Last updated at Wed, 30 Jan 2019 14:00:00 GMT
Speed and accuracy are two words on every security team’s mind in 2019. How can you work more efficiently with the resources you already have? It may seem like an impossible scenario, but thanks to advancements in security orchestration and automation (SOAR) technology, it is possible.
If you have funds available in your 2019 security budget and want to see if SOAR can deliver immediate value (or if you proactively built a SOAR solution into your budget), then the webcast recording below, led by Rapid7 Senior Vice President of Product Delivery Rick Perkett and Senior Director of Orchestration and Automation Jen Andre, will be a great resource for understanding what SOAR can do and how you can show its value.
Short on time? Grab the on-demand webcast to watch later and check out the highlights below:
We’re all in this together
As a security professional, you’ve felt the pain of too much work, not enough time, operational silos, and unintegrated tools and systems. Even if you have a large and well-funded team, manual and repetitive tasks can often bog down operations. And even if you do have some integrations set up, they’re often point-to-point and not full integrations.
In an ideal world, security orchestration and automation tools would not only help you eliminate mundane, low-level tasks, but would also help unite infosec through a practice we at Rapid7 like to call SecOps. With this, teams would actually have time to focus on strategic and value-add tasks. Not making it any simpler is the security talent gap. A recent report by Frost & Sullivan estimated a shortage of 1.8 million security personnel by 2022. With security unemployment rates close to zero, hiring more isn’t an option.
However, even if you have the budget and talent pool, the solution isn’t to throw more people at the problem, since that would just mean more people working on mundane, repetitive tasks.
Finding a better solution with security automation and orchestration
The solution to these pain points lies in orchestrating and automating tasks and workflows so teams can elevate their focus and leverage their expertise in more useful ways.
Security orchestration is about connecting the tools you use in your security and IT environment to perform a set of tasks. Security automation is then about making tasks like log searching, IP domain lookups, malware containment, and creating tickets happen automatically with limited human intervention.
How to get started with security orchestration and automation
If you’re just getting started with SOAR, we have a three-step process you can follow:
Step 1: Define your pain points
- Does your security team get too many alerts to handle effectively and efficiently?
- Is your team suffering from burnout?
- Do you have trouble hiring and/or retaining security talent?
- Does your team spend an inordinate amount of time gathering and analyzing data?
- Is your mean time to respond to a threat getting worse?
Step 2: Define your common use cases
Knowing your top use cases can help you prioritize the ones that will bring the most value to your team. Common use cases include email phishing investigations, malware containment, threat hunting, automation-assisted patching, security alert data enrichment, provisioning and deprovisioning users, privilege escalation investigations, and much more.
Step 3: Understand your people, processes, and tools
Knowing the key players on your security, IT, and development teams who understand the current processes and problems is key. Find out which tasks consume much of their day that could be automated. Next, get everyone in the same room and create a list of common, repetitive, and time-consuming tasks. This will be the basis of your SOAR program. Last, list out the critical tools you use for monitoring, investigating, assessing, ticketing, etc. that you can hook into your workflows and automate. Understand which ones have a robust API, as those will be the ones best suited for SOAR.
How to choose a SOAR solution with immediate ROI
Most orchestration and automation solutions can take days, weeks, or even months to configure and begin getting value. Here’s how to find a solution that will deliver immediate value:
Little to no coding required
This is key to getting value fast. Look for a solution with pre-built plugins and workflows so that all you need to do is authenticate the tools you want to use and hook them into the workflows. With no code to write, that also means no code to maintain.
Easy integration with your technology stack
A good SOAR system will have many out-of-the-box, point-and-click connections so that you can quickly set it up and get it running.
The solution should be extensible beyond what comes out of the box. Being able to create custom integrations if needed is key.
Even if you can set up one or two critical workflows right away that will save your analysts an hour a day, this will be a value-add. Over time, you can build on that.
Human decision points
There are often points in a workflow where a human needs to make a decision, so the SOAR solution should allow a workflow to pause and reach out to a team member, letting them make a decision before the automation can continue.
Flexibility and control
Your SOAR solution should work for your use cases, not the other way around. Look for the pre-built workflows you need, but also the option to custom code and build to meet your team’s requirements.
To keep costs within budget, you need to know what the upfront cost will be, plus any ongoing costs. Clarify that with your vendor before moving forward.
Pace of innovation
Look into how quickly the vendor keeps pace with innovations in automation and the overall security and IT landscape. This is important in ensuring the solution will have long-term viability for your team.
A SOAR solution build for small SOCs
Automation and orchestration have traditionally only been an option for teams with massive budgets. But that’s not who we designed InsightConnect, Rapid7’s security orchestration and automation solution, for. No matter your team size or developer resources, you can leverage the full benefits of InsightConnect. Even more, you can get up and running with no code required.
To us, SOAR is about making humans more efficient, not obsolete. Watch the full webcast recording for a demo of InsightConnect.