How to optimize SLA execution with Chronicle SOAR
Ahnna Schini
Security Operations, Product Marketing Manager
Measuring the effectiveness of security operations programs can be challenging. Since time is of the essence when it comes to effective threat detection and response, one metric that is commonly used by security operations teams is service level agreements (SLAs). SLAs define the desired amount of time it should take a security operations team to investigate and address a “case.” They are also becoming an increasingly important tool for leadership as they aim to:
Track security tools and services impact on the organization
Measure the amount of risk reduction being performed
Identify gaps, reallocate resources and evolve existing processes
These goals ring true for both managed security service providers (MSSPs) and enterprises, but through different lenses. For enterprises, SLAs are typically used for tracking and planning purposes, whereas for MSSPs, SLAs often serve as a contractual agreement with a customer, thereby impacting not just cybersecurity but also customer satisfaction and ultimately revenue. And as SLA adoption continues to grow, so will the need for security tools that make meeting SLAs more about quality than speed. Enter: Chronicle SOAR, part of the Chronicle Security Operations suite.
Fixed, time-based SLAs only incentivize speed, which means there’s little to no room left for quality and efficiency. Here to pave the way for thoughtfully designed SLAs is Chronicle SOAR. With our new and improved SLA management, security engineers can now set SLAs by case or alert priority as part of the automated playbook design process.
These capabilities enable security teams to design SLAs realistically, with complexity and severity in mind. For example, incidents with high business impact can be prioritized, just as incidents with high difficulty can be set for longer response times. Building these into your SLA design is key to successfully meeting SLAs with high-quality outputs.
But, what good is a well-designed SLA without visibility? Security operations platforms need to ensure SLAs are visible throughout the investigation and response process so analysts know when and how to act. Chronicle SOAR maximizes SLA visibility with pop-ups in the case header, new icons and a revamped homepage. Now security teams can easily see which cases have SLAs that are approaching, along with their details and requirements. This visibility paired with thoughtfully designed SLAs empowers security teams to better prioritize and execute their work without sacrificing quality.
Now that we’ve got the best practices down, let’s dive into what this realistically looks like for a SOC team.
The security engineer approach
As a security engineer, you would kick off the SLA process by logging into Chronicle SOAR and heading to settings. This is where you can begin to configure SLA rules based on alert and/or case complexity and severity. After you have set the well-thought-out time frames for the SLA period (the amount of time that can pass before the SLA is breached) and the SLA critical period (the time before the SLA enters its critical phase), you can click “add.” From here you can go to the cases tab, where you can see all the SLAs you created.
One way for you to accelerate SLA execution is by leveraging Chronicle SOAR’s new parallel actions capability. Now you can build faster and more effective playbooks by running actions in parallel as part of a playbook or block of actions.
How Chronicle SOAR can help security analysts
As a security analyst, your first step after logging into Chronicle SOAR is navigating to the “cases” tab to begin addressing potential threats. Once here, you will be able to see SLA icons and pop-ups in the case header that indicate their status. Each SLA status will enable you to prioritize which incidents you need to address and respond to first to successfully meet your SLAs. And, you can even expedite this process with the shortened playbook execution time from parallel actions.
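To make the SLA period and SLA critical period from the engineer's configuration step, and the status an analyst triages on, concrete: the following is an added example, not Chronicle SOAR code, that models priority-based SLA rules and derives an ok / critical / breached status plus a triage order for open cases. The rule durations, the sample cases and the function names are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class SlaRule:
    period: timedelta           # time allowed before the SLA is breached
    critical_period: timedelta  # window before the deadline treated as critical

# Constructed rules keyed by case priority; the durations are illustrative only.
SLA_RULES = {
    "critical": SlaRule(timedelta(hours=1), timedelta(minutes=15)),
    "high":     SlaRule(timedelta(hours=4), timedelta(hours=1)),
    "medium":   SlaRule(timedelta(hours=24), timedelta(hours=4)),
    "low":      SlaRule(timedelta(days=3), timedelta(hours=12)),
}

@dataclass(frozen=True)
class Case:
    case_id: str
    priority: str
    opened_at: datetime

def sla_status(case, now, rules=SLA_RULES):
    """Return (status, time_remaining); status is 'ok', 'critical' or 'breached'."""
    rule = rules[case.priority]
    remaining = case.opened_at + rule.period - now
    if remaining <= timedelta(0):
        return "breached", remaining
    if remaining <= rule.critical_period:
        return "critical", remaining
    return "ok", remaining

def triage_order(cases, now, rules=SLA_RULES):
    """Most urgent first: breached, then critical, then ok; least time left first."""
    rank = {"breached": 0, "critical": 1, "ok": 2}
    scored = [(case, *sla_status(case, now, rules)) for case in cases]
    scored.sort(key=lambda t: (rank[t[1]], t[2]))
    return [(c.case_id, status, remaining) for c, status, remaining in scored]

# Constructed sample: four open cases evaluated at a fixed "now" (hypothetical data).
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

def sample_cases():
    return [
        Case("C-1", "high", SAMPLE_NOW - timedelta(minutes=30)),      # 3h30m left: ok
        Case("C-2", "critical", SAMPLE_NOW - timedelta(minutes=50)),  # 10m left: critical
        Case("C-3", "medium", SAMPLE_NOW - timedelta(hours=26)),      # 2h overdue: breached
        Case("C-4", "low", SAMPLE_NOW - timedelta(days=3)),           # at the deadline: breached
    ]
```

Calling `triage_order(sample_cases(), SAMPLE_NOW)` yields the breached cases first, then the one inside its critical window, then the one still within its SLA period.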
What SOC managers need to know
As a SOC manager tracking SLA performance, your first stop in Chronicle SOAR will be the “reports” tab. Here you can track your team’s SLA execution using interactive reports and dashboards. You can leverage this information to identify gaps and where to improve processes, which you can then report to your team and leadership.
Next steps
As SLA adoption continues to grow across security teams, so will the need for security tools that prioritize both SLA quality and execution. Chronicle SOAR together with Chronicle SIEM can enable security teams to detect and respond to cyberthreats with speed and precision, and demonstrate this to all stakeholders.
For a deeper look at these capabilities, contact your Google Cloud sales or CSM team. To see all of Chronicle Security Operations’ latest improvements, check out our feature roundup.