Detection and response
How to automate and accelerate the work of a Security Operations Center?
Many organizations are struggling with security department overload. At one company in the energy industry, a SIEM-class product recorded as many as 2,000,000 events in a week. More than 12,000 of these required review. The security team was only able to handle 700 during that time – far too few relative to the demand.
What’s more, it turned out that more than 200 hours elapsed between the moment information about an incident surfaced and its closure, even though the hands-on work needed to handle it was only 20 minutes.
How do you automate and speed up the SOC’s work in such situations? And why is such a small share of the work actually handled?
This is due to:
- Overloading the team with tasks.
- Lack of prioritization of tasks.
- Excessively long time from incident occurrence to action.
- Long time to handle repetitive incidents.
Artificial intelligence is a lifesaver for organizations exposed to a high number of attacks. Automating repetitive processes relieves SOC teams from performing tedious tasks and thus speeds up and streamlines their work. Implementing a SOAR – Security Orchestration, Automation and Response – solution helps organize incident response processes and better control their progress. It also supports more effective management of security incidents in the organization.
A modern SOC requires automating tasks, setting priorities for incident handling, and distinguishing real incidents from false positives more accurately in the early stages of handling. A SOAR solution that comprehensively addresses the needs of today’s cybersecurity departments is Cortex XSOAR from Palo Alto Networks.
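A minimal illustration of the two playbook steps named above: grouping repetitive alerts and auto-closing patterns the SOC has already judged low relevance, so analysts only see the prioritized remainder. This is an added example with constructed alerts, not code from the article or from Cortex XSOAR; the alert field names and the benign-pattern table are assumptions.

```python
from collections import defaultdict

# Constructed sample alerts (assumption: fields resemble a SIEM export).
ALERTS = [
    {"id": 1, "rule": "failed_login",   "src": "10.0.0.5",  "severity": 2},
    {"id": 2, "rule": "failed_login",   "src": "10.0.0.5",  "severity": 2},
    {"id": 3, "rule": "failed_login",   "src": "10.0.0.5",  "severity": 2},
    {"id": 4, "rule": "port_scan",      "src": "10.0.0.9",  "severity": 1},
    {"id": 5, "rule": "port_scan",      "src": "10.0.0.9",  "severity": 1},
    {"id": 6, "rule": "malware_detect", "src": "10.0.0.21", "severity": 4},
    {"id": 7, "rule": "malware_detect", "src": "10.0.0.21", "severity": 4},
    {"id": 8, "rule": "data_exfil",     "src": "10.0.0.33", "severity": 5},
]

# Repetitive patterns the SOC has reviewed once and documented as low
# relevance; a playbook may close new repeats automatically (assumption).
KNOWN_BENIGN = {
    ("port_scan", "10.0.0.9"): "authorized vulnerability scanner",
    ("failed_login", "10.0.0.5"): "stale service-account password, ticket open",
}

def fingerprint(alert):
    """Alerts with the same rule and source are treated as one incident."""
    return (alert["rule"], alert["src"])

def triage(alerts, known_benign=KNOWN_BENIGN):
    """Group alerts, auto-close documented benign repeats, rank the rest."""
    groups = defaultdict(list)
    for a in alerts:
        groups[fingerprint(a)].append(a)
    auto_closed, queue = [], []
    for (rule, src), members in groups.items():
        if (rule, src) in known_benign:
            # Playbook step: close as repetitive, recording the reason.
            auto_closed.extend(m["id"] for m in members)
            continue
        queue.append({"rule": rule, "src": src, "count": len(members),
                      "severity": members[0]["severity"],
                      "ids": [m["id"] for m in members]})
    # Highest severity first; among equals, the noisiest group first.
    queue.sort(key=lambda g: (-g["severity"], -g["count"]))
    return {"auto_closed": auto_closed, "queue": queue}

def analyst_share(result, total):
    """Fraction of raw alerts that still reach a human analyst."""
    return sum(len(g["ids"]) for g in result["queue"]) / total

if __name__ == "__main__":
    r = triage(ALERTS)
    print(f"auto-closed {len(r['auto_closed'])} of {len(ALERTS)} alerts")
    for g in r["queue"]:
        print(g["severity"], g["rule"], g["src"], g["count"])
```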
It was able to increase the efficiency of the security team by redirecting its energy from simple, repetitive tasks to handling more demanding incidents.
Incident handling time was also reduced. Thus, the integration of the tool into the organization's IT solution architecture has significantly contributed to enhancing its cyber security. The measured results:
- Handling time reduced to zero for 80% of events, because of their repetitiveness and low relevance.
- Time-consuming handling of 19% of events reduced to 10 minutes, thanks to streamlined processes.
- Average incident lifetime reduced from 200 hours to 5-30 minutes through task prioritization.