The increase in the number and complexity of cybersecurity threats and attacks over the last several years continues to heavily influence enterprise security decisions. Alongside the growing business need, the significant benefit that Security Orchestration, Automation and Response (SOAR) technology can offer security operations and incident response teams is now being truly realized.
The complexity of cyber attacks has increased the need for organizations to share threat intelligence across different areas of the business, and today this may even include external stakeholders such as law enforcement or government agencies, so that they can detect, contain and mitigate the constant and diverse cyber attacks that are occurring. Choosing the right SOAR tool can bring significant added value to an organization’s security operations, not only in terms of full incident lifecycle automation (including triage, notification, context enrichment, hunting and investigation, as well as threat containment), but also by enabling incidents to be detected, responded to and mitigated more efficiently than ever before, ultimately becoming a force multiplier that lets security teams do more and respond faster, all with fewer resources.
It is key for any security team to ensure the security tools, technologies and platforms they implement are best suited to their infrastructure, workflows, processes and procedures. Every setup is likely to vary from organization to organization. So, what questions should you be asking yourself as a security manager or CISO when it comes to selecting the appropriate SOAR solution? It is important to perform research, evaluate the tools and request a proof of concept before you invest in any SOAR tool. Here, we will cover five fundamental areas that should be considered as part of the process.
Human Manual Actions or Machine Automated Actions?
Incident response teams are now in constant defense mode as the number of security alerts being generated is hitting an all-time high. In addition to the increasing and advancing threat challenges, many security teams now face a lack of skilled workforce that can efficiently react, investigate and collect the necessary threat intelligence to properly determine the impact of an attack, then contain and remediate it. It is no secret that there is a lack of skilled cybersecurity professionals in the industry, but this fact is also well known by attackers. A skilled analyst will know exactly what information is needed to assess a situation and quickly eliminate the attack by containing and remediating the threat. Humans, even when very skilled, do have limitations on how fast they can react and access, collect, analyze and correlate information to gather proper threat intelligence.
Therefore, it is important to assess your resources and answer key questions, including: Are all your alerts being responded to, or are they falling by the wayside? Are analysts overworked and suffering from alert fatigue? Would it be more effective and efficient for them to be working on higher-level, prioritized tasks, as opposed to basic, mundane, repetitive ones that could potentially be automated? If the answer is yes to any of these questions, then some form of automation would make a significant impact on the operational performance of your security team.
When analyzing a SOAR solution, you should also consider one that enables both human actions and automated machine actions to work hand in hand simultaneously. Dual-action will enable you to automate the menial, repetitive tasks, but also ensure those tasks that need human intervention can also easily be actioned.
Which Existing Software and Solution Integrations Does It Have?
The average security team uses somewhere between 10 and 15 key security tools from third-party security vendors, including security information and event management (SIEM), intrusion prevention systems (IPS), endpoint detection and response (EDR), malware sandboxes and threat intelligence. A SOAR tool should integrate easily with these third-party technologies to provide bi-directional support for a number of different actions that expedite the incident response process. The selected SOAR tool should support not only cybersecurity standards and best practices, but also APIs and interfaces to other tools where these would be beneficial. The tool should also support queries into databases to facilitate obtaining enrichment information. Widely used communication methods, such as syslog and email, should be supported, as they allow the transmission of data from a large number of third-party tools.
It is crucial to evaluate the security tools currently in use and ensure they are capable of being integrated into the SOAR platform, which will ultimately be used to orchestrate and automate these security tools.
Does it Aid Regulatory Compliance?
SOAR vendors that endeavor to ensure their products and solutions follow industry best practices and standards, such as ISO, NIST, CERT, SOA, COBIT, OWASP, MITRE, OASIS, PCI and HIPAA, and that factor these into the planning, architecture, design and build stages, offer the best products.
Vendors that are able to think ahead of the curve and cater for a range of industries and their respective compliance requirements, regulations and standards across worldwide locations offer the best solutions, as large enterprises need to meet their day-to-day business needs as well as their security needs. One example is the upcoming General Data Protection Regulation (GDPR), under which breach notification is required within 72 hours. Your SOAR solution needs to cater for this requirement and be able to provide a complete and user-friendly incident report for varying levels of stakeholders.
When choosing a SOAR solution, it is important to make a list of all the regulations, standards and best practices that you need to meet and ensure the SOAR provider can address these requirements.
What is the True Cost of the Tool?
The price of a SOAR solution can be a significant consideration. Most SOAR products are charged per number of users per license per year, but you need to ensure there are no hidden extra costs, especially for complex products that may require professional services to deploy.
Questions that should be asked include:
– Is the deployment and general day to day use for analysts straightforward?
– Are professional services needed to configure and deploy the solution?
– How long does it take to implement and customize the solution?
– Is basic support included in the price?
– Is additional product support maintenance available?
– Does the vendor provide playbooks and runbooks that can be customized?
One factor that is often overlooked is the price-to-feature ratio. Remember to evaluate which features will actually be needed versus which would be nice to have or simply won’t be utilized. Select a vendor that can offer affordable tools with no hidden costs and is willing to offer a license and maintenance price that works for your budget and requirements.
What Product Support
As mentioned above, product support often comes at a price, so it is important to establish what support is included in the base price. Being able to obtain a high level of service and support from the SOAR vendor is an important consideration for the success of the rollout, the overall cost and day-to-day maintenance. Some of the questions that should be asked here are:
– What does the basic support package include?
– What is the cost of extended support?
– When is support available?
– Does the vendor have a significant presence in the region of operation? For example, some SOAR vendors are primarily U.S. based, so if an organization is based in EMEA, Asia or Latin America, they may not provide the level of support required.
Support costs can significantly drive up the cost of deployment and should be assessed in the early stages of the procurement process, as it is important to establish how much can be achieved internally by the security analysts and engineers. Security team managers and CISOs ultimately have to measure the increase in performance of security operations and justify the return on investment received.
Overall, deciding whether or not to implement a SOAR solution should come down to the pure facts and figures from analyzing your current security operations performance against a number of KPIs and metrics, and identifying the business need for it. Will it solve your common pain points and challenges, such as a lack of skilled resources or the increasing number of alerts? In most cases, the answer will be yes!
Weighing up the SOAR solutions out there then becomes the harder challenge. It is worth reviewing Gartner’s approach to SOAR, as well as making a list of requirements that you know must be covered to effectively work within your current and future infrastructure, those that are nice to have and those that are not so important to you. Overall though, the solution needs to be easy to implement, scalable, cost-effective and something that will enhance the overall performance of the security operations, improving the efficiency and effectiveness of the way incidents are managed.
If you would like to see DFLabs’ SOAR solution in action, request a demo of our IncMan SOAR platform today and get your questions answered.
DFLabs is excited to announce two new technology partnerships with recognized industry leaders: Recorded Future and Tufin. Both Recorded Future and Tufin recently launched formal technology partnership programs and DFLabs is honored to be among the first technology partners to join. Each of these integrations adds significant value to the security programs of our joint customers, allowing them to more efficiently and effectively respond to computer security incidents and reduce risk across the organization.
DFLabs’ new integration with Recorded Future allows joint customers to automate the retrieval of contextualized threat intelligence from Recorded Future, orchestrating these data enrichment actions into the overall incident response workflow. This enriched information can be used within the R3 Rapid Response Runbooks of IncMan SOAR to inform further automated decisions or can be reviewed by analysts as part of the response process.
DFLabs’ integration with Recorded Future includes five enrichment actions: Domain, File, IP and URL reputation queries, as well as a threat intelligence search action. Each of these enrichment actions will return all relevant intelligence on the queried entity, as well as a direct link to the Recorded Future Info Card.
DFLabs’ new integration with Tufin allows joint customers to automate the retrieval of actionable network intelligence from Tufin’s rich sources of network data, providing further context surrounding the organization’s network, allowing for more informed automated and manual decisions. This network intelligence can be used within the R3 Rapid Response Runbooks of IncMan SOAR to make decisions based on numerous factors, such as network device information, simulated path information or network policy rules, or can also be reviewed by analysts as part of the response process.
DFLabs’ integration with Tufin includes five enrichment actions: Get Devices (get network device information based on the supplied parameters), Get Path and Get Path Image (simulate the path which would be taken based on source and destination IP and port information), Get Policies by Device (get network policies for the given device ID), Get Rule Count (get the number of rules which match the specified parameters), and Get Rules by Device (get network rules for the given device ID).
See the DFLabs IncMan SOAR Platform Integrations in Action
Each of these new partnerships extends DFLabs’ automation and orchestration capabilities into new product spaces with some of the best solutions in their respective classes.
If you are attending the RSA Conference at the Moscone Center in San Francisco and would like to see DFLabs’ new integration with Tufin in action, I will be at the Tufin booth (#929) in the South Expo Hall on Wednesday, April 18th from 3:00 to 4:00 PM PST to provide a live demo and answer any questions.
Otherwise, for more information regarding our new Recorded Future and Tufin partnerships, please contact us to schedule a demo and see the IncMan SOAR Platform in action here.
Within any organization’s security operations center (SOC), regardless of the role undertaken (security analyst, engineer or manager), the overall high-level goal of the security program is to ensure that the potential security risks behind the alerts generated are dealt with as efficiently and effectively as possible, keeping the threat and potential incident under control and minimizing the impact on the day-to-day operations of the business.
As more and more security alerts are triggered, potentially with increasing severity as hackers become more sophisticated, mean time to detection and mean time to resolution (MTTR) are vital. This is when it becomes critical to make sure your security operations center and incident response teams are fully utilizing the tools and resources available to them to detect, orchestrate, automate and measure their security operations and incident response processes and tasks.
With security incidents becoming more costly, organizations must find new ways to further reduce the mean time to detection and the mean time to resolution. At the same time, they face pressure from being closely monitored against a number of security program KPIs that accurately measure (and improve) performance, which will inevitably be reported back to varying levels of stakeholders, including security management, C-level executives and even the board. (For more information about KPIs for security operations and incident response, download our recent whitepaper here.) While some members of the SOC team, such as the analysts, will be focused solely on the incidents at hand, KPIs and questions surrounding service level agreements (SLAs), mean time to resolution (MTTR) and the overall return on investment (ROI) of security tools and technologies are bound to be at the forefront of the agenda of the SOC manager and, in particular, the CISO.
In this blog we will briefly discuss how a SOC can enhance its security operations program SLAs, MTTR and ROI by investing in a Security Orchestration, Automation and Response tool such as the IncMan SOAR platform from DFLabs, and we will run through a basic scenario of what happens when a security alert is detected and triggered using IncMan SOAR.
Many large organizations already use a number of third-party solutions, including security information and event management (SIEM) and endpoint detection and response (EDR) tools, but the question is: is all of the information being generated by these tools and technologies being utilized and fused together to provide meaningful aggregated, correlated and analyzed security intelligence? The answer is most probably no, and the likelihood is that the SOC team is being overwhelmed by the number of alerts and the volume of information it is receiving, and therefore cannot easily identify which is a high-level vs. low-level threat, or know exactly which process should initially be followed to put a playbook or runbook into action to contain the specific threat alert they are dealing with.
How IncMan Tackles an Alert with Security Orchestration and Automation
An incident was automatically triggered in IncMan SOAR when the organization’s vulnerability management system found that one of the critical servers was non-compliant due to missing patches. The security analyst on duty assessed that the problem needed immediate remediation. An incident management record was created to assign the correction of the problem to the system administrator in charge of the server. Automated actions triggered email notifications to the system administrator and to the security architecture and governance team, who manage the organization’s compliance.
Earlier in the year, the CISO had mandated that changes within the large organization be monitored end to end through the system development lifecycle (SDLC). This was intended to ensure that there were no security gaps in the infrastructure, as non-compliance within servers can create a security gap that can easily be exploited and misused by a hacker.
This is just one example of an alert that an organization could receive, and in this case it is quite a simple one. Imagine hundreds of more complex alerts coming in per day, related to suspected phishing attempts, malware injections, ransomware attacks and data breaches, to name a few. Analysts often get overwhelmed by the number of alerts they receive but need to be able to respond quickly to all of them, while also prioritizing them at the same time. The key is to transform the resource-intensive, manual tasks into an effective and efficient automated and orchestrated process, where dual actions (automated and manual) can occur side by side as needed. Automating the process with tools such as the IncMan SOAR platform will cut down the time spent gathering data manually and the number of resources needed to complete the several stages of the process.
IncMan SOAR provided this customer with a real-time alert that was responded to and remediated almost immediately. Automated processes were followed, reducing the amount of manual human interaction required, including data collection, enrichment, containment and remediation, all in a more efficient, standardized and timely manner. IncMan SOAR facilitated the enrichment of information via the integrations with the tools the security team was already using, providing additional intelligence to the investigation of the original security alert and helping to validate its severity.
With a vast amount of information being generated, the ability to present this information in an easy-to-use and easy-to-understand format facilitated communication among different IT team members and departments, allowing them to share the visualized information via dashboards and detailed reports that standardize the information sharing process.
Utilizing Playbooks and Runbooks
So how does a SOAR solution like IncMan know which actions to automate when a security alert is triggered? A security operations center can maximize its incident response process by utilizing a range of predefined automation and orchestration processes, via playbooks and runbooks, that expedite activities based on the type of security alert. You could, for example, have specific ones for ransomware or phishing attacks that have been written, trialed and tested repeatedly to ensure the correct actions are taken.
IncMan SOAR’s powerful engine provides an assortment of automations and actions that, within seconds of being triggered, can gather diverse information from different data sources, then enrich, contain, remediate and notify stakeholders faster than a human being can react. The process is flexible and can run fully automated or in hybrid mode, with human interaction to approve certain actions, for example blocking an IP address or quarantining a compromised asset.
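To make the dual-action idea concrete, here is a small runbook engine added as an illustration (it is not IncMan code): it runs the triage, assignment and notification steps from the patch-compliance scenario above automatically, queues the disruptive quarantine step for analyst approval in hybrid mode, and computes MTTR from the resulting incident records. The alert, asset names and addresses are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Optional

# Constructed sample alert, modelled on the scenario in the text: a vulnerability
# management scan reports a critical server as non-compliant (missing patches).
SAMPLE_ALERT = {
    "asset": "srv-db-01",
    "asset_criticality": "critical",
    "finding": "missing security patches",
    "detected_at": "2018-04-02T09:15:00",
}

# Constructed lookup data; a real SOAR would pull this from a CMDB or directory.
ASSET_OWNERS: Dict[str, str] = {"srv-db-01": "sysadmin-dba@example.test"}
GOVERNANCE_TEAM = "security-governance@example.test"

@dataclass
class Incident:
    alert: dict
    severity: str = "unknown"
    assignee: Optional[str] = None
    notifications: List[str] = field(default_factory=list)
    pending_approvals: List[str] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)
    resolved_at: Optional[str] = None  # ISO-8601 timestamp once remediated

@dataclass
class Step:
    name: str
    action: Callable[[Incident], None]
    requires_approval: bool = False  # True = analyst must approve (hybrid mode)

def triage(inc: Incident) -> None:
    """Derive severity from asset criticality and the type of finding."""
    critical = inc.alert["asset_criticality"] == "critical"
    inc.severity = "high" if critical and "patch" in inc.alert["finding"] else "medium"
    inc.audit.append(f"triage: severity={inc.severity}")

def assign_owner(inc: Incident) -> None:
    """Assign remediation to the administrator who owns the asset."""
    inc.assignee = ASSET_OWNERS.get(inc.alert["asset"], GOVERNANCE_TEAM)
    inc.audit.append(f"assign: {inc.assignee}")

def notify(inc: Incident) -> None:
    """Notify the owner and the governance team (recorded here, not actually sent)."""
    for recipient in (inc.assignee, GOVERNANCE_TEAM):
        inc.notifications.append(f"mail:{recipient}")
    inc.audit.append("notify: owner and governance team")

def quarantine_asset(inc: Incident) -> None:
    """Containment step: isolating a server is disruptive, so it is approval-gated."""
    inc.audit.append(f"contain: {inc.alert['asset']} quarantined")

# Runbook for the scenario: three automated steps, one approval-gated containment step.
PATCH_COMPLIANCE_RUNBOOK = [
    Step("triage", triage),
    Step("assign", assign_owner),
    Step("notify", notify),
    Step("quarantine", quarantine_asset, requires_approval=True),
]

class RunbookEngine:
    def __init__(self, steps: List[Step], hybrid: bool = True) -> None:
        self.steps = {s.name: s for s in steps}  # dict keeps runbook order
        self.hybrid = hybrid  # False = fully automated: gated steps run at once

    def run(self, alert: dict) -> Incident:
        inc = Incident(alert=alert)
        for step in self.steps.values():
            if step.requires_approval and self.hybrid:
                inc.pending_approvals.append(step.name)
                inc.audit.append(f"{step.name}: awaiting analyst approval")
            else:
                step.action(inc)
        return inc

    def approve(self, inc: Incident, step_name: str, analyst: str) -> bool:
        """Execute a queued step once an analyst approves it; False if not pending."""
        if step_name not in inc.pending_approvals:
            return False
        inc.pending_approvals.remove(step_name)
        inc.audit.append(f"{step_name}: approved by {analyst}")
        self.steps[step_name].action(inc)
        return True

def mean_time_to_resolution_seconds(incidents: List[Incident]) -> float:
    """MTTR in seconds over resolved incidents, one of the KPIs the text highlights."""
    done = [i for i in incidents if i.resolved_at is not None]
    if not done:
        return 0.0
    def elapsed(i: Incident) -> float:
        detected = datetime.fromisoformat(i.alert["detected_at"])
        return (datetime.fromisoformat(i.resolved_at) - detected).total_seconds()
    return sum(elapsed(i) for i in done) / len(done)
```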
In summary, without orchestration and automation the above example would have been a mundane, manual process, dependent on human resources collecting information from different data sources, carrying out a number of activities and writing a manual report.
The power of the correlation engine in IncMan SOAR cuts down the time by facilitating the collection of threat information via the integrated third-party vendors’ data sources. With the help of playbooks and automated runbooks, meaningful threat intelligence can be easily gathered, enriched and correlated to produce a visualization of the incidents that can be displayed in an automated standard report. The information is quickly available and easily shared with all teams as necessary, without having to wait on dependencies to obtain additional information about the incident from the project teams.
IncMan SOAR maximizes the SLAs for security availability and MTTR by quickly computing key details from multiple data sources and delivering them in a visual or readable detailed report format to multiple stakeholders, the leadership team or anyone else who needs them. The data can subsequently be retained, helping to build and identify historical trends, patterns and types of attack, to name a few, which in turn informs the automated actions taken on future alerts and creates a better security defense system.
Overall, the benefits of using a Security Orchestration, Automation and Response platform outweigh the negatives, and such a solution can increase the efficiency of your security operations center, enabling it to become more effective and focused on incident response management and proactive threat hunting while minimizing cybersecurity vulnerabilities, as opposed to carrying out the multitude of mundane, repetitive and time-consuming basic tasks.
Automation and orchestration reduce the MTTR and provide the organization’s management team with standard visualizations and focused, detailed written reports, which help to better meet compliance requirements such as breach notification, while fulfilling the organization’s mission to operate a secure infrastructure efficiently, improving cybersecurity governance, SLAs and ROI and ultimately maximizing company resources by doing more with less.
Faced with a growing threat landscape, a shortage of skilled cyber security professionals and non-technical employees who lack awareness of cyber security best practices, to name a few, CISOs are continuously confronted with a number of existing and new challenges. To mitigate some of these challenges, by eliminating security threats and minimizing security gaps, they must make some critical strategic decisions within their organizations.
Even though we are only at the beginning of April, 2018 is already proving to be a year of increasing cyber incidents, with security threats spanning a range of industry sectors and impacting the private and public sectors alike. We have seen many data breaches, including Uber, Facebook and Experian, that have made it clear that no organization, not even the corporate giants, is safe from these cyber threats and attacks. We are now also seeing newly evolving threats affecting the latest popular smart devices, including products such as Alexa and Google Home. New technology that is not fully tested, or security vulnerabilities from IoT devices being brought into the workplace, now bring additional concerns for CISOs and their security teams as they try to proactively defend and protect their corporate networks.
This problem seems quite simple to identify, in that corporate policies are not being updated fast enough to keep up with dynamic changes and advancements in technology, or to cope with the increasing sophistication of advancing threats, but managing it is seemingly more difficult. This generates an additional set of challenges for CISOs, who must enforce policies that still need to be written while conquering internal corporate bureaucracy to get them created, modified or updated. This is just one challenge. Let’s now discuss a few more and some suggested actions to manage them.
How CISOs Can Overcome Their Challenges
CISOs in international corporations need to focus on global compliance and regulations to abide by a range of privacy laws, including the upcoming European Union’s General Data Protection Regulation (GDPR). This new regulation, due to come into force on May 25th, 2018, has set the stage for the protection of consumer data privacy, and in time we expect to see other regulations closely follow suit. International companies that hold EU personally identifiable information inside or outside of the EU will need to abide by the regulation and establish a formalized incident response procedure, implement an internal breach notification process, communicate the personal data breach to the data subject without delay, and notify the Supervisory Authority within 72 hours, regardless of where the breach occurred. Organizations need to report all breaches and inform their affected customers, or face fines of up to 20 million Euros or four percent of annual turnover (whichever is higher). A new law called the Data Security and Breach Notification Act is also presently being worked on by the U.S. Senate to promote this protection for affected customers. This new legislation would impose up to a five-year prison sentence on any individual who conceals a new data breach without notifying the customers that have been impacted.
So how can CISOs proactively stay ahead of the growing number of cyber security threats, notify affected customers as soon as possible and respond within 72 hours of a breach? The key is to carry out security risk assessments, implement the necessary procedures, and utilize tools that can help facilitate Security Orchestration, Automation and Response (SOAR), such as the IncMan SOAR platform from DFLabs. IncMan has the capabilities to automate and prioritize incident response and the related enrichment and containment tasks, distribute appropriate notifications and implement an incident response plan in case of a potential data breach. IncMan handles different stages of the incident response and breach notification process, including providing advanced reporting capabilities with appropriate metrics and the ability to gather or share intelligence with third parties. This timely collection of enriched threat intelligence helps expedite the incident response time and contributes to better management of the corporate landscape.
The Need to Harden New Technology Policies
Endpoint protection has also become a heightened concern for security departments in recent months, with an increasing number of organizations facing multiple ransomware and zero-day attacks. New technologies used by employees within the organization but not covered by corporate policies, such as Bring Your Own Device (BYOD) and the Internet of Things (IoT), have brought new challenges to the CISO’s threat landscape. One example, as we mentioned earlier, is gadgets such as Alexa or Google Home, which users bring into the office and connect to the corporate Wi-Fi or network without prior approval. Once connected to the network, they can immediately introduce vulnerabilities and access gaps in the security of the network that can be easily exploited by hackers.
Devices that are not managed under corporate policies need to be restricted to a guest network, from which vulnerabilities in the corporate network cannot be exploited, and should not be allowed to use Wi-Fi Protected Access (WPA). CISOs need to ensure that stricter corporate policies are implemented to restrict and manage new technologies, as well as utilizing tools such as an Endpoint Protection Product (EPP) or Next-Generation Antivirus (NGAV) solution to help prevent malware from executing when found on a user machine. NGAV tools can learn the behaviors of the endpoint devices and query a signature database of vaccines for exploits and other malware in real time, helping to expedite containment and remediation and minimize threats.
Maximizing Resources With Technology as a Solution
With the significant increase in the number and sophistication of potential cyber security threats and security alerts, combined with a shortage of cyber security staff with the required skill set and knowledge, CISOs are under even more pressure to protect their organizations and are asking themselves questions such as: How do I effectively investigate incidents coming in from so many data points? How can I quickly prioritize the incidents that present the greatest threat to my organization? How can I reduce the amount of time necessary to resolve an incident and give staff more time to hunt emerging threats?
They will need to assess their organization’s current security landscape and available resources, while assessing their skill level and maturity. Based on the company size, it may even make business sense to outsource some aspects, for example by hiring a Managed Security Service Provider (MSSP) to manage alert monitoring, threat detection and incident response. CISOs should also evaluate the range of tools available to them and decide whether they can benefit from utilizing Security Orchestration, Automation and Response (SOAR) technology to increase the efficiency and effectiveness of their security program within their current structure.
Security Infrastructure and Employee Training Are Paramount
In summary, CISOs will be faced with ever more challenges and increasing threats, and these are only set to continue over the coming months. They should ensure that their security infrastructures follow established frameworks such as NIST, ISO, SANS and PCI DSS, as well as best practices for application security, cloud computing and encryption.
They should prepare to resource their security teams with adequate technology and tools to respond to threats and alerts and to minimize the impact as much as is feasibly possible, with set policies and procedures in place. To enforce security best practices across all departments of the company, it is important that security decisions are fully understood and supported by the leadership team as well as human resources, with a range of corporate policies to meet the challenges of ever-changing technologies.
CISOs need to promote security best practices and corporate policies, industry laws, regulations and compliance by educating and training relevant stakeholders, starting with employees. The use of workshops, seminars, websites, banners, posters and training in all areas of the company will heighten people’s awareness of threats and exploits, increasing their knowledge while also teaching them the best way to respond, or to raise the alarm, if there is a potential threat. The initial investment in education and training may be a burden on time and resources, but in the long run it will prove beneficial and could potentially prevent the company from experiencing a serious threat or a penalty for non-compliance.
Completing a full analysis of current resources, skill sets, security tools and platforms will all play a part in deciding whether in-house or outsourced security operations is the best approach. Either way, the benefits of using SOAR technology should not be overlooked: it leverages existing security products to dramatically reduce the response and remediation gap caused by limited resources and the increasing volume of threats and incidents, and it assists with important breach notification requirements.