Best Practices for Modern SOC Management


Running a SOC whose customers rely on analysts to quickly detect, investigate and resolve security incidents requires capable tooling. As a result, many SOC operators deploy Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) platforms. This is a good first step, but it is not enough: even with a traditional SOAR solution in place, many SOCs still face the same challenges.

The top five challenges facing operators of a modern SOC are:

#1 – Overwhelming Number of Alerts and False Positives 

The orchestration component of SOAR centralizes high volumes of alerts into a single platform through integrations. Even though many repetitive tasks are automated, many alerts are not actionable, for example alerts built on weak signals, many of which turn out to be false positives. Human interaction is still required for alert prioritization, proper investigation and response, which can consume up to 80% of an analyst's time and is prone to error.

#2 – Case Management  

It is not practical to triage every alert one by one; alerts must be collected and analyzed into cases tied to specific incidents. Consolidating alerts into cases with the relevant context is still a highly manual process that requires skill and may take several attempts before all related alerts end up in the right case.
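To make the case-building step concrete, here is an added example (it is not DTonomy's code or method, and the alert records and scoring rule are constructed for illustration). It links alerts that share an entity such as a host, user or IP within a time window into one case, then ranks cases by the strongest alert plus corroboration from independent detection sources. The effect addresses both challenges above: a lone low-severity port scan sinks to the bottom of the queue, while a weak impossible-travel signal that lines up with EDR and proxy alerts on the same host and user is escalated as part of one case.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts for this example (not real telemetry). Each alert
# names the entities it involves so that alerts about the same host, user or
# IP can be linked into one case.
ALERTS = [
    {"id": "A1", "ts": "2023-05-01T10:00:00", "source": "edr", "rule": "suspicious_powershell",
     "severity": 3, "entities": {"host": "ws-042", "user": "j.doe"}},
    {"id": "A2", "ts": "2023-05-01T10:03:00", "source": "proxy", "rule": "c2_domain_lookup",
     "severity": 4, "entities": {"host": "ws-042", "ip": "203.0.113.7"}},
    {"id": "A3", "ts": "2023-05-01T10:20:00", "source": "idp", "rule": "impossible_travel",
     "severity": 2, "entities": {"user": "j.doe"}},
    {"id": "A4", "ts": "2023-05-01T11:30:00", "source": "fw", "rule": "port_scan",
     "severity": 1, "entities": {"ip": "198.51.100.9"}},
    {"id": "A5", "ts": "2023-05-01T14:00:00", "source": "edr", "rule": "suspicious_powershell",
     "severity": 3, "entities": {"host": "ws-042", "user": "svc-backup"}},
]


def build_cases(alerts, window_minutes=60):
    """Group alerts into cases: two alerts join the same case when they share
    an entity (host, user, ip, ...) and the later one occurs within the window
    of the previous alert on that entity. Linking is transitive (union-find),
    so A1-A2 via a host and A1-A3 via a user put all three in one case."""
    window = timedelta(minutes=window_minutes)
    ordered = sorted(alerts, key=lambda a: a["ts"])
    parent = {a["id"]: a["id"] for a in ordered}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    last_seen = {}  # (entity_type, value) -> (alert_id, timestamp)
    for a in ordered:
        t = datetime.fromisoformat(a["ts"])
        for key in a["entities"].items():
            prev = last_seen.get(key)
            if prev is not None and t - prev[1] <= window:
                union(prev[0], a["id"])
            last_seen[key] = (a["id"], t)  # older activity ages out of the window

    groups = defaultdict(list)
    for a in ordered:
        groups[find(a["id"])].append(a)
    return list(groups.values())


def summarize(case):
    """Attach context and a priority score. The score is an illustrative
    heuristic, not a standard: the strongest alert's severity plus one point
    for every additional independent detection source corroborating the case,
    so a lone weak signal stays low and a corroborated one is escalated."""
    entities = set()
    for a in case:
        entities.update(a["entities"].items())
    sources = {a["source"] for a in case}
    priority = max(a["severity"] for a in case) + (len(sources) - 1)
    return {
        "alerts": [a["id"] for a in case],
        "first_seen": case[0]["ts"],
        "entities": sorted(f"{k}={v}" for k, v in entities),
        "sources": sorted(sources),
        "priority": priority,
    }


def triage(alerts, window_minutes=60):
    """Cases in analyst-queue order: highest priority first, earliest first
    among equals."""
    cases = [summarize(c) for c in build_cases(alerts, window_minutes)]
    return sorted(cases, key=lambda c: (-c["priority"], c["first_seen"]))


if __name__ == "__main__":
    for c in triage(ALERTS):
        print(c["priority"], c["alerts"], c["sources"], c["entities"])
```

With the default 60-minute window the later PowerShell alert on ws-042 (A5) becomes its own case; widening the window to six hours folds it into the first case. That trade-off is the point of the example: a narrow window splits one intrusion into several cases, a wide one merges unrelated activity on a shared host, which is why the page describes case consolidation as still needing analyst judgment. A production SOAR would add asset criticality, threat-intelligence hits and analyst feedback to the score; those are omitted here.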

#3 – Root Cause Analysis 

Alerts can be investigated and resolved, and some lead to definitive actions, but many are closed without a definitive root cause or explanation because of the amount of work required to determine it. Resolving incidents without understanding the root cause increases security risk: the underlying weakness remains and the same incident is likely to recur.

#4 – Workflows 

SOAR automation can streamline operations and define workflows that encode the investigation logic and process, but because the environment is continually changing and evolving, the workflows must be able to adapt and improve as well.

#5 – Collaboration 

SOAR enables more collaborative processes across teams, but relying on analysts to catch every error is not possible, especially in high-pressure situations. Simply automating steps in the process, without reducing the number of false positives, surfacing patterns and recommending actions, leaves room for error and may negatively impact your business.

SIEM and SOAR are a great first step toward orchestrating and automating SOC operations. What is needed to truly improve detection and investigation and to reduce Mean Time To Respond (MTTR) is AI-assisted SOAR.

DTonomy's AI-Assisted SOAR addresses the challenges above by dramatically reducing the number of false positives, improving case management and root cause analysis, and providing insights and recommended actions so that analysts can respond faster and with greater confidence.

DTonomy AIR augments, but does not replace, the human effort in your SOC; humans remain crucial to the process. AIR's AI lets analysts take action with more confidence because it is:

  • Transparent – provides deep yet clear insights that are understandable and explainable to humans; each insight is supported by data and evidence
  • Controllable – analysts can edit what the AI suggests in an easy and intuitive way
  • Adaptive – the AI engine continuously recomputes, listens to the security analyst's feedback and provides refreshed insights about your unique environment

To see how a modern SOC can achieve better results, request a demo: https://www.dtonomy.com/demo/


Copyright © 2023 By DTonomy Inc.
