, groups, shifts, etc.
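The dispatch-rule idea described above, modelled as an added example (this is not ATAR®'s own code): an ordered rule list routes a new incident to an analyst by role, group and shift, falling through to the next rule when nobody eligible is on shift. The roster, shift windows, rule list and the `load` map used to pick the least-busy eligible analyst are constructed assumptions.

```python
"""Dispatch rules: route a new incident to an on-shift analyst by role, group and shift.

Added example, not ATAR's code. The roster, shift windows and rule list
are constructed for illustration; a real platform would load them from
its service desk configuration.
"""
from dataclasses import dataclass
from datetime import time
from typing import Optional


@dataclass
class Analyst:
    name: str
    role: str             # "tier1" or "tier2"
    groups: frozenset
    shift: tuple          # (start, end) local time, half-open interval

    def on_shift(self, now: time) -> bool:
        start, end = self.shift
        if start <= end:
            return start <= now < end
        return now >= start or now < end    # shift wraps past midnight


@dataclass
class Incident:
    id: str
    source: str           # e.g. "siem" or "analyst"
    severity: str
    category: str


@dataclass
class DispatchRule:
    name: str
    match: dict           # incident attribute -> required value; {} matches everything
    role: Optional[str] = None
    group: Optional[str] = None

    def applies(self, inc: Incident) -> bool:
        return all(getattr(inc, k) == v for k, v in self.match.items())


# Constructed roster and ordered rule list (assumptions): the first matching
# rule that has an eligible analyst on shift wins; otherwise it falls through.
ROSTER = [
    Analyst("alice", "tier2", frozenset({"malware", "network"}), (time(8), time(16))),
    Analyst("eve",   "tier2", frozenset({"network"}),            (time(8), time(16))),
    Analyst("bob",   "tier1", frozenset({"triage"}),             (time(8), time(16))),
    Analyst("carol", "tier1", frozenset({"triage"}),             (time(16), time(0))),
    Analyst("dave",  "tier2", frozenset({"malware"}),            (time(0), time(8))),
]
RULES = [
    DispatchRule("critical_to_tier2", {"severity": "critical"}, role="tier2"),
    DispatchRule("malware_to_group",  {"category": "malware"},  group="malware"),
    DispatchRule("default_triage",    {},                       role="tier1"),
]


def dispatch(inc, now, roster=ROSTER, rules=RULES, load=None):
    """Return (rule name, analyst name), or (None, None) if nobody is available.

    Among eligible analysts the one with the fewest open incidents (per the
    optional `load` map) is chosen, ties broken by name for determinism.
    """
    load = load or {}
    for rule in rules:
        if not rule.applies(inc):
            continue
        eligible = [
            a for a in roster
            if a.on_shift(now)
            and (rule.role is None or a.role == rule.role)
            and (rule.group is None or rule.group in a.groups)
        ]
        if eligible:
            chosen = min(eligible, key=lambda a: (load.get(a.name, 0), a.name))
            return rule.name, chosen.name
    return None, None   # stays in the unassigned queue for manual pickup


if __name__ == "__main__":
    print(dispatch(Incident("INC-1", "siem", "critical", "phishing"), time(10)))
    print(dispatch(Incident("INC-2", "siem", "low", "phishing"), time(20)))
```

Note the fall-through in the last case below: a critical incident raised at night, when no Tier-2 is on shift, lands on the default triage rule. Rule order and shift coverage therefore need to be reviewed together, which is exactly the kind of gap the incident timeline makes visible afterwards.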
A typical SOC analyst uses 15-20 different investigation and response tools. Instead of switching screens and logging in and out of these tools, ATAR® provides a unified investigation interface to command and control them from a single console. The ATAR® investigation console's one-click evidence collection and one-click actions help cut individual investigations from several hours to several minutes.
The ATAR® investigation platform provides the notion of investigation scopes. As the investigation proceeds, ATAR® extracts the lists of relevant IPs, URLs, domains, usernames etc. for a particular incident and puts them into the incident's scope. Analysts are only allowed to investigate further and take actions on elements that are in scope. This stops many practical analyst errors, such as typos when entering IP addresses or URLs.
The investigation platform provides a collaborative working environment. An analyst who joins a case later can review all previous activities, all data and evidence gathered, and all actions taken. By fostering teamwork, ATAR®'s investigation interface allows analysts to help one another close more cases, faster.
ATAR® records all analyst activities in an incident timeline. The timeline provides traceability for SOC processes. Any and all activities, whether by the ATAR® robot or by analysts, go into the timeline, so post-mortem reviews of cases can be run. This not only provides accountability and performance data but also helps internal and external auditors review SOC processes. Most tools require admin privileges, so only a trusted group of SOC analysts is allowed access to all of them.
Speed up investigations
When using the ATAR® service desk, analysts can see their assigned incidents with all the details, including SLAs and the incident timeline, among others. ATAR®'s interface works as an investigation cockpit; ATAR®'s main functionality lies in the set of buttons on the user interface. Without switching between applications and logging on and off, analysts can click a button to make ATAR® fetch additional data or evidence, and they can even trigger counteractions with a single click. This one-click data collection and response speeds up investigations 10 to 15-fold.
The incident timeline is particularly important, as it enables collaborative investigations. When an analyst hands an incident over to a colleague, or asks the team to jump in, the incident timeline acts as the activity coordinator: because every investigative activity is listed in chronological order along with all the data collected, the timeline allows the team to work on the incident together.
Optimize Available Skillsets
Most SOCs employ more Tier-1 than Tier-2 analysts. In most cases, Tier-1 analysts are nothing more than expensive human filters: they review the alert and do nothing but try to eliminate false positives. Empowering Tier-1s would be possible if there were no risk of them causing faults. Giving them admin access to Active Directory or the border firewall for their investigations would only be advisable if the risk of them making a mistake and crashing the whole infrastructure could be prevented. ATAR® addresses this problem and allows Tier-1s to handle a bigger portion of investigative activities. The one-click evidence collection and one-click action buttons hide the technical complexity of a particular activity; a junior analyst can look up particular data on a particular system by pressing a single button, without necessarily knowing how the system looks under the hood. This abstraction between investigative data requests and the technical data-gathering mechanisms, combined with strong and granular access control, allows Tier-1s to carry out many investigative activities without risk of mistakes such as typos. Actions requested by junior analysts can still be routed to device owners for approval.
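The three mechanisms described above (investigation scopes that restrict targets, role-gated one-click actions with device-owner approval, and an append-only incident timeline) fit together as shown in this added example; it is not ATAR®'s own code. The action catalogue, the role ranks, the approval flag per action and the sample indicators are constructed assumptions. The point it makes is that every request, whether executed, queued or denied, leaves a timeline entry, so a scope or role denial is auditable and not just an error message.

```python
"""Investigation scope, role-gated one-click actions and an incident timeline.

Added example, not ATAR's code: models the scope, access-control and
timeline mechanisms described in the text. The action catalogue, role
ranks and sample indicators are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress
import itertools

# Constructed catalogue: the lowest role allowed to request each action, and
# whether a device owner must approve it before it runs.
ACTIONS = {
    "lookup_reputation": {"min_role": "tier1", "approval": False},
    "fetch_auth_log":    {"min_role": "tier1", "approval": False},
    "block_ip":          {"min_role": "tier1", "approval": True},
    "disable_account":   {"min_role": "tier2", "approval": True},
}
ROLE_RANK = {"tier1": 1, "tier2": 2}


class ScopeError(ValueError):
    """Target is not in the incident's investigation scope."""


class AuthzError(PermissionError):
    """Analyst's role is too low for the requested action."""


def _normalise(kind, value):
    # Canonical form so "192.0.2.010"-style typos and stray spaces are rejected
    # for IPs and case/whitespace differences do not bypass scope for names.
    return str(ipaddress.ip_address(value.strip())) if kind == "ip" else value.strip().lower()


@dataclass
class Incident:
    id: str
    scope: dict = field(default_factory=lambda: {"ip": set(), "domain": set(), "user": set()})
    timeline: list = field(default_factory=list)   # append-only audit trail
    pending: dict = field(default_factory=dict)    # request id -> action awaiting approval
    _ids: itertools.count = field(default_factory=itertools.count, repr=False)

    def log(self, actor, event, **details):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "actor": actor, "event": event, **details}
        self.timeline.append(entry)
        return entry

    def add_to_scope(self, actor, kind, value):
        """Add an indicator to scope; malformed IPs raise ValueError here, not later."""
        value = _normalise(kind, value)
        self.scope[kind].add(value)
        self.log(actor, "scope_add", kind=kind, value=value)
        return value

    def in_scope(self, kind, value):
        try:
            return _normalise(kind, value) in self.scope[kind]
        except ValueError:
            return False

    def request_action(self, analyst, role, action, kind, target):
        """One-click action: check role, then scope; run immediately or queue for approval."""
        spec = ACTIONS[action]
        if ROLE_RANK[role] < ROLE_RANK[spec["min_role"]]:
            self.log(analyst, "denied", action=action, target=target, reason="role")
            raise AuthzError(f"{role} may not request {action}")
        if not self.in_scope(kind, target):
            self.log(analyst, "denied", action=action, target=target, reason="out_of_scope")
            raise ScopeError(f"{target!r} is not in scope of {self.id}")
        if spec["approval"]:
            rid = f"{self.id}-{next(self._ids)}"
            self.pending[rid] = {"analyst": analyst, "action": action, "target": target}
            self.log(analyst, "pending_approval", request=rid, action=action, target=target)
            return "pending", rid
        self._execute(analyst, action, target)
        return "executed", None

    def approve(self, approver, rid):
        """Device owner approves a queued action; it then runs under the requester's name."""
        req = self.pending.pop(rid)
        self.log(approver, "approved", request=rid, **req)
        self._execute(req["analyst"], req["action"], req["target"])
        return "executed"

    def _execute(self, analyst, action, target):
        # Simulated connector call; a real platform would invoke the tool integration here.
        self.log(analyst, "action", action=action, target=target, result="ok")


if __name__ == "__main__":
    inc = Incident("INC-42")
    inc.add_to_scope("alice", "ip", "192.0.2.10")           # constructed sample indicator
    print(inc.request_action("bob", "tier1", "lookup_reputation", "ip", "192.0.2.10"))
    status, rid = inc.request_action("bob", "tier1", "block_ip", "ip", "192.0.2.10")
    print(status, inc.approve("fw-owner", rid))
    for e in inc.timeline:
        print(e["actor"], e["event"], {k: v for k, v in e.items() if k not in ("ts", "actor", "event")})
```

The role check runs before the scope check on purpose: an analyst who is not entitled to an action should get the same answer whether or not the target is in scope, so the denial does not leak which indicators the incident holds.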