Time to End Manual Security Operations: QAX Has Launched Its Security Orchestration, Automation and Response (SOAR) Product
Date: Mar 02, 2020 Author: QAX
Background:
During RSAC 2020, QAX demonstrated its practical security operations capabilities and launched the first security orchestration, automation and response (SOAR) product in China, helping customers greatly improve the efficiency of security detection and response and moving security operations from manual to automated.
SOAR: A Necessary Capability for a New Generation Security Operations Centers
The new generation security operations center has closed the loop of the security operations process. From the perspective of adaptive security architecture, the new generation security operations center must monitor and assess continuously across the four stages of protection, detection, response, and prediction, and ensure that problems are discovered and solved in a timely manner.
In recent years, people have paid more attention to detection technology and other platform technology, including the new generation security operations platform; these tools have greatly enhanced detection capabilities. With new detection products and technologies, users have obtained a lower MTTD (mean time to detect) and can detect attacks and intrusions faster and more accurately. However, detecting threats faster is only the first step. How to respond quickly to these threats and reduce the MTTR (mean time to respond) is more important, and this is the problem the new generation security operations center system must solve.
In the response stage, security operations and response personnel face huge challenges. On the one hand, the response process involves a large number of scattered devices and systems, and handling a threat requires the coordination of different security devices, which is time-consuming and laborious when it relies on manual operations; on the other hand, response personnel are scarce, their skills are trapped in repetitive labor and difficult to improve, and the experience of excellent operations personnel is difficult to turn into standardized processes and actions, which limits the overall efficiency of response and disposal.
SOAR is the collective term for a set of new security capabilities developed in response to this trend, aiming to quickly detect threats, reduce investment in security manual analysis, and achieve rapid response to improve the efficiency of security operations.
By implementing SOAR in the security operations center, not only can the response capabilities of the security operations center be improved, especially orchestration, automation and response management, but the effectiveness of the security operations center as a whole can also be improved, including security incident investigation and analysis (including MTTD), the speed of security response (MTTR), the ability to integrate decentralized security systems, and the efficiency of security operations personnel.
No "Manual Transmission", Four Major Features Greatly Improve Response Efficiency
QAX SOAR has the following key features:
◇Alert Response Automation
Intelligent diagnosis of complex alerts can automatically trigger the corresponding process, which is also the key point that distinguishes it from the alert management function of a traditional SIEM/SOC platform.
On the one hand, alert diagnosis can automatically aggregate alerts, automatically calculate the credibility and priority of alerts, and help administrators focus on key alerts;
On the other hand, alert investigation can also conduct supplementary investigation and analysis of an alert, turn low-quality alerts into high-quality, valuable alerts, and eliminate false positives. At the same time, during alert investigation, operations personnel can also enrich the alert and present its relevant information as clearly and accurately as possible, so as to facilitate the administrator's research and judgment.
◇Whole-course Case Management
QAX SOAR can help users conduct process-based and continuous investigation, analysis, and response for a set of related alerts, and continuously accumulate the indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) related to the case.
◇Open System Architecture
With an open, programmable architecture design, a built-in workflow engine and an application development framework, users can customize playbooks, applications, automatic-response trigger conditions and case handling procedures, and seamlessly integrate them into the existing security system.
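To make the alert response automation described above (aggregation, priority scoring, false-positive elimination, enrichment) and the playbook model of the open architecture concrete, here is a miniature triage pipeline. It is an added example written for this page, not QAX SOAR code, and it does not use any QAX API. The sample alerts, the asset-criticality table, the IOC list, the known-false-positive list, the scoring formula and the playbook structure are all constructed assumptions; response steps are returned as action names rather than executed.

```python
"""Miniature SOAR-style triage: aggregate -> enrich/score -> orchestrate.
Added example; not QAX code. All data and the scoring formula are constructed."""
from dataclasses import dataclass, field

# Constructed sample alerts, as a SIEM might forward them (made-up values).
SAMPLE_ALERTS = [
    {"id": 1, "src": "10.0.0.5", "dst": "10.0.1.20", "sig": "SSH brute force", "severity": 3},
    {"id": 2, "src": "10.0.0.5", "dst": "10.0.1.20", "sig": "SSH brute force", "severity": 3},
    {"id": 3, "src": "10.0.0.5", "dst": "10.0.1.20", "sig": "SSH brute force", "severity": 3},
    {"id": 4, "src": "203.0.113.9", "dst": "10.0.1.30", "sig": "C2 beacon", "severity": 5},
    {"id": 5, "src": "10.0.0.7", "dst": "10.0.1.40", "sig": "Port scan", "severity": 2},
]

# Constructed enrichment sources (assumed asset CMDB and threat-intel feed).
ASSET_CRITICALITY = {"10.0.1.20": 2, "10.0.1.30": 3, "10.0.1.40": 1}  # 1 low .. 3 high
KNOWN_BAD_IPS = {"203.0.113.9"}
KNOWN_FALSE_POSITIVES = {("10.0.0.7", "Port scan")}  # the internal vuln scanner


@dataclass
class Case:
    src: str
    dst: str
    sig: str
    severity: int
    alert_ids: list = field(default_factory=list)
    iocs: set = field(default_factory=set)
    priority: int = 0
    false_positive: bool = False


def aggregate(alerts):
    """Collapse repeated alerts with the same (src, dst, signature) into one case."""
    cases = {}
    for a in alerts:
        key = (a["src"], a["dst"], a["sig"])
        case = cases.setdefault(key, Case(a["src"], a["dst"], a["sig"], a["severity"]))
        case.alert_ids.append(a["id"])
        case.severity = max(case.severity, a["severity"])
    return list(cases.values())


def enrich_and_score(case):
    """Attach IOCs and compute priority = severity * asset criticality,
    +3 for a threat-intel hit, +1 per repeat alert (capped at 3).
    Known false positives are marked and scored 0 so analysts skip them."""
    if (case.src, case.sig) in KNOWN_FALSE_POSITIVES:
        case.false_positive = True
        case.priority = 0
        return case
    if case.src in KNOWN_BAD_IPS:
        case.iocs.add(case.src)
    crit = ASSET_CRITICALITY.get(case.dst, 1)
    repeats = min(len(case.alert_ids) - 1, 3)
    case.priority = case.severity * crit + (3 if case.iocs else 0) + repeats
    return case


# Playbooks: a trigger predicate plus the ordered response steps it orchestrates.
# Steps are action names here; a real engine would call the device APIs.
PLAYBOOKS = [
    {"name": "isolate-host-on-c2",
     "trigger": lambda c: bool(c.iocs) and c.priority >= 10,
     "steps": ["block_src_at_firewall", "isolate_dst_via_edr", "open_ticket_p1"]},
    {"name": "lock-out-brute-forcer",
     "trigger": lambda c: c.sig == "SSH brute force" and len(c.alert_ids) >= 3,
     "steps": ["block_src_at_firewall", "notify_soc_analyst"]},
]


def run_playbooks(case):
    """Return (playbook name, steps) for every playbook whose trigger fires."""
    if case.false_positive:
        return []
    return [(pb["name"], pb["steps"]) for pb in PLAYBOOKS if pb["trigger"](case)]


def triage(alerts):
    """Full pipeline; returns (case, actions) pairs sorted by priority, highest first."""
    cases = [enrich_and_score(c) for c in aggregate(alerts)]
    cases.sort(key=lambda c: c.priority, reverse=True)
    return [(c, run_playbooks(c)) for c in cases]


if __name__ == "__main__":
    for case, actions in triage(SAMPLE_ALERTS):
        print(f"{case.sig:16s} {case.src:>12s} -> {case.dst:<10s} "
              f"alerts={len(case.alert_ids)} prio={case.priority:2d} "
              f"fp={case.false_positive} actions={actions}")
```

Running it turns five raw alerts into three cases: the C2 beacon against a critical host scores highest and fires the isolation playbook, the three brute-force alerts collapse into one case that fires the lock-out playbook, and the scanner's port scan is marked as a known false positive with no actions. The point of the design is that every enrichment source and every trigger condition is data the operations team can edit, which is what lets analyst experience become a standardized, repeatable process.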
Based on the above four characteristics, QAX SOAR can help customers focus on solving the inefficiency of security operations caused by a lack of operations personnel, untimely response to security incidents, a heavy repetitive workload, a lack of coordination between security devices, and poor linkage. Real integration of security teams, tools, and processes makes security operations more coordinated.
Meanwhile, QAX SOAR can also help customers formulate plans beforehand, respond automatically and quickly during an incident, summarize and accumulate lessons afterwards, and comprehensively improve the level of practical operations.