More technology has been produced in the last twenty years than in all of human history before. And while industrial automation has been discussed since 1952, the complexity of today's cybersecurity analyst workload makes embracing automation paramount.
Cybersecurity is not just a technology issue—processes are key
The most crucial factor in a security operations center (SOC) is having a plan to respond to incidents. Cybersecurity serves the business, so its mandates must be taken into account when creating standard operating procedures (SOPs) for business continuity. Legacy SOCs often fail to assess alerts promptly because there are too many processes to follow and too many tools to manage.
Sumo Logic Cloud SOAR (security orchestration, automation and response) accelerates incident response time by operationalizing SOPs and maximizing overall SOC efficiency.
The one thing SOC teams need to avoid when facing a potential cyberattack is improvisation.
This blog discusses core features of SOAR to enhance collaboration and speed the incident response process, including the new War Room feature that helps capture and detail the specificities of each incident.
Cloud SOAR improves SOPs by boosting automation
Over the years, the types of attacks have increased significantly, and many different technologies are needed to prevent and respond to them. SOAR applies automation to the response process by ingesting the alerts generated by the different technologies used in the SOC, such as SIEM (security information and event management) solutions.
SOAR starts where SIEM ends
SOAR receives alerts and insights from SIEM and suggests to analysts the right processes to activate based on the type of threat. This lets the cyber team use automation for alert enrichment, collecting and organizing data from many different technologies in the case manager. It also focuses analysts' work by assigning them only the tasks where human intervention is essential and leaving the rest to automation.
The SecOps dashboard—all analyst tasks in one place
The Cloud SOAR SecOps dashboard helps analysts when human interaction is needed. Analysts have all tasks in one place, where they can choose whether to complete, assign, close, reassign or decline their automatically assigned actions, user choices and tasks. They can review playbook suggestions, use the search query bar to refine their workflow, customize the view and choose which data they want to see.
The Cloud SOAR SecOps dashboard puts analyst tasks in one place
Implementing automation in SecOps, especially for time-consuming, low-risk tasks, can dramatically improve analyst effectiveness and productivity. At the same time, it is critical to have full visibility into what was done before the analyst took action. This is why the newly introduced War Room is such an important feature.
The role of War Room in day-to-day activities
The goal of Cloud SOAR War Room is to provide a complete and detailed picture of a specific incident process on one single page. It lets analysts see all the data collected in a well-structured way so that they can easily make insightful decisions.
War Room timeline
With War Room, the cyber team sees everything that happened in a specific incident in chronological order. Using the familiar concept of a timeline, the War Room shows a detailed view of every relevant event that happened during a specific incident.
The cyber team can filter the results according to their specific needs and analyze all the information collected and actions performed, including:
War Room filters
War Room entries have been categorized into different types and each type has a corresponding color and bookmark allowing for quick filtering and instant recognition. The entries are listed chronologically in a card format and each card shows relevant information according to the type of entry, displaying the most important content at a glance.
Some cards expand details for a deeper analysis. For instance, playbook cards can be expanded to show the actual results of their execution.
It is also possible to add custom events to the War Room; these are classified as notes. Custom events are useful for annotating a particular event, supporting information sharing and collaboration between investigators.
The War Room helps to increase collaboration. From it the cyber team can add notes, change the ordering, activate playbooks, perform tasks, filter results and even export the War Room information.
A new Graph View renders the same timeline as a graph, giving a visual picture of how the incident developed.
War Room Graph View
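To make the flow described above concrete (a SIEM alert comes in, a playbook is chosen by threat type, automated enrichment and actions run, and only the steps that need a human are left as tasks) together with the War Room model (typed, colour-coded, chronological, filterable and exportable entries), here is an added Python example. It is not Sumo Logic's code and uses no Cloud SOAR API: the alert, the threat-intel table and the "integrations" are constructed stand-ins, and the entry types, colours and playbook steps are assumptions made for the illustration.

```python
"""Minimal SOAR-style flow (added example): ingest a SIEM alert, select a
playbook by alert type, run automated enrichment and actions, record every
step as a typed War Room entry, and leave only human steps as open tasks.
Alerts, intel and integrations are constructed stand-ins, not vendor APIs."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit
import json

# Constructed SIEM alert for the example (not real data).
SAMPLE_ALERT = {
    "id": "alert-1001",
    "type": "phishing",
    "source": "siem",
    "indicators": {
        "sender": "billing@examp1e-invoices.test",
        "url": "http://examp1e-invoices.test/login",
    },
}

# Constructed threat-intel table standing in for an integration lookup.
FAKE_THREAT_INTEL = {"examp1e-invoices.test": {"verdict": "malicious", "score": 92}}

# Assumed entry types, each with the colour a timeline UI would use for filtering.
ENTRY_TYPES = {
    "alert": "red", "playbook": "purple", "enrichment": "blue",
    "action": "green", "task": "orange", "note": "grey",
}


@dataclass
class Entry:
    ts: datetime
    kind: str
    summary: str
    details: dict = field(default_factory=dict)


@dataclass
class WarRoom:
    """Chronological, typed record of everything done on one incident."""
    incident_id: str
    entries: list = field(default_factory=list)

    def add(self, ts, kind, summary, **details):
        if kind not in ENTRY_TYPES:
            raise ValueError(f"unknown entry type: {kind}")
        self.entries.append(Entry(ts, kind, summary, details))

    def timeline(self, kind=None):
        """Entries in time order, optionally filtered to one type."""
        chosen = [e for e in self.entries if kind is None or e.kind == kind]
        return sorted(chosen, key=lambda e: e.ts)

    def export(self):
        """JSON export of the timeline, colour included, for sharing."""
        return json.dumps([
            {"ts": e.ts.isoformat(), "type": e.kind, "color": ENTRY_TYPES[e.kind],
             "summary": e.summary, "details": e.details}
            for e in self.timeline()
        ], indent=2)


def enrich_url_domain(alert):
    """Automated enrichment: look the URL host up in the (constructed) intel table."""
    host = urlsplit(alert["indicators"]["url"]).hostname
    return {"domain": host, **FAKE_THREAT_INTEL.get(host, {"verdict": "unknown", "score": 0})}


def quarantine_message(alert):
    """Automated action: stand-in for a mail-gateway quarantine call."""
    return {"sender": alert["indicators"]["sender"], "quarantined": True}


# Playbook steps: (summary, entry type, callable). A callable of None marks a
# step that needs a human; it becomes an open task instead of being run.
PLAYBOOKS = {
    "phishing": [
        ("Enrich URL domain with threat intel", "enrichment", enrich_url_domain),
        ("Quarantine message at the mail gateway", "action", quarantine_message),
        ("Confirm credential reset with the user", "task", None),
    ],
}


def make_clock(start=datetime(2024, 1, 15, 9, 31, tzinfo=timezone.utc),
               step=timedelta(seconds=5)):
    """Deterministic clock so the example timeline is reproducible."""
    state = [start]

    def tick():
        now = state[0]
        state[0] = now + step
        return now
    return tick


def run_playbook(alert, clock):
    room = WarRoom(alert["id"])
    room.add(clock(), "alert", f"{alert['type']} alert from {alert['source']}",
             **alert["indicators"])
    steps = PLAYBOOKS.get(alert["type"])
    if steps is None:
        # No SOP for this alert type: hand the whole incident to an analyst.
        room.add(clock(), "task", "No playbook for alert type; triage manually",
                 status="open", alert_type=alert["type"])
        return room
    room.add(clock(), "playbook", f"Selected playbook '{alert['type']}'", steps=len(steps))
    for summary, kind, action in steps:
        if action is None:
            room.add(clock(), "task", summary, status="open", assignee=None)
        else:
            room.add(clock(), kind, summary, **action(alert))
    return room


def open_tasks(room):
    """The only items an analyst needs to see on a SecOps-style dashboard."""
    return [e for e in room.timeline("task") if e.details.get("status") == "open"]


if __name__ == "__main__":
    room = run_playbook(SAMPLE_ALERT, make_clock())
    room.add(make_clock(datetime(2024, 1, 15, 9, 40, tzinfo=timezone.utc))(),
             "note", "Analyst: user reports having clicked the link")
    print(room.export())
    print("open tasks:", [t.summary for t in open_tasks(room)])
```

Two design points carry over to a real deployment: every automated step writes its own typed entry before the analyst is ever involved, which is what gives the "what was done before I took action" visibility, and an alert type with no playbook degrades to a single open task rather than silently doing nothing.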
Cloud SOAR also reduces your incident response time thanks to the following:
Flexibility in creating incident response processes: thanks to the Open Integration Framework, integrations can be created or modified independently, and playbooks can be continuously improved.
Easy use of SOPs: analysts find only high-value tasks to manage in the SecOps dashboard.
A powerful case manager with hundreds of custom fields for storing data in an orderly manner.
In concert with the rest of Cloud SOAR, War Room provides timely visibility of everything that has been done on a single incident and lets the team perform further actions directly from it.
Flexibility vs structured response plan vs total control of incidents
Handling many types of attack while managing so many technologies is complex. You need the flexibility to adapt cybersecurity to business processes, a structured response plan that every analyst can follow and a solution that gives easy control over all incidents and the actions performed. Cloud SOAR War Room and the other key capabilities give you overall control of every single incident, improving the efficiency and consistency of your cyber team's activities.
If you'd like to see how Sumo Logic Cloud SOAR can improve your team's collaboration and reduce incident response time, request a demo today.