A security team is struggling with alert fatigue, and the Chief Information Security Officer has decided to purchase a SOAR platform to alleviate this issue. Which of the following BEST describes how a SOAR platform will help the security team?
SOAR (Security Orchestration, Automation, and Response) platforms are designed to reduce alert fatigue by automating responses and incorporating threat intelligence into the alerting process. By integrating threat intelligence into alerts, the SOAR platform helps the security team decide which events should be investigated first. This prioritization significantly reduces the volume of alerts that require human attention, allowing security analysts to focus on the most critical incidents and reducing their overall workload.
Under this link "https://www.sirp.io/blog/how-soar-helps-security-teams-fight-alert-fatigue/", we can find that both A and D options are valid. Well, congrats CompTIA for creating such sophisticated questions.
For those that put A, how does this reduce alert fatigue? The solution might do some triaging for you but it still requires the alert to be actioned.
Hmmm... I did originally think A; you do make a good point. Automation can technically relieve alert fatigue and allow the analyst to concentrate on other critical issues.
Threat intelligence can reduce the number of false positives, which helps with alert fatigue.
A SOAR (Security Orchestration, Automation, and Response) platform will help the security team by automating the response to alerts, reducing the time required for manual investigation and response. The platform can perform automated actions based on predefined rules and workflows, reducing the workload of security analysts and improving the efficiency of incident response. This can significantly reduce alert fatigue and enable security teams to focus on more critical tasks. Therefore, option D, which describes the use of logic to block specific traffic at the firewall based on predefined event triggers and actions, is the BEST description of how a SOAR platform will help the security team.
From Palo Alto's website about SOARs: Integrate security, IT operations and threat intelligence tools. You can connect all your different security solutions - even tools from different vendors - to achieve a more comprehensive level of data collection and analysis. Security teams can stop juggling a variety of different consoles and tools.
Agree. A SOAR will absolutely help with the fatigue.
A SOAR (Security Orchestration, Automation, and Response) platform will help the security team by option A, integrating threat intelligence into the alerts, which will help the security team decide which events should be investigated first. A SOAR platform is designed to streamline the incident response process by integrating and automating the various security tools used by the security team. One of the key features of a SOAR platform is its ability to integrate threat intelligence feeds into the alerts generated by security tools, such as a SIEM (Security Information and Event Management) system. By integrating threat intelligence into the alerts, a SOAR platform can help the security team to quickly identify which alerts are the most critical and require immediate attention.
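The threat-intel enrichment and prioritisation that the two answer explanations above describe, as an added illustration that is not part of the original discussion: a minimal SOAR-style triage playbook in Python. The threat-intel feed, the alerts and the confidence thresholds are all constructed for the example; a real platform would pull them from its integrations.

```python
# Constructed threat-intel feed: indicator -> (verdict, confidence 0-100).
# Addresses are from RFC 5737 documentation ranges, not real infrastructure.
THREAT_INTEL = {
    "203.0.113.7": ("malicious", 95),
    "198.51.100.22": ("suspicious", 60),
    "192.0.2.10": ("benign", 90),   # e.g. an allow-listed vulnerability scanner
}

# Constructed alerts, shaped like a SIEM would forward them to the SOAR.
ALERTS = [
    {"id": 1, "rule": "port-scan", "src": "192.0.2.10", "severity": 3},
    {"id": 2, "rule": "c2-beacon", "src": "203.0.113.7", "severity": 8},
    {"id": 3, "rule": "failed-logins", "src": "198.51.100.22", "severity": 5},
    {"id": 4, "rule": "failed-logins", "src": "10.0.0.5", "severity": 5},
]

def enrich(alert):
    """Attach the threat-intel verdict and confidence for the source indicator."""
    verdict, confidence = THREAT_INTEL.get(alert["src"], ("unknown", 0))
    return {**alert, "ti_verdict": verdict, "ti_confidence": confidence}

def priority(alert):
    """Base severity weighted by the intel verdict; benign indicators score 0."""
    if alert["ti_verdict"] == "benign":
        return 0
    weight = {"malicious": 2.0, "suspicious": 1.5, "unknown": 1.0}
    return alert["severity"] * weight[alert["ti_verdict"]]

def containment_request(alert):
    """Describe the automated action a containment playbook would carry out.
    Assumed action shape for the example; the alert is still ticketed."""
    return {"action": "firewall-block", "src": alert["src"], "alert_id": alert["id"]}

def run_playbook(alerts):
    """Triage alerts. Returns (auto_closed, containment_requests, analyst_queue)."""
    auto_closed, containment, queue = [], [], []
    for a in map(enrich, alerts):
        a["priority"] = priority(a)
        if a["ti_verdict"] == "benign" and a["ti_confidence"] >= 80:
            auto_closed.append(a)            # known false positive: nobody has to look
        elif a["ti_verdict"] == "malicious" and a["ti_confidence"] >= 90:
            containment.append(containment_request(a))   # automated response path
        else:
            queue.append(a)                  # needs a human; order by priority
    queue.sort(key=lambda x: x["priority"], reverse=True)
    return auto_closed, containment, queue
```

Of the four constructed alerts, one is closed as a known false positive, one goes straight to the containment playbook, and only two reach the analyst queue, already ordered so the intel-flagged source is worked first.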
Security orchestration, automation, and response (SOAR) refers to a set of services and tools that automate cyberattack prevention and response. This automation is accomplished by unifying your integrations, defining how tasks should be run, and developing an incident response plan that suits your organization’s needs. A and B don't touch on the benefits of automation.
Option D only addresses incidents involving traffic through the firewall. How about alerts that are just in the internal network? The issue here is alert fatigue. Integrating threat intelligence can reduce false positives.
SOAR A= Automation = less alerts to look at by automating the response.
A SOAR will integrate threat intelligence into the alerts, which will help the security team decide which events should be investigated first.
Another time-wasting question... D sounds like a better option because it would reduce alerts, which seems to be the goal here, rather than A, which prioritizes alerts.
I see lots of A... as per ChatGPT, lol. That would be a valid answer, but in the end you'd still have the same number of alerts, just less stress figuring out which ones to work on. However, I would go with: if part of the problems "solve themselves" via automation, that means fewer overall alerts = a happy team lol
SOAR can automatically take action on firewalls based on specified use cases. I work in a SOC for an MSSP and we use SOAR for some of our clients. Answer is D.
kiduuu is right!
SOAR platform can help the security team prioritize alerts by integrating threat intelligence into the alerts. By doing so, the platform can help the security team decide which events should be investigated first, reducing alert fatigue and enabling faster response times to potential threats. Option D describes how a SOAR platform can create logic to block specific traffic at the firewall, but it is not directly related to addressing alert fatigue.
I cannot find any reference on Google that allows a SOAR system to implement firewall changes; therefore I must go with A.
As stated below, threat intelligence can reduce the number of false positives.
I agree with A.
Why D? Where in the question does it say that the fatigue is due to firewall alerts? And also, the firewall thing is not the only capability that a SOAR has. Going with A here.