
Palo Alto SOAR and Arcanna: a powerful team against cyber threats

Good cybersecurity means staying ahead in the race between emerging threats and the deployment of countermeasures. As threats grow in both volume and complexity, organizations need to keep up by adopting automation that tracks all the moving parts of a large environment.

This is where SOAR comes into play. The acronym stands for “security orchestration, automation and response”. A SOAR platform expresses the organization’s response processes as visual workflows, the security “playbooks”, which orchestrate a wide range of security tools and human tasks.

The other side of the problem is that the detection tools feeding such a system generate a myriad of alerts, many of them irrelevant, which leads to alert fatigue for the SOC team. An efficient triage layer such as Arcanna is needed to streamline decisions and escalate only the alerts that require a SOC team member’s attention. Its AI-powered alert triage engine integrates with SOAR and offers SOC analysts automated decision options. Moreover, once analysts have settled on a course of action for a particular class of alerts, that response can itself be automated as a SOAR playbook for future events in that class.

Sample use cases for SOAR and Arcanna

These are some practical examples in which Arcanna enhances SOAR’s usability and performance, based on the functionality each platform provides.

Handling security alerts

Playbooks can help contain incidents such as phishing by automating the triage of reported messages and the notification of affected users. Here, Arcanna’s role is to identify the false positives, so that users are not alarmed over benign messages and analysts do not spend time chasing them.

Another potential security issue is a login from an unusual location. A playbook can look at multiple indicators (for example, where and when the previous login happened, whether the device is known, and whether MFA succeeded) to assess whether the login is genuine or an attack. Integrating Arcanna’s AI-powered verdict into this decision means fewer legitimate logins reported as incidents, and avoids locking out someone who is, for example, traveling for work.
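The following is an added example, not code from the original post, from Arcanna or from Palo Alto’s SOAR: a Python playbook step that combines several login indicators into a risk score and decides between allowing the login, stepping up to MFA, or locking the account and escalating. The field names, weights, thresholds and the sample logins are assumptions made for illustration; the AI triage verdict the post describes would be one more input to this scoring and is not modelled here.

```python
"""Added example (not code from the original post, Arcanna or Palo Alto SOAR):
multi-indicator assessment of a login, including an impossible-travel check
that still lets a genuine business traveller through.  Field names, weights,
thresholds and sample logins are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple

MAX_PLAUSIBLE_SPEED_KMH = 1000.0   # a little above airliner cruising speed (assumed)
NEW_LOCATION_KM = 500.0            # farther than this from the last login counts as "new" (assumed)


@dataclass
class Login:
    user: str
    ts: datetime               # timezone-aware timestamp of the login
    lat: float                 # geolocation of the source IP
    lon: float
    device_known: bool         # device previously enrolled for this user
    mfa_passed: bool
    failed_attempts_last_hour: int


def distance_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points (haversine formula)."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(h))


def assess_login(previous: Optional[Login], current: Login) -> Tuple[str, int, List[str]]:
    """Score the login against several indicators and return (decision, score, reasons)."""
    score, reasons = 0, []
    if previous is not None:
        hours = (current.ts - previous.ts).total_seconds() / 3600.0
        km = distance_km(previous.lat, previous.lon, current.lat, current.lon)
        if hours > 0 and km / hours > MAX_PLAUSIBLE_SPEED_KMH:
            # Nobody travels this fast: strong signal of a stolen session or password.
            score += 50
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
        elif km > NEW_LOCATION_KM:
            # A new but physically reachable location: mild signal, typical of travel.
            score += 10
            reasons.append(f"new location: {km:.0f} km from last login")
    if not current.device_known:
        score += 20
        reasons.append("unknown device")
    if not current.mfa_passed:
        score += 30
        reasons.append("MFA not completed")
    if current.failed_attempts_last_hour >= 5:
        score += 25
        reasons.append(f"{current.failed_attempts_last_hour} failed attempts in the last hour")

    if score >= 60:
        return "lock_and_escalate", score, reasons
    if score >= 25:
        return "step_up_mfa", score, reasons
    return "allow", score, reasons


# Constructed sample events (not real data): London at 09:00 UTC, then New York.
LONDON = (51.5074, -0.1278)
NEW_YORK = (40.7128, -74.0060)
PREVIOUS = Login("alice", datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc), *LONDON, True, True, 0)
# Same user, 11 hours later, on her enrolled laptop with MFA: a business trip.
TRAVELLER = Login("alice", datetime(2024, 5, 6, 20, 0, tzinfo=timezone.utc), *NEW_YORK, True, True, 0)
# Same user, 30 minutes later, unknown device, no MFA, after a burst of failures.
ATTACKER = Login("alice", datetime(2024, 5, 6, 9, 30, tzinfo=timezone.utc), *NEW_YORK, False, False, 7)

if __name__ == "__main__":
    for label, login in (("traveller", TRAVELLER), ("attacker", ATTACKER)):
        print(label, assess_login(PREVIOUS, login))
```

The traveller scores only the mild “new location” signal and is allowed, while the second login trips impossible travel plus every other indicator and is locked and escalated. The weights are deliberately additive so that the reasons list can be attached to the incident for the analyst who reviews it.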

Managing security operations

Although SOAR playbooks can manage many security aspects, including SSL certificate checks and endpoint diagnostics, the collaboration with Arcanna is most useful for vulnerability management.

When the system detects a vulnerability, it has to evaluate its severity and classify it according to the underlying risk. Since an organization can carry thousands of open vulnerabilities while the SOC team’s time is limited, Arcanna’s alert triage can help prioritize which findings are escalated first. The playbook closes after successful human intervention, and the course of action the analyst took can be promoted into a response playbook for the next occurrence.

Automating Security

Once an IOC has been identified, the combination of Arcanna and SOAR can trigger specific playbooks according to the alert’s severity. This kind of security automation can, over time, save the organization a great deal of time and money by not repeating the same manual tasks.

Since automation should also follow a hierarchy of severity, the two platforms can work together to create AI-assisted playbooks that automatically check vulnerability scores and decide on the next step.
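The following is an added example, not code from the original post, from Arcanna or from Palo Alto’s SOAR: a Python dispatcher that turns an AI triage verdict plus alert severity into one of three outcomes (auto-close a confident false positive, run an analyst-approved response playbook, or escalate with a priority), covering both the phishing triage case in “Handling security alerts” and the severity-driven automation described in this section. The Alert fields, the verdict format, the confidence thresholds, the playbook names and the sample alerts are all assumptions; wiring it to a real SOAR platform is not shown.

```python
"""Added example (not code from the original post, Arcanna or Palo Alto SOAR):
severity-tiered dispatch of alerts carrying an AI triage verdict.  The verdict
shape, thresholds, playbook names and sample alerts are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Responses an analyst has already approved for a (category, severity) class.
# Only these may run without a human in the loop (names are hypothetical).
APPROVED_RESPONSES: Dict[Tuple[str, str], str] = {
    ("phishing", "medium"): "quarantine-message-and-notify-user",
    ("phishing", "high"): "quarantine-message-and-block-sender",
    ("malware", "high"): "isolate-endpoint",
}

AUTO_CLOSE_MIN_CONFIDENCE = 0.95    # false positives below this still get a human (assumed)
AUTO_RESPOND_MIN_CONFIDENCE = 0.90  # true positives below this still get a human (assumed)


@dataclass
class Alert:
    alert_id: str
    category: str                  # e.g. "phishing", "malware", "vulnerability"
    severity: str                  # "low" | "medium" | "high" | "critical"
    ai_label: str                  # "true_positive" | "false_positive" (assumed verdict shape)
    ai_confidence: float           # 0.0 .. 1.0 (assumed)
    cvss: Optional[float] = None   # only set for vulnerability alerts


def dispatch(alert: Alert) -> Dict[str, str]:
    """Decide what happens to one alert. Critical alerts are never auto-closed."""
    key = (alert.category, alert.severity)
    if (alert.ai_label == "false_positive"
            and alert.ai_confidence >= AUTO_CLOSE_MIN_CONFIDENCE
            and alert.severity != "critical"):
        return {"action": "auto_close", "reason": f"false positive, confidence {alert.ai_confidence:.2f}"}
    if (alert.ai_label == "true_positive"
            and alert.ai_confidence >= AUTO_RESPOND_MIN_CONFIDENCE
            and key in APPROVED_RESPONSES):
        return {"action": "run_playbook", "playbook": APPROVED_RESPONSES[key]}
    return {"action": "escalate", "reason": "no approved automation for this verdict and alert class"}


def escalation_priority(alert: Alert) -> Tuple[int, float, float]:
    """Sort key for the analyst queue: severity first, then CVSS (for vulnerabilities),
    then the AI's confidence that the alert is real."""
    if alert.ai_label == "true_positive":
        real_confidence = alert.ai_confidence
    else:
        real_confidence = 1.0 - alert.ai_confidence
    return (SEVERITY_RANK[alert.severity], alert.cvss or 0.0, real_confidence)


def triage_queue(alerts: List[Alert]) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Dispatch every alert; return the per-alert decisions and the ordered analyst queue."""
    decisions = {a.alert_id: dispatch(a) for a in alerts}
    escalated = [a for a in alerts if decisions[a.alert_id]["action"] == "escalate"]
    escalated.sort(key=escalation_priority, reverse=True)
    return decisions, [a.alert_id for a in escalated]


# Constructed sample alerts (not real data).
SAMPLE_ALERTS = [
    Alert("A1", "phishing", "medium", "false_positive", 0.98),            # newsletter a user reported
    Alert("A2", "phishing", "high", "true_positive", 0.93),               # credential-harvesting mail
    Alert("A3", "vulnerability", "high", "true_positive", 0.80, cvss=9.8),
    Alert("A4", "vulnerability", "high", "true_positive", 0.85, cvss=6.5),
    Alert("A5", "malware", "critical", "false_positive", 0.99),           # critical: human still looks
    Alert("A6", "phishing", "low", "true_positive", 0.60),
]

if __name__ == "__main__":
    decisions, queue = triage_queue(SAMPLE_ALERTS)
    for alert_id, decision in decisions.items():
        print(alert_id, decision)
    print("analyst queue:", queue)
```

A1 is closed automatically, A2 runs the approved phishing playbook, and everything else lands in the analyst queue ordered as A5, A3, A4, A6: the critical alert comes first even though the model is confident it is benign, and the two vulnerability findings are ordered by CVSS rather than by model confidence. The policy of never auto-closing a critical alert is the caveat to keep when promoting an analyst’s decision into an automated response.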

Final thoughts

As the digital estate becomes more crowded with tools, so grows the need for a centralized view of the underlying problems. The security team needs a space that gives them a visual overview of potential problems.

For this space to be useful, however, it should always surface the top alerts, those that require human intervention, while the algorithms handle the routine cases that can be automated without being escalated.

The future belongs to companies that choose intelligent incident management and protect their NOC and SOC teams from alert fatigue.

Horia Sibinescu