Imagine you’re out at sea, enjoying a peaceful sail, when all of a sudden, you notice water seeping into your ship. In this unexpected situation, you find yourself in need of extra hands and a fair share of buckets to bail out the intruding water. The reality is, though, you’re short on both. The question then becomes: How do you prevent your ship from meeting a watery demise? The answer lies in your preparedness for such an incident – this is precisely the moment when your incident response capability comes into play.
In the IT Cybersecurity industry, a familiar scenario often unfolds – the occurrence of what is commonly referred to as a “cyber attack”. Cyber attacks consist of four distinct phases, each encompassing its own unique timeline, from the initial incident to the eventual recovery.
Stage 1: In this initial phase, bad actors are actively seeking system vulnerabilities.
Stage 2: In this stage, the cyber attack has commenced and is in motion.
Stage 3: IT Administrators detect and confirm that a cyber attack has occurred. The time taken to reach this point is known as the Mean Time to Detect (MTTD). According to the “Cost of Data Breach” Report from the Ponemon Institute, the average MTTD stands at approximately 200 days.
Stage 4: The incident is contained and systems are fully restored. The time from detection to full restoration is the Mean Time to Recover (MTTR), which averages around 70 days.
Adding these together, around 270 days pass from the initial attack to the complete recovery of the system.
How to reduce your Mean Time to Detect (MTTD)
To reduce the Stage 3 time, i.e. MTTD, cyber security teams can use threat hunting. Threat hunting is a proactive measure to reduce the lag between the initial attack and the moment the attack is detected and the alarm raised. It plays a crucial role in identifying unusual transactions that may precede a cyber attack. When such detections occur, they are promptly relayed to seasoned SOC (Security Operations Centre) analysts for in-depth analysis, potentially aiding in preemptive measures to thwart the impending attack.
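The following is an added example of the kind of hunt described above, not code from the article: it scans constructed authentication log lines, builds each user's baseline of distinct hosts reached per day, and flags users whose fan-out on the review day is well above their own norm, the sort of lead that would be relayed to a SOC analyst. The log format, the thresholds and the user/host names are all assumptions.

```python
"""Threat-hunting pass over constructed authentication logs (added example, not the
article's code). Flags users whose fan-out to distinct hosts on the review day is far
above their own baseline; the log format and thresholds are assumptions."""
import re
from collections import defaultdict
from statistics import mean

# Constructed sample lines in a syslog-like shape; a real SIEM export would differ.
SAMPLE_LOGS = """\
2024-03-01T09:02:11Z auth: user=alice src=10.0.1.5 dst=fileserver01 result=success
2024-03-01T09:40:53Z auth: user=alice src=10.0.1.5 dst=mail01 result=success
2024-03-01T10:12:00Z auth: user=bob src=10.0.2.9 dst=fileserver01 result=success
2024-03-02T08:55:31Z auth: user=alice src=10.0.1.5 dst=fileserver01 result=success
2024-03-02T11:20:07Z auth: user=bob src=10.0.2.9 dst=fileserver01 result=success
2024-03-02T11:21:44Z auth: user=bob src=10.0.2.9 dst=mail01 result=success
2024-03-03T09:10:10Z auth: user=alice src=10.0.1.5 dst=mail01 result=success
2024-03-03T09:14:19Z auth: user=bob src=10.0.2.9 dst=fileserver01 result=success
2024-03-03T12:00:00Z kernel: unrelated message that the parser must skip
2024-03-04T02:13:02Z auth: user=bob src=10.0.2.9 dst=fileserver01 result=success
2024-03-04T02:13:40Z auth: user=bob src=10.0.2.9 dst=fileserver02 result=success
2024-03-04T02:14:05Z auth: user=bob src=10.0.2.9 dst=dbserver01 result=success
2024-03-04T02:14:51Z auth: user=bob src=10.0.2.9 dst=hrserver01 result=success
2024-03-04T02:15:30Z auth: user=bob src=10.0.2.9 dst=backup01 result=success
2024-03-04T09:30:00Z auth: user=alice src=10.0.1.5 dst=fileserver01 result=success
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ auth: user=(?P<user>\S+) src=\S+ "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$")

def parse_logs(text):
    """Return (day, user, dst) for every well-formed successful login; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("result") == "success":
            events.append((m.group("day"), m.group("user"), m.group("dst")))
    return events

def hosts_per_user_day(events):
    """Map (user, day) -> set of distinct destination hosts reached that day."""
    table = defaultdict(set)
    for day, user, dst in events:
        table[(user, day)].add(dst)
    return table

def hunt_host_fanout(text, review_day, min_hosts=3, min_ratio=2.0):
    """Return {user: (hosts_on_review_day, baseline_mean)} for users whose distinct-host
    count on review_day (ISO date string) is at least min_hosts and at least min_ratio
    times the mean of their earlier days. Users with no history get a baseline of 1."""
    table = hosts_per_user_day(parse_logs(text))
    baseline, today = defaultdict(list), {}
    for (user, day), hosts in table.items():
        if day < review_day:            # ISO dates compare correctly as strings
            baseline[user].append(len(hosts))
        elif day == review_day:
            today[user] = len(hosts)
    leads = {}
    for user, count in today.items():
        base = mean(baseline[user]) if baseline[user] else 1.0
        if count >= min_hosts and count >= min_ratio * base:
            leads[user] = (count, base)
    return leads

if __name__ == "__main__":
    for user, (count, base) in hunt_host_fanout(SAMPLE_LOGS, "2024-03-04").items():
        print(f"hunt lead for SOC review: {user} reached {count} hosts (baseline {base:.2f})")
```

The per-user baseline is the point of the exercise: a fixed global threshold would either miss a user who normally touches one host and suddenly touches five, or drown the analyst in leads from users whose job involves many hosts.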
How to reduce your Mean Time to Restore (MTTR)
To reduce MTTR, cyber security analysts can use a technology known as SOAR.
SOAR stands for “Security Orchestration, Automation, and Response”.
Here, we encounter a pertinent question: Why do we opt for orchestration instead of full automation?
We can automate familiar processes, but when it comes to unforeseen “black swan” incidents, ones we’ve never encountered before or that lack historical precedent, that’s where Security Orchestration comes into play.
Orchestration finds its place in the middle ground, bridging the gap between full manual work and complete automation. It involves human guidance, making it a semi-automatic process. On the other hand, SOAR (Security Orchestration, Automation, and Response) strives to minimise human intervention and move as close to full automation as feasible.
Imagine a scenario where a database experiences a breach, triggering an alert that is sent to a Security Information and Event Management (SIEM) system. The SIEM system then forwards the alert in real time to an Extended Detection and Response (XDR) system, which in turn communicates with a Security Orchestration, Automation, and Response (SOAR) platform to initiate a case.
The case serves as a central repository for managing the incident from start to finish, allowing for the comprehensive tracking of every activity and progress made. The SOAR platform captures relevant artefacts and information pertaining to the attack, including the attachment of indicators of compromise (IOCs) to the case.
Subsequently, the case is assigned to a Security Operations Centre (SOC) analyst who assumes the responsibility of following through and taking further actions. Upon conducting an initial analysis, the analyst leverages predefined playbooks, which are scripts or code designed to automate specific actions based on the requirements of the situation.
An efficient SOAR platform enables the creation of playbooks through a user-friendly graphical interface, allowing analysts to design workflows using drag-and-drop functionality. This streamlined approach empowers analysts to take prompt action, similar to having a fire extinguisher readily available before a fire spreads throughout a house. The predefined procedures within the SOAR system equip analysts with advanced knowledge of the actions to be taken.
Moreover, the SOAR system may feature real-time dashboards that provide up-to-date information. These dashboards can present various metrics, such as the number of transactions, open cases, time taken to resolve cases, and the workload distribution among analysts.
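As an added example (not code from the article or from any SOAR product), the flow described in the preceding paragraphs can be modelled in a few dozen lines: an alert forwarded by the SIEM/XDR opens a case, indicators of compromise are parsed from the alert and attached to it, a playbook runs its automated steps immediately while an orchestrated step (host isolation) waits for the analyst's approval, and the dashboard metrics (open cases, mean time to resolve, workload per analyst) are computed from the case records. The class names, step names, alert format and sample values are all assumptions.

```python
"""Minimal model of the SIEM -> XDR -> SOAR case flow described above (added example;
class names, step names and the alert format are assumptions, not any product's API)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")

def extract_iocs(alert):
    """Collect IP addresses and SHA-256 hashes from every string field of the alert."""
    iocs = set()
    for value in alert.values():
        if isinstance(value, str):
            iocs.update(IP_RE.findall(value))
            iocs.update(h.lower() for h in SHA256_RE.findall(value))
    return sorted(iocs)

@dataclass
class Case:
    case_id: int
    title: str
    detected_at: datetime
    iocs: list
    assignee: str
    closed_at: datetime = None                   # None while the case is open
    log: list = field(default_factory=list)      # every action, for end-to-end tracking
    pending: list = field(default_factory=list)  # orchestrated steps awaiting approval

class Playbook:
    """steps: {name: (action, needs_approval)} with action a callable(case) -> str;
    needs_approval=True marks an orchestrated step that keeps the analyst in the loop."""
    def __init__(self, steps):
        self.steps = steps
    def run(self, case):
        """Automated steps run at once; orchestrated steps are parked as pending."""
        for name, (action, needs_approval) in self.steps.items():
            if needs_approval:
                case.pending.append(name)
                case.log.append(f"{name}: pending analyst approval")
            else:
                case.log.append(f"{name}: {action(case)}")
    def approve(self, case, name):
        """Analyst approval releases one pending orchestrated step."""
        if name not in case.pending:
            raise ValueError(f"{name} is not awaiting approval")
        case.pending.remove(name)
        case.log.append(f"{name}: {self.steps[name][0](case)}")

KNOWN_BAD = {"203.0.113.7"}   # constructed threat-intel list (a TEST-NET-3 address)

def enrich_iocs(case):       # constructed action: no real lookup is performed
    hits = [i for i in case.iocs if i in KNOWN_BAD]
    return f"{len(hits)} IOC(s) matched threat intel: {hits}"

def isolate_host(case):      # constructed action: nothing touches a real host
    return "host isolation requested"

DB_BREACH_PLAYBOOK = Playbook({"enrich_iocs": (enrich_iocs, False),
                               "isolate_host": (isolate_host, True)})
class SoarPlatform:
    def __init__(self):
        self.cases = []
    def open_case_from_alert(self, alert, assignee):
        case = Case(len(self.cases) + 1, alert["title"],
                    datetime.fromisoformat(alert["detected_at"]), extract_iocs(alert), assignee)
        case.log.append(f"case opened from {alert['source']} alert, assigned to {assignee}")
        self.cases.append(case)
        return case
    def close_case(self, case, closed_at):
        case.closed_at = closed_at
        case.log.append("case closed")
    def dashboard(self):
        """Open cases, mean hours to resolve closed cases, open-case workload per analyst."""
        closed = [c for c in self.cases if c.closed_at is not None]
        hours = [(c.closed_at - c.detected_at).total_seconds() / 3600 for c in closed]
        return {"open_cases": len(self.cases) - len(closed),
                "mean_time_to_resolve_hours": mean(hours) if hours else None,
                "workload": dict(Counter(c.assignee for c in self.cases if c.closed_at is None))}

# Constructed alert in the shape a SIEM/XDR might forward (format is an assumption).
SAMPLE_ALERT = {
    "source": "xdr",
    "title": "Suspicious bulk read on customer database",
    "detected_at": "2024-03-04T02:20:00",
    "details": "db host 10.0.5.20 contacted 203.0.113.7; dropped file "
               "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

def demo():
    soar = SoarPlatform()
    case = soar.open_case_from_alert(SAMPLE_ALERT, "analyst-1")
    DB_BREACH_PLAYBOOK.run(case)                       # enrichment runs, isolation waits
    DB_BREACH_PLAYBOOK.approve(case, "isolate_host")   # analyst decision releases the step
    soar.close_case(case, case.detected_at + timedelta(hours=6))
    soar.open_case_from_alert({**SAMPLE_ALERT, "title": "Second alert"}, "analyst-2")
    return case, soar.dashboard()
```

The split between `run` and `approve` is the orchestration-versus-automation distinction from earlier in the article: enrichment is safe to run unattended, whereas isolating a database host is a consequential action that a real platform would gate behind an analyst decision, and the case log records both the wait and the release so the timeline can be audited afterwards.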
Conclusion
In the security and risk management realm, SOAR technology has emerged as a crucial tool for cyber security analysts. It’s ushering in a new age of risk and security management strategy for businesses by streamlining threat detection and response.
With the right cyber security training, analysts can harness the power of SOAR to stay ahead of evolving threats. This synergy between human expertise and automated assistance is shaping the future of risk and security management. SOAR stands as a practical solution bridging the gap between cyber threats and effective defence.
Skillfield is a leading cyber security company, specialising in providing a comprehensive range of cyber security services and solutions. Our expert team of cyber security engineers can assist and advise you in developing and deploying your SOAR solution.
FAQ
How is SOAR different from SIEM?
SOAR focuses on automating incident response and security processes, while SIEM primarily collects and analyses security data for monitoring and detection.
What is a threat actor in cyber security?
A threat actor in cybersecurity refers to an individual, group, or entity that seeks to compromise or exploit computer systems, networks, or data for malicious purposes such as hacking, stealing information, or causing damage.
What is a CISO as a Service (CISOaaS)?
A CISO as a Service is a cybersecurity model where organisations hire a virtual or external CISO temporarily or part-time to oversee their information security strategy and operations, providing expertise and guidance without a full-time employment commitment.
About Skillfield:
Skillfield is a Melbourne-based Cyber Security and Data Services consultancy and professional services company. We provide solutions that help our customers discover, protect and optimise big data in a way that works for them.