Time to End the Manual Security Operations: QI-ANXIN has Launched the Security Orchestration Automation and Response (SOAR) Product
Date: Mar 02, 2020 Author: QI-ANXIN
At RSAC 2020, QI-ANXIN demonstrated its practical security operations capabilities and launched the first security orchestration, automation and response (SOAR) product in China. It helps customers greatly improve the efficiency of security detection and response, and moves security operations from manual work to automation.
SOAR: A Necessary Capability for a New Generation Security Operations Centers
The new generation security operations center closes the loop of the security operations process. From the perspective of adaptive security architecture, it must monitor and assess continuously across the four stages of protection, detection, response, and prediction, so that problems are discovered and solved in a timely manner.
In recent years, attention has focused on detection technology and related platform technology, including the new generation security operations platform, and these tools have greatly enhanced detection capabilities. With the new detection products and technologies, users have obtained a lower MTTD (mean time to detect) and can detect attacks and intrusions faster and more accurately. However, detecting threats faster is only the first step. Responding to these threats quickly and reducing the MTTR (mean time to respond) matters more, and this is the problem the new generation security operations center must solve.
In the response stage, security operations and response personnel face huge challenges. On the one hand, the response process involves a large number of scattered devices and systems, and handling a threat requires coordinating different security devices, which is time-consuming and laborious when it relies on manual operations. On the other hand, response personnel are scarce, their skill level is held back by repetitive work, and the experience of excellent operations personnel is difficult to turn into standardized processes and actions, which limits overall response and disposal efficiency.
SOAR is the collective term for a set of new security capabilities developed in response to this trend. It aims to detect threats quickly, reduce the investment in manual security analysis, and achieve rapid response to improve the efficiency of security operations.
Implementing SOAR in the security operations center not only improves its security response capabilities, especially orchestration, automation and response management, but also improves the effectiveness of the security operations center as a whole: security incident investigation and analysis (including MTTD), the speed of security response (MTTR), the ability to integrate decentralized security systems, and the efficiency of security operations personnel.
No "Manual Transmission": Four Major Features Greatly Improve Response Efficiency
QI-ANXIN SOAR is based on practical security operations and provides customers with four major functions: security orchestration and automation, alert management, case management, and ticket management. It helps companies and organizations sort complex security operations processes (especially incident response) into tasks and playbooks, turn decentralized security tools and functions into programmable applications and actions, and use orchestration and automation technology to integrate teams, tools and processes.
QI-ANXIN SOAR has the following key features:
◇Security Capabilities Orchestration
Through playbook management, application management and other functions, QI-ANXIN SOAR standardizes the customer's dispersed security capabilities and the process of security operations and response, forming a playbook library and an application library (action library) to integrate teams, tools, and processes. These standardized processes can be used at any time, reducing manual intervention and greatly improving the efficiency of emergency response.
◇Alert Response Automation
Intelligent diagnosis of complex alerts can automatically trigger the corresponding process; this is the key point that distinguishes it from the alert management function of a traditional SIEM/SOC platform.
On the one hand, alert diagnosis can automatically aggregate alerts, automatically calculate the credibility and priority of each alert, and help administrators focus on the key alerts.
On the other hand, alert investigation can conduct supplementary investigation and analysis of an alert, turn low-quality alerts into high-quality, valuable alerts, and eliminate false positives. During the alert investigation, operations personnel can also enrich the alert and present its relevant information as clearly and accurately as possible, so as to support the administrator's research and judgment.
◇Whole-course Case Management
QI-ANXIN SOAR helps users conduct process-based, continuous investigation, analysis, and response for a set of related alerts, and continuously accumulate the indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) related to the case.
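The alert-diagnosis and case-management steps described above (aggregate related alerts, score credibility and priority, enrich with intelligence, suppress false positives, attach IOCs to the case, and route to playbooks) as a compact added example in Python. This is illustrative code written for this page, not QI-ANXIN's product code; the alerts, intel lists, sensor count and playbook thresholds are all constructed.

```python
"""Toy SOAR alert pipeline: aggregate -> score -> enrich -> route to playbooks."""
from dataclasses import dataclass, field

SENSOR_COUNT = 3  # sensors feeding the pipeline: ids, edr, proxy (constructed)

# Constructed sample alerts, not real telemetry.
ALERTS = [
    {"src": "10.0.0.5", "dst": "198.51.100.7", "type": "c2_beacon", "sensor": "ids", "severity": 3},
    {"src": "10.0.0.5", "dst": "198.51.100.7", "type": "c2_beacon", "sensor": "edr", "severity": 4},
    {"src": "10.0.0.5", "dst": "198.51.100.7", "type": "c2_beacon", "sensor": "proxy", "severity": 2},
    {"src": "10.0.0.9", "dst": "203.0.113.2", "type": "port_scan", "sensor": "ids", "severity": 1},
]
KNOWN_BAD = {"198.51.100.7"}        # hypothetical threat-intel hit list
AUTHORISED_SCANNERS = {"10.0.0.9"}  # hypothetical internal scanner allowlist
PLAYBOOKS = {"isolate_host": 8, "open_ticket": 4}  # playbook -> minimum priority

@dataclass
class Case:
    key: tuple                       # (src, dst, alert type)
    sensors: set = field(default_factory=set)
    max_severity: int = 0
    iocs: set = field(default_factory=set)
    credibility: float = 0.0
    priority: int = 0
    false_positive: bool = False
    playbooks: list = field(default_factory=list)

def aggregate(alerts):
    """Fold every alert about the same src/dst/type into a single case."""
    cases = {}
    for a in alerts:
        key = (a["src"], a["dst"], a["type"])
        c = cases.setdefault(key, Case(key))
        c.sensors.add(a["sensor"])
        c.max_severity = max(c.max_severity, a["severity"])
    return list(cases.values())

def triage(case):
    """Score credibility/priority, enrich with intel, choose playbooks."""
    src, dst, kind = case.key
    case.credibility = len(case.sensors) / SENSOR_COUNT  # independent corroboration
    if dst in KNOWN_BAD:
        case.iocs.add(dst)  # IOC accumulated on the case for later investigations
    if kind == "port_scan" and src in AUTHORISED_SCANNERS:
        case.false_positive = True  # suppressed: no playbook fires
        return case
    case.priority = round(case.max_severity * case.credibility * (2 if case.iocs else 1))
    case.playbooks = [p for p, t in PLAYBOOKS.items() if case.priority >= t]
    return case

def run(alerts=ALERTS):
    return {c.key: triage(c) for c in aggregate(alerts)}
```

Three sensors agreeing on the same beacon to a known-bad address collapse into one high-priority case that fires both playbooks, while the authorised scanner's port-scan alert is suppressed as a false positive instead of reaching an analyst.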
◇Open System Architecture
With an open, programmable architecture, a built-in workflow engine and an application development framework, users can customize playbooks, applications, the trigger conditions for automatic response, and case handling procedures, and integrate seamlessly with the existing security system.
Based on the above four characteristics, QI-ANXIN SOAR helps customers address the inefficiency of security operations caused by a shortage of operations personnel, untimely response to security incidents, heavy repetitive workloads, and a lack of coordination and linkage between security devices. The real integration of security teams, tools, and processes makes security operations more coordinated.
Meanwhile, QI-ANXIN SOAR also helps customers formulate plans beforehand, respond automatically and quickly during an incident, summarize and accumulate lessons afterwards, and improve the overall level of practical operations.
The Human Factor Plays a Big Role in SOAR
On February 25, RSA Chairman Rohit Ghai retold the story of the "human" in cybersecurity to more than 40,000 attendees. Ghai believes that if we do not rethink cybersecurity culture and focus on people as much as on technology, we will ultimately be unable to overcome cyber threats.
The human factor is just as important for SOAR. It is wrong to assume that automation (such as SOAR) can significantly reduce the skill level and number of security operations personnel an enterprise or organization needs. In fact, according to a survey report published by Ponemon in April 2019, in the medium term security automation will not reduce the demand for security personnel; it will require more, and more highly skilled, people.
Humans are always the most critical factor in security: they are not only the biggest vulnerability, but also the most important source of productivity. Automation is not there to replace people, but to make security personnel stronger and more efficient.