SOAR Functional Components (Part 2)

Incident Management and Collaboration

Incident Management and Collaboration is another essential practice of Security Orchestration, Automation and Response (SOAR) platforms, whereby security teams manage security incidents, collaborate, and share information in order to deal with an incident efficiently and effectively. A good incident management and collaboration plan answers the following questions:

  • How can the effort required for incident management and collaboration be reduced while still getting the problems solved?
  • How can incident management and collaboration be performed cost-effectively?
  • What are the best strategies for incident management and collaboration?
  • Has a fully trained security team been formed, supported, and committed to working on incident management and collaboration enhancements?
  • How can incident management and collaboration be performed efficiently with the limited resources at hand?

The SOAR security team addresses all of the above questions using the SOAR platform's Incident Management and Collaboration component.

Alert Processing and Triage: In this scenario the SOAR solution gleans data from the SIEM system for analysis. When an incident is found during data analysis, analysts investigate it further and resolve it immediately, before it becomes a real nightmare.

In addition, alert triage validates and prioritizes incoming alerts in order to eliminate false positives. Doing so also removes unwanted, distracting noise.
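The triage step described above, as an added example that is not from the original post or from any particular SOAR product: it deduplicates alerts that share a fingerprint, suppresses rule/source pairs that have been tuned out as known false positives, and orders the rest by a score built from severity, asset criticality, and detection confidence. The alert records, the asset criticality table, and the known-benign list are all constructed here for illustration.

```python
from typing import Dict, List, Tuple

# Constructed sample alerts, shaped like normalized SIEM events (not real data).
ALERTS: List[Dict] = [
    {"id": "a1", "rule": "brute_force_login", "severity": "high", "host": "db-prod-01", "src": "10.0.0.5", "confidence": 0.9},
    {"id": "a2", "rule": "brute_force_login", "severity": "high", "host": "db-prod-01", "src": "10.0.0.5", "confidence": 0.9},  # same event seen twice
    {"id": "a3", "rule": "port_scan", "severity": "medium", "host": "web-dev-03", "src": "10.0.9.9", "confidence": 0.6},
    {"id": "a4", "rule": "port_scan", "severity": "medium", "host": "web-dev-03", "src": "10.0.0.200", "confidence": 0.6},  # authorised scanner
    {"id": "a5", "rule": "malware_beacon", "severity": "critical", "host": "hr-laptop-17", "src": "10.0.3.3", "confidence": 0.8},
]

# Assumed enrichment context: how critical each asset is, and rule/source pairs
# that the SOC has already validated as benign (e.g. its own vulnerability scanner).
ASSET_CRITICALITY = {"db-prod-01": 3, "hr-laptop-17": 2, "web-dev-03": 1}
KNOWN_BENIGN = {("port_scan", "10.0.0.200")}
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def fingerprint(alert: Dict) -> Tuple[str, str, str]:
    """Fields that make two alerts 'the same thing' for de-duplication."""
    return (alert["rule"], alert["host"], alert["src"])


def score(alert: Dict) -> float:
    """Priority = severity x asset criticality x detection confidence."""
    weight = SEVERITY_WEIGHT[alert["severity"]] * ASSET_CRITICALITY.get(alert["host"], 1)
    return round(weight * alert["confidence"], 2)


def triage(alerts: List[Dict]) -> Tuple[List[Dict], List[Dict]]:
    """Return (prioritised work queue, suppressed alerts with the reason)."""
    seen: Dict[Tuple[str, str, str], Dict] = {}
    suppressed: List[Dict] = []
    for alert in alerts:
        if (alert["rule"], alert["src"]) in KNOWN_BENIGN:
            suppressed.append({**alert, "reason": "known_benign"})
            continue
        key = fingerprint(alert)
        if key in seen:  # duplicate: count it on the first occurrence instead of re-queuing
            seen[key]["count"] += 1
            suppressed.append({**alert, "reason": "duplicate_of_" + seen[key]["id"]})
            continue
        seen[key] = {**alert, "count": 1, "score": score(alert)}
    queue = sorted(seen.values(), key=lambda a: a["score"], reverse=True)
    return queue, suppressed


if __name__ == "__main__":
    work_queue, dropped = triage(ALERTS)
    for a in work_queue:
        print(f"{a['id']} score={a['score']} count={a['count']} {a['rule']} on {a['host']}")
    for a in dropped:
        print(f"suppressed {a['id']}: {a['reason']}")
```

Suppressed alerts are kept with their reason rather than discarded, so the tuning decisions remain visible in the case record.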

Journaling and Evidentiary Support: A security incident leaves artifacts on the exploited systems. SOAR tools provide an investigation timeline in which these artifacts are gathered and stored; they are invaluable for both current and future analysis. Using these artifacts, analysts are able to reconstruct the threat actors' activities.

Case Management Modules: SOAR platforms offer Case Management modules that support communication, collaboration, and task management within a SOC and even beyond it.

Threat Intelligence Management: Traditional security defenses are not enough to prevent more sophisticated attacks. Information about the threats you face is indispensable, but it is not sufficient on its own: you must also have the resources to understand and analyze this information and relate it to your enterprise and to the assets and processes you are trying to safeguard.

With the above in mind, the threat intelligence management system helps to perform the following tasks:

  • Processing threat information and turning it into intelligence on which security professionals can act.
  • Making security professionals' jobs easier and more efficient, and helping them interact more effectively with the other teams that implement security mechanisms.

Dashboard and Reporting

SOAR tools feature dashboards and reporting capabilities for numerous stakeholders, from SOC managers to analysts and the other security professionals who work with the SOAR platform day to day. This feature provides valuable security intelligence and helps analysts learn from previous reports. The following section takes a closer look at the critical components of Dashboard and Reporting:

SOC Manager Reports: These reports include the number of analysts and the number of incidents handled per analyst. They also include the mean time spent in particular stages of the incident response process, which helps to recognize bottlenecks.

Analyst-level Reporting: This covers the activities of each analyst, such as the types and number of incidents handled and the mean time to detect and respond per analyst.
