The Claroty Blog

Can Your SOC 'SOAR'?

By Katherine Brocklehurst

3 Values Customers Gain from Simplifying and Automating Security in the SOC

 

CORPORATE IT RESPONSIBILITY FOR ICS/OT NETWORKS

Executive leadership teams and corporate boards within industrial and critical infrastructure organizations are becoming more aware of operational technology (OT) network cyber risks and their impact on safety, products, and profits. As a result, the C-suite is increasingly turning to CIOs or CISOs to take full responsibility for OT networks and for the security of plants and production. Unfortunately for corporate IT, this new executive imperative comes laden with complexity and threat impacts, but not always with added budget and personnel.

 

WHAT IS SOAR AND HOW DOES IT HELP?

Security orchestration, automation and response (SOAR) is the term for a blend of technologies that take in alerts, most often from security information and event management (SIEM) systems, and apply workflows aligned to the organization's incident response processes and procedures.

SOAR has evolved in recent years from the convergence of security incident response platforms (SIRPs), threat intelligence platforms (TIPs), and security orchestration and automation (SOA) tools. Through integrations with other security technologies, these capabilities can be orchestrated and automated to speed up outcomes and provide greater visibility.


“Speed is of the essence in today’s threat landscape, and organizations that can react quickly in a consistent manner will be best equipped to reduce their time to detect and respond to threats.”

- Gartner, Market Guide for Security Orchestration, Automation and Response Solutions, 27 June 2019

Figure 1. From Gartner, Market Guide for Security Orchestration, Automation and Response Solutions, 27 June 2019.

Gartner says[1] SOAR adoption is growing because buyers are more aware that these solutions exist, and because security operations teams remain under pressure to cover the whole organization with limited staff, a high alert volume spread across disparate security tools, and manual research and labor by analysts that delay response.


[1] Gartner, Market Guide for Security Orchestration, Automation and Response Solutions, 27 June 2019

 

THE GOOD NEWS

SOAR capabilities in FireEye Helix bring together threat intelligence and orchestration to automate the detection, triage, response and remediation of threats. This improves staff efficiency by automating repeatable human tasks and shortening response times.

The FireEye Managed Defense Services for OT team needed a way to extend these automation capabilities to industrial and critical infrastructure OT-IoT environments. Claroty is the market leader in this space, and the FireEye team worked with us to create a Claroty plug-in for Helix that delivers rapid, efficient response. The Claroty plug-in is now available to joint customers.

 

“One of the largest challenges in a security operations center is simply keeping up with the volume of incoming alerts and executing prompt response protocols. With our customers now taking responsibility for securing both IT and OT environments, the challenge has grown exponentially. Integrating the rich, contextual OT data from the Claroty platform into FireEye Helix makes this challenge much easier to manage and automate, increasing the ROI of both technologies.” 

- Phani Modali, Vice President, Engineering at FireEye

 

3 CUSTOMER VALUES

“An evolution is underway in cybersecurity to shift some of the cognitive load [and ultimate decision-making] from human security experts to machines. When is a machine an appropriate solution, and when do you really need a human expert?”
- FireEye, Security Orchestration: Best Practices for Any Organization Whitepaper


1 – Collaborate and Reduce Incident Response Time with Automation

Joint customers using FireEye Helix and the Claroty plug-in can automate incident response with built-in playbooks that standardize the investigation and response process, reducing errors and improving analysts’ efficiency. Analysts can design and implement custom playbooks or use pre-built plays derived from real incident response engagements. Collecting investigation artifacts in one place lets analysts collaborate and shrink the time from detection to resolution, while FireEye Helix and Claroty reduce demands on already stretched SOC teams by keeping the process consistent.

 

2 – Optimize the Value of Your Security Tools

Bring disparate cybersecurity tools together so your SOC has greater control over the investigation and incident response process. FireEye Helix and Claroty together let you rapidly examine system state and the context of what is happening, and where, across IT, OT and IoT environments, gather the information an analyst needs, and push commands to mitigate the impact of security incidents faster. By saving time and resources through SOC orchestration, your organization increases the value and ROI of its existing security investments.

 


Figure 2. Common areas of manual research required to determine an alert's origin, the technical information needed, and whether the alert is a threat or not. From Security Orchestration: Best Practices for Any Organization Whitepaper, FireEye, 2017.

 

3 – Customized Playbooks and Automated Workflows for Repeatable Human Tasks

SOCs that need to protect industrial OT-IoT networks, assets and production can now automate repeatable human tasks to improve analyst speed and efficiency. You can create and assign granular policies, build workflows from libraries of pre-built playbooks, and develop custom playbooks with pre-built scripts. FireEye Helix decreases the mean time it takes teams to respond to threats by having the security tools perform the routine analysis automatically.
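As an added illustration of what such a triage playbook does (this is example code written for this article, not code from Claroty, FireEye Helix or the plug-in), the Python below walks a handful of constructed SIEM-style alerts through enrichment with a constructed OT asset inventory and decides, per alert, whether the machine closes it, whether it goes to the analyst queue as a ticket, or whether it is escalated to a human. The field names, zones, rule names and policy thresholds are all assumptions for the example. It also encodes the caveat a practitioner would insist on when a playbook can push commands into an OT environment: the playbook may isolate a host in the IT zone on its own, but for assets in or near a production cell (and for hosts it knows nothing about) it only recommends isolation, because an automated block there can halt the process.

```python
"""Toy SOAR-style triage playbook for mixed IT/OT alerts (constructed example).

Enriches SIEM-style alerts with OT asset context, then decides per alert whether
a machine may close it, whether it goes to the analyst queue as a ticket, or
whether it must be escalated to a human, with any containment action gated by
the asset's zone. All schemas, zones and thresholds are assumptions.
"""
from dataclasses import dataclass, field

# Constructed OT/IT asset inventory, the kind of context an OT monitoring
# platform supplies. Keyed by IP for simplicity.
ASSETS = {
    "10.10.1.5":  {"name": "PLC-LINE3", "type": "PLC", "zone": "cell", "criticality": "high"},
    "10.10.1.20": {"name": "HMI-LINE3", "type": "HMI", "zone": "cell", "criticality": "medium"},
    "10.20.0.7":  {"name": "ENG-WS-01", "type": "workstation", "zone": "engineering", "criticality": "medium"},
    "10.30.0.9":  {"name": "BACKUP-01", "type": "server", "zone": "it", "criticality": "low"},
}

# Constructed alerts in a generic SIEM-like shape (not any vendor's schema).
ALERTS = [
    {"id": "A1", "rule": "modbus_write_from_unexpected_source", "src": "10.20.0.7", "dst": "10.10.1.5", "severity": 7},
    {"id": "A2", "rule": "internal_port_scan", "src": "10.20.0.7", "dst": "10.10.1.20", "severity": 4},
    {"id": "A3", "rule": "scheduled_backup_traffic", "src": "10.30.0.9", "dst": "10.20.0.7", "severity": 2},
    {"id": "A4", "rule": "new_device_seen", "src": "10.10.1.99", "dst": "10.10.1.5", "severity": 3},
]

# Policy knobs an analyst maintains (assumed values).
ALLOWLIST = {"scheduled_backup_traffic"}   # rules already confirmed benign
HIGH_SEVERITY = 7                           # SIEM severity at or above which a human looks
AUTO_ISOLATE_ZONES = {"it"}                 # only zones where the playbook may isolate on its own


@dataclass
class Decision:
    alert_id: str
    action: str                  # auto_close | ticket | escalate_human
    containment: str = "none"    # none | recommend_isolate_host | isolate_host
    reasons: list = field(default_factory=list)
    context: dict = field(default_factory=dict)


def enrich(alert, assets):
    """Attach the inventory records for source and destination (None when unknown)."""
    return {"src": assets.get(alert["src"]), "dst": assets.get(alert["dst"])}


def triage(alert, assets=ASSETS, allowlist=ALLOWLIST):
    ctx = enrich(alert, assets)
    src, dst = ctx["src"], ctx["dst"]
    d = Decision(alert["id"], "ticket", context=ctx)

    # Step 1: the repeatable human task. Rules an analyst has already confirmed
    # benign are closed by the machine, with the reason recorded for audit.
    if alert["rule"] in allowlist:
        d.action = "auto_close"
        d.reasons.append("rule on analyst allowlist")
        return d

    # Step 2: an endpoint missing from the inventory is itself a finding
    # (rogue device or inventory gap), so a human must look.
    if src is None or dst is None:
        d.action = "escalate_human"
        d.reasons.append("endpoint not in asset inventory")

    # Step 3: high SIEM severity, or any write to a high-criticality controller,
    # is never triaged by the machine alone.
    if alert["severity"] >= HIGH_SEVERITY:
        d.action = "escalate_human"
        d.reasons.append(f"severity {alert['severity']} >= {HIGH_SEVERITY}")
    if dst and dst["criticality"] == "high" and "write" in alert["rule"]:
        d.action = "escalate_human"
        d.reasons.append(f"write to {dst['type']} {dst['name']} in zone {dst['zone']}")

    # Step 4: containment is gated by zone. Isolating an IT host is a machine
    # decision; isolating anything in or near a production cell can halt the
    # process, so for those (and for unknown hosts) the playbook only recommends.
    if d.action == "escalate_human":
        if src is not None and src["zone"] in AUTO_ISOLATE_ZONES:
            d.containment = "isolate_host"
        else:
            d.containment = "recommend_isolate_host"
    return d


def triage_all(alerts=ALERTS):
    """Run the playbook over a batch and return decisions keyed by alert id."""
    return {a["id"]: triage(a) for a in alerts}


if __name__ == "__main__":
    for d in triage_all().values():
        print(d.alert_id, d.action, d.containment, "|", "; ".join(d.reasons))
```

Running it on the constructed batch, the benign backup job is auto-closed, the port scan between two known assets lands in the ticket queue, and both the Modbus write to the PLC and the unknown device on the cell network are escalated with a recorded reason and a containment recommendation rather than an automatic block. Every decision carries the enrichment context and its reasons, which is what lets analysts collaborate on an alert and audit what the machine did on their behalf.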

 

SUMMARY

“By bringing this knowledge together, it becomes easier to identify high-priority tasks that you can easily automate. This automation generates high-value outcomes such as reclaiming time for your security experts and reducing the dwell time of dangerous cyber attacks. And as you get better at selecting your outcomes strategically, aligned with your unique organizational requirements, you can simplify and optimize your security program to improve your overall security maturity.”[2]

A properly deployed orchestration solution, paired with OT-IoT context and visibility, buys time for your OT security defenders to focus on higher-priority tasks, speeds response, reduces risk exposure, and maintains process consistency across the security program for the entire organization.

[2] Security Orchestration: Best Practices for Any Organization Whitepaper, FireEye, 2017

 

Download the Claroty – FireEye Data Sheet

Email us at contact@claroty.com for more information or a demo
