Today, data is likely your most valuable and vulnerable strategic asset, and yet many of the methods for storing and protecting it are decades old. Data is not only a record of what has happened; it can also be used to anticipate the future and train machines to make human-like decisions in an instant. It has become a fungible and strategic asset that drives key processes.
As the importance and dimensions of data in organizations have grown, it’s also become a greater target for malicious actors. The way that we use data today requires not just a new security mindset but also new skill sets and new technologies around data management.
The growing category of security orchestration, automation and response (SOAR) shows how cybersecurity practices are evolving to deal with this new paradigm. SOAR covers more than just a new wave of technology solutions — it’s about reorganizing security practices to make them more efficient and effective in today’s environment.
Handling Greater Volume And Variety
Organizations today are overwhelmed by the volume of data they have to handle, and that is one of the core problems that SOAR aims to solve. By orchestrating and automating many of the responses to cyberthreats, security teams are able to deal with an exponentially larger number of incidents. Rather than requiring security teams to manually sort through every issue, the SOAR approach empowers them to set broad policies that quickly and automatically deal with many of the incidents that would typically require direct attention.
The increasing variety of threats that organizations now have to respond to is another problem that SOAR is meant to resolve. Traditional security tools have been built around known threats, tracked with signature-based detection that matches indicators of compromise (IoCs) such as file hashes, domains and IP addresses against a blocklist. But today, organizations are often facing threats that have not yet been catalogued: freshly compiled malware or newly registered infrastructure matches no existing signature and therefore cannot be blocked on that basis.
To deal with this issue, the SOAR model pairs automation with analytics and machine learning that look for adversary tactics, techniques and procedures (TTPs) rather than for a particular malicious file. A TTP-based rule asks what an intrusion does on a host or network (an Office application spawning a script interpreter, PowerShell launched with an encoded command, an executable running out of a temporary directory) and these behaviors change far less often than a file hash does. By looking for the effects of an attack instead of only the malicious code itself, teams can uncover previously unknown threats and hand the resulting alerts to automated playbooks.
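The pipeline described in the two paragraphs above, as an added example that is not part of the original article or of any vendor's product: a signature (IoC) matcher, a small set of TTP rules, and a SOAR-style response policy, all run over three constructed process-creation events. The hashes, IP addresses (from the TEST-NET ranges), host names and rule thresholds are invented for illustration. The second event carries no known indicator at all and is caught only by its behavior.

```python
"""Toy SOAR triage: IoC matching, TTP rules and an automated response policy.

Added example. All indicators, events and thresholds below are constructed
for illustration; none refer to real malware or infrastructure.
"""

# Constructed indicators of compromise (a "signature" blocklist).
KNOWN_BAD_HASHES = {"3f8a11c0deadbeef": "invoice-dropper"}
KNOWN_BAD_IPS = {"203.0.113.45"}  # TEST-NET-3 placeholder address

# Behavioral rule inputs: parents that should rarely spawn executables,
# and directory fragments that indicate a user-writable location.
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

# Constructed endpoint telemetry in the style of EDR process-creation events.
EVENTS = [
    {"host": "ws-017", "user": "alice", "parent": "outlook.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "sha256": "3f8a11c0deadbeef", "cmdline": "invoice.exe",
     "dst_ip": "203.0.113.45"},
    # Unknown tooling: no hash or IP on any blocklist, only behavior.
    {"host": "ws-042", "user": "bob", "parent": "winword.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "sha256": "a1b2c3d4e5f60718", "cmdline":
     "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
     "dst_ip": "198.51.100.7"},
    # Benign developer activity.
    {"host": "ws-042", "user": "bob", "parent": "explorer.exe",
     "image": r"C:\Program Files\Git\bin\git.exe",
     "sha256": "0f1e2d3c4b5a6978", "cmdline": "git fetch origin",
     "dst_ip": "192.0.2.10"},
]


def match_iocs(ev):
    """Signature-style detection: exact matches against known-bad indicators."""
    hits = []
    if ev["sha256"] in KNOWN_BAD_HASHES:
        hits.append(f"known-bad hash ({KNOWN_BAD_HASHES[ev['sha256']]})")
    if ev["dst_ip"] in KNOWN_BAD_IPS:
        hits.append(f"known-bad destination {ev['dst_ip']}")
    return hits


def match_ttps(ev):
    """Behavioral detection: what the process does, not what it is."""
    hits = []
    image = ev["image"].lower()
    cmd = " " + ev["cmdline"].lower() + " "
    if ev["parent"].lower() in OFFICE_PARENTS:
        hits.append("Office application spawned a child process")
    if image.endswith("powershell.exe") and (" -enc " in cmd or " -encodedcommand " in cmd):
        hits.append("PowerShell launched with an encoded command")
    if any(seg in image for seg in USER_WRITABLE):
        hits.append("executable run from a user-writable directory")
    return hits


def decide(ioc_hits, ttp_hits):
    """Response policy an analyst sets once; the platform applies it per alert.

    Any signature match, or two independent behavioral hits, is treated as
    high confidence and contained automatically; a single behavioral hit is
    ticketed for review rather than acted on, to limit false-positive damage.
    """
    if ioc_hits or len(ttp_hits) >= 2:
        return "high", "isolate_host"
    if ttp_hits:
        return "medium", "open_ticket"
    return "info", "none"


def run_playbook(events):
    """Enrich each event with detections and the policy's chosen action."""
    results = []
    for ev in events:
        iocs, ttps = match_iocs(ev), match_ttps(ev)
        severity, action = decide(iocs, ttps)
        results.append({"host": ev["host"], "user": ev["user"], "iocs": iocs,
                        "ttps": ttps, "severity": severity, "action": action})
    return results


if __name__ == "__main__":
    for r in run_playbook(EVENTS):
        print(f"{r['host']:7} {r['severity']:6} {r['action']:13} "
              f"iocs={len(r['iocs'])} ttps={r['ttps']}")
```

The point to take from the output is the second host: `match_iocs` returns nothing for it, yet the Office-parent and encoded-PowerShell rules together push it over the auto-isolate threshold. In practice the policy in `decide` is where most of the tuning happens; automatic containment on a single behavioral rule is a quick way to take a developer workstation offline for a false positive, which is why the single-hit branch only opens a ticket.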
Leveraging Machine Learning For Smarter Scanning
Identifying threats this way requires far more data than signature matching does. For example, user behavior analytics (UBA) is a prominent component of a SOAR program: it sorts through data on user activity across an environment (logon times, source hosts, volumes of data moved, resources accessed) and detects anomalies. The analysis is typically driven by machine learning models trained on large historical datasets to "learn" each user's and entity's normal pattern, and the baseline has to be built from a period believed to be clean, since activity that is already compromised becomes "normal" if it is included. The models then score new activity in real time and highlight events that deviate from the learned baseline.
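A minimal version of the baseline-then-score approach just described, added here as an example and not taken from the original article or any product. Real UEBA models use many more features and richer statistics; this one learns, per user, the usual logon hour, the set of hosts previously used and the typical outbound data volume from a constructed history, then scores constructed new events with z-scores and a first-seen check. User names, hosts and numbers are all invented.

```python
"""Toy user behavior analytics: per-user baselines and anomaly scoring.

Added example with constructed data. Each record is
(user, logon_hour, source_host, megabytes_sent).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "known good" history used to learn each user's baseline.
HISTORY = [
    ("alice", 9, "ws-017", 12), ("alice", 10, "ws-017", 8),
    ("alice", 9, "ws-017", 10), ("alice", 11, "ws-017", 15),
    ("alice", 10, "ws-017", 9), ("alice", 9, "ws-017", 11),
    ("alice", 10, "ws-017", 13), ("alice", 11, "ws-017", 10),
    ("bob", 14, "ws-042", 20), ("bob", 15, "ws-042", 25),
    ("bob", 13, "ws-042", 18), ("bob", 14, "ws-042", 22),
    ("bob", 16, "ws-042", 30), ("bob", 14, "ws-042", 21),
    ("bob", 15, "ws-042", 19), ("bob", 13, "ws-042", 24),
]

# Constructed new activity to score against the baselines.
NEW_EVENTS = [
    ("alice", 10, "ws-017", 15),       # ordinary for alice
    ("alice", 3, "srv-db-02", 900),    # 3 a.m., new host, large transfer
    ("bob", 14, "ws-042", 20),         # ordinary for bob
    ("mallory", 12, "ws-099", 5),      # account with no history at all
]


def build_baselines(history):
    """Learn a simple per-user profile: hour and volume statistics, known hosts."""
    by_user = defaultdict(list)
    for user, hour, host, mb in history:
        by_user[user].append((hour, host, mb))
    baselines = {}
    for user, rows in by_user.items():
        hours = [r[0] for r in rows]
        mbs = [r[2] for r in rows]
        baselines[user] = {
            "hour_mean": mean(hours), "hour_sd": pstdev(hours) or 1.0,
            "mb_mean": mean(mbs), "mb_sd": pstdev(mbs) or 1.0,
            "hosts": {r[1] for r in rows},
        }
    return baselines


def score_event(baseline, hour, host, mb):
    """Return (score, reasons); each deviation contributes a capped amount."""
    score, reasons = 0.0, []
    hour_z = abs(hour - baseline["hour_mean"]) / baseline["hour_sd"]
    if hour_z > 2:
        score += min(hour_z, 5)
        reasons.append(f"logon hour {hour} is {hour_z:.1f} sd from baseline")
    if host not in baseline["hosts"]:
        score += 2
        reasons.append(f"first-seen host {host}")
    mb_z = (mb - baseline["mb_mean"]) / baseline["mb_sd"]
    if mb_z > 3:
        score += min(mb_z, 5)
        reasons.append(f"{mb} MB sent is {mb_z:.1f} sd above baseline")
    return score, reasons


def detect_anomalies(history, events, threshold=4.0):
    """Score events against learned baselines; unknown users are always flagged."""
    baselines = build_baselines(history)
    flagged = []
    for user, hour, host, mb in events:
        baseline = baselines.get(user)
        if baseline is None:
            flagged.append({"user": user, "host": host, "score": threshold,
                            "reasons": ["no baseline for this user"]})
            continue
        score, reasons = score_event(baseline, hour, host, mb)
        if score >= threshold:
            flagged.append({"user": user, "host": host, "score": score,
                            "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in detect_anomalies(HISTORY, NEW_EVENTS):
        print(f"{hit['user']:8} {hit['host']:10} score={hit['score']:.1f} "
              f"reasons={hit['reasons']}")
```

Two limitations worth knowing before adapting this: a mean and standard deviation on hour-of-day breaks for shifts that straddle midnight (a circular statistic or day-part buckets fix that), and an account with no history is flagged here by design, because a brand-new identity logging on is itself something a SOC wants to look at rather than silently baseline.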
As the SOAR approach combs through massive amounts of data covering activities across the organization, we are starting to see the convergence of the network operations center and the security operations center into a single, unified team. The job of monitoring network availability has traditionally been handled by a dedicated team, but with a new security focus on network activity and gathering data from a broad range of workloads across the enterprise, it becomes more efficient and effective for network and security teams to combine their work.
Implementing A SOAR-Based Setup
When agencies are looking to get started with a SOAR approach, they need to examine their existing enterprise security architecture. It’s important to look closely at tools they’re utilizing today and find gaps in SOAR-like capabilities. While some agencies have an understanding of SOAR, many are still relying on legacy software suites that are not designed for SOAR methodology.
Agencies also need to define their top priorities and reasons they want or need to implement SOAR. The need most likely stems from bottlenecks across processes or fragmented silos of information, but there needs to be a clear understanding of how SOAR can address an agency’s specific issues.
When implementing SOAR, it's typically best to begin with a few specific use cases that address particularly troublesome pain points, such as phishing-report triage or automated enrichment of malware alerts. This not only gives teams an opportunity to fine-tune their playbooks through trial and error, but it also serves as a proof of concept that can be used as evidence throughout the organization, particularly for those who still need to be convinced to fully buy in.
For example, when it comes to protecting your data from cybersecurity threats such as ransomware, take a look at the joint Cohesity-HPE data protection solution. It helps keep your backup and unstructured data from becoming a ransomware target, provides early threat detection through machine learning-based models, and, in the worst case, supports recovery of all your primary and backup data at scale. This protects your last line of defense, your backup data, so that you can recover from a ransomware attack and maintain business continuity.
Dealing with the next wave of cyberthreats will force organizations to take a more nimble and responsive approach to security in a way that can respond to attacks even when their origin is unknown. The SOAR approach requires us to rethink existing security architecture and tools to include a much broader range of potential threats, powered by a much broader examination of data from every corner of the organization.
This article first appeared on Forbes.com.
Chief Technology Officer, Federal and US East
Steve Grewal, a veteran C-level technology executive and a public sector change agent, has worked for several federal agencies where he has overseen many significant IT innovation projects. He is also a Forbes Technology Council member and regularly writes for leading tech publications. Grewal served as deputy chief information officer for the U.S. General Services Administration (GSA) and also held senior positions (CIO/CTO/CISO) at GSA, Depts. of Education, Transportation and HHS before taking on the role of chief technology officer, federal and U.S. East, at Cohesity.