When you're in the Act stage of your journey, you'll be focused on responding to qualified threats by using a tool like Splunk SOAR. Security Orchestration, Automation, and Response (SOAR) platforms help to clear out mundane tasks that tie up your security administrators' time by employing automation, while also offering orchestration across security infrastructures to boost productivity. SOAR enables them to handle more incidents, investigate the most important issues more deeply, and broadly improve their organization’s overall security posture.
Using tools like Splunk SOAR to help you respond to threats is essential because responding manually is not usually scalable. Additionally, because this task is time-sensitive, delayed manual responses can be problematic.
Automating the entire process of threat response lifts the burden of handling thousands, or sometimes even millions, of alerts from your analysts, so they don't have to decide which alerts to act on and which can be ignored. You can cut the time it takes to respond to and recover from incidents, which can be days or much longer if you don't have an adequate staff of qualified people. And you can prevent your team from suffering from alert fatigue, and reduce the possibility of missed threats and errors made as teams try to deal with issues quickly and unexpectedly.
If you're a user of Splunk Cloud Platform or Splunk Enterprise, this content can still help you understand the strategies you should use to augment your response to threats. You can find use cases that apply to all Splunk products in the Lantern Security Use Case Library.
What is security automation and orchestration?
Security automation is the machine-based execution of security actions with the power to programmatically detect, investigate, and remediate cyber threats without the need for human intervention.
Security automation can:
- Detect threats in your environment.
- Triage potential threats by following the steps, instructions, and decision-making workflow established by security analysts to investigate the event and determine whether it is legitimate.
- Determine whether to take action on the incident.
- Contain and resolve the issue.
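As an added illustration of the triage workflow described above (example code written for this page, not Splunk SOAR code and not its playbook API), the following Python models a playbook: it enriches each alert's artifacts against a constructed bad-indicator list, applies an assumed analyst-defined decision rule, and records the artifacts and the chosen action in a case record.

```python
"""Constructed illustration of a SOAR-style triage playbook.

Not Splunk SOAR code: the alert format, the indicator list and the
decision rule are assumptions made for this example.
"""
from dataclasses import dataclass, field

# Constructed indicator data standing in for a threat-intel enrichment action
# (documentation-range IP and a reserved example domain).
KNOWN_BAD = {"ip": {"203.0.113.7"}, "domain": {"bad.example"}}


@dataclass
class Case:
    """Case-management record: one incident with every artifact examined."""
    alert_id: str
    artifacts: list = field(default_factory=list)
    matches: list = field(default_factory=list)
    action: str = "undetermined"


def enrich(artifact):
    """Enrichment step: True when the artifact value is on the constructed bad list."""
    return artifact["value"] in KNOWN_BAD.get(artifact["type"], set())


def triage(alert):
    """Playbook: enrich artifacts, then apply the analyst-defined decision rule."""
    case = Case(alert["id"])
    for art in alert["artifacts"]:
        case.artifacts.append(art)          # track every artifact for the case
        if enrich(art):
            case.matches.append(art["value"])
    # Decision rule (an assumption): confirmed-bad indicator -> contain,
    # high severity but unconfirmed -> escalate to an analyst, otherwise close.
    if case.matches:
        case.action = "contain: block " + ", ".join(case.matches)
    elif alert["severity"] in ("high", "critical"):
        case.action = "escalate"
    else:
        case.action = "close: false positive"
    return case


def run_playbook(alerts):
    """Run the playbook over a batch of alerts and return one case per alert."""
    return [triage(a) for a in alerts]


# Constructed sample alerts standing in for events ingested from a SIEM.
SAMPLE_ALERTS = [
    {"id": "A-1", "severity": "high", "artifacts": [{"type": "ip", "value": "203.0.113.7"}]},
    {"id": "A-2", "severity": "high", "artifacts": [{"type": "ip", "value": "198.51.100.20"}]},
    {"id": "A-3", "severity": "low", "artifacts": [{"type": "domain", "value": "intranet.example"}]},
]

if __name__ == "__main__":
    for case in run_playbook(SAMPLE_ALERTS):
        print(case.alert_id, case.action)
```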
Security orchestration is the machine-based coordination of a series of interdependent security actions across a complex infrastructure. It ensures that all of your security tools - and even non-security tools - are working together, while automating tasks across products and workflows.
Security orchestration coordinates incident investigation, response and ultimately resolution. Additionally, by compiling everything in one place and displaying it on a single dashboard, it eliminates the need for security analysts to navigate multiple screens and systems.
Security automation and security orchestration are terms that are often used interchangeably, but the two actually serve very different roles. Among other things, security automation reduces the time it takes to detect and respond to repetitive incidents and false positives, so alerts don't linger unaddressed for ages. It also frees security analysts' time to focus on strategic tasks, like investigative research. However, security automation is limited in that each playbook addresses a known scenario with a prescribed course of action.
Explore automation and orchestration focal areas and find your use cases
If you're at the Act stage of your journey, explore the following focal areas to find use cases you should apply.
- Automating incident response: Deliver the right alerts to the right people, reducing the time to acknowledge and resolve incidents by automating the incident response process.
- Collaboration and case management: Track all the different artifacts associated with a particular security incident when an alarm goes off, indicating a new threat that needs to be examined.