Slide 2
What is Security Orchestration, Automation & Response? Why do I care or need it?
Slide 3
Alert pipeline: Multiple Login Attempts -> Auth Events -> SIEM Rules -> Alert
Mission: Block Malicious Intent or Close as False Positive

Triage questions and responses:
Source: Who is? Geolocation? Reputation? Threat Intel?
Target: Asset? Owner? Cause? Who else?
Response: Block IP, Disable Account, Patch Vulnerability

TTR: 12 mins? | Status: False Positive? | Next: 100+ alerts in queue

What are the key things Security Teams should look to automate?
• Email Phishing
• Endpoint Infections
• Hunt, Block & Tackle
• Incident Response

What are the key elements needed to be ready for SOAR?
• 3+ Security Tools
• 3+ Security Staff
Slide 4
Challenges that SOAR Solves in the Current Environment
Challenges: Alert Fatigue, Slow Response Times, Lack of Collaboration

Alerts Overload
Lenient Rules > False Positives > Alert Fatigue
Strict Rules > True Negatives > Weak Security

Multiple, Disintegrated Tools
Fact: You would easily have 18 to 25 products to deal with
Question: How many SIEMs or Firewalls can you learn?
Manual and inconsistent responses cause a weak security posture

Solution: SOAR augments the human analyst
• Single Pane of Glass to manage all activities of the SOC
• Measure and boost SOC efficiency
• Deliver consistent investigation and response
• Leverage automation without programming skills

Salient Features and Use Cases
• Integrated with SIEM to receive, respond to and close the alert
• Automated triaging, enrichment, investigation and remediation
• Investigations for Phishing, C&C, Data Exfiltration etc.
• Automated remediation with human approval
• Integrations with 250+ products, 3000+ actions
Slide 6
Why you want an Incident Response and Automation Platform

SOAR Platform
Incident Response Platform: Highly Configurable, Role-based Access, Multi-Tenant, Case Management
Orchestration & Automation: Playbooks, Connectors/Integrations

Case Management
• Highly configurable platform
• Contextual data visualization
• Build your own modules

Automated Playbooks
• Visual Playbook Designer
• Out-of-box connectors
• Real-life use case reference content

Multi-Tenant
• Distributed/Federated architecture
• Control access to data and playbooks
Slide 7
SOAR Automates Information Flow & Incident Response

Inputs: SIEM Alerts, eMails, Other Alerts (EDR, IDS etc.) -> SOAR Alert Record -> Response Playbooks (via Integrations) -> Actionable Data

Observe: Enriched contextual data from Threat Intel, Asset Management, User Directory, Historical Data
Orient: Gauge the Impact
Decide: Manual Decisions, Tasks, Approvals
Action: Block URL, IP, Domain, File hash; Disable User Account; Reset Password
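As an added illustration that is not part of the deck and not CyOPs code, the Observe / Orient / Decide / Action flow above is worked through as a small playbook for the "Multiple Login Attempts" alert, using the slide-3 triage questions as scoring factors and gating account actions behind human approval. The enrichment sources, IP addresses, user and asset names, and the score weights are constructed stand-ins, not values from the page.

```python
from dataclasses import dataclass

# Constructed stand-ins for the Threat Intel, Asset Management and User Directory
# integrations a SOAR platform would query; addresses and names are hypothetical.
THREAT_INTEL = {"203.0.113.7": {"reputation": "malicious", "country": "XX"}}
ASSETS = {"vpn-gw-01": {"owner": "netops", "criticality": "high"}}
USER_DIRECTORY = {"jdoe": {"home_country": "US"}}

@dataclass
class Alert:
    rule: str          # SIEM rule that fired, e.g. "Multiple Login Attempts"
    source_ip: str
    target_asset: str
    user: str
    succeeded: bool    # did any attempt end in a successful logon?

def observe(alert):
    """Observe: enrich the raw alert with context from the integrated sources."""
    intel = THREAT_INTEL.get(alert.source_ip, {})
    return {"reputation": intel.get("reputation", "unknown"),
            "geo": intel.get("country", "unknown"),
            "asset": ASSETS.get(alert.target_asset, {"criticality": "unknown"}),
            "user": USER_DIRECTORY.get(alert.user, {"home_country": "unknown"})}

def orient(alert, ctx):
    """Orient: gauge impact as a score; the weights are hypothetical."""
    score = 0
    if ctx["reputation"] == "malicious":            # Reputation? / Threat Intel?
        score += 50
    if ctx["geo"] != ctx["user"]["home_country"]:    # Geolocation?
        score += 20
    if alert.succeeded:                              # Cause? the attempts got in
        score += 30
    if ctx["asset"]["criticality"] == "high":        # Asset? / Owner?
        score += 10
    return score

def decide(alert, score):
    """Decide: map the score to (action, needs_human_approval) pairs. Blocking the IP
    runs unattended only at high confidence; account actions always wait for an analyst."""
    if score < 30:
        return [("close_false_positive", False)]
    actions = [("block_ip", score < 70)]
    if alert.succeeded:
        actions += [("disable_account", True), ("reset_password", True)]
    return actions

def run_playbook(alert):
    # Action: the response list a real platform would hand to its connectors.
    return decide(alert, orient(alert, observe(alert)))
```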
Slide 8
How to Obtain a Security Operations ROI with SOAR

Cost Savings
Mode           | Time to Complete (Threat Window) | Weekly Incidents | Time Spent Annually | Time Savings (Hours) | Time Savings (%) | Cost Savings ($150/h)
Manual         | 45 minutes  | 50 incidents  | 390 hours | 0 hours   | 0%  | $0.00
Semi-Automated | 22 minutes  | 75 incidents  | 190 hours | 200 hours | 75% | $180,000
Automated      | 1.4 minutes | 100 incidents | 12 hours  | 378 hours | 98% | $472,800

MANAGE ALERTS
FASTER RESPONSE
INCREASE MORALE
Slide 9
Explore CyOPs™ Community Edition
Solutions: SOC Automation, Vulnerability Management and BYOS
Manage: Alerts, Incidents, Indicators, Tasks across Tenants
Measure: MTTD, MTTR, ROI, Reports, Dashboards
Respond: Automate, Visual Playbook Designer, Out of Box Connectors
Reach us at Sales@CyberSponse.com