A peep into the world of SOAR (Security Orchestration, Automation and Response)

Ashish Bansal
6 min read · Nov 2, 2020

Information Security has become one of the top priorities for most organizations today, as they are expected to rise to the challenges posed by data leakage, privacy risks, cyber threats, zero days and so on. Moreover, the attack surface has grown with the adoption of technologies like Big Data infrastructure, Cloud, Infrastructure as Code, Containers, IoT and many others.


Let’s look at some statistics on cyber security attacks:

  • 64% of companies have experienced web-based attacks,
  • 62% experienced phishing & social engineering attacks,
  • 59% experienced malicious code and botnets, and
  • 51% experienced denial of service attacks.

Did you know that hackers attack Internet-connected computers every 39 seconds, and that 95% of cyber-security breaches are due to human error? Even so, more than 77% of organizations do not have a Cyber Security Incident Response plan. In fact, most companies take nearly 6 months to detect a data breach, even a major one.

Since COVID-19, the US FBI has confirmed a 300% increase in reported cyber crimes. New exploits appear in the wild almost every day, targeting databases and software platforms; crypto mining and ransomware attacks have been growing lately. Plenty of security solutions are available, but managing them can be daunting when they produce thousands of alerts and an overwhelming number of false positives every day. On top of this, Security Analysts can investigate only a limited number of alerts, so real-time action is rarely possible, which raises the Mean Time to Detect (MTTD) and in turn the Mean Time to Respond/Remediate (MTTR). This is why organizations are in dire need of solutions that help them detect issues and resolve them faster, reducing the overall time spent per incident and getting the most value from Security Analysts by using them for value-adding work instead of repetitive tasks and false positives.

Security Automation enables security management: it guides companies in identifying threats, triaging and investigating alerts as they appear, and remediating them promptly, with or without human intervention. When fully integrated with the required workflows, Security Automation encourages best practices, uniformity and standardization, and provides visibility of the overall security infrastructure. Companies are now catching up, as more and more SOC, TD, TH and DFIR teams leverage either basic automation or advanced security platforms like XSOAR.

What is a Security Orchestration, Automation and Response (SOAR) platform?

In a security automation platform you can perform a series of actions across the security infrastructure in a matter of seconds, orchestrating across all security products. This allows you to standardize and automate security-related processes for faster response times and increased productivity. SOAR is engaged when an incident is detected, via the network, a file scan, an email scan and so on, to respond appropriately.

Security automation platforms offer various features; some of them are listed below:

End to End Case Management Platform: SOAR combines security automation, orchestration and incident management into a single investigation, from which you can perform real-time actions and collaborate with your team members.

Playbook Creation and Customization: Security automation platforms allow you to create multiple workflows, each made up of different tasks. Workflows combined together are referred to as playbooks, and the platforms ship with various default playbooks that let you act on JSON data and make decisions using the defined logic.

Standardized Incident Response: Since a playbook is a collection of standardized workflows, it drives the integrations and scripted tasks that respond to incidents according to the defined rules, ensuring that repeatable, streamlined steps are performed. Integration actions could include IOC searching, malware detonation and URL blocking.

Solution Hub for all Security Offerings: SOAR platforms integrate effortlessly with security solutions like firewalls, EPP, EDR, sandboxes, SIEM, TI etc., and also monitor alerts and incident assignments. These integrations are categorized into business areas like Database, Case Management, Authentication, Messaging, Forensics Analysis, Vulnerability Management etc. Most of them are available by default as part of the SOAR content library, with the option to “BYOI” (Bring Your Own Integration, i.e. write your own) or customize the existing ones.

The Difference Between Orchestration and Automation

Security automation integrates coded tasks that simplify essential processes like URL and IP reputation checks. Orchestration is the next step: it ensures all security applications are well integrated so that they perform the designated actions and produce task responses.

Orchestration enables your security and threat detection infrastructure to work cohesively, offering proactive security approaches and remediation.


Thinking about moving to a SOAR platform? Consider these:

You can’t automate everything, so go easy: start with the tasks that eliminate the repetitive work the security team wastes the most time on, then monitor your progress and adapt. To get started, you can:

  • Define use cases based on your industry and set your security goals.
  • Document all your playbooks and automation scripts in a descriptive manner and use a standard documentation template.
  • Decide upon the required architecture of the SOAR platform, such as multi-tenancy with cloud deployment.
  • Keep separate environments for testing and production.

Upskill your security team to work on the SOAR platform; ideally, you should have a dedicated team of SMEs who can help run it. The team should comprise people with good knowledge of varied security platforms and of software development with scripting and APIs. Don’t hesitate to reach out to user communities and product teams for assistance, and keep your list of use cases ready well in advance.

Multifaceted issues that involve decision making and complex problem solving will still require the expertise of Security Analysts to investigate and identify appropriate solutions.

Valid use case for SOAR: SOC (Security Operations Center)

SOC Management:

Day-to-day SOC management activities are great candidates for security automation. Most SOC teams operate in a 24x7 model with multiple shift handovers, so automating case assignment and escalations makes security operations easier to manage. SOAR not only detects security-related issues but also lets you remediate them by executing the required workflow, reducing the chance of human or process-related misses and errors.

Solutions like Palo Alto’s Demisto (now XSOAR) give you an option to automate the entire investigation workflow via playbooks, and escalations can be defined and automated based on the processes that are unique to your organization. Automating both of these tasks ultimately streamlines shift handoffs as well.
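The case-assignment and escalation automation described above, as an added example (not code from the post or from XSOAR). It assumes a constructed three-shift UTC roster and per-severity SLA targets; a real platform would read both from its configuration and call its own API to set the owner.

```python
from datetime import datetime, timedelta, timezone

# Constructed shift roster: hours are UTC, interval is [start, end).
SHIFTS = [
    {"name": "APAC", "start": 0, "end": 8, "analysts": ["a.lee", "b.ng"]},
    {"name": "EMEA", "start": 8, "end": 16, "analysts": ["c.mueller", "d.rossi"]},
    {"name": "AMER", "start": 16, "end": 24, "analysts": ["e.garcia", "f.jones"]},
]
# Constructed response-time targets (minutes) per severity.
SLA_MINUTES = {"critical": 15, "high": 60, "medium": 240, "low": 1440}


def shift_for(now: datetime) -> dict:
    """Return the shift that is on duty at the given UTC time."""
    for shift in SHIFTS:
        if shift["start"] <= now.hour < shift["end"]:
            return shift
    raise ValueError(f"no shift covers hour {now.hour}")


def assign(incident: dict, open_incidents: list, now: datetime) -> dict:
    """Assign the incident to the least-loaded analyst on the current shift.
    Ties are broken by name so the result is deterministic."""
    shift = shift_for(now)
    load = {analyst: 0 for analyst in shift["analysts"]}
    for inc in open_incidents:
        if inc.get("owner") in load:
            load[inc["owner"]] += 1
    incident["owner"] = min(shift["analysts"], key=lambda a: (load[a], a))
    incident["shift"] = shift["name"]
    return incident


def escalation_state(incident: dict, now: datetime) -> str:
    """'ok' within SLA, 'warn' past 75% of the SLA, 'escalate' once it is breached."""
    age_minutes = (now - incident["created"]).total_seconds() / 60
    sla = SLA_MINUTES[incident["severity"]]
    if age_minutes > sla:
        return "escalate"
    if age_minutes > sla * 0.75:
        return "warn"
    return "ok"


def handover(open_incidents: list, now: datetime) -> list:
    """At shift change, move still-unacknowledged ('new') incidents owned by
    off-shift analysts to the incoming shift. Returns the reassigned ids."""
    on_shift = shift_for(now)["analysts"]
    reassigned = []
    for inc in open_incidents:
        if inc["status"] == "new" and inc.get("owner") not in on_shift:
            assign(inc, open_incidents, now)
            reassigned.append(inc["id"])
    return reassigned


if __name__ == "__main__":
    # Constructed queue at 09:00 UTC, just after the APAC -> EMEA handover.
    now = datetime(2020, 11, 2, 9, 0, tzinfo=timezone.utc)
    queue = [
        {"id": "INC-1", "owner": "c.mueller", "status": "in_progress",
         "severity": "high", "created": now - timedelta(minutes=30)},
        {"id": "INC-2", "owner": "a.lee", "status": "new",
         "severity": "critical", "created": now - timedelta(minutes=20)},
    ]
    print("reassigned:", handover(queue, now))
    for inc in queue:
        print(inc["id"], inc["owner"], escalation_state(inc, now))
```

The escalation check is meant to run on a schedule (every few minutes) rather than once at assignment, so an incident that was fine at handover still escalates if nobody picks it up.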

Risk Mitigation:

Security operations teams often lack documented processes, relying on individuals’ knowledge to triage, investigate and respond to incidents. This is a high-risk exposure, as each analyst performs the investigation differently, but SOAR allows these RPs (Reaction Plans) or processes to be converted into workflows in the form of playbooks for consistent security investigation.

A quick starting point for listing SOC automation use cases is the SANS IR life cycle: well-documented reaction plans can be converted to automated workflows via playbooks, the required security products can be integrated with the SOAR platform, all security alerts can be managed according to the predefined rules in your playbooks, and the required remediation, like quarantining endpoints or blocking identified IOCs, can be performed.
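The playbook model described under “Playbook Creation and Customization” and “Standardized Incident Response”, and the reaction-plan-to-playbook conversion described here, as one added example (not code from the post or from any SOAR product). The incident is a plain JSON-style dict, the “integrations” are in-memory stand-ins for a threat-intelligence lookup, a firewall block and case closure, and the reputation scores, threshold and IOC values are all constructed; the individual tasks are the automation, and `run_playbook` is the orchestration that chains them with a decision branch.

```python
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed stand-in for a TI integration: IOC -> reputation score 0..100.
# The IPs are from documentation ranges and the URL uses the reserved .invalid TLD.
REPUTATION_DB: Dict[str, int] = {
    "203.0.113.7": 90,
    "198.51.100.22": 10,
    "http://example.invalid/payload": 85,
}
MALICIOUS_THRESHOLD = 70  # assumed scoring policy


# --- integrations: each stands in for one product the playbook orchestrates ---
def ti_lookup(incident: dict) -> dict:
    """IOC search: score every IOC on the incident (unknown IOCs score 0)."""
    incident["reputation"] = {ioc: REPUTATION_DB.get(ioc, 0) for ioc in incident["iocs"]}
    return incident


def firewall_block(incident: dict) -> dict:
    """Containment: record a block action for each malicious IOC."""
    incident.setdefault("actions", []).extend(f"block:{ioc}" for ioc in incident["malicious_iocs"])
    return incident


def case_close(incident: dict) -> dict:
    """Case management: close the case with an outcome label."""
    outcome = "contained" if incident["malicious_iocs"] else "false_positive"
    incident.setdefault("actions", []).append(f"close:{outcome}")
    incident["status"] = "closed"
    return incident


# --- scripted task holding the decision logic ---
def classify(incident: dict) -> dict:
    bad = [ioc for ioc, score in incident["reputation"].items() if score >= MALICIOUS_THRESHOLD]
    incident["malicious_iocs"] = bad
    incident["severity"] = "high" if bad else "low"
    return incident


@dataclass
class Task:
    name: str
    action: Callable[[dict], dict]
    when: Optional[Callable[[dict], bool]] = None  # branch condition; None means always run


# The reaction plan written down as an ordered playbook with a conditional branch.
TRIAGE_PLAYBOOK: List[Task] = [
    Task("enrich", ti_lookup),
    Task("classify", classify),
    Task("contain", firewall_block, when=lambda inc: inc["severity"] == "high"),
    Task("close", case_close),
]


def run_playbook(playbook: List[Task], incident: dict) -> dict:
    """Orchestrate the tasks in order, recording which ran and which were skipped."""
    log = []
    for task in playbook:
        if task.when is not None and not task.when(incident):
            log.append(f"{task.name}: skipped")
            continue
        incident = task.action(incident)
        log.append(f"{task.name}: done")
    incident["run_log"] = log
    return incident


if __name__ == "__main__":
    # Constructed alert, in the JSON shape a SIEM might hand to the platform.
    alert = {"id": "INC-0001", "status": "new", "iocs": ["203.0.113.7", "198.51.100.22"]}
    print(json.dumps(run_playbook(TRIAGE_PLAYBOOK, alert), indent=2))
```

Every task reads and writes the same incident document, which is what makes the run repeatable and auditable: `run_log` shows exactly which branch was taken, and `actions` is the list a reviewer would check against the reaction plan.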

However, note that the application of SOAR isn’t limited to the SOC; you can also look at other potential automation candidates like TH (Threat Hunting) and DFIR (Digital Forensics and Incident Response).

If you want to connect for any automation and security use cases, feel free to reach out. Security Automation is what I do every day, and I totally enjoy working with complex security tools and open source technologies to manage the security infrastructure.
