Cybercriminals from around the globe continue to seek new ways to access sensitive personal and proprietary information. With an ever-increasing amount of critical data stored on networks—both physical and cloud-based—the constantly evolving threat landscape is only growing in size, maturity and sophistication.

One vs. Many

The battle to keep enterprises and organisations secure has never been so dire. Attackers share tooling and automate their intrusions, while security teams still often work in silos. The result is a "one vs. many" fight that many defenders are losing.

While security operations centers (SOCs) struggle to keep up and protect their IT infrastructure and critical data, CISOs are under pressure to integrate disparate tools and solutions. But limited resources and overlapping tools make that integration especially difficult.

To stay vigilant, security teams must be aware of the latest tactics, techniques and procedures (TTPs), but manually validating security alarms against the latest TTPs and indicators of compromise (IOCs) is time-consuming and inefficient. Additionally, disparate systems force analysts to jump from platform to platform to gather the information needed to investigate and remediate a threat.

Compounding the issue, new technologies advance faster than skilled professionals can be trained, causing a talent shortage across the security and tech industries. In cybersecurity alone, the Center for Cyber Safety and Education's Global Information Security Workforce Study predicts a global shortfall of 1.8 million skilled workers by 2022.

When disparate components cannot share threat information or coordinate response and mitigation, overburdened and understaffed security teams have to perform time-consuming tasks such as basic triage, enrichment, analysis, ticket generation and notification by hand. That effort pushes security teams toward their individual silos rather than the big-picture threat environment, and the gaps between silos leave openings that bad actors are more than willing to exploit.

Because many organisations lack the resources and security staff needed to handle the ever-growing number of alerts, many threats go uninvestigated. And in the time it takes for security teams to pore over all of the data manually, a breach could already have occurred.

So how can organisations protect their most sensitive information in an increasingly dangerous digital world?

Many vs. Many

You may be familiar with the novel concept of collaborative security—communities of SOCs and security professionals who share information and use cases on how to identify cyberattacks and potential bad actors and remediate alerts. The idea is to change the security and threat landscape from the daunting “one vs. many” to “many vs. many,” embracing the power of knowledge and collaboration to protect valuable data.

While some of this information sharing already happens in Information Sharing and Analysis Centers (ISACs), it's time to move beyond the what of threat detection and remediation and focus on the how. Information gleaned from IOCs is valuable, but the techniques used to detect the malicious behaviour behind them are more valuable still: an IOC such as a file hash or a domain is cheap for an attacker to change, whereas the behaviour a detection technique describes is not. Sharing those techniques could take threat hunting and breach prevention to the next level.
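The difference between sharing the what and sharing the how, as an added example that is not part of the original article: a handful of constructed process-creation events are checked first against a shared file-hash IOC and then against a shared behavioural rule (an Office application spawning a shell with an encoded command line). The hashes, parent and child image names and command lines are made up for illustration; the rule itself is a commonly used one, not a rule the article or any ISAC publishes.

```python
"""Added example: IOC matching vs. behavioural detection over constructed events."""
import re

# Constructed process-creation events, loosely modelled on Sysmon Event ID 1.
# Event 1 is the sample seen in a first incident; event 2 is a recompiled
# variant of the same tradecraft; event 3 is an administrator's benign shell.
EVENTS = [
    {"id": 1, "parent": "WINWORD.EXE", "image": "powershell.exe",
     "sha256": "hash-of-original-sample",
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 2, "parent": "EXCEL.EXE", "image": "pwsh.exe",
     "sha256": "hash-of-recompiled-variant",
     "cmdline": "pwsh -NoProfile -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 3, "parent": "explorer.exe", "image": "powershell.exe",
     "sha256": "hash-of-clean-powershell",
     "cmdline": "powershell Get-Process"},
]

# The "what": the single file hash shared after the first incident (constructed).
SHARED_IOCS = {"sha256": {"hash-of-original-sample"}}

# The "how": the technique behind the incident, expressed as a rule.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# require a base64-looking argument of 16+ characters after it.
ENCODED_FLAG = re.compile(r"(?i)\s-e(?:c|n[a-z]*)?\s+[A-Za-z0-9+/=]{16,}")


def ioc_hits(events, iocs):
    """Return ids of events whose file hash is in the shared IOC set."""
    return [e["id"] for e in events if e["sha256"] in iocs["sha256"]]


def behaviour_hits(events):
    """Return ids of events where an Office app spawns a shell with an encoded command."""
    hits = []
    for e in events:
        office_child = (e["parent"].lower() in OFFICE_PARENTS
                        and e["image"].lower() in SHELLS)
        if office_child and ENCODED_FLAG.search(e["cmdline"]):
            hits.append(e["id"])
    return hits


if __name__ == "__main__":
    print("IOC matches:      ", ioc_hits(EVENTS, SHARED_IOCS))      # [1]
    print("Behaviour matches:", behaviour_hits(EVENTS))             # [1, 2]
```

The hash-based check stops matching as soon as the attacker rebuilds the payload, while the behavioural rule still fires on the variant and stays quiet on the administrator's ordinary shell; the rule is what is worth sharing.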

Many security professionals might feel uneasy sharing their threat hunting techniques and incident response processes, but bad actors are collaborating and attempting attacks from every possible angle—leading to seemingly inevitable breaches. Collaboration through information sharing can help mitigate this risk significantly more than the SOC working in a silo.

SOAR Solutions Help with Collaboration

Security orchestration, automation and response (SOAR) solutions combine comprehensive data gathering, case management, standardisation, workflow and reporting to provide organisations across industries the ability to implement sophisticated defense-in-depth capabilities. SOAR platforms bolster the SOC by integrating all existing and future processes, people and technologies and automating otherwise tedious and time-consuming incident response processes.

Orchestration technology enables users to organise and manage an organisation's entire security stack (i.e., firewalls, IDS/IPS, sandboxes, endpoint security agents, ticketing systems, deception technologies, vulnerability scanners, behavioral detection tools, etc.). This helps eliminate the manual effort that comes with managing disparate security tools and data, reducing both time and cost.

Automation has become a critical component of a robust security program. But while SOCs look to streamline their processes with automation, so do bad actors: to reduce the effort that traditional cyberattacks require, attackers develop and deploy automated attacks. Automated security solutions, including SOAR, identify and respond to attacks at machine speed, freeing security teams to apply their higher-value skills rather than bogging them down with tedious, manual tasks.
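An added example, not Swimlane's or any vendor's playbook code, of the tedious steps the article lists (normalisation across tools, enrichment, de-duplication, triage and routing) automated over alerts from three different tools. The alert shapes, the IOC network list, the asset inventory and the scoring thresholds are all assumptions made for the example.

```python
"""Added example: a minimal enrich / de-duplicate / triage / route playbook."""
import ipaddress
from collections import OrderedDict

# Constructed alerts as three tools might emit them, each in its own shape.
RAW_ALERTS = [
    {"tool": "ids", "sig": "ET MALWARE Beacon", "src": "10.1.5.23", "dst": "203.0.113.9", "sev": "high"},
    {"tool": "edr", "host": "ws-0423", "ip": "10.1.5.23", "detection": "Suspicious PowerShell", "severity": 7},
    {"tool": "ids", "sig": "ET MALWARE Beacon", "src": "10.1.5.23", "dst": "203.0.113.9", "sev": "high"},  # repeat
    {"tool": "proxy", "client": "10.1.9.88", "url": "http://example.com/", "category": "news"},
]

# Constructed threat intel and asset inventory used for enrichment.
IOC_NETS = [ipaddress.ip_network("203.0.113.0/24")]
ASSETS = {"10.1.5.23": {"host": "ws-0423", "criticality": "standard"},
          "10.1.9.88": {"host": "srv-db-01", "criticality": "crown-jewel"}}


def normalize(raw):
    """Map each tool's native fields onto one schema the playbook can reason about."""
    t = raw["tool"]
    if t == "ids":
        base = {"low": 30, "medium": 50, "high": 70}[raw["sev"]]
        return {"tool": t, "asset_ip": raw["src"], "remote": raw["dst"], "title": raw["sig"], "base": base}
    if t == "edr":
        return {"tool": t, "asset_ip": raw["ip"], "remote": None, "title": raw["detection"], "base": raw["severity"] * 10}
    if t == "proxy":
        return {"tool": t, "asset_ip": raw["client"], "remote": None, "title": "Web " + raw["category"], "base": 10}
    raise ValueError("unknown tool %r" % t)


def enrich(alert):
    """Attach asset context and an IOC verdict; unknown assets are kept, not dropped."""
    a = dict(alert)
    asset = ASSETS.get(a["asset_ip"], {"host": "unknown", "criticality": "unknown"})
    a["host"], a["criticality"] = asset["host"], asset["criticality"]
    a["ioc_match"] = False
    if a["remote"]:
        ip = ipaddress.ip_address(a["remote"])
        a["ioc_match"] = any(ip in net for net in IOC_NETS)
    return a


def deduplicate(alerts):
    """Collapse repeats of the same finding on the same asset, keeping a hit count."""
    merged = OrderedDict()
    for a in alerts:
        key = (a["tool"], a["asset_ip"], a["remote"], a["title"])
        if key in merged:
            merged[key]["count"] += 1
        else:
            merged[key] = dict(a, count=1)
    return list(merged.values())


def score(a):
    """Assumed scoring: tool severity plus bonuses for IOC hits and critical assets."""
    s = a["base"]
    if a["ioc_match"]:
        s += 20
    if a["criticality"] == "crown-jewel":
        s += 15
    return min(s, 100)


def route(a):
    """Assumed thresholds: page on-call, open a ticket, or auto-close with a record."""
    s = score(a)
    if s >= 80:
        return "page_oncall"
    if s >= 50:
        return "open_ticket"
    return "auto_close"


def run_playbook(raw_alerts):
    alerts = deduplicate(enrich(normalize(r)) for r in raw_alerts)
    return [{"host": a["host"], "title": a["title"], "count": a["count"],
             "score": score(a), "action": route(a)} for a in alerts]


if __name__ == "__main__":
    for row in run_playbook(RAW_ALERTS):
        print(row)
```

Run on the constructed input, the two identical IDS alerts collapse into one beacon finding with a count of 2 that pages on-call because its destination sits in an IOC range, the EDR detection opens a ticket, and the benign proxy alert is auto-closed; the analyst sees three decisions instead of four raw alerts in three formats.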

As SOCs and IT infrastructures continue to evolve in an attempt to keep up with the latest technology and the growing threat landscape, demand for skilled security professionals will only rise. Organisations need to consider ways they can do more with less; cross-industry collaboration and SOAR solutions can help them do just that while bolstering the entire security industry.


This is a contributed thought leadership article by Cody Cornell, CEO of SwimLane, a SOAR provider. The views and opinions expressed in this article are those of the author and do not necessarily reflect those of the InfoSec Insider staff.