Integration Can Help Your Cyber Resilience SOAR

No matter how skilled or well-staffed security organizations are, the volume of attacks, incidents, and alerts they face is outstripping their abilities to respond manually. One recent survey found that 70% of organizations have seen alerts more than double in five years; 83% are experiencing “alert fatigue,” and 99% call high alert volumes a real problem.[1]

It’s no wonder: Large organizations average more than 75 different point security solutions that create constant noise. Alerts come from web and email gateways, anti-malware services, intrusion detection and prevention systems and many other sources. To quickly parse and act on all this information, organizations are turning to Security Orchestration, Automation and Response (SOAR) systems. For SOAR to succeed, it must seamlessly integrate all your security tools and infrastructure. Open APIs promote that integration.

Why Integration Is Critical to SOAR Performance

To understand the importance of integration, consider what SOAR systems do, and why. As Gartner’s definition of SOAR puts it, these systems “enable organizations to collect security threat data and alerts from different sources, where incident analysis and triage can be performed using a combination of human and machine power to help define, prioritize and drive standardized incident response activities according to a standard workflow.”[2]

In SOAR, orchestration comes first. The system must maintain robust connections with your disparate security tools, services, and infrastructure you’re using, now or in the future. Your SOAR system must capture continually up-to-date information from those systems, and be able to direct their responses.

With that foundation in place, SOAR can begin automating a wide array of security and incident response tasks that humans shouldn’t have to do manually, and couldn’t possibly do as quickly. Common examples include running anti-malware scans, blacklisting or temporarily quarantining risky IP addresses, and closing ports.

In many cases, organizations translate their existing incident response playbooks into automated processes that SOAR can execute without human intervention. As SOAR systems become more sophisticated, draw on richer datasets, and utilize more advanced machine learning, they can get smarter about evaluating events. They can give security analysts more help in hunting threats and reducing mean time to resolution.[3] Humans still direct the automation, but at a higher level – for example, taking precautions to avoid automations that attackers can recognize, evade, or deceive.

Again, however, all this rests on a foundation of strong data integration.

Open APIs Facilitate Integration – and Reliable Automation

Platform providers attempt to provide SOAR integrations with as many third-party security products as possible. When those security products don’t expose open APIs, such integrations can be more difficult to create, maintain, and customize – both for the platform provider, and for the customer. Even if your own security team doesn’t plan to get under the hood and tweak the “connective tissue” linking your SOAR platform with other tools, open APIs make it easier for those who might – whether that’s your SOAR provider or a third-party consultant.

When security providers offer open APIs, they are making stronger commitments to developers about how connections to their systems should be built, and how those connections will behave. They are providing standardized, supported ways to handle tasks like authorization and authentication, accessing logs, listing users or messages, creating or populating groups, or executing policies.

In addition, when a provider offers a shared set of open APIs across an entire family of products, the value of that product family increases relative to point solutions without shared APIs. Such APIs give customers another reason to establish strong strategic relationships with a few security providers rather than continuing to work with dozens of point vendors.

The best open APIs give developers proven sample code to start from, full documentation, dedicated staging environments to help developers test their integrations, and support from the team that built the API and the underlying security tool. All this translates to faster, easier integration – and to greater confidence that automated processes will be consistently repeatable, and that today’s SOAR integrations will work tomorrow.

The Bottom Line

SOAR platforms are designed to help security organizations act effectively on the massive amounts of security data they are collecting. They help recognize real attacks amidst the noise generated by thousands of alerts, letting you more quickly halt and mitigate attacks, thus improving cyber resilience. Reliable integration makes security orchestration, automation, and response possible – and open APIs make integration easier for everyone.

[1] “Security alerts more than doubled in the last 5 years, SecOps teams admit they can’t get to them all,” Help Net Security

[2] “Understanding the Power of SOAR for Government,” Security Boulevard

[3] “The LogicHub Difference,” LogicHub