If online security just keeps getting better, why are we still at risk?
State-of-the-art solutions are constantly evolving to offer better protection for our on-premises and cloud-based servers, infrastructure, networks, and endpoints of all kinds. All of these tools serve the same goals: detect a potential threat, analyze its severity, alert stakeholders, and then activate a predetermined chain of responses.
And we’re all hoping for the same thing: avoid being the next company to make headlines with a big-dollar breach. Take veteran game manufacturer Capcom, which was attacked by a ransomware hacker group that reportedly seized 1TB of sensitive data, demanding $11,000,000 in Bitcoin as payment.
In pursuing that hope, the buzzwords are evolving just as quickly as the tools. These include EDR (endpoint detection and response) and SOAR (security orchestration, automation, and response), both of which have one very obvious feature in common: The “R” stands for “response.”
However, when it comes to security, response isn’t the most important R, because it doesn’t go far enough. These approaches overlook a more important R: remediation. Remediation differs from response because it doesn’t just clean things up after an attack; it also takes care of the underlying problem so it won’t happen again.
Remediation is ultimately the only real cure for today’s serious and fast-moving threats.
What Is SOAR?
According to Gartner, SOAR is a catch-all term for “solutions that combine incident response, orchestration and automation, and threat intelligence (TI) management capabilities in a single platform.”
The term SOAR emerged as a convergence of three existing models: security orchestration and automation (SOA), security incident response (SIR), and a threat intelligence platform (TIP).
The response portion of SOAR includes a coordinated step-by-step response triggered by a security event. It involves the systematic application of a series of predefined policies and procedures: detection, evaluation, response, recovery, resumption of operations, post-mortem.
This is a great start to systematize incident response so that nothing falls through the cracks. Yet even SOAR has an Achilles heel: It usually lacks a strong mechanism to address the root of the problem. SOAR is powerful but fails to go far enough.
Getting to the Root of the Problem
Let’s look at the anatomy of a security incident, meaning an organization’s reaction to an immediate threat. There are many possible examples, and, unfortunately, most are very familiar:
- A virus exploits a vulnerability in the OS, so you block the virus.
- A phishing attack tries to exploit an unsuspecting user, so you redirect the user to a safe “sandbox” website.
- A user receives a suspicious attachment, so you open the attachment in a secure container in the cloud rather than on the user’s computer.
- Detection systems report an anomaly, such as abnormal communications to a remote server, so you close the port in the firewall and block communications.
What do all of these responses have in common?
None of them actually fixes the problem. They reduce the harm, which is absolutely essential, but they are all only temporary solutions.
The root cause that still has to be addressed is the underlying vulnerability: Hackers are betting your systems haven’t been patched, which is a pretty safe bet. According to CSO Online, 60% of attacks took advantage of vulnerabilities for which a patch was already available; the organizations simply hadn’t rolled it out yet.
A response that temporarily fixes the immediate threat is crucial, as you can’t just do nothing while being attacked. But dealing with the root of the problem demands that you also remediate the underlying vulnerability.
From Responding to Remediating
SOAR is certainly a step up, and it’s on the right track by guiding IT security teams toward systematically addressing the response phase. But responding isn’t enough. We have to shift our mindset from merely RESPONDING to actually REMEDIATING.
How is remediation different?
Response is a one-step approach: Do what’s needed to put out the fire. But when you only respond, you don’t address the original problem. To do that, you need to update your systems, and that usually means rolling out a patch.
A remediation approach involves two steps: First, respond; second, patch. Don’t just put out the fire; ensure that no more fires can start.
This way, once you’ve fixed the problem, you’ve also eliminated the need to respond. Why? There won’t be a next time–because the root cause has been remediated, meaning the actual problem has been solved.
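The two-step model above, as an added illustration that is not JetPatch code or part of the original post: an incident is only marked remediated once no host in the inventory still carries the vulnerable package version. The host names, package versions and advisory id are constructed sample data, not real identifiers.

```python
from dataclasses import dataclass, field

@dataclass
class Host:
    name: str
    packages: dict  # package name -> installed version (constructed sample data)

@dataclass
class Advisory:
    advisory_id: str   # placeholder id, not a real CVE
    package: str
    fixed_version: str  # first version that carries the fix

@dataclass
class Incident:
    advisory: Advisory
    blocked_indicators: set = field(default_factory=set)
    status: str = "open"

def version_tuple(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))

def is_vulnerable(host: Host, adv: Advisory) -> bool:
    """A host is exposed if it runs the package below the fixed version."""
    installed = host.packages.get(adv.package)
    return installed is not None and version_tuple(installed) < version_tuple(adv.fixed_version)

def respond(incident: Incident, indicator: str) -> Incident:
    """Step one: containment, e.g. block the indicator seen during the attack."""
    incident.blocked_indicators.add(indicator)
    incident.status = "contained"
    return incident

def remaining_exposure(hosts: list, adv: Advisory) -> list:
    """Hosts that are still vulnerable regardless of any blocking already in place."""
    return [h.name for h in hosts if is_vulnerable(h, adv)]

def apply_patch(host: Host, adv: Advisory) -> None:
    """Step two: roll out the patch by raising the package to the fixed version."""
    host.packages[adv.package] = adv.fixed_version

def try_close(incident: Incident, hosts: list) -> tuple:
    """Only a zero-exposure inventory lets the incident move to 'remediated'."""
    exposed = remaining_exposure(hosts, incident.advisory)
    incident.status = "remediated" if not exposed else "contained"
    return incident.status, exposed

def sample_inventory() -> list:
    # Constructed hosts; only web-1 and web-2 run the affected package below the fix.
    return [Host("web-1", {"libexample": "1.2.3"}),
            Host("web-2", {"libexample": "1.2.9"}),
            Host("db-1", {"libexample": "1.3.0"})]
```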
Taking a Bigger View of Security
SOAR is a wonderful development toward total security for a number of reasons, including its systematization and, in some cases, automation. But SOAR software doesn’t cover you to the fullest extent.
As we’ve seen, remediation is bigger than mere response, and that makes it more powerful. SOAR solutions may be so focused on response that they’re overlooking this crucial next step.
Remediation is an ongoing process, not just a process to put in place during or after a specific incident. That’s why a modern remediation tool like JetPatch makes sure you’re not just responding to problems but pulling them out by the roots.
JetPatch gives you a bird’s-eye view of your entire system, including a huge range of assets and endpoints, so that you can review patching policy and prioritization and make sure you’re on top of it all.
With an intuitive interface that helps you remediate your environment end to end, you’re not just responding, you’re making sure breaches involving known vulnerabilities don’t happen in the first place.