M-SOAR is a critical component of ICES to reduce MTTR to email threats

Duncan Mills | 4th Oct 2022

Industry analyst, Gartner, first coined the term M-SOAR (more recently MSOAR) in their 2019 Market Guide for Email Security. The full term is mail-focused security orchestration, automation and response. It is functionality that is included with the leading integrated cloud email security (ICES) products that enables security analysts to triage user-reported suspicious emails and investigate, contain and remediate email-related incidents.

Below, we discuss the alternatives and why M-SOAR is a popular choice to help SecOps teams meet their mean time to respond (MTTR) targets.

Phishing exacerbates fatigue in the SecOps team

The Egress report, Fighting Phishing: The IT Leaders View, found that 84% of organizations had been victims of phishing. These incidents must be investigated, responded to and remediated by already overworked security analysts and/or email admins.

An IBM report found that the average number of security tools in use by organizations was 45 and responding to an incident required coordination across on average, 19 tools. This requires security analysts to be competent in the effective use of many different tools, creating console fatigue. And this is not the only fatigue that this vendor sprawl introduces – alert fatigue is the result of each security technology that is deployed logging events and creating alerts when suspicious activity is detected.

Can SIEMs make life easier?

Security incident and event management (SIEM) tools can help alleviate some of the pressure of alert fatigue by correlating alert data and helping analysts triage events to prioritize the most critical incidents for investigation. However, since SIEMs were conceived, the volume of log data has increased to the point where it is not cost effective for security teams to ingest everything they might want to, and they must decide what data to prioritize. This could result in an artifact that might be critical to an investigation potentially being disregarded.

SIEMs might help with wider incident investigation, but they add a layer of complexity not necessary to quickly investigate and contain the first stage of a phishing attack. They also provide little help triaging and prioritizing user-reported phishing emails.

Can SOARs ease the pressure?

Security orchestration, automation and response (SOAR) tools provide yet more support for analysts by automating much of the incident response process, and most will have some form of phishing response playbook. While a significant step forward in helping the SecOps team meet their goals, to be effective, they require integration with SIEMs and email security tools – a costly and time-consuming exercise that is probably only implemented by the more-mature security operations centers.

Will extended detection and response (XDR) help?

Endpoint detection and response (EDR) tools are evolving into extended detection and response (XDR). This seeks to replicate some functionality provided by SIEM and SOAR by pulling data from multiple security controls to use during threat hunting and incident response. XDR essentially combines some traditional SecOps tooling with front end components like firewalls, EPP/EDR, SEG, SWG, CASB, etc.

As well as helping investigate incidents involving phishing, some XDR tools can help with the challenge of triaging user reported suspicious emails by monitoring an abuse mailbox and parsing the emails into the component parts necessary for rapid investigation.

Which solution is right for my organization?

If you are an IT or security professional in a mid-sized organization, you might be thinking what a great problem it would be to have this array of security tools at your disposal. You may want to reconsider – the IBM report referenced earlier also found that those with more than 50 tools ranked themselves 8% lower than others in their ability to detect an attack.

The truth is that none of these tools that are designed to make life easier meet all the requirements of the IT or SecOps teams, and of course, they introduce a level of complexity and cost that many organizations cannot manage. They are essentially architectures, not solutions in their own right, and each solves part of the challenge.

The action on you is to understand your highest priority desired outcomes and source the right tools to achieve them. If rapid and easy triage, investigation, and remediation of email phishing threats across your email platform is one of these, then M-SOAR is probably a critical capability for you.

Learn how Egress Defend can help reduce your time to respond and remediate phishing attacks.