How SOAR, SIEM and the cloud can help organisations overcome the cybersecurity skills gap

By Ross Brewer, VP & MD EMEA, LogRhythm

In today’s data security climate, it’s becoming clear that we are all in danger of being breached at any point and it’s a matter of when, not if.

With threats coming from every angle, organisations, and the cybersecurity professionals they rely upon, are increasingly struggling to keep level with this ever-present security challenge; and this dynamic is being felt across the industry. A 2018 CyberEdge survey revealed that 77 per cent of respondent organisations were compromised during the 12 months ahead of the study.

SOCs under strain –the cyber skills gap

Security professionals, particularly those working in smaller teams, frequently operate in a high-pressure, stressful, environment. Recent spates of high-profile GDPR violations, and the resultant pressure from leadership to adopt new technologies, with limited budget, to avoid suffering the same fate have only exacerbated the situation.

In recent years, enterprises have increased investment in cybersecurity tools dedicated to network monitoring and threat detection. In the current threat landscape the result is that these tools generate thousands to tens of thousands of daily alarms for security teams to handle. Security operations centres (SOCs) are therefore forced to commit considerable time to containing and investigating potential attacks.

This is a convoluted, manual process. There is an expectation for security teams to follow labyrinthine guidelines, including numerous steps requiring comprehensive understanding of multiple products in order to correlate the data they produce and decide whether an alarm is a false positive or genuine threat. The time-sink is enormous, even for SOCs that are well-equipped to meet such challenges. Containing attacks is always a race against time, and under-resourced security teams on tight budgets are struggling to stay ahead of the clock.

One solution to this issue would, of course, be to hire more security-dedicated staff. However, there is a skills deficit in the industry making it different to find the right people to hire..

The cybersecurity skills gap in the UK is ever-widening, with a key area of concern being a shortage of cloud expertise. A recent Rackspace report ‘The Cost of Cloud Expertise’ revealed that only 26 per cent of UK IT professionals are adequately experienced in cloud security. Given that 88 per cent of UK businesses are now reliant on some form of cloud technology, the severity of the skills deficit cannot be overstated.

A shift in cyberthreat management to alleviate the budget and resources challenges

The problems faced by budget-constrained and resource-limited SOCs need an answer, and the combination of embedded security orchestration, automation and response (SOAR) tools, and cloud-hosted security information and event management (SIEM) could be a likely solution.

SOAR is a catch-all term to describe the emerging category of platforms born of incident response, security automation, case management, and other tools that enable SOCs to deliver the level of efficiency today’s cybersecurity climate requires. Nowadays most best-of breed SIEM solutions include embedded SOAR capabilities, and industry analysts see these two markets increasingly converging in years to come.

At the most fundamental level, a SOAR approach automates a lot of the manual,  time-consuming tasks usually undertaken by SOCs. Many SOCs are burdened with a plethora of admin-based jobs, including writing up reports and documenting security procedures. SOAR can lighten this burden by reducing paperwork and improving reporting capabilities by aggregating intelligence from numerous sources and then displaying them in a visual dashboard. In such a way, SOAR removes the need for these tasks to be completed manually enabling the focus to stay on top priority tasks and the true threats.

SOAR enables security teams to create customisable workflow and controls, helping to remove the complexity from investigating, threats that might endanger the corporate network. Such capabilities – when paired with the use of case playbooks – free analysts from having to use multiple platforms when responding to issues, which further accelerates response times and ensures that no threats will slip by unnoticed. SOAR supports the entire threat investigation process leading to an increase in productivity and efficiency when dealing with cyberthreats.

How SOAR works – a breakdown

A key advantage that SOAR delivers to security teams is trackable metrics. It is crucial for analysts to understand the effectiveness of their workflows as well as rapidly detecting and responding to real threats. SOAR metrics include mean time to detect (MTTD), mean time to respond (MTTR), time to qualify (TTQ) and time to investigate (TTI). 

These metrics help analysts to better focus the activities of their SOC where they are needed, while also empowering team leaders to audit the overall business value that is being driven by the team. In the regulatory-heavy environment impacting today’s security professionals, these metrics can be used as evidence to exhibit security compliance should regulatory bodies demand it.  

Automation provides efficiency and cost saving; however, the SOAR approach is not solely software driven – SOAR aligns people, processes, and technology to improve response to cyber risks. Despite the relatively substantial upfront cost to initiating SOAR, the resulting collaboration between security, IT and operational technology (OT) teams is essential for organisations hoping to achieve swift and effective results.

Enter the cloud

Whilst the benefits of a SIEM/SOAR approach for unburdening stretched SOCs have been laid out quite clearly above, this should by no means be considered future-proof. The threat landscape is constantly evolving, budgets can be tightened further and the cybersecurity skills gap is arguably widening. . Further efficiency gains will be needed if SOCs are to remain effective against cyberthreats.

SIEM/SOAR hosted in the cloud will be the next step in allowing SOCs to do more with less. On top of the benefits detailed above, cloud-hosted SIEM/SOAR reduces the operational overhead associated with maintaining technology infrastructure (as the provider will do so), as well as being faster to deploy than a traditional on-premises solution. When operating in an environment where the smallest of margins can separate success or failure, the incremental gains of cloud can and will prove vital.

SIEM/SOAR in the cloud is still a relatively immature market, and many providers’ cloud offerings do not offer the same feature parity with their on-premises versions. As more businesses initiate a cloud-first strategy, cloud-based SIEM/SOAR will mature, develop and proliferate.

With skills short and threats high, businesses need to do everything in their power to ensure their security professionals are well-equipped for the mammoth task at hand. If there are obstacles in a SOCs’ way, be they too many manual-processes, infrastructure management tasks or too few hands on deck, business leaders need to ensure there is a plan to remove them. A cloud-driven, orchestrated and automated solution promises to be the future for evening the odds for security professionals.

About the author

In his capacity as Vice President and Managing Director of Europe, the Middle East and Africa (EMEA), Ross Brewer brings nearly 30 years of sales and management experience delivering outstanding results for high tech organizations around the globe.

As a respected thought leader and featured presenter on leading information and cyber security topics, he is often cited as an expert in a variety of top tier media publications.

Prior to joining LogRhythm, he was a senior executive at LogLogic where he served as Vice President and Managing Director of EMEA.

Brewer previously held key leadership roles in Europe and the South-Pacific region, on multiple senior executive leadership teams for several companies including systems and security management vendor NetIQ, security vendor PentaSafe (acquired by NetIQ) and Symantec, each time delivering consistent, rapid growth over several years.”