Security threats are increasing, and security analysts have more data and devices to keep their eyes on than ever before. There are more devices, more types of devices, more cloud services, and subtler threats—take, for example, the rising popularity of fileless malware, which makes ransomware and other types of attacks harder to detect.
Faced with an ever-growing volume of alerts to triage, threats to investigate, and devices to screen, overworked security analysts are turning to automation for help. Security Orchestration, Automation and Response (SOAR) platforms are now delivering some of the automation that security analysts need. These platforms collect alerts and other data from SIEM platforms and other local tools, enrich the data with basic contextual information such as IP address reputations, and present the alerts for consideration to analysts. If analysts decide to take action in response to an alert, the SOAR platform can help there, too, by performing some basic automated tasks, such as blacklisting an IP address or closing a port.
SOAR platforms are decidedly an improvement over relying entirely or primarily on manual processes for alert triage and threat detection. But SOAR platforms leave many time-consuming tasks unautomated. Most importantly, SOAR platforms still require analysts to perform the analysis of the enriched data. Analysis takes time, and time is what Security Operations Center (SOC) teams are trying to save.
SOAR+ is a new category of security technology that builds on SOAR platforms but takes automation further by automating threat analysis itself. SOAR+ applies the expertise of security analysts in a fast, repeatable way to dramatically reduce SOC workloads.
Flows and Playbooks for Threat Detection
To automate threat analysis, a SOAR+ platform runs a flow, an ordered series of steps that processes data, makes decisions, renders a judgement, and, where warranted, takes action to remediate a threat. Flows are collected in playbooks, digital counterparts of the printed directions kept in the physical playbooks of many SOCs. Instead of a security analyst following all the steps in a printed playbook, a SOAR+ playbook performs them automatically at split-second speed.
To build a SOAR+ flow, an analyst uses a drag-and-drop interface to place nodes into a connected series representing the steps in the flow. One node might be set up to collect a certain type of data from a source. Another might be to perform a common task, such as checking the reputation of any IP addresses in the data from the previous step.
By connecting these nodes, including nodes for decision-making steps and risk scoring, and fine-tuning the settings to suit an organization’s particular environment and security policies, an analyst can build a flow in a matter of minutes that automates analytical tasks which might take an hour or more to perform manually even once. The flow then runs those tasks in minutes or even seconds.
Once built, any flow can be scheduled to be repeated at fixed intervals. For example, a SOC might have a flow designed to evaluate suspicious messages flagged as possible phishing attacks. The SOC might decide to run this flow every 15 minutes, so that messages quarantined as suspicious can be processed quickly and safe messages routed to their recipients’ inboxes.
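The following is an added illustration of the flow mechanics described above: an ordered series of nodes that loads unprocessed quarantined mail, enriches each message with sender, URL and attachment reputation, scores risk, and renders a judgement. It is example code written for this page, not LogicHub's platform code; the threat-intelligence lists, the messages, the node names, and the score weights and threshold are all constructed assumptions. A second run over the same quarantine shows why the "load unprocessed" step matters for a scheduled flow.

```python
"""Toy phishing-triage flow in the SOAR+ style (added example, not LogicHub code)."""
import re
from dataclasses import dataclass, field
from typing import Callable, List

# Constructed stand-ins for the reputation services a real flow would query.
BAD_SENDER_DOMAINS = {"secure-login-update.example"}
BAD_URL_HOSTS = {"secure-login-update.example", "payroll-verify.example"}
BAD_ATTACHMENT_HASHES = {"deadbeef"}  # placeholder value, not a real indicator


@dataclass
class Email:
    id: str
    sender: str
    body: str
    attachment_hash: str = ""
    processed: bool = False          # set once a flow run has judged the message
    findings: List[str] = field(default_factory=list)
    risk: int = 0
    verdict: str = ""


# A node takes the working set of messages and returns it, filtered or enriched.
Node = Callable[[List[Email]], List[Email]]

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def load_unprocessed(quarantine: List[Email]) -> List[Email]:
    """Collect node: only messages that no earlier scheduled run has handled."""
    return [m for m in quarantine if not m.processed]


def check_sender_reputation(batch: List[Email]) -> List[Email]:
    """Enrichment node: sender domain against the (constructed) intel list."""
    for m in batch:
        domain = m.sender.rsplit("@", 1)[-1].lower()
        if domain in BAD_SENDER_DOMAINS:
            m.findings.append("sender-domain-listed")
            m.risk += 50
    return batch


def check_url_reputation(batch: List[Email]) -> List[Email]:
    """Enrichment node: every URL host in the body against the intel list."""
    for m in batch:
        for host in URL_HOST_RE.findall(m.body):
            if host.lower() in BAD_URL_HOSTS:
                m.findings.append(f"url-host-listed:{host}")
                m.risk += 40
    return batch


def check_attachment_reputation(batch: List[Email]) -> List[Email]:
    """Enrichment node: attachment hash against the intel list."""
    for m in batch:
        if m.attachment_hash and m.attachment_hash in BAD_ATTACHMENT_HASHES:
            m.findings.append("attachment-hash-listed")
            m.risk += 60
    return batch


def score_and_decide(batch: List[Email]) -> List[Email]:
    """Decision node: render a judgement from the accumulated risk score."""
    for m in batch:
        if m.risk >= 50:
            m.verdict = "quarantine"   # keep held; open an incident
        elif m.risk > 0:
            m.verdict = "escalate"     # ambiguous: hand to an analyst
        else:
            m.verdict = "release"      # deliver to the recipient's inbox
        m.processed = True
    return batch


# The flow: nodes in order, each receiving the previous node's output.
PHISHING_FLOW: List[Node] = [
    load_unprocessed,
    check_sender_reputation,
    check_url_reputation,
    check_attachment_reputation,
    score_and_decide,
]


def run_flow(flow: List[Node], data: List[Email]) -> List[Email]:
    for node in flow:
        data = node(data)
    return data


def build_sample_quarantine() -> List[Email]:
    """Constructed messages standing in for a mail gateway's quarantine."""
    return [
        Email("m1", "it@secure-login-update.example",
              "Reset now: https://secure-login-update.example/reset"),
        Email("m2", "alice@partner.example", "Agenda: https://intranet.example/agenda"),
        Email("m3", "bob@partner.example", "Invoice attached", attachment_hash="deadbeef"),
        Email("m4", "news@shop.example", "Offer: https://payroll-verify.example/deal"),
    ]


def verdicts(flow_output: List[Email]) -> dict:
    return {m.id: m.verdict for m in flow_output}


if __name__ == "__main__":
    quarantine = build_sample_quarantine()
    for m in run_flow(PHISHING_FLOW, quarantine):      # scheduled run 1
        print(m.id, m.risk, m.verdict, m.findings)
    second = run_flow(PHISHING_FLOW, quarantine)        # run 2: nothing new
    print("second run handled", len(second), "messages")
```

The three-way verdict is a design choice worth noting: a message with some risk but below the quarantine threshold is escalated to an analyst rather than silently released, which keeps the automated flow from making the one decision (delivering a borderline phish) that is hardest to undo.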
Automated Recommendations for Building Flows
SOAR+ flows clearly represent a huge improvement over the status quo in many SOCs. Flows enable analysts to automate routine tasks, clearing away tens, hundreds, or even thousands of security alerts every day.
What would make flow-building even easier? A SOAR+ platform that can guide analysts through the construction of flows by offering recommendations for useful components at every step.
On the LogicHub SOAR+ security automation platform, when an analyst drags a node onto the design pane for building flows, the platform automatically offers recommendations for possible actions or next steps that could follow the selected node.
For example, if a flow collects email data for phishing triage, the platform might recommend that the flow load new unprocessed emails from the data it collects. And once the load unprocessed emails step has been added to the flow, the platform might recommend that the flow run an analysis of the reputation of the sender, attachments, and URLs by using threat intelligence services.
[Figure: Sample recommendation and newly added recommended node]
The platform doesn’t suggest every possible next step or component, only the ones that would be appropriate for the component the analyst has just added or selected.
Benefits of Recommendations for SOAR+ Platforms
Automated recommendations provide two chief benefits for security analysts:
Breadth: Recommendations offer helpful ideas for flows, ensuring that critical steps for data enrichment and threat analysis aren’t omitted or overlooked.
Speed: Recommendations accelerate the construction of flows by making it easy for analysts to find the right component for any step in a flow.
Flows accelerate work. Recommendations accelerate the creation of flows. They’re part of what distinguishes a SOAR platform, which still leaves time-consuming analysis to analysts themselves, from a SOAR+ platform that automates alert triage and threat analysis, improving the speed and accuracy of the overall work of a SOC.
The LogicHub SOAR+ Platform and Recommendations
Developed by security industry veterans, the LogicHub SOAR+ platform is the only security platform that automates alert triage, threat detection, and threat mitigation effectively. By allowing security analysts to apply their expertise in carefully designed flows and playbooks, LogicHub automates alert triage and threat analysis and enables SOC teams to find and remediate threats more quickly.