By Michael Morris, Director of Global Business Development, Endace
We’ve all read the news and seen the stats, so it comes as no surprise that SecOps teams are incredibly short-staffed and there is no quick fix. But the actual numbers are quite staggering: more than four million professionals are needed worldwide to close the cybersecurity skills gap, and that number is expected to increase exponentially in years to come ((ISC)2 Research, Nov 2019). SecOps and NetOps teams are consistently being tasked to “do more with less,” while managing a growing number of ever more sophisticated cybersecurity threats. And today, with the global pandemic forcing workforces to work remotely, there’s also a greater chance of network vulnerabilities.
But here’s where it gets awkward. You can’t fix your issues and add headcount to your security team by hiring a couple of hoodie-wearing hackers. You need qualified, knowledgeable staff. And there just aren’t enough senior, enterprise security professionals who have hands-on experience with best-practice security operations, methods, and tools.
In a report released last year (July 2020) from IBM/Ponemon, the biggest cost impact of a data breach was the time it takes to detect threats. The average time to detect and contain a breach was 280 days at an average cost of $3.86 million. However, if an enterprise could detect and contain a breach in less than 200 days, the costs decreased by an average of $1.1 million per breach. Furthermore, an average security analyst receives up to 11,000 alerts a day according to a recent Palo Alto Networks survey of approximately 200 customers (July 2020). Of those, only 17% are touched by automation, leaving 7,000 alerts that require manual intervention, triage, and investigation. The sheer volume of items to investigate is overwhelming.
Organizations need to increase the efficiency of their SecOps teams and improve their ability to train new hires because faster response times reduce company and financial exposure to threats. To do this, many companies are turning to SOAR: Security Orchestration, Automation, and Response.
Let’s quickly define SOAR. Security…
- Orchestration: enables management, coordination, and collaboration between hardware devices and software applications on the network;
- Automation: once security tools are orchestrated, senior staff can create scenarios to automatically trigger security protocols and processes;
- Response: when automated, those scenarios translate into programmed playbooks that collect and collate useful information and trigger automated actions that allow rapid response to threats in real-time.
SOAR gives SecOps and NetOps teams an open platform methodology that works with security hardware and tools you already have installed and know how to use. It builds upon and shares the existing expertise within your organization to provide better integration with workflows. This means better collaboration between teams and staff, faster action on potential threats, rapid escalation and prioritization when needed, and reduction of alert fatigue in the SOC.
Packet capture advances SOAR by providing irrefutable evidence at the packet level, required for fast and conclusive investigation and response. Packet data is unique: it is the only way to obtain unambiguous, substantive information about precisely what happened and when. This evidence can be collected, preserved and archived, allowing security analysts and threat hunting teams to store evidence for each investigation. Automation of the archival process and preserving everything related to an event – including the actual packets – mitigates the time pressure on SecOps to triage and complete the investigation of events before the information is lost. Packet capture also creates a trusted, tamper-proof source of evidence that can be invaluable in cases where other tools, or teams, are seeing conflicting or ambiguous results.
Packet capture is very affordable with today’s technologies and provides the crucial data for network forensics: establishing what occurred before, during and after a specific threat event. It not only alerts cybersecurity staff to issues, but it can also capture malware and other binaries, and indicate who may have been targeted, and how, in an attack. Traffic captured before an event happened gives valuable forensic insight, and inspection of the threat vectors lets SecOps quickly assess the sophistication of an attack.
When combined with packet capture, SOAR allows SecOps teams to institute a repeatable process for dealing with threats with a mature and thorough response. Less experienced staff can be more effective by following a well-designed incident response process to collect evidence, including packet captures, triage incidents and implement remediation actions. SOAR processes can be fully automated to do a lot of the work without human involvement — for example, suspicious file objects can be extracted from captured packets and detonated in a sandbox or submitted for analysis to other security analytics tools such as cloud-based virus scanners.
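As an added illustration of the two playbook steps described above (archiving event packets as tamper-evident evidence, and carving file objects out of captured packets for sandbox submission), here is a small Python playbook stage that is not Endace code or part of the original article. It parses a constructed, minimal pcap file embedded inline, carves HTTP response bodies as file objects, and records SHA-256 hashes in an evidence manifest that can later be re-verified; all function names and the sample capture are assumptions for this example.

```python
import hashlib
import struct

# Constructed sample traffic (not a real capture): one HTTP response carrying
# a small "file object" that a playbook would hand to a sandbox.
HTTP_BODY = b"constructed-sample-file-object-bytes"
HTTP_RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
             b"Content-Length: %d\r\n\r\n" % len(HTTP_BODY)) + HTTP_BODY

def build_pcap(payload: bytes) -> bytes:
    # Minimal pcap: global header (magic, v2.4, linktype 147 = DLT_USER0 so the
    # record payload is treated as raw bytes) followed by one packet record.
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 147)
    record = struct.pack("<IIII", 1600000000, 0, len(payload), len(payload))
    return header + record + payload

SAMPLE_PCAP = build_pcap(HTTP_RESP)  # constructed evidence for the example

def iter_records(pcap: bytes):
    # Yield (timestamp_seconds, packet_bytes) for each record after the 24-byte header.
    off = 24
    while off + 16 <= len(pcap):
        ts, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield ts, pcap[off:off + incl_len]
        off += incl_len

def carve_http_bodies(pcap: bytes) -> list:
    # Extract file objects delivered as HTTP response bodies (Content-Length framed).
    objects = []
    for _, pkt in iter_records(pcap):
        if pkt.startswith(b"HTTP/1.") and b"\r\n\r\n" in pkt:
            head, body = pkt.split(b"\r\n\r\n", 1)
            for line in head.split(b"\r\n"):
                if line.lower().startswith(b"content-length:"):
                    objects.append(body[:int(line.split(b":", 1)[1])])
    return objects

def build_evidence_manifest(alert_id: str, pcap: bytes) -> dict:
    # Hash the whole capture and every carved object at archive time, so that
    # later analysis can prove the evidence is unchanged and sandbox results
    # can be tied back to exact object hashes.
    objs = carve_http_bodies(pcap)
    return {"alert_id": alert_id,
            "pcap_sha256": hashlib.sha256(pcap).hexdigest(),
            "objects": [{"sha256": hashlib.sha256(o).hexdigest(), "size": len(o)}
                        for o in objs]}

def verify_manifest(manifest: dict, pcap: bytes) -> bool:
    # Re-hash the archived capture; any tampering changes the digest.
    return manifest["pcap_sha256"] == hashlib.sha256(pcap).hexdigest()
```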
Senior security analysts are then free to focus on improving security processes, moving to more proactive “threat-hunting” activities, coaching and training junior staff, and responding only to the most serious incidents. And because all the relevant evidence has been reliably collected and collated in the SOAR war room or evidence board, the incident response process is much faster and a lot more reliable. This means more time to enhance the growing collection of automated incident response procedures and further improve the SOC team’s long-term effectiveness.
The result? Alert and tool fatigue are reduced; learning curves are shortened; processes are defined in advance rather than improvised under pressure, and that means there’s far less drama and trauma in the SOC – thus increasing morale and staff retention. Hiring new employees is streamlined, too: because the processes are automated, documented, and standardized, less experienced staff can get up to speed faster and contribute to the team’s success more effectively.
SOAR combined with packet capture is not a total cure-all to the cybersecurity workforce shortage, but it absolutely can provide a pathway to more efficient and effective use of resources: time, money, and HR.
About the Author
Michael Morris leads business development and technology alliances at Endace. He is responsible for building a technology alliance ecosystem with strategic vendors in the industry that provides customers with easy workflows and flexibility in leveraging Endace’s packet capture platform. Michael is the host of the award-winning vidcast, Packet Forensics Files. Prior to joining Endace, Michael was the Senior Director for product management at CA Technologies driving the Infrastructure Management Business Unit. Michael has over 20 years of experience in software and hardware solutions for infrastructure and network management and security.