Skip to main content

Security Automation and Orchestration (SOAR) success and Best Practice

What is security automation and orchestration? 

Gartner defines SOAR solutions as "technologies that enable organizations to collect security threats data and alerts from different sources, where incident analysis and triage can be performed leveraging a combination of human and machine power to help define, prioritize and drive standardized incident response activities according to a standard workflow." It adds, "SOAR tools allow an organization to define incident analysis and response procedures (aka plays in a security operations playbook) in a digital workflow format, such that a range of machine-driven activities can be automated."

Security automation – the use of information technology in place of manual processes for cyber incident response and security event management. 

Security orchestration – the integration of security and information technology tools designed to streamline processes and drive security automation.

Measuring automation success 

The goal for any security operations center automation efforts is to reduce Mean Time to Detect and Mean Time to Remediate while not having a linear growth in headcount with the growth in business. The key is to not only measure automation results and SOC efficiency but to also gain insights to determine where automation efforts need to be spent to improve the security posture of your organization. Some fundamentals to measure include:

 Noise Reduction: 

Most Security Operations Centers struggle with the signal-to-noise ratio. A key measure for this is the stacking ratio that measures the compression from alerts to cases and is an indicator of reduction in triage activity needed. 

Automate High Fidelity Signals: 

It is critical to ensure that automation efforts are spent on high fidelity alerts and the right response processes. Measuring detection efficacy by determining true positive and false positive alerts enables a continuous feedback loop and improvement in detection signals. Understanding false negatives identify monitoring and security response gaps. 

Address Top Offenders: 

It is common for security response teams to be drowned in repetitive signals and the same tasks repeatedly. Identifying and tracking top offenders over time provides insights on what needs to be further automated or prevented through better monitoring, controls and engineering solutions. 

Automation Outcomes: 

Validating the outcomes for automation efforts is essential to right size efforts. With increased automation teams seeing that their TTx (Time to Detect, Triage, Remediate and others) goes down and the SOC investigator efficiency increases, as the number of cases each defender can successfully resolve goes up.

Security automation and orchestration best practices

Move as much of the work as possible to your detectors.

Select and deploy sensors that automate, correlate, and interlink their findings prior to sending them to an analyst. 

Automate alert collection 

The SOC analyst should have everything they need to triage and respond to an alert without performing any additional information collection, such as querying systems that may or may not be offline or collecting information from additional sources such as asset management systems or network devices. 

Automate alert prioritization 

Real-time analytics should be leveraged to prioritize events based on threat intelligence feeds, asset information, and attack indicators. Analysts and incident responders should be focused on the highest severity alerts. 

Automate tasks and processes

Target common, repetitive, and time-consuming administrative processes first and standardize response procedures. Once the response is standardized, automate the SOC analyst workflow to remove any human intervention where possible. 

Continuous Improvement 

Monitor the key metrics we discussed earlier in this article and tune your sensors and workflows to drive incremental changes.


Popular posts from this blog

My Life as Information security engineer Chapter 1: Tools

  Hi folks, here I am going to share the tools list that I am using in my daily life cycle. NMAP  Nmap (“Network Mapper”) is a free and open-source (license) utility for network discovery and security auditing. Basically, I will use it to discover the open ports and closed ports where I did Port Mapping in firewalls. We can use this in the local network as well as in the WAN network. Also with help of the NSE script, we do multiple things like vulnerability check, exploitation, etc., Ref: CURL and WGET curl   is a tool to transfer data from or to a server, using one of the supported protocols (HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP or FILE). Normally using this tool to analyze the website headers when my web security device blocking some dynamic content websites and to create the Application signature in IPS. Wget   using to download files directly instead of opening and surfing the brow

AquaSec Container Security Solution ( DevSecOps ) - A quickView

  What is AquaSec?      The Aqua Platform is the leading Cloud Native Application Protection Platform (CNAPP) and provides prevention, detection, and response automation across the entire application lifecycle to secure the supply chain, secure cloud infrastructure, and secure running workloads wherever they are deployed.    Solutions : Cloud Native Security Platform CSPM Cloud Security Container Security Kubernetes Security Serverless Security Cloud VM Security Dynamic Threat Analysis (DTA) Container Vulnerability Scanning Aquasec offers a 14days trial to learn the container security / Automated DevSecOps. Use this link to get free trail  Sign In | Aqua (   How to start with AquaSec? Once login into the portal click the nine dots in the left-side top > Aqua Hub  Then click the "Integrations" The Integration page has a lot of options to connect your container Platform Choosing your platform provides the required key to integrate. (follow the OEM documents ) The

What is IP Obfuscation ? How it's working ? how to use Cuteit tool ?

  What is IP  Obfuscation?     Which is a method to hide or convert a doted format IP address  (e.g.   into an Integer or Hexadecimal value or Octal form by using some mathematical formula. It’s a kind of method to spoof the human eyes and web security services. dot format to Decimal Conversion 👉  [] to translate (172 x256 3 )+(67×256 2 )+(129×256 1 )+(3×256 0 ) =  2890105091 Now you can use  https://2890105091  to access This is one of the ways to do IP  Obfuscation.  The tool  ‘ Cuteit ‘ is  A simple python tool to help you to social engineer, bypass whitelisting firewalls, potentially break regex rules for command-line logging looking for IP addresses and obfuscate cleartext strings to C2 locations within the payload. HOW TO USE CUTEIT ? Download & Install Cuteit from the below link git :   git clone Direct link: usage: Cu