By Byron V. Acohido
One of the promising cybersecurity trends that I’ve been keeping an eye on is this: SOAR continues to steadily mature.
Security orchestration, automation and response, or SOAR, is a fledgling security technology stack that first entered the cybersecurity lexicon about six years ago.
Related: Here’s how Capital One lost 100 million customer records
SOAR holds the potential to slow – and, ultimately, to help reverse – the acute and worsening cybersecurity skills shortage. SOAR vendors purport to do this by leveraging automation in more sophisticated ways to help enterprises and MSSPs cull the vast data flows that inundate modern business networks.
One SOAR innovator that has been gaining steady traction is Mountain View, Calif.-based LogicHub. I first spoke to Kumar Saurabh, LogicHub’s co-founder and CEO, not long after the company launched in 2016. Saurabh spent 15 years leading product development at ArcSight, the SIEM management company acquired by HP for $1.5 billion, and later co-founded SumoLogic.
Saurabh told me he developed a passion for helping organizations improve the efficiencies of their security operations. And this inspired him to co-found LogicHub. I had the chance to meet with him again at Black Hat 2019 in Las Vegas. He told me about recent breakthroughs LogicHub has made putting smarter tools into the hands of cyber analysts.
For a full drill down on our discussion give a listen to the accompanying podcast. Here are my takeaways:
Skills deficit
Over the past 20 years, enterprises have shelled out small fortunes in order to stock their SOCs with the best firewalls, anti-malware suites, intrusion detection, data loss prevention and sandbox detonators money can buy. But that hasn’t been enough.
Today there exists a widening shortage of security analysts talented and battle tested enough to make sense of the rising tide of data logs inundating their SIEM systems. This skills deficit has been the top worry of IT pros for several years, according to tech consultancy ESG’s annual survey of IT pros; some 53% of the organizations participating in ESG’s 2018 -2019 poll reported a “problematic shortage” of cybersecurity skills.
Digital transformation has only exacerbated this security skills gap. Rising implementations of cloud services and IoT systems, not to mention the arrival of 5G, has quickened the pace of software development and multiplied data handling complexities. In this milieu, even well-defended enterprises continue to suffer catastrophic data breaches. Just ask Capital One, Marriott or Equifax.
Stuck in a rut
Enter SOAR, which takes well-understood data mining and business intelligence analytics methodologies and applies them to cybersecurity. Early SOAR solutions automated tedious, but necessary tasks, such as copying and pasting results from one tool to another. Another big thing many SOAR solutions do is compile “playbooks” to automate responses to certain patterns identified as being indicators of malicious activity.
However a recent Gartner report found that use cases implemented by early SOAR adopters have been “stuck in a rut” for the past 12 months. Enterprises are finding that SOAR solutions are not as plug-and-play as they thought, almost always require customization, and often result in a long-run reliance on a mix of professional services and internal expertise.
Even so, Gartner projects that by year-end 2022, some 30% of organizations with a security team larger than five people will leverage SOAR tools in their security operations, some six times more than the 5% that do so today. Improving SOAR tools will help accelerate adoption, along with word spreading about more success stories, the Gartner report concludes.
‘Living off the land’
LogicHub aims to be at the leading edge of this emerging market. “The main challenge security analysts face is the fact that threat hunting, alert triage and incident response all require complex decision-making,” Saurabh told me.
For example, SOAR solutions must improve at detecting what’s referred to as “living off the land” cyber attacks. Take PowerShell-enabled breaches, for instance. PowerShell is a command-line shell designed to make it convenient for system administrators to automate tasks and manage system configurations. Microsoft began installing PowerShell by default years ago, and today it is deeply embedded in a very high percentage of organizations, globally.
By design, PowerShell, and other widely-used admin tools like it, lie inert and only execute in memory – on a fleeting basis. Threat actors who gain a foothold behind a company’s firewall specialize in stealthily manipulating such tools and are said to be living off the land.
SOAR has improved data collection and data enrichment, and playbook responses have helped reduce the workload of human analysts. However, identifying more sophisticated attacks, such as living-off-the-land breaches, requires logic that is often too complex to capture with scripting language, Saurabh told me. Detecting and stopping attacks that unfold in a dynamic situation requires critical thinking by an experienced human analyst, of which there is an acute shortage.
Virtualizing human expertise
Saurabh asserts that LogicHub has found a way to capture and replicate the expertise of a Level III security analyst. It recently rolled out LogicHub SOAR+ platform which is capable of doing this, he says. This new platform can deliver a higher level of response, in real time, in a way that’s scalable, he told me.
Saurabh
“We can autonomously guide security operations personnel through difficult and time-consuming decision-making processes,” Saurabh says. “We do this by gaining advanced threat context and then we are able to virtualize the expertise of a Level III security analyst to deliver expert recommendations in real time.”
When I asked Saurabh to explain how LogicHub could “virtualize” human expertise, he pointed to how, back in the mid-1980s, no one thought a computer could ever defeat the young Russian chess grandmaster, Garry Kasparov, at tournament-rules chess. That held true until 1996 when Kasparov lost a chess match to IBM’s Deep Blue supercomputer.
“IBM took the chess playing expertise of the best players, and Big Data, and built that into their software,” Saurabh says. “We are taking the threat-hunting expertise, held primarily by people, and making the software as smart and as good as it can be.”
My non-technical understanding of this is that LogicHub is attempting to combine the human capacity to intuitively connect dots and visualize context with a machine’s capacity for crunching numbers and identify distinctive patterns.
“People are still very creative, people have all the context. It’s all about making a software system that’s able to access those human capabilities,” Saurabh says.
It’s going to be fascinating to see how far LogicHub can get in a very competitive cybersecurity market. LogicHub and other SOAR innovators are pushing the ball forward. The quicker and deeper they can train Big Data analytics on detecting and cutting short leading-edge attacks, the better off we’ll all be. Talk more soon.
Acohido
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
