#Absolutely… quite a lot.#
Whilst I’m not new to SOC/API/Coding/Integrations, I am slightly new to the concept of SOAR.
So in my first few weeks and months what what potential VALUE have I identified? (I will talk about specific detailed use cases in future posts, today I’m just looking at high level concepts).
In no specific order:
- Reduce alert volume – automation closing trivial tasks
- Reduce alert overhead – automated manual labour of more complex tasks
- Quicker to act – With fewer alerts in the first place, and with the remaining alerts having the donkey work done analysts can get to the meat of an incident quicker.
- Standardise your workflow – same work process fires every time, no deviation by junior/tired analysts
- Standardise approvals – An incident can mandate direct formal involvement and sign off from HR, business owners etc (non repudiation)
- Standardise your playbook – use a playbook that maps to a framework (e.g. NIST)
- Coach new tier 1 analysts – An interactive log of all tickets, and a playbook helping hand for them to get up to speed.
- Automation of boring/simple/repetitive – reduce eye and brain strain by removing the tasks that you have to do every day
- Revitalise legacy/simple tools – Things you can’t afford to replace (mission critical, expenseive..), and hook them into your modern security stack using SOAR
- Aid Incident Response – Have your IR team review your playbooks so that the right information is collected for post breach analysis.
- Reduce risk – Some remote selling services have moved to DTFM Payments to remove risk and scope of internal abuse. I see SOAR having a similar benifit to SOCs.
I have no doubt I will revise and restructure this list as time goes on, and add specific real world use cases.
Andy