Risk-based SOAR

As part of our efforts to bring our readers the most exciting and innovative technologies to be found at RSAC 2020, Brilliance Security Magazine sat down with SIRP to discuss their compelling new SOAR solution.

SIRP is a Risk-based Security Orchestration, Automation, and Response (SOAR) platform that fuses essential cybersecurity information to enable a unified cyber response. Through a single integrated platform, it drives security visibility so that decisions can be better prioritized, and response time is dramatically reduced. With SIRP, the entire cybersecurity function works as a cohesive unit.

We met with SIRP co-founders, Faiz Ahmad Shuja, and Muhammad Omar Khan. They gave us the inside scoop on why their SOAR platform outperforms other solutions in this space.

Faiz Ahmad Shuja, SIRP Co-founder

When asked how SIRP got its start, Faiz said, “Omar and I started our first cybersecurity startup in 2006. We were working in the Middle East, and our headquarters were in Dubai. This first company was a professional services company serving the Gulf Region. Our services included security consulting services such as penetration testing, incident response, red team services, and other cybersecurity-related services.

“Back then, we offered our customers managed services like security monitoring, incident response, and off-site SOC services. We soon realized that we needed a better platform to manage our internal operations as well as the operations of our clients. This was the beginning of the platform we offer today. We took feedback and ideas from our first clients and incorporated them into our platform.

“In 2017, we spun this remarkable platform off to be the foundation of a new company. We worked in stealth mode from 2018 to 2019. We came out of stealth mode in January 2019 and have been running SIRP for two years now.

“We are headquartered in London. We were part of CyLon, the world’s leading cybersecurity accelerator and seed investment program. And, that is how we got our start.”

Faiz has reason to be optimistic about SIRP’s future. He indicated that their current customers include Oman’s largest oil refinery, a Forbes Global 2000 bank, a leading MSSP in Saudi Arabia, and the top five banks in Pakistan. 

SIRP refers to its solution as a Risk-based Security Orchestration, Automation and Response platform, a Risk-based SOAR. The primary focus of a SOAR platform is to gather and organize information in a way that cybersecurity professionals can easily manage and process.

A SOAR platform takes in information from a wide range of systems and delivers it to a single, central hub that analysts can then evaluate. The idea is to standardize case management and help investigators incorporate incident investigations into their workflow.

A SOAR platform also automates the process of incident response by analyzing and categorizing each specific incident and then deciding whether there is a need for a human operative to do more work. SOAR platforms help to eliminate the need for people to respond to constant alerts manually and enable engineers to categorize different threats for evaluation.

We asked Faiz to explain how risk factors in their solution and how it differs from other SOAR platforms. He told us, “Most SOAR platforms focus only on security alerts coming in from a security information and event management (SIEM) system and then perform orchestration and automation on that data. What is missing is any sense of context. We focus on context and prioritization, not just alerts.”

Muhammad Omar Khan, SIRP Co-founder

Muhammand explained that many organizations have upwards of 25 tools that generate security alerts, and it becomes exhausting to navigate to multiple security tools to identify, investigate, and respond to dispersed cybersecurity data. SIRP aggregates all cybersecurity data coming in from different tools.

As an example, Faiz said, “If you are getting 10,000 alerts, there is no point to it. How can anyone handle that many alerts? What we do differently is we prioritize alerts based on the context around the alert along with the risk to the organization. 

“Understanding the organization’s risks and having context around the alert inputs allows us to prioritize information accurately. The security analyst’s queue is much easier to manage. They can make better decisions faster. 

“We ingest more information about each alert. Some of this additional information may come from threat intelligence feeds that our customers subscribe to. We ingest vulnerabilities from the customer’s security scanners and fuse all this information with the customer’s assets and risks. The ability to fuse these various sources, and then prioritize alerts is unique to our platform. When an alert comes in, the analyst can see the asset as well as all the vulnerabilities and threat intelligence applicable to that asset. This data is all represented in a SIRP Security Score (S3). The S3 is based on the asset, the importance of the asset, and the criticality of a loss involving that asset.

“In addition to risk-based alert prioritization, the platform provides a workflow for case management, reporting, and an alerting dashboard. The user can automate and orchestrate any of the events coming into the system. We provide a single security operations platform where a security analyst can find all the information they need all at once. We provide a full view of the threatscape for the organization.”

As the flood of security threats increases, new tools are needed to manage the rising tide of alert data. SOAR platforms go a long way toward providing actionable information but often fall short by failing to incorporate threat intelligence and context tied to the organization’s risk. SIRP is an excellent example of how innovative technology is rising to meet the challenge posed by today’s advanced threatscape. 

Steven Bowcut is an award-winning journalist covering cyber and physical security. He is an editor and writer for Brilliance Security Magazine as well as other security and non-security online publications. Follow and connect with Steve on Twitter, Instagram, and LinkedIn.