As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Charles Kenney, the Regional Director of Logpoint, shares some expert insights on using SOAR and SIEM solutions to democratize your cybersecurity strategies.
What do American football and cybersecurity have in common? In both disciplines, it is a good idea to work from a playbook when the opposing team attacks. In security, a playbook is a structured, repeatable sequence of steps for investigating and responding to an observation, for example a phishing attack in which an employee has opened a malware-laden attachment. For most companies, investigating such events is a major challenge because many questions need to be asked, and answered, in a specific order to handle the event well.
By adding SOAR technology to a company’s SIEM security platform, organizations of all sizes can better manage cyber events and automate much of the investigation and remediation.
Investigating and Handling
A Security Information and Event Management (SIEM) system is a cybersecurity solution that collects and analyzes log data, the company's digital DNA, in real time. It correlates events across sources to detect anomalous patterns and raises alerts on deliberate or unintentional user behavior that could harm the company.
SOAR stands for Security Orchestration, Automation and Response. Where the SIEM collects the data and lets the company discover an attack, such as a phishing email, SOAR structures how the company investigates and handles the resulting incident: the playbook encodes the steps, and the platform executes them against the connected security tools.
Combining SIEM and SOAR makes it easier to drive multiple security technologies from one place, for example to quickly disable a user account while an incident is being investigated. A converged solution can automatically determine how many people received the phishing email in question and remove it from those inboxes. The goal is not only to investigate the cyber event but to prevent it from happening again.
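As an added illustration of the phishing playbook described above (this is example code written for this article, not Logpoint's product or API), the following Python sketch runs the playbook steps against constructed mail-gateway and endpoint log lines: it pivots on the reported message's sender and attachment hash to find every recipient, queues a mailbox purge for each delivered copy, and flags for containment only the users whose endpoints actually executed the attachment. The event fields, hashes, hostnames and addresses are all made up for the example.

```python
"""Minimal phishing-response playbook in the SOAR style described above:
enumerate recipients, purge the message, contain affected users.
Example code for this article, not Logpoint's product or API.
All log lines below are constructed; hashes are shortened placeholders."""
import json
from dataclasses import dataclass, field

# Constructed mail-gateway events (newline-delimited JSON), one per message.
MAIL_LOG = """\
{"event":"delivered","msg_id":"m-101","sender":"billing@pay-roll-update.example","recipient":"alice@corp.example","attach_sha256":"aa11","ts":"2024-03-04T08:01:10Z"}
{"event":"delivered","msg_id":"m-102","sender":"billing@pay-roll-update.example","recipient":"bob@corp.example","attach_sha256":"aa11","ts":"2024-03-04T08:01:12Z"}
{"event":"delivered","msg_id":"m-103","sender":"hr@corp.example","recipient":"carol@corp.example","attach_sha256":"bb22","ts":"2024-03-04T08:05:00Z"}
{"event":"delivered","msg_id":"m-104","sender":"accounts@other-sender.example","recipient":"dave@corp.example","attach_sha256":"aa11","ts":"2024-03-04T08:07:30Z"}
{"event":"bounced","msg_id":"m-105","sender":"billing@pay-roll-update.example","recipient":"erin@corp.example","attach_sha256":"aa11","ts":"2024-03-04T08:08:00Z"}
"""

# Constructed endpoint telemetry: which user executed which file hash.
ENDPOINT_LOG = """\
{"event":"file_exec","user":"bob@corp.example","host":"ws-17","sha256":"aa11","ts":"2024-03-04T08:14:02Z"}
{"event":"file_exec","user":"carol@corp.example","host":"ws-22","sha256":"bb22","ts":"2024-03-04T08:20:00Z"}
"""


def parse_jsonl(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


@dataclass
class PlaybookResult:
    indicators: dict
    recipients: list
    purge_msg_ids: list
    users_to_contain: list
    pending_approval: list = field(default_factory=list)
    auto_executed: list = field(default_factory=list)


def run_phishing_playbook(reported_msg_id, mail_events, endpoint_events, auto_disable=False):
    """Find who else received the phish, queue purges, and contain users who ran it."""
    reported = next(e for e in mail_events if e["msg_id"] == reported_msg_id)
    indicators = {"sender": reported["sender"], "attach_sha256": reported["attach_sha256"]}

    # Pivot on the attachment hash as well as the sender: the same payload
    # sent from a second address (m-104) would be missed by a sender-only search.
    matches = [
        e for e in mail_events
        if e["event"] == "delivered"  # bounced mail never reached a mailbox
        and (e["sender"] == indicators["sender"]
             or e["attach_sha256"] == indicators["attach_sha256"])
    ]
    recipients = sorted({e["recipient"] for e in matches})
    purge_msg_ids = sorted(e["msg_id"] for e in matches)

    # Only users who actually executed the payload are contained; merely
    # receiving the message is handled by the purge, not by locking the account.
    users_to_contain = sorted({
        e["user"] for e in endpoint_events
        if e["event"] == "file_exec" and e["sha256"] == indicators["attach_sha256"]
    })

    result = PlaybookResult(indicators, recipients, purge_msg_ids, users_to_contain)
    # Disabling an account is a high-impact action: gate it behind human
    # approval unless the operator has explicitly opted into full automation.
    for user in users_to_contain:
        action = f"disable_account:{user}"
        (result.auto_executed if auto_disable else result.pending_approval).append(action)
    return result


if __name__ == "__main__":
    outcome = run_phishing_playbook("m-101", parse_jsonl(MAIL_LOG), parse_jsonl(ENDPOINT_LOG))
    print(json.dumps(outcome.__dict__, indent=2))
```

Two points a practitioner would want from this sketch: pivoting on the attachment hash as well as the sender catches the same payload sent from a second address, and account disablement is gated behind approval by default, because a playbook that locks out every user on every match is itself a denial-of-service risk.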
The Tangible Business Benefits
By streamlining and automating security measures, SIEM and SOAR technologies address a significant challenge companies face today: a constantly evolving threat landscape combined with a shortage of cybersecurity skills.
Together, SIEM and SOAR also make security work visible and measurable, turning IT security into a value-creating strategic area in its own right and a point of competitive differentiation. SOAR technology captures data about how threats were handled (which playbooks ran, how often they succeeded, how long each stage took), which can be used to evaluate efficiency and to offer customers useful industry benchmarks.
Traditionally, companies approached IT security as firefighting: when an incident occurred, security teams had to drop everything else and respond. Automation now makes it possible to work strategically with cybersecurity, with many knock-on effects, and it lets the organization ask better questions. Is it good enough that the phishing playbook handled only 80 percent of events successfully? What would it take to raise that figure?
With SIEM and SOAR data in hand, a CISO can discuss IT security at the level of the executive board and board of directors, who might otherwise be unsure whether the company is secure enough. Many organizations measure themselves against more mature companies that have suffered very public cyber-attacks.
Previously, the CISO's report to the executive board might have been that 28 phishing emails a day were blocked, or that the company had implemented the most expensive firewall available. Such statements are not meaningful metrics and say little about business risk. CISOs must refocus this language, and board members' mindsets, away from shiny, expensive tools and toward the solutions that deliver the most value and security overall.
Bridging the Gap with Data-Driven Insights
SIEM and SOAR can help bridge the gap that might otherwise arise between cybersecurity and enterprise risk management. This visible and actionable data allows an organization to use the right technology and implement the right processes.
When a company can benchmark itself against other, traditionally more successful companies, a dialogue begins between the CISO and the risk owners. Is the security budget too small? Are more staff needed? Companies can measure improvements and use that data as evidence for new strategic decisions. New knowledge emerges because CISOs are no longer just measuring log volume but how well the organization handles the incidents to which it is exposed.
Addressing the Achilles Heel of Business-Critical Applications
Business-critical applications (BCAs) are an Achilles heel in many organizations, which can come as a surprise. Security for the core IT infrastructure is relatively mature, and those teams are generally ready to automate and adopt playbooks, but security for BCAs has not yet reached the same level of maturity. Companies are digitalizing on a large scale with business-critical systems at the center of attention, and attackers are intensely aware of this, which is why many recent attacks have targeted these systems. Understanding where an organization's Achilles heel lies helps it protect itself better in the long term.
Unfortunately, few companies consider it relevant to look for anomalous user behavior in BCAs such as SAP, ServiceNow, or Salesforce. BCAs are a blind spot, and many CFOs and managers are unsure who owns the security of these applications. Introducing a converged SIEM and SOAR solution can help resolve that confusion and secure the weak spot that attackers tend to target.
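To make "looking for anomalous user behavior in a BCA" concrete, here is an added example (not Logpoint's code, and not tied to any real SAP, ServiceNow or Salesforce log format): it learns a per-user baseline of actions, source countries and working hours from constructed application audit events, then scores new events against that baseline. A first-time use of a sensitive action, such as changing a vendor's bank account, alerts on its own; weaker signals such as an unusual hour or a new country only alert when they stack. All users, actions, event fields and thresholds are made up for the example.

```python
"""Baseline-and-deviation check for business-application audit events.
Example code for this article; all events, users, actions and thresholds
are constructed and not taken from any real application's log format."""
from collections import defaultdict
from datetime import datetime

# Constructed history, assumed clean, used to learn each user's normal behavior.
BASELINE = [
    {"ts": "2024-02-05T09:12:00Z", "user": "finance.ann", "action": "view_invoice", "country": "US"},
    {"ts": "2024-02-06T10:40:00Z", "user": "finance.ann", "action": "approve_payment", "country": "US"},
    {"ts": "2024-02-07T15:02:00Z", "user": "finance.ann", "action": "view_invoice", "country": "US"},
    {"ts": "2024-02-05T08:30:00Z", "user": "sales.raj", "action": "export_report", "country": "IN"},
    {"ts": "2024-02-06T09:15:00Z", "user": "sales.raj", "action": "update_opportunity", "country": "IN"},
]

# Constructed new events to score against that baseline.
NEW_EVENTS = [
    {"ts": "2024-03-04T02:13:00Z", "user": "finance.ann", "action": "change_vendor_bank_account", "country": "NG"},
    {"ts": "2024-03-04T11:00:00Z", "user": "finance.ann", "action": "view_invoice", "country": "US"},
    {"ts": "2024-03-04T22:00:00Z", "user": "sales.raj", "action": "export_report", "country": "IN"},
    {"ts": "2024-03-04T03:30:00Z", "user": "svc.integration", "action": "bulk_export_customers", "country": "US"},
]

# Actions whose first use by a given user should always be reviewed.
# Which actions belong here is application-specific; these are illustrative.
SENSITIVE_ACTIONS = {"change_vendor_bank_account", "grant_admin_role", "bulk_export_customers"}

HOUR_TOLERANCE = 2  # hours away from any previously seen hour before it counts as unusual


def _hour(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).hour


def build_baseline(events):
    """Per-user sets of actions, source countries and hours of activity."""
    profile = defaultdict(lambda: {"actions": set(), "countries": set(), "hours": set()})
    for e in events:
        p = profile[e["user"]]
        p["actions"].add(e["action"])
        p["countries"].add(e["country"])
        p["hours"].add(_hour(e["ts"]))
    return dict(profile)


def score_event(event, profile):
    """Return the list of ways an event deviates from its user's baseline."""
    p = profile.get(event["user"])
    reasons = []
    if p is None:
        # Unknown accounts (new hires, service accounts) have no history to compare against,
        # so a sensitive action from them is still worth surfacing.
        reasons.append("no_baseline_for_user")
        if event["action"] in SENSITIVE_ACTIONS:
            reasons.append("first_time_sensitive_action")
        return reasons
    if event["action"] not in p["actions"]:
        reasons.append("first_time_sensitive_action" if event["action"] in SENSITIVE_ACTIONS
                       else "first_time_action")
    if event["country"] not in p["countries"]:
        reasons.append("new_source_country")
    # Simple distance to the nearest seen hour; no midnight wrap-around, which is fine here.
    hour = _hour(event["ts"])
    if min(abs(hour - h) for h in p["hours"]) > HOUR_TOLERANCE:
        reasons.append("outside_usual_hours")
    return reasons


def detect(events, profile, stack_threshold=2):
    """Alert on any first-time sensitive action, or when weaker deviations stack."""
    alerts = []
    for e in events:
        reasons = score_event(e, profile)
        if "first_time_sensitive_action" in reasons or len(reasons) >= stack_threshold:
            alerts.append({"user": e["user"], "action": e["action"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_EVENTS, build_baseline(BASELINE)):
        print(alert)
```

Two caveats matter in practice. The baseline window has to come from a period believed to be clean, otherwise an attacker who is already active teaches the model that their behavior is normal. And the sensitive-action list is exactly where the application owners, whose ownership is so often unclear, have to contribute, because the SOC cannot know on its own which transactions matter in a given ERP or CRM.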
Optimize in Parallel
Cyber-criminals are becoming more professional, and the hacker ecosystem now makes ransomware and phishing attacks more frequent and more targeted. The structure of financially motivated cyber-crime is beginning to resemble that of ordinary technology companies. Organizations must keep pace with this optimization, securing data at every corner and monitoring threats as efficiently as possible.
With SIEM and SOAR technology, threat detection and response automation helps short-staffed security teams prioritize their tasks and enables CISOs to share actionable data about their cybersecurity posture with board members. These technologies can help organizations prioritize cybersecurity without breaking the bank.
Charles (Charlie) Kenney is responsible for driving strategic growth and overseeing the expanding Logpoint sales, marketing, and technical team in the US, working out of Boston. He brings a deep understanding of the complex and fast-evolving threat landscape challenging all companies today. Kenney is CISSP certified and joins LogPoint with over 25 years of cybersecurity experience. Before joining Logpoint, he held leadership positions at various technology companies, most recently Chief Revenue Officer at SEWORKS, and before that in companies such as BitSight Technologies, IBM/Qradar, and Cisco.