The modern cybersecurity landscape presents defenders with an excessive number of threats and critical workforce shortages. While traditional Security Orchestration, Automation, and Response (SOAR) systems offer remedies, they often demand high programming expertise, which most security providers lack. To address this, we introduce SOAR-Flow, an original low-code orchestration paradigm that opens complex automation to security analysts without requiring advanced coding knowledge. As a visual workflow engineering tool, SOAR-Flow manages multi-source threat intelligence and incident response through two major functional modules: the CVEIntel Pipeline for vulnerability checking and the Multi-Source Threat Aggregator for combining intelligence. It was empirically tested across twelve enterprise environments over a six-month period, processing 10,847 security events and eight threat intelligence feeds. Before SOAR-Flow’s implementation, the average Mean Time to Respond (MTTR) was 204 min, with 62% classification accuracy and 28% false positives, requiring 45 analyst triage hours weekly. After implementation, MTTR decreased by 87% to 26 min; classification accuracy increased to 94.2%; false positives reduced to 9%; and manual triage demand fell to 12 analyst hours per week (a 73% decrease). Annual expenditures, including analyst overheads and delayed response impacts, decreased from approximately $2.8 million to $280,000 due to SOAR-Flow’s automation efficiency and accelerated threat remediation. These results demonstrate that powerful security automation can be achieved through intelligent design and visual methods, without extensive programming expertise.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

SOAR-Flow: Automated Multi-source Threat Intelligence and Incident Response Orchestration

  • Yaakulya Sabbani,
  • Suryaprakash Nalluri,
  • Hemalatha Kandagiri,
  • Murali Mohan Malyala

摘要

The modern cybersecurity landscape presents defenders with an excessive number of threats and critical workforce shortages. While traditional Security Orchestration, Automation, and Response (SOAR) systems offer remedies, they often demand high programming expertise, which most security providers lack. To address this, we introduce SOAR-Flow, an original low-code orchestration paradigm that opens complex automation to security analysts without requiring advanced coding knowledge. As a visual workflow engineering tool, SOAR-Flow manages multi-source threat intelligence and incident response through two major functional modules: the CVEIntel Pipeline for vulnerability checking and the Multi-Source Threat Aggregator for combining intelligence. It was empirically tested across twelve enterprise environments over a six-month period, processing 10,847 security events and eight threat intelligence feeds. Before SOAR-Flow’s implementation, the average Mean Time to Respond (MTTR) was 204 min, with 62% classification accuracy and 28% false positives, requiring 45 analyst triage hours weekly. After implementation, MTTR decreased by 87% to 26 min; classification accuracy increased to 94.2%; false positives reduced to 9%; and manual triage demand fell to 12 analyst hours per week (a 73% decrease). Annual expenditures, including analyst overheads and delayed response impacts, decreased from approximately $2.8 million to $280,000 due to SOAR-Flow’s automation efficiency and accelerated threat remediation. These results demonstrate that powerful security automation can be achieved through intelligent design and visual methods, without extensive programming expertise.