A security analyst is the most valuable asset in any Security Operations Center (SOC). An analyst has the knowledge and experience needed for identifying threats and recommending the fastest and most effective course of action for mitigating threats once they have been detected. Without the hard-earned wisdom of analysts, even SOCs filled with state-of-the-art equipment will find themselves losing to hackers and their increasingly subtle and constantly changing attacks.

But too often, the tools and workflows in a SOC stifle a security analyst’s ability to put their knowledge to work. In most SOCS, there are too many false positive alerts, too many outstanding tickets or open cases that end up not requiring attention after all, and too many “point solution” tools to use and to consult. To reduce time-consuming work and mental clutter, SOCs need to apply integration and automation.

SOAR Platforms to the Rescue

A relatively new type of security platform called SOAR (Security Orchestration, Automation, and Response) provides the integration and automation that SOCs have been missing. Gartner identified this product category in 2017, and since then SOAR platforms have emerged as a promising direction for SOC technology, centralizing information, streamlining information flows, and providing basic automation for making a security analyst’s life easier.

Most SOAR platforms do some or all of the following:

  • Aggregate alerts from multiple systemsincluding SIEM systems Part of orchestration is bringing all alert data into one location for analysis.
  • Enrich data to make alerts more meaningfulIf an alert has been raised about an IP address, what’s the reputation of that IP address? By enriching data with this kind of contextual information, SOAR platforms save security analysts the time and hassle of looking up this information themselves. Analysts can take action more quickly because they more quickly understand the context of the situation that generated the alert.
  • Provide workflows for incident response and threat remediation SOAR platforms provide the structured workflows that until recently have existed only as sometimes poorly maintained documented processes in most SOCs. In contrast, SOAR platforms provide a digital framework for tracking threats and security incidents and workflows for responding to threats.
  • Provide basic robotic automation in response to threats Many SOAR platforms automate basic responses to threats, such as blacklisting an IP address or closing a port. This automation helps provide timely, accurate responses to threats
  • Provide basic case management features Some SOCs have dedicated case management systems for tracking alerts, alert triage, and other activities, but many SOCs do not. SOAR platforms feature built-in case management tools so that security analysts can track and manage threat detection and threat remediation work directly in their SOAR platform.

Gartner estimates that about 5 percent of SOCs with five or more security analysts have already adopted some kind of SOAR platform, but the benefits of SOAR platforms are so compelling, the firm expects 30% of these SOCs to be using SOAR platforms by 2022.

Evolution’s Next Phase: SOAR+

Gartner is rightfully bullish about the future of SOAR platforms. These platforms are addressing critical needs in SOCs, and SOCs are responding with their checkbooks.

SOAR platforms help overworked analysts cull through alerts to find the threats that really matter. And if an analyst decides that a threat is genuine, a SOAR platform can help automate the response and then produce a report on what was done.

What most of today’s platforms fail to do, though, is automate the most critical and time-consuming aspect of a security analyst’s work: namely, threat analysis and decision-making itself. While SOAR platforms decidedly improve upon traditional SOC technology by aggregating alerts, enriching data, and automatic simple tasks as part of threat remediation they fail to automate high-stakes, time-consuming work such as:

  • Threat analysis
  • Proactive threat hunting not in response to alerts

The next evolution of SOAR is called SOAR+, and it addresses these shortcomings.

A SOAR+ platform helps SOCs make the most of their security analysts by automating more critical work. A SOAR+ platform provides:

  • Machine learning Applies machine learning to build highly nuanced and accurate models of IT environments, so that alerts can more accurately be scored as anomalous threats or unusual but benign events
  • Autonomous threat detection Automatically analyzes alerts and IT activity for indications of threats, based on contextual models, intelligence feeds, and other diverse criteria.
  • Greater accuracy Provides context-appropriate recommendations to help analysts build highly sophisticated, accurate analytical workflows, and machine learning models.
  • Continuous fine-tuning based on analysts’ expertise and machine learning Enables analysts to fine-tune workflows and analytical models, so that automated threat detection always draws on analysts’ expertise and increasingly accurate machine learning models.
  • Focus Provides case management and reporting that reduces analyst workloads by focusing on events that are genuine threats. SOAR+ platforms create cases only for events that are determined to be suspicious, rather than opening cases for every event analyzed.

SOAR+ technology delivers the next acceleration in threat hunting, threat detection, and threat remediation. It automatically eliminates most false positives, automatically performs threat analysis, and gives analysts the freedom to decide how much or how little they want to automate threat analysis and threat remediation.

The LogicHub SOAR+ Security Automation Platform

The most advanced platform in the evolution of SOAR, the LogicHub SOAR+ Security Automation Platform arms security analysts with an expert system that virtualizes analyst knowledge and expertise in automated playbooks. With its powerful machine-learning-powered decision engine, LogicHub eliminates false positives and detects hard-to-find threats with minimal programming or analysts’ time. Automating both data enrichment and decision-making helps SOCs expedite case resolutions. Using LogicHub’s SOAR+ technology, SOCs can turn the information locked in security playbooks into fast, effective threat remediations that dramatically improve an organization’s security posture.

Even as SOAR evolves, a SOC’s most precious resource remains its security analysts. With the LogicHub SOAR+ platform, SOCs can empower their analysts with both cognitive and robotic automation, so that analyst time and knowledge go further than ever before.

You can contact us here and try the LogicHub Free Edition


Related Posts

May 20, 2022 Willy Leichter

Automating Threat Detection: Three Case Studies

Demystifying the technology with case studies of AI security in action Many automation tools, such...

Learn More

May 17, 2022 Willy Leichter

It's Time to Put AI to Work in Security

While we’ve been talking about and imagining artificial intelligence for years, it only has...

Learn More

May 15, 2022 Tessa Mishoe

LogicHub Security RoundUp: May 2022

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be...

Learn More

May 9, 2022 Tessa Mishoe

Bad Luck: BlackCat Ransomware Bulletin

Blackcat Ransomware On April 19th of 2022, the FBI Cyber Division released a flash bulletin...

Learn More

May 6, 2022 Kumar Saurabh

Let Humans Be Humans and AI Be AI

LogicHub’s unique decision automation technology can build clients the ultimate security playbook...

Learn More

May 3, 2022 Kumar Saurabh

How to Build a Threat Detection Playbook In 15 Minutes or Less

Automating a threat-hunting playbook with the help of AI Many threat-hunting playbooks we build for...

Learn More

April 29, 2022 Tessa Mishoe

Integrating Better: What Can Integrations Do For Me?

Introduction Within the realm of security, there are many different toolsets and opinions on what...

Learn More

April 27, 2022 Willy Leichter

Beyond No-Code: Using AI for Guided Security Automation

SOAR Playbooks Outside of football, the term “playbook” is well understood by a relatively small...

Learn More

April 21, 2022 Willy Leichter

Goodbye Lonely SIEM, Hello MDR

When updating your systems from a pure Security Information Event Management (SIEM), choosing the...

Learn More

April 15, 2022 Tessa Mishoe

LogicHub Security Roundup: April 2022

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be...

Learn More