Network Security

Five Strategies for Extending Automation and Orchestration Beyond the SOC

Automation and Orchestration Are More Than Just the Latest Security Buzzwords

Until recently, the benefits of automation and orchestration were largely limited to the Security Operations Center (SOC), but today those capabilities extend far beyond it. Security orchestration, automation and response (SOAR) technology now makes it possible for maturing cybersecurity programs to find effective workarounds to the ever-present cybersecurity skills and resource shortage.

These organizations leverage automation and orchestration for critical security operations tasks, such as gathering threat intelligence, executing response playbooks, and triggering actions across multiple security solutions as part of an incident response process. The technology also supports the streamlining and automating of important investigation and case management functions that historically have taken a lot of time and manual effort – all actions that take place outside of the SOC.

In this article, I’ve outlined five areas in which SOAR platforms are successfully helping to replace manual techniques with streamlined or even fully automated processes.

Scheduled Reporting

Reporting is one of the many tasks that take skilled security personnel away from what they do best. SOAR platforms can reduce the time that is commonly wasted on manually gathering and entering data into forms by streamlining and automating reporting.

Reports can include SOC metrics, such as:

– Time from detection to containment to eradication

– Percentage of incidents escalated to Tier-2 analysts

– Number of false positives trending

As well as threat metrics, such as:

– Most common or emerging exploits

– Top attackers by source

– Most frequently attacked destinations

For the greatest possible benefit, reports should not only be generated automatically, but shared with necessary parties automatically. Some SOAR platforms can distribute reports to predetermined stakeholders as part of a weekly report, or based on a threshold, such as when the percentage of recurring incidents is deemed too high.

Good metrics tell a story, and they are best received when that story is about something the stakeholders care about and adds value. Many SMB cybersecurity programs are built without proper planning for how progress will be communicated to stakeholders. Value-adding key metrics such as mean time to detect (MTTD) and mean time to respond (MTTR) speak directly to security operations process efficiency and facilitate cybersecurity program maturity.
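The metrics listed above (time from detection to containment to eradication, percentage of incidents escalated to Tier-2, false-positive counts, and a recurring-incident threshold that triggers distribution) can be computed directly from incident records. The following is an added example written for this article, not code from any SOAR product; the incident records, field names and the definition of MTTR as detection-to-eradication are constructed assumptions.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident records for the example (not real data).
# Timestamps are ISO-8601 UTC; "recurring" marks a repeat of an earlier incident type.
INCIDENTS = [
    {"id": "INC-1", "detected": "2023-03-01T08:00:00", "contained": "2023-03-01T09:30:00",
     "eradicated": "2023-03-02T10:00:00", "escalated_tier2": True, "false_positive": False, "recurring": False},
    {"id": "INC-2", "detected": "2023-03-03T12:00:00", "contained": "2023-03-03T13:00:00",
     "eradicated": "2023-03-03T15:00:00", "escalated_tier2": False, "false_positive": False, "recurring": True},
    {"id": "INC-3", "detected": "2023-03-04T09:00:00", "contained": "2023-03-04T09:00:00",
     "eradicated": "2023-03-04T09:00:00", "escalated_tier2": False, "false_positive": True, "recurring": False},
    {"id": "INC-4", "detected": "2023-03-05T00:00:00", "contained": "2023-03-05T02:30:00",
     "eradicated": "2023-03-05T08:30:00", "escalated_tier2": True, "false_positive": False, "recurring": True},
]


def _hours_between(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def soc_metrics(incidents: list[dict]) -> dict:
    """Compute the SOC metrics named in the article from a list of incident records.

    Time-based and recurrence metrics use confirmed incidents only, because a
    false positive has no meaningful containment or eradication phase.
    Escalation and false-positive percentages use every record that reached the queue.
    """
    confirmed = [i for i in incidents if not i["false_positive"]]
    total = len(incidents)
    return {
        "mean_detect_to_contain_h": mean(_hours_between(i["detected"], i["contained"]) for i in confirmed),
        "mean_contain_to_eradicate_h": mean(_hours_between(i["contained"], i["eradicated"]) for i in confirmed),
        # Assumed definition for this example: MTTR = detection to eradication.
        "mttr_h": mean(_hours_between(i["detected"], i["eradicated"]) for i in confirmed),
        "pct_escalated_tier2": 100.0 * sum(i["escalated_tier2"] for i in incidents) / total,
        "false_positive_count": sum(i["false_positive"] for i in incidents),
        "pct_false_positive": 100.0 * sum(i["false_positive"] for i in incidents) / total,
        "pct_recurring": 100.0 * sum(i["recurring"] for i in confirmed) / len(confirmed),
    }


def distribution_triggers(metrics: dict, recurring_threshold_pct: float = 25.0) -> list[str]:
    """Return the reasons a report should be pushed to stakeholders now.

    The weekly schedule is assumed to be handled by the platform scheduler;
    this implements only the threshold-based trigger described in the article.
    """
    reasons = []
    if metrics["pct_recurring"] >= recurring_threshold_pct:
        reasons.append(f"recurring incidents at {metrics['pct_recurring']:.1f}% "
                       f"(threshold {recurring_threshold_pct}%)")
    return reasons


if __name__ == "__main__":
    m = soc_metrics(INCIDENTS)
    for key, value in m.items():
        print(f"{key:30} {value:.2f}" if isinstance(value, float) else f"{key:30} {value}")
    print("distribute now:", distribution_triggers(m) or "no threshold crossed")
```

Separating confirmed incidents from false positives before computing time-based metrics matters: counting zero-duration false positives would drag the averages down and make the SOC look faster than it is.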

Rule-Based Notifications

Reporting isn’t the only information that can be automatically distributed. SOAR technology can generate notifications triggered by predetermined conditions within a specific case. For example, if a senior employee who has access to sensitive data becomes the subject of an investigation, a notification will be automatically sent to authorized personnel. By automating this investigative policy, an organization reduces human error (e.g. forgetting to carry out the policy) and investigation time, while demonstrating its commitment to credible, well managed investigations. 

Organizations using SOAR technology can provide added value with internal and external cyber security threat intelligence feeds. By integrating threat intel, SOC analysts are able to generate rules or signatures and create rule-based notifications based on that intelligence.

Rule-based notifications can also be leveraged to protect “crown jewels”, meaning assets that have been determined through risk assessments to be critical to the organization. For example, the presence of any crown jewel in an incident can be set as a trigger for automatic notifications to senior security personnel to ensure the incident gets appropriate attention.
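The three notification triggers described in this section (a sensitive-data user becoming the subject of an investigation, a threat-intel indicator appearing in a case, and a crown-jewel asset being involved) fit a small rule evaluator that runs each time a case is updated. This is an added illustration, not code from any SOAR platform; the user list, crown-jewel list, indicator set and recipient groups are constructed placeholders standing in for HR/IAM data, the risk register and threat-intel feeds.

```python
from dataclasses import dataclass, field


@dataclass
class Case:
    case_id: str
    subjects: list[str] = field(default_factory=list)    # user accounts under investigation
    assets: list[str] = field(default_factory=list)      # hosts or applications involved
    indicators: list[str] = field(default_factory=list)  # IPs, domains, hashes observed


# Constructed reference data for the example; real deployments would pull these
# from the IAM system, the asset/risk register and threat-intel feeds.
SENSITIVE_ACCESS_USERS = {"cfo.jane", "dba.admin"}
CROWN_JEWELS = {"erp-db-01", "payroll-app"}
THREAT_INTEL_IOCS = {"203.0.113.45", "c2.invalid"}  # documentation-range IP, reserved TLD


def rule_sensitive_subject(case: Case):
    """Notify HR/legal and the CISO when a sensitive-data user is under investigation."""
    hits = sorted(set(case.subjects) & SENSITIVE_ACCESS_USERS)
    if not hits:
        return None
    return {"rule": "sensitive-data-subject", "notify": ["hr-legal", "ciso"], "matched": hits}


def rule_crown_jewel(case: Case):
    """Escalate to senior security staff when a crown-jewel asset appears in a case."""
    hits = sorted(set(case.assets) & CROWN_JEWELS)
    if not hits:
        return None
    return {"rule": "crown-jewel-involved", "notify": ["security-leads"], "matched": hits}


def rule_threat_intel(case: Case):
    """Flag cases containing an indicator known from threat-intel feeds."""
    hits = sorted(set(case.indicators) & THREAT_INTEL_IOCS)
    if not hits:
        return None
    return {"rule": "threat-intel-match", "notify": ["soc-tier2"], "matched": hits}


RULES = [rule_sensitive_subject, rule_crown_jewel, rule_threat_intel]


def evaluate_case(case: Case) -> list[dict]:
    """Run every rule against the case and return the notifications to send."""
    notifications = []
    for rule in RULES:
        result = rule(case)
        if result:
            result["case_id"] = case.case_id
            notifications.append(result)
    return notifications


if __name__ == "__main__":
    demo = Case("CASE-42", subjects=["bob", "cfo.jane"], assets=["erp-db-01"], indicators=["198.51.100.9"])
    for n in evaluate_case(demo):
        print(f"{n['case_id']}: {n['rule']} -> notify {n['notify']} ({n['matched']})")
```

Keeping each rule as a plain function with a fixed return shape makes it easy to add a rule from a new intel feed without touching the dispatcher, and the `matched` field gives recipients the evidence that fired the rule rather than a bare alert.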

Automated Link Analysis

Link analysis is another important part of an investigation. By connecting entities within a case, investigators can uncover linked incidents, evidence, and other commonalities that can help expand the scope of a case while establishing and confirming relationships. 

One of the most effective uses of link analysis is an advanced form of remediation. The incident handling team reviews linked incidents and evidence, identifies common patterns, and works on mitigation at a strategic level. These changes may be massive shifts in technology or even complete re-architecture. 

In the past, this type of examination required investigators to manually enter evidence or entities into the link analysis tool, taking up a lot of time. Today, link analysis can be done on the fly through the proper orchestration and automation tools. When an incident responder or investigator is processing a case, their SOAR platform can create links between entities in the background, so that the relationships can be viewed immediately. Integration with relevant platforms, like an Active Directory, can contribute to this process by automatically enriching the entities with additional data.
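The background linking described above amounts to indexing every entity extracted from every case and then following shared entities between cases. The following is an added example written for this article, not the internals of any SOAR product; the case contents, the directory records used for enrichment, and the hash value are constructed.

```python
from collections import defaultdict, deque

# Constructed entities extracted from four cases. "type:value" keys keep entity
# kinds distinct so a username never collides with a hostname of the same text.
CASES = {
    "CASE-100": {"user:alice", "ip:203.0.113.45", "host:ws-12"},
    "CASE-101": {"user:bob", "ip:203.0.113.45", "host:ws-30"},
    "CASE-102": {"user:carol", "host:ws-30", "hash:0ddba11-placeholder"},
    "CASE-103": {"user:dave", "host:srv-9"},
}

# Constructed stand-in for a directory lookup (e.g. Active Directory attributes).
DIRECTORY = {
    "user:alice": {"department": "Finance", "title": "Analyst"},
    "user:bob": {"department": "IT", "title": "Helpdesk"},
    "host:ws-30": {"owner": "bob", "site": "HQ"},
}


def build_entity_index(cases: dict) -> dict:
    """Map each entity to the set of cases it appears in."""
    index = defaultdict(set)
    for case_id, entities in cases.items():
        for entity in entities:
            index[entity].add(case_id)
    return index


def linked_cases(case_id: str, cases: dict, index: dict) -> dict:
    """Other cases that share at least one entity with case_id, with the shared entities."""
    links = defaultdict(set)
    for entity in cases[case_id]:
        for other in index[entity]:
            if other != case_id:
                links[other].add(entity)
    return dict(links)


def case_clusters(cases: dict) -> list[list[str]]:
    """Connected components over the 'shares an entity' relation (breadth-first search)."""
    index = build_entity_index(cases)
    seen, clusters = set(), []
    for start in sorted(cases):
        if start in seen:
            continue
        component, queue = [], deque([start])
        seen.add(start)
        while queue:
            current = queue.popleft()
            component.append(current)
            for other in linked_cases(current, cases, index):
                if other not in seen:
                    seen.add(other)
                    queue.append(other)
        clusters.append(sorted(component))
    return clusters


def enrich(entities, directory: dict) -> dict:
    """Attach directory attributes to each entity; unknown entities get an empty record."""
    return {entity: directory.get(entity, {}) for entity in entities}


if __name__ == "__main__":
    index = build_entity_index(CASES)
    for case_id in sorted(CASES):
        print(case_id, "linked to", linked_cases(case_id, CASES, index))
    print("clusters:", case_clusters(CASES))
    print("enriched CASE-101:", enrich(CASES["CASE-101"], DIRECTORY))
```

Note that CASE-100 and CASE-102 share no entity directly but land in the same cluster through CASE-101: this transitive linking is what lets the incident handling team spot a pattern spanning several cases and reason about it at a strategic level.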

Automated Task & SLA Generation

When an incident hits, it’s not realistic to expect an analyst to manually create all of the downstream tasks that might be needed. That’s why SOAR platforms are increasingly touting automated task generation, task assignment, and SLA-based alert capabilities. These features help codify repeatable processes, so that teams aren’t left scrambling to develop a plan when an incident strikes.

For example, when a malware playbook is triggered, it will automatically generate and assign tasks with SLA deadlines to all the implicated groups, such as the forensics team. Alerts can be automatically triggered whenever the SLA deadlines are in danger of being missed.
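The malware playbook scenario just described, with tasks generated and assigned per group, SLA deadlines attached, and alerts raised before a deadline is missed, is shown below as an added example written for this article rather than a playbook from any specific platform. The playbook steps, group names and SLA durations are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed playbook definition: each step names its owning group and SLA in hours.
MALWARE_PLAYBOOK = [
    {"name": "Isolate host", "group": "soc-tier1", "sla_hours": 1},
    {"name": "Acquire memory image", "group": "forensics", "sla_hours": 4},
    {"name": "Reset affected credentials", "group": "identity-ops", "sla_hours": 8},
    {"name": "Analyze sample", "group": "malware-lab", "sla_hours": 24},
]


def generate_tasks(playbook: list[dict], incident_id: str, triggered_at: datetime) -> list[dict]:
    """Create one assigned task per playbook step, with its SLA deadline computed from trigger time."""
    return [
        {
            "incident": incident_id,
            "task": step["name"],
            "assignee": step["group"],
            "created": triggered_at,
            "due": triggered_at + timedelta(hours=step["sla_hours"]),
            "status": "open",
        }
        for step in playbook
    ]


def sla_alerts(tasks: list[dict], now: datetime, warn_fraction: float = 0.8) -> list[tuple[str, str]]:
    """Return (task, state) pairs for open tasks that have breached their SLA or are at risk.

    A task is AT_RISK once warn_fraction of its SLA window has elapsed, so the
    alert fires while there is still time to act rather than after the miss.
    """
    alerts = []
    for task in tasks:
        if task["status"] != "open":
            continue
        window = (task["due"] - task["created"]).total_seconds()
        elapsed = (now - task["created"]).total_seconds()
        if elapsed >= window:
            alerts.append((task["task"], "BREACHED"))
        elif elapsed >= warn_fraction * window:
            alerts.append((task["task"], "AT_RISK"))
    return alerts


if __name__ == "__main__":
    t0 = datetime(2023, 3, 1, 10, 0)
    tasks = generate_tasks(MALWARE_PLAYBOOK, "INC-42", t0)
    for task in tasks:
        print(f"{task['task']:28} -> {task['assignee']:13} due {task['due']:%H:%M}")
    print("at +55 min:", sla_alerts(tasks, t0 + timedelta(minutes=55)))
    print("at +90 min:", sla_alerts(tasks, t0 + timedelta(minutes=90)))
```

Running `sla_alerts` on a schedule (every few minutes) gives the early-warning behaviour described in the text; a closed task is skipped, so clearing the alert requires the assignee to update the task rather than the alert simply ageing out.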

Audit Trail

As I mentioned earlier, the automation and orchestration of security actions are intended to help solve the cybersecurity skills and resource shortage, but they don’t necessarily help with compliance documentation. That’s why the most comprehensive SOAR platforms are designed to support journaling and evidence management by documenting every action in an audit trail, including those that are automated.

Virtually all compliance regulations are based upon documentation, so without a strong audit trail, one cannot prove compliance. By tracking every incident, action and outcome, organizations can ensure a foundation of data that can be used to meet their compliance requirements, be they PCI DSS, HIPAA, NERC/FERC, 23 NYCRR 500, or any other.

Robust SOAR platforms can record information about actions taken, including details of the action, the assigned resource, and the time it occurred. Journaling is pivotal in complex incidents where the incident takes place over an extended period and records of the activity become a reliable source of corporate information.

Automation and orchestration are more than just the latest security buzzwords. Their value is being recognized as essential capabilities in the SOC, and as you can see, this is only just the beginning. The principles of automation and orchestration are necessary to counter the skills and resource gap, and their impact is amplified when applied across the broader picture of cybersecurity, compliance, risk and case management. 
