SANS 2018 SOC Survey – How Does Your SOC Stack Up?

Each year SANS conducts a global Security Operations Center – SOC survey to identify the latest trends, recommendations and best practices to enable organizations to successfully build, manage, maintain and mature their SOCs.  With the continual increase in volume and sophistication of cyber attacks it is crucial that SOCs are performing as effectively and efficiently as possible to respond to all security alerts and potential incidents, as well as providing a clear benefit and ROI to the organization’s current security program.

This week SANS released the results of their 2018 survey and what they defined as “SOC-cess”!  This blog will cover a quick snapshot of the report highlights and we will delve deeper into some of the results in future posts.  

You can download the full report here. DFLabs is joining the SANS team for a live webinar to discuss the results in more detail (16th August at 1:00 PM EDT).  

SANS 2018 SOC Survey Highlights

Regardless of whether you are a security analyst, a SOC manager or a C-level executive, I am sure there will be some key learning points and takeaways for you, with some of the results resonating with you and your organization.  So, how does your SOC stack up against the 2018 survey results?

Here are the key findings.

  • Only half of SOCs (54%) use any form of metrics to measure their performance
  • There is a lack of coordination between SOCs and NOCs (only 30% had a positive connection)
  • Asset discovery and inventory tool satisfaction was rated the lowest of all technologies
  • The most meaningful event correlation is still primarily carried out manually
  • Over half of respondents (54%) did not consider their SOC a security provider to their business
  • The most common architecture is a single central SOC (39%)
  • Nearly a third of SOCs are staffed by 2-5 people (31%) and just over a third by 6-25 people (36%)
  • Top shortcomings to SOC performance included:
    – Shortage of skilled staff (62%)
    – Inadequate automation and orchestration (53%)
    – Too many unintegrated tools (48%)

What do these results actually mean? I am sure they can be interpreted in many ways. For me, some results were not surprising, such as the shortage of skilled labor being the number one shortfall affecting SOC performance. However, some were quite startling, in particular the number of SOCs that do not use any form of metrics to measure performance, which the results put at nearly half.

With the growing number of threats also comes a growing number of challenges, and today it just isn’t possible for SOC analysts to manually carry out everything that is needed to run the SOC effectively. Investment in technology seems to be a must to help improve efficiencies, but it needs to be the right technology for the organization. The survey results show a clear need for SOCs to invest further in tools such as automation and orchestration, which was identified as the second most common shortfall affecting performance at 53%.   

Defining and Measuring SOC-cess

What is “SOC-cess” and how can we determine what an efficient and effective SOC is?  SANS’ definition of SOC-cess is as follows.

“SOC success requires the SOC to take proactive steps to reduce risk in making systems more resilient, as well as using reactive steps to detect, contain and eliminate adversary actions.  The response activities of SOC represent the reactive side of operations.”

I am sure it can be defined and is defined in a multitude of ways across different organizations, but metrics will always be a key factor.  Of those SOCs surveyed, the top three metrics measured included:

  1. Number of incidents handled
  2. Average time from detection to containment to the eradication of an incident
  3. Number of incidents closed in a single shift

Without these metrics, there is nothing to compare to or benchmark against when measuring the overall performance and capabilities of the SOC, and it will be difficult for management to justify investment in additional tools or resources if effectiveness and return on investment cannot be quantified. Therefore, measuring metrics should be a number one priority for any SOC wanting to determine its success, not only for the 54% of SOCs that currently do so.

Summary of Findings

Overall the SANS 2018 SOC survey results indicated that there was somewhat limited satisfaction with current SOC performance with an absence of a clear vision and route to excellence. Also, survey respondents felt that their SOCs were not fulfilling expectations and many areas could still be improved, although there was an overall consensus of the key capabilities that they felt must be present within a SOC.

Compared to last year’s survey, the results showed a minor improvement; however, there are still many challenges facing today’s SOCs and the teams operating within them which need to be overcome.

There are, though, a number of things that can help to drive improvements. These include better recruitment and internal talent development, improved metrics to ensure the SOC is providing value to the organization, a deeper understanding of the overall environment that is being defended, and better coordination between the NOC and the SOC, using orchestration tools to drive consistency.

Overall, the existence of a functional and mature SOC is a critical factor in an organization’s security program to adequately protect the business from the ever-evolving threat landscape and SOCs will need to continue to work on improving what they already have in place.

How Can DFLabs Help?

A Security Orchestration, Automation and Response (SOAR) platform, such as that offered by DFLabs, can not only help to tackle the orchestration and automation shortfalls mentioned above, but can also help to tackle a number of other common SOC challenges and pain points, including the shortage of skilled workforce, the integration of tools, and the measurement of SOC performance metrics.

Ask DFLabs today how we can help you to transform your SOC with SOAR technology and request a live demo of IncMan SOAR in action to see more.

Automate Actionable Network Intelligence with Tufin and DFLabs SOAR Platform

Enterprise networks are complex environments, with numerous components often under the control of teams outside the security team. During an incident, it is critical that respondents understand the network topology and have the most current network policy and device information available to them. Network documentation is often incomplete and out-of-date; security teams need a way to quickly and efficiently gather actionable network intelligence to effectively respond to a security incident.

This blog will cover some of the current challenges faced by security operations teams and how they can harness the vast amounts of network intelligence available, such as device, policy and path information, using Tufin as a case study. By integrating with Tufin Orchestration Suite, DFLabs’ IncMan SOAR platform can use its R3 Rapid Response Runbooks to collect actionable network intelligence, along with its automation, orchestration and measurement capabilities, to respond faster and more efficiently to security incidents.

The Challenges

There are three specific challenges that are common within any security operations center and analysts need to be able to find an effective and efficient way to solve them and obtain the information they need as quickly as possible.

  • How can I get a current list of network devices?
  • How can I get a current list of rules and policies?
  • How can I determine the network path from source to destination?

The DFLabs and Tufin Solution

Tufin Orchestration Suite takes a policy-centric approach to security to provide visibility across heterogeneous and hybrid IT environments, enable end-to-end change automation for network and application connectivity and orchestrate a unified policy baseline across the next generation network. The result is that organizations can make changes in minutes, reduce the attack surface and provide continuous compliance with internal and external/industry regulations. The ultimate effect is greater business continuity, improved agility and reduced exposure to cyber security risk and non-compliance.

Tufin Orchestration Suite together with DFLabs IncMan SOAR platform provides joint customers with an automated means to gather actionable network intelligence, a task which would otherwise need to be performed manually, taking up valuable analyst time when every minute counts. This results in an overall decrease in the mean time to respond (MTTR) to a computer security incident, saving the organization both time and potential financial and reputation loss.

The integration provides a list of current network devices based on any number of criteria, a list of current rules and policies for any number of devices, and the ability to simulate network traffic from source to destination, including the path taken and the rules applied along it. Here is a use case in action to see exactly how.

Use Case

Network traffic between a workstation and a domain controller has been identified as potentially malicious by the organization’s UBA platform. The UBA platform generated an alert which was forwarded to IncMan SOAR, causing an incident to be automatically generated. Based on the IncMan Incident Template, the following R3 Runbook was automatically assigned and executed to gather additional network intelligence.

[Figure: network intelligence R3 Runbook]

The information gathering begins by simulating the network path between the source address and destination address of the potentially malicious network traffic. This information is gathered by two separate Enrichment actions, one which will display this information in a table format, and another which will display the same information in a graphic network path which can be exported and shared or added to reports.

[Figure: network intelligence 2]

As with information from any other IncMan Enrichment action, each network device on the path between the source address and the destination address is stored within an array which can be used by subsequent actions.

After the path information has been retrieved, an additional Enrichment action is used to retrieve information about each device along the path.  This includes information such as device vendor, model, name and IP addresses.

Following the acquisition of the device information, two additional Enrichment actions are utilized to gather additional network intelligence. The first action will retrieve all rules for each network device along the path. Detailed information on each matching rule will be displayed for the analyst, allowing the analyst to assess why the traffic was permitted or denied, what additional traffic may be permitted from the source to the destination, and what rule changes may be appropriate. The second action will retrieve all policies for each network device along the path. Similar to the previous rule information, this information will allow the analyst to assess the configured network policies and determine what, if any, policy changes should be made to contain the potential threat.

Harnessing the power of Tufin Orchestration Suite, along with the additional orchestration, automation and response features of DFLabs’ IncMan SOAR platform, organizations can elevate their incident response process, leading to faster and more effective response and reduced risk across the entire organization.

To see the integration in action, request a demo of our IncMan SOAR platform today.

DFLabs Announces New No-Script Automation Tool (NAT) at Black Hat USA

DFLabs will announce its new No-Script Automation Tool (NAT) at Black Hat USA on August 8th, 2018 in Las Vegas. DFLabs’ No-Script Automation Tool (NAT) is a new free tool that helps incident responders collect live forensic data. In this blog post, we will discuss the details of the NAT tool.

Why has live data acquisition become an increasingly important task?

When responding to a potential security incident, it is often standard practice to perform some level of live data acquisition on potentially compromised hosts. In some cases, this is due to the need to acquire volatile data, such as running processes, open files, network connections and other memory artifacts. In other cases, it is simply not possible to take the host offline to perform traditional dead-box forensics. No matter the reason, live data acquisition has become an increasingly important task.

Performing live data acquisitions presents some unique challenges not present with traditional dead-box forensics. Chief among these is ensuring that any live response tools are run in a repeatable, documented and secure manner. These challenges are most often addressed by placing the live response tools on a USB drive which can be attached to the target host, and scripting their execution (usually via a batch script on Windows hosts) to guarantee that each tool is run in the correct manner.

While batch scripting does address many of the challenges of live data acquisition, it has several shortcomings. Many live data acquisition tools are specific to a certain OS or CPU architecture. Attempting to make logic choices within a batch script regarding OS and CPU architecture is unreliable at best, and significantly increases the complexity of the batch script.  The only other option is to have a separate batch script for each OS group and CPU architecture, which does not scale well.

Running live data acquisition tools via a batch script can also create security concerns. Unless each tool and its associated commands are manually examined before each execution, it is possible that either the tools themselves or their commands have been modified, whether accidentally or maliciously. This could lead to unintended results when executing the batch script, or even further compromise of the host.

What is The No-Script Automation Tool (NAT)?

The No-Script Automation Tool (NAT) is a free command line tool from DFLabs designed to solve the complexity and management issues surrounding scripting multiple tools via batch scripts for Windows systems. No-Script Automation Tool (NAT) allows users to run sets of pre-defined and pre-verified tools based on the user-specified input, predefined commands and system properties such as architecture and Windows version.

How the No-Script Automation Tool (NAT) works?

As with previous methods, NAT is placed on a USB drive along with any live data acquisition tools. However, that is where the similarities end. Live data acquisition tools are organized into directories based on their category (process information, network information, file information, etc.) and then by OS range and CPU architecture if required. If specific command line arguments are required for a certain tool, one or more sets of arguments can be defined by placing a text file in the same directory as the tool.

[Figure: No-Script Automation Tool (NAT) 1]

Once the drive is configured with the appropriate directory structure, tools and commands, NAT allows users to create an integrity file which hashes the contents of both the tools and the commands and stores this information in a password-protected file on the drive. Once the integrity file exists, NAT will require the user to enter the password or explicitly choose to bypass the integrity check. If the correct password is entered, NAT compares the hash of each tool and command to the known-good values and alerts the user to any mismatch. The bypass option should be reserved for situations where the password is genuinely unavailable: a skipped check gives no assurance that the tools on the drive are the ones that were originally verified.

During execution, NAT records a detailed log of each tool that is executed. By default, NAT will write the output of each tool to a folder named for the hostname it is executed on, in the root of the drive it is executed from. Users have the option to change the output directory when NAT is run.  Upon completion, the output from each tool is hashed and this information is also recorded in the log to ensure data integrity.
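The integrity check described above, worked through as an added example (this is not DFLabs’ NAT code, and the manifest name, the directory layout and the choice of HMAC-SHA256 under a PBKDF2-derived key are this example’s assumptions). It hashes every tool and command file on the drive, seals the hash list with a key derived from the password, and on verification reports files that were modified, removed or added since the kit was sealed. A plain hash list would not be enough: whoever can edit a command file on the drive can also edit an unprotected list of hashes, so the list has to be bound to a secret the editor does not have.

```python
"""Build and verify a keyed integrity manifest for a live-response tool kit.

Added example, not DFLabs' NAT code. Layout, file names and the use of
HMAC-SHA256 with a PBKDF2-derived key are this example's assumptions.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

MANIFEST_NAME = "integrity.json"   # assumed name for the protected hash file
PBKDF2_ITERATIONS = 200_000


def _derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _hash_tree(root: Path) -> dict:
    """SHA-256 of every file under root (tool binaries and their command .txt
    files), keyed by relative POSIX path so the manifest is drive-letter independent."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.name != MANIFEST_NAME:
            digests[path.relative_to(root).as_posix()] = _file_digest(path)
    return digests


def build_manifest(root: Path, password: str) -> Path:
    """Hash the kit and write a manifest whose body is authenticated by an HMAC
    under a password-derived key, so editing the hash list without the password
    is detected at verification time."""
    salt = os.urandom(16)
    body = json.dumps(_hash_tree(root), sort_keys=True).encode()
    tag = hmac.new(_derive_key(password, salt), body, "sha256").hexdigest()
    out = root / MANIFEST_NAME
    out.write_text(json.dumps({"salt": salt.hex(), "body": body.decode(), "hmac": tag}))
    return out


def verify_manifest(root: Path, password: str) -> dict:
    """Compare the current drive contents to the sealed manifest.
    Raises ValueError if the password is wrong or the manifest itself was altered."""
    manifest = json.loads((root / MANIFEST_NAME).read_text())
    salt = bytes.fromhex(manifest["salt"])
    body = manifest["body"].encode()
    expected = hmac.new(_derive_key(password, salt), body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        raise ValueError("bad password or manifest tampered with")
    known_good = json.loads(body)
    current = _hash_tree(root)
    return {
        "modified": sorted(p for p in known_good if p in current and current[p] != known_good[p]),
        "missing": sorted(p for p in known_good if p not in current),
        "unexpected": sorted(p for p in current if p not in known_good),
    }


def demo() -> dict:
    """Constructed kit: seal it, tamper with one command file, report the result."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "process" / "x64").mkdir(parents=True)
        (root / "process" / "x64" / "pslist.exe").write_bytes(b"MZ-placeholder")  # stand-in binary
        (root / "process" / "x64" / "pslist.txt").write_text("-accepteula -t\n")
        (root / "network").mkdir()
        (root / "network" / "netstat.txt").write_text("-ano\n")
        build_manifest(root, "correct horse")
        # Someone appends an extra command to the argument file after sealing.
        (root / "process" / "x64" / "pslist.txt").write_text("-accepteula -t & evil.exe\n")
        return verify_manifest(root, "correct horse")


def demo_wrong_password() -> bool:
    """True if a wrong password is rejected instead of silently 'passing' the check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "netstat.txt").write_text("-ano\n")
        build_manifest(root, "correct horse")
        try:
            verify_manifest(root, "wrong")
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print(demo())
    print("wrong password rejected:", demo_wrong_password())
```

The per-file hashes are what catches a swapped binary or an edited argument file; the HMAC over the list is what stops the attacker from simply regenerating the list. Hashing the tool output at the end of a run, as the text describes, uses the same digest routine and gives the log a value that can be re-checked when the evidence is later copied off the drive.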

Download the No-Script Automation Tool (NAT) from DFLabs here.

If you missed my speaking slot at Black Hat USA in Arsenal 2 on August 8th or would like further information, please do not hesitate to get in touch.  

DFLabs IncMan SOAR V4.4 Brings Automated START Triage Capability, New Bidirectional Integrations and More

DFLabs is excited to announce the latest release of its award-winning and industry-leading Security Orchestration, Automation and Response (SOAR) platform, IncMan SOAR Version 4.4. We are constantly listening to customer and industry feedback, and IncMan v4.4 includes many new features which come directly from our users.

Security teams across the industry are plagued with false positive alerts and DFLabs is continually seeking innovative ways to improve the efficiency of the incident handling process. Traditionally, each alert generates an incident, which must be investigated by an analyst to determine the veracity of the alert. This process can lead to an overwhelming number of incidents, sometimes created because of false positive alerts.

Automated START Triage Capability –  one of the most exciting features of IncMan v4.4

One of the most exciting features of IncMan v4.4 is the new automated Triage capability called START (Simple Triage And Rapid Treatment) Triage. IncMan’s START Triage allows alerts to be sent to IncMan via the API to be triaged before being converted to an incident. The Triage event queue, separate from the Incident queue, can be worked by Tier 1 analysts to determine which events warrant further investigation as an incident, and which events can be discarded as false positives. The Triage event function is able to harness the full automation and orchestration power of IncMan’s R3 Rapid Response Runbooks to enrich event information, allowing the analyst to quickly make a determination regarding the reliability of the alert and take quick, decisive action.

The flexibility and customizability of the new automated START Triage allow it to adapt to almost any use case. Some use cases include network alerts, endpoint alerts, transaction fraud alerts and threat intelligence alerts.  START Triage is already being used by a major European bank to eliminate manual first line assessments of suspected fraudulent online transactions in one of the first applications of SOAR technology to financial fraud investigations.

DFLabs IncMan SOAR v 4.4 introduces a variety of new bidirectional integrations

IncMan v 4.4 includes many new bidirectional integrations from a variety of product categories including SIEM, network defense, endpoint protection and threat intelligence, chosen to broaden the orchestration and automation capabilities of our customers. These new bidirectional integrations include:

In addition to these new integrations, we have also made several improvements to existing integrations, such as Splunk and IBM QRadar, to expand their capabilities.

Flexible R3 Rapid Response Runbooks for any situation

IncMan v4.4 includes several enhancements designed to make our R3 Rapid Response Runbooks even more flexible.  R3 Runbooks can now be used to call other R3 Runbooks. For example, a phishing R3 Runbook which detects a malicious attachment can now automatically call the appropriate malware R3 Runbook, eliminating the need to create processes within multiple runbooks. R3 Runbooks now also have the ability to update any attribute of an incident, such as priority, type, assigned analysts or any custom attributes, ensuring that the incident information is automatically updated as needed.

IncMan v4.4 features improvements to our automatic observables harvesting capabilities. Unstructured data added to free text areas of IncMan will automatically be searched for the presence of any observables, such as email addresses, IP addresses or domains. Any observables detected within this unstructured data will be automatically added to the appropriate observables section within IncMan, allowing users to perform any of the many enrichment, containment or custom actions on this data.
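Observable harvesting of the kind described above, as an added example that is not IncMan’s own implementation. It extracts e-mail addresses, IPv4 addresses and domains from constructed analyst notes and handles two cases a practitioner hits immediately: indicators pasted in defanged form (`203[.]0[.]113[.]45`, `hxxp://`, `user[at]host`) are refanged before matching, and a four-octet match is only kept if each octet is in range, so version strings and typos do not become false observables. The refang patterns and the filename-extension list are this example’s assumptions.

```python
"""Harvest observables (IPv4 addresses, e-mail addresses, domains) from free text.

Added example, not IncMan's harvesting code. Refang rules and the list of
filename extensions treated as non-domains are assumptions of this example.
"""
import ipaddress
import re

# Common defanging conventions seen in reports and tickets (assumed set).
_REFANG = [
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.I), "."),
    (re.compile(r"\[at\]|\(at\)", re.I), "@"),
    (re.compile(r"hxxps?://", re.I), lambda m: m.group(0).lower().replace("hxxp", "http")),
]
_IPV4 = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")
_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Dot-separated hostname labels ending in an alphabetic TLD; the lookbehind
# excludes the host part of an e-mail address, which is reported with the e-mail.
_DOMAIN = re.compile(
    r"(?<![\w@.-])((?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63})(?![\w-])"
)
# "report.pdf" is a filename, not a host. .zip is a real TLD, so it is deliberately absent.
_FILE_EXTENSIONS = {"pdf", "exe", "dll", "txt", "docx", "xlsx", "log"}


def refang(text: str) -> str:
    """Undo defanging so the same patterns match both raw and defanged indicators."""
    for pattern, repl in _REFANG:
        text = pattern.sub(repl, text)
    return text


def harvest(text: str) -> dict:
    """Return refanged, validated, de-duplicated observables grouped by type."""
    text = refang(text)
    emails = {m.lower() for m in _EMAIL.findall(text)}
    ips = set()
    for candidate in _IPV4.findall(text):
        try:
            ips.add(ipaddress.IPv4Address(candidate))
        except ValueError:
            continue  # octet out of range, e.g. 999.1.1.1 or a version string
    domains = set()
    for name in _DOMAIN.findall(text):
        name = name.lower()
        if name.rsplit(".", 1)[1] in _FILE_EXTENSIONS:
            continue
        domains.add(name)
    return {
        "email": sorted(emails),
        "ip": [str(ip) for ip in sorted(ips)],
        "domain": sorted(domains),
    }


# Constructed analyst note; every indicator in it is documentation/example space.
SAMPLE_NOTE = """\
Analyst note (constructed): user jdoe@corp.example reported a phish from
billing[at]invoice-update.biz. The link hxxp://cdn.invoice-update[.]biz/login
resolved to 203[.]0[.]113[.]45 and later 198.51.100.7:8443. Attached report.pdf
hash is in the ticket; an earlier IOC 999.1.1.1 was a typo. Workstation 10.0.0.25
beaconed to c2.example.net every 60s."""

if __name__ == "__main__":
    for kind, values in harvest(SAMPLE_NOTE).items():
        print(kind, values)
```

Each harvested value is already in the canonical form a subsequent enrichment or containment action would need (lower-cased, refanged, octets validated), which is the point of doing the normalisation at harvest time rather than in every downstream action.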

These are just some of the highlights of our latest IncMan release; IncMan SOAR Version 4.4 includes many other enhancements designed to streamline your orchestration, automation and response process.  

See IncMan SOAR v4.4 in action

If you would like to see a demo of our latest release you can see it first hand at the upcoming Black Hat USA conference at our booth #IC2329 on August 8-9, schedule a time for a chat with one of our cybersecurity experts here, or alternatively you can request a live demo online.  

Stay tuned to our website for additional updates, feature highlights and demos of our latest release.

Full Lifecycle Threat Management by Integrating DFLabs SOAR with McAfee ePO

The escalation in the cyber threat environment, a growing attack surface, increased regulatory cyber security requirements and a shortfall in skilled cyber security professionals have converged to create a nexus of forces that is challenging enterprises to manage their threat management and their overall security posture to succeed in business in the 21st century. Machine learning and security automation are key critical capabilities to surmount these challenges and will enable organizations to thrive amidst adversity.

Security operations teams struggle to gain visibility of threats and rapidly respond to incidents due to the sheer number of different security technologies they must maintain and manage and the resulting flood of cyber alerts. Challenges they face include but are not limited to:

  • How can I aggregate and correlate disparate security sources to increase my visibility of threats and effectively investigate alerts and incidents?
  • How can I prioritize my response to security incidents at volume and at scale across a growing attack surface?
  • How can I rapidly respond to security incidents with limited resources to contain the damage and limit legal exposure?

DFLabs and McAfee are key partners in delivering full lifecycle threat management.

McAfee ePolicy Orchestrator (McAfee ePO) is the most advanced, extensible, and scalable centralized security management software in the industry. Unifying security management through an open platform, McAfee ePO makes risk and compliance management simpler and more successful for organizations of all sizes. As the foundation of McAfee Security Management Platform, McAfee ePO enables customers to connect industry-leading security solutions to their enterprise infrastructure to increase visibility, gain efficiencies, and strengthen protection.

Aggregating these alerts into a single pane of glass to prioritize what is critical and needs immediate attention, requires a platform that can consolidate disparate technologies and alerts, and provides a cohesive and comprehensive capability set to orchestrate incident response efforts.

By integrating with McAfee ePO, DFLabs IncMan SOAR platform extends these capabilities to McAfee customers, enabling them to execute full lifecycle incident response management.

DFLabs IncMan R3 Rapid Response Runbooks automate and orchestrate end-to-end threat containment by integrating with McAfee ePO. Security operations teams can enrich security incidents with asset context and quarantine compromised systems based on conditional and logical decision paths that can be fully or semi-automated, acting as a force multiplier, reducing the time from threat discovery to containment, and increasing operational efficiency. DFLabs’ machine learning driven Automated Responder Knowledge guides security analysts in identifying the most effective course of action using McAfee ePO.

DFLabs SOAR and McAfee ePO Use Case in Action

An alert based on a malicious file detected by AV has automatically generated an Incident within IncMan. This alert is automatically categorized as a Malware incident within IncMan based on the organizations’ policies, which initiates the organization’s Malware Alert runbook, shown below.

[Figure: threat management incman_1]

IncMan automatically queries the hash value provided by the organization’s AV solution against VirusTotal. If VirusTotal indicates that five or more AV vendors have identified the hash value as malicious, IncMan uses an Enrichment action to automatically query McAfee ePO for the host information and sends this information to the appropriate analysts.

Next, using a Containment action, IncMan automatically tags the host which generated the AV alert with the tag “quarantine” in McAfee ePO. Finally, IncMan notifies the appropriate analysts that the host has been tagged in McAfee ePO.

[Figure: threat management incman_2]

The automated workflow of IncMan’s R3 Runbooks means that an incident will have been automatically generated, and these enrichment and containment actions through the Quick Integration Connector with McAfee ePO will have already been committed before an analyst is even aware that an incident has occurred.

Harnessing the power of McAfee ePolicy Orchestrator, along with the additional Security Orchestration, Automation and Response capabilities of DFLabs’ IncMan SOAR platform, organizations can elevate their incident response process, leading to faster and more effective incident response and reduced risk across the entire organization.

Five Critical Components of SOAR Technology

In our previous two blogs, we looked at some of the most common problems a Security Orchestration, Automation and Response (SOAR) Technology is designed to solve and the three pillars of a SOAR solution. We will round out this three-part series by taking a more detailed look at some of the most critical SOAR Technology components any SOAR solution should possess. While some of these components may be more critical than others to individual organizations, each plays an important role in the overall function of a SOAR solution and should be considered when evaluating different platforms.

1. Customizability and Flexibility

No two security programs will be alike; this is especially true when you cross vertical lines. For a SOAR solution to be effective, it should be capable of being the single tool on top of the security stack. A SOAR solution should be able to be implemented in a manner that is optimized for CSIRT teams, as well as SOCs, MSSPs and security teams. Data input from a multitude of sources, including machine to machine, email, user submissions and manual input should be supported. The importance of security metrics means that customers should be able to customize not only the values available in the solution but also what attributes are tracked as well.

The number of security solutions, commercial, open source, and developed in-house means that any viable SOAR solution must be flexible enough to support a multitude of security products. Any SOAR solution will support many security products out of the box, however, the likelihood that all the organization’s security products will be supported by default is low. For that reason, it is crucial that a SOAR solution has a flexible option in place that allows customers to easily create bi-directional integrations with security products which are not supported by default.  

2. Process Workflows

One of the key benefits of a SOAR solution is being able to automate and orchestrate process workflows to achieve force multiplication and reduce the burden of repetitive tasks on analysts. To achieve these benefits, a SOAR solution must be able to support flexible methods for implementing process workflows. The implementation of these workflows must be flexible enough to support almost any process which may need to be codified within the solution. Workflows should support the use of both built-in and custom integrations, as well as the creation of manual tasks to be completed by an analyst. Flow controlled workflows should support multiple types of flow control mechanisms, including those which allow for an analyst to make a manual decision before the workflow continues.  

3. Incident Management

Incident response is a complex process. Orchestration and automation of security products provide obvious value to any security program, but to maximize the time and monetary investment in a SOAR solution, a comprehensive SOAR solution should include additional features to manage the entire incident response lifecycle. This should include basic case management functionality, such as tracking cases, recording actions taken during the incident and reporting on critical metrics and KPIs. It should also include other ancillary functions such as detailed task tracking, evidence and chain-of-custody management, asset management, and report management.

4. Threat Intelligence

Actionable threat intelligence is a critical component in effective and efficient incident response. While simple threat intelligence feeds still provide some value and should be supported by a SOAR solution, to be truly effective in today’s threat landscape, threat intelligence must go above and beyond simple feeds. Because a SOAR solution has access to not only the indicators but also the rest of the incident information which can provide the additional context, it is in a unique position to gather actionable threat intelligence.

A proactive security program requires threat intelligence to be properly correlated to discover attack patterns, potential vulnerabilities and other ongoing risks to the organization. This correlation should be done automatically and it should be immediately clear if an ongoing incident may share common factors with any previous incidents. Because threat intelligence can consist of a vast amount of data, visual correlation is also an important factor when assessing threat intelligence capabilities.

5. Collaboration and Information Sharing

Incident response is not a one-player sport. Response to a security incident will likely involve multiple individuals and potentially multiple teams, and even multiple organizations. To be effective in a team environment, a SOAR solution must support seamless collaboration and information sharing among team members in a controlled manner.

Collaboration and information sharing must also be possible outside of the organization itself.  This is especially true in the context of threat intelligence. Open sharing of threat intelligence, when possible, is a critical tool in fighting cybercrime. There are numerous avenues available to share threat intelligence: open, closed and industry-specific. The majority of these threat intelligence sharing programs use one of the open standards for threat intelligence, such as STIX/TAXII, OpenIOC or MISP, and each of these standards should be supported by a SOAR solution.

For more information on any of these topics covered in this three-part series, please check out our whitepaper “Security Orchestration, Automation, and Response (SOAR) Technology” here.

Leveraging SOAR Technology to Facilitate Knowledge Transfer in Security Operations

Earlier this year I was talking to a colleague about the state of SOC operations and how I was looking forward to going to the SANS Security Operations Summit in New Orleans in July. The folks who attend SANS events are at the top of their game and let’s be honest, SANS provides some of the best training in our industry, so what’s not to love?

The conversation quickly turned to how to provide better scalability within SOC operations. Given that our teams are confronted with an increased number of alerts coming from more sophisticated actors on a daily basis, how do we keep up? We spoke about the need for better security automation to enrich the information available at the onset of an incident and how malware has been automating since the Morris worm 30 years ago.

At one point she asked me how best we can handle the transfer of incident handling “tribal knowledge” from the senior Incident Response personnel to the junior members, given the daily workload they carry. I thought about it for a moment and threw out that perhaps increased spending for machine learning or AI could help bridge the knowledge gap. She then asked, “Couldn’t we take that money and invest in knowledge transfer within the team instead?” That simple and simultaneously complex question got me thinking about how we can better utilize existing resources to provide that knowledge transfer in an environment as dynamic and rapidly changing as an Incident Response organization.

I thought this topic was interesting enough to make it my focus for my upcoming speaking engagement at SANS.

As we already know, an increased workload coupled with an industry-wide shortage of skilled responders is heavily impacting operational performance in Security Operations Centers (SOCs) globally, and an integral part of the solution is formulating a methodology to ensure that crucial knowledge is retained and transferred between incident responders. By utilizing Security Orchestration, Automation and Response (SOAR) technology, security teams can combine traditional methods of knowledge transfer with more modern techniques and technologies.

Join me at the SANS Security Operations Summit on July 30, 2018 at Noon for an informal “Lunch and Learn” session to discuss how we ensure that the Incident Response knowledge possessed by our senior responders can be consistently and accurately passed along to the more junior team members while simultaneously contributing to the Incident Response process. I look forward to meeting you there.

If you are not attending the summit, don’t worry, you can visit our website to find out more information about the benefits of utilizing a SOAR solution with DFLabs’ IncMan SOAR platform.  Alternatively, if you would like to have a more in-depth discussion, you can arrange a demo to see IncMan live in action.

3 Core Pillars of a SOAR Solution

In our first blog in this series, we looked at some of the key drivers for Security Orchestration, Automation and Response (SOAR) adoption and what problems SOAR technology can help solve. Now, let’s look at the 3 core pillars which define what a SOAR solution is: Orchestration, Automation and Measurement.

The Core Pillars of a SOAR Solution: Orchestration, Automation, and Measurement

Security Orchestration

The number of technologies involved in today’s advanced security and incident response programs is exponentially more than it was even five years ago. While this has become necessary to effectively detect and respond to the current range and complexity of today’s threats, it has created its own problem: coordinating these technologies into one seamless process. Switching between these multiple technologies, what Gartner refers to as “context switching”, can create enormous inefficiencies in an organization’s security program.

Technology integrations are the most common method used to support technology orchestration. There are numerous methods which can be used to integrate technologies through a SOAR solution, including common communication mechanisms such as syslog and email, as well as more complex, bidirectional integration methods such as API calls. Although technology is typically the primary focus of orchestration, it is equally important to consider the orchestration of people and processes in a holistic security program. Technology should be supported by effective processes, which should enable people to respond appropriately to security events. A strictly technology-centric security program is no longer adequate; people and processes must also be orchestrated properly to ensure that a security program is operating at its maximum efficiency.

Security Automation

Although the concepts of orchestration and automation are closely related, the goals they seek to achieve are fundamentally different. While orchestration is intended to increase efficiency through increased coordination and decreased context switching to support faster, more informed decision making, security automation is intended to reduce the time these processes take by automating repeatable processes and applying machine learning to appropriate tasks.  

The key to successful automation is the identification of predictable, repeatable processes which require minimal human intervention to perform. Automation should act as a force multiplier for security teams, reducing the mundane actions that must be manually performed and allowing analysts to focus on those actions which require human intervention. Although some processes may be fully automated, a SOAR technology solution must also support automation which allows for human intervention at critical decision points.  

Measurement

Because a SOAR solution sits at the crossroads of the incident response process, it is in an ideal location to collect a trove of information. Measurement of security information is key for making informed tactical and strategic security decisions. Proper measurement is what turns raw incident information into critical intelligence. Measurement of both tactical and strategic information is useless without proper display and visualization. A SOAR solution must support multiple methods for displaying and visualizing all information in an effective and easy to digest manner.

Stay tuned for our final blog in this series, where we will discuss some of the critical components and functionality that a SOAR solution should contain. For more information on any of these topics, please check out our new whitepaper titled “Security Orchestration, Automation, and Response (SOAR) Technology” here.

Streamline Incident Management and Issue Tracking Using DFLabs SOAR and Jira

Security incidents are complex and dynamic events, requiring coordinated participation from multiple teams across the organization. For these teams to work with maximum efficiency, as a single body, it is critical that information flows seamlessly between all teams in real-time. Faced with a continued onslaught of security incidents, organizations must find ways to maximize the utilization of their limited resources to remain ahead of the attackers and ensure the integrity of the organization’s critical resources.

This blog will briefly discuss how your security operations team can manage security incidents in a whole new and efficient way by integrating DFLabs IncMan Security Orchestration, Automation and Response (SOAR) platform with your existing Jira solution, including a simple use case.

It is critical to bridge the gap between security teams orchestrating incidents with SOAR solutions such as IncMan and teams tracking other tasks with Jira, to ensure that all teams maintain a holistic view of the incident and function together as a single, unified body.

The Challenges

Today there are many challenges faced by security teams within their specific security programs. By integrating DFLabs IncMan SOAR with Jira you will be able to overcome the following key problems:

  • How can I ensure that all teams have the most up-to-date incident information?
  • How can I integrate the power of IncMan into my existing issues management process?
  • How can I enable all teams to work as a single unified body to increase the efficiency of the incident response process?
  • How can I quickly communicate critical information to those outside the security team?
Let’s discuss how in more detail.

How to Streamline Incident Management and Issue Tracking With The DFLabs SOAR and Jira Solution

Security operations teams struggle to gain visibility of threats and rapidly respond to cyber incidents due to the sheer number of different security technologies they must maintain and manage and the resulting flood of alerts. Aggregating these into a single pane of glass to prioritize what is critical and needs immediate attention requires a platform that can consolidate disparate technologies and alerts, and provides a cohesive and comprehensive capability set to orchestrate incident response efforts.

Jira’s industry-leading issue tracking solution has been battle-tested and has become the core of support, IT, incident response and project management processes in organizations worldwide. Jira allows teams from across the organization to collaborate and share information to plan, track and report projects and issues in real-time, maximizing efficiency and reducing impacts on the organization’s critical business processes.

By integrating with Jira, DFLabs IncMan extends these capabilities to Jira users, combining the orchestration, automation and response power of IncMan with the organization’s existing issue tracking process. IncMan’s R3 Rapid Response Runbooks can be used to automatically create issues within Jira and continue to update the issue as the incident progresses.

Allowing organizations to seamlessly share information between IncMan and Jira ensures that everyone involved in the incident response process is working with a unified set of information, enabling organizations to maximize security analyst efficiency, reduce incident resolution time and reduce the number of incidents handled.

Use Case

An alert of a host communicating with a potentially malicious domain has automatically generated an Incident within IncMan. This alert is automatically categorized within IncMan based on the organization’s policies, which initiates the organization’s Domain reputation runbook, shown below:

[Image: the organization’s Domain reputation runbook in IncMan]

Through this runbook, IncMan automatically gathers domain reputation information for the domain which generated the alert. If the resulting domain reputation information indicates that the domain may be malicious, IncMan will use a Notification action to automatically create a new Issue within Jira, allowing Jira users to immediately begin next steps. Next, using additional Enrichment actions, IncMan will automatically gather additional information regarding the suspicious domain, such as WHOIS and geolocation information. IncMan will then automatically update the Jira issue with this information. Finally, a screenshot of the page (if applicable), is taken and added to IncMan.

The automated workflow of IncMan’s R3 Runbooks means that an IncMan incident and Jira issue will have been automatically generated, and these enrichment actions through the Quick Integration Connector with Jira and other enrichment sources will have already been committed before an analyst is even aware that an incident has occurred. Both IncMan and Jira users are now able to perform their respective tasks, knowing that they are each working with the same information, and can continue to do so as the incident progresses.  
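The runbook described above, and the critical decision point the Security Automation section calls for, as an added example: this is neither IncMan nor Jira code. An in-memory tracker stands in for Jira, constructed lookup tables stand in for the reputation, WHOIS and geolocation sources, and the domain names are reserved .example placeholders.

```python
"""Added example (neither IncMan nor Jira code): a small runbook engine that mirrors
the workflow above. An in-memory tracker stands in for Jira, and constructed lookup
tables stand in for the reputation, WHOIS and geolocation sources."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample enrichment data; reserved .example names, not real IoCs.
REPUTATION = {"bad.example": "malicious", "odd.example": "suspicious", "ok.example": "clean"}
WHOIS = {"bad.example": {"registrar": "Example Registrar", "created": "2018-07-01"}}
GEO = {"bad.example": {"country": "ZZ"}}

@dataclass
class IssueTracker:
    """Stand-in for Jira: creates issues and keeps every update as history."""
    issues: dict = field(default_factory=dict)
    def create_issue(self, summary):
        key = f"SEC-{len(self.issues) + 1}"
        self.issues[key] = {"summary": summary, "history": []}
        return key
    def update_issue(self, key, note):
        self.issues[key]["history"].append(note)

@dataclass
class Incident:
    domain: str
    host: str
    status: str = "new"
    issue_key: Optional[str] = None
    enrichment: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # trail of runbook actions taken

def domain_reputation_runbook(incident, tracker):
    """Reputation -> decision -> Jira issue -> WHOIS/geo enrichment -> issue update.
    The screenshot step is omitted; an inconclusive verdict is parked for an analyst."""
    verdict = REPUTATION.get(incident.domain, "unknown")
    incident.enrichment["reputation"] = verdict
    incident.audit.append(f"reputation={verdict}")
    if verdict == "clean":
        incident.status = "closed-benign"
        return incident
    if verdict != "malicious":
        incident.status = "awaiting-analyst"  # human intervention, no Jira issue yet
        incident.audit.append("parked for analyst review")
        return incident
    incident.issue_key = tracker.create_issue(
        f"{incident.host} contacted malicious domain {incident.domain}")
    incident.audit.append(f"jira issue {incident.issue_key} created")
    for name, source in (("whois", WHOIS), ("geo", GEO)):
        data = source.get(incident.domain)
        if data:  # an enrichment source may have no record; skip rather than fail
            incident.enrichment[name] = data
            tracker.update_issue(incident.issue_key, f"{name}: {data}")
    incident.status = "escalated"
    return incident

if __name__ == "__main__":
    inc = domain_reputation_runbook(Incident("bad.example", "host01"), IssueTracker())
    print(inc.status, inc.issue_key, inc.audit)
```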

By harnessing the power of Jira’s industry-leading issue tracking solution, along with the orchestration, automation and response capabilities of DFLabs’ IncMan SOAR platform, organizations can elevate their incident response process, leading to faster and more effective incident response and reduced risk across the entire organization.

If you would like to see IncMan and Jira in action together in more detail, get in touch to request a live demo of IncMan with one of the team.

SOAR Technology – What Problems Are We Trying To Solve?
Increasing Adoption of SOAR Solutions

Over the past several years, Security Orchestration, Automation and Response (SOAR) has gone from being viewed as a niche product to one gaining traction across almost all industry verticals. Today, more and more private organizations, MSSPs and governments are turning to SOAR Technology to address previously unsolved problems in their security programs. SOAR is about taking action: “Automate. Orchestrate. Measure”. Organizations are implementing a SOAR solution to improve their incident response efficiency and effectiveness by orchestrating and automating their security operations processes. Gartner estimates that by 2019, 30% of mid to large-sized enterprises will leverage a SOAR technology, up from an estimated 5% in 2015.

In this first part of a three-part blog series, we will discuss the key drivers for SOAR adoption and what problems a SOAR solution can help solve. In the second part, we will discuss the three pillars of Security Orchestration, Automation and Response (SOAR). Finally, we will round out the series by discussing the critical components and functionality that a SOAR solution should contain.

Five Key Problems SOAR Technology Helps to Solve

Like many new product categories, Security Orchestration, Automation and Response (SOAR) technology was born from problems without solutions (or perhaps more accurately, problems which had grown beyond the point that they could be adequately solved with existing solutions). To define the product category more accurately, it is crucial to first understand what problems drove its creation. There are five key problems the SOAR market space has evolved to address.

  • Increased workload combined with budget constraints and competition for skilled analysts means that organizations are being forced to do more with less

As the number and sophistication of threats has grown over the past decade, there has been an explosion in the number of security applications in the enterprise. Security analysts are being forced to work within multiple platforms, manually gathering disparate data from each source, then manually enriching and correlating that data. Although it may not be as difficult to find security analysts as it once was, a truly skilled security analyst is still somewhat of a rare breed. Intense competition for these skilled analysts means that organizations must often choose between hiring one highly skilled analyst, or several more junior analysts.

  • Valuable analyst time is being consumed sorting through a plethora of alerts and performing mundane tasks to triage and determine the veracity of the alerts

Even when alerts are centrally managed and correlated through a SIEM, the number of alerts is often overwhelming for security teams.  Each one of these alerts must be manually verified and triaged by an analyst.  Alerts which are determined to be valid then require additional manual research and enrichment before any real action can be taken to address the potential threat. While these manual processes are taking place, other alerts sit unresolved in the queue and additional alerts continue to roll in.

  • Security incidents are becoming more costly, meaning that organizations must find new ways to further reduce the mean time to detection and the mean time to resolution

The cost of the average incident has increased steadily year on year. The immediate cost of an incident due to lost sales, employee time spent, consulting hours, legal fees and lawsuits is relatively easy to quantify. The financial loss due to reputational damage, however, can be much more difficult to accurately measure. Reducing the time to detect and resolve potential security incidents must be an absolute priority. Each hour that a security incident persists is effectively money out of the door.

  • Tribal knowledge is inherently difficult to codify, and often leaves the organization with personnel changes

Employee retention is an issue faced by almost every security team. Highly skilled analysts are an extremely valuable resource for which competition is always high. Each time an organization loses a seasoned analyst, some tribal knowledge is lost with them and they are replaced with an analyst who, even if they possess the same technical skills, will lack this tribal knowledge for at least a period of time. Training new analysts takes time, especially when processes are manual and complex.  Documenting security processes is a complex, but critical task for all security teams.

  • Security operations are inherently difficult to measure and manage effectively

Unlike other business units which may have more concrete methods for measuring the success or failure of a program, security metrics are often much more abstract and subjective. Traditional approaches to measuring return on investment are often not appropriate for security projects and can lead to inaccurate or misleading results. Properly measuring the effectiveness and efficiency of a security product or program requires a measurement process specially designed to meet these unique requirements.

About DFLabs IncMan SOAR

DFLabs is an award-winning and recognized global leader in Security Orchestration, Automation and Response (SOAR) technology. Its pioneering purpose-built platform, IncMan SOAR, enables SOCs, CSIRTs, and MSSPs to automate, orchestrate and measure security operations and incident response processes and tasks. IncMan SOAR drives intelligence-driven command and control of security operations, by orchestrating the full incident response and investigation lifecycle and empowers security analysts, forensic investigators and incident responders to respond to, track, predict and visualize cyber security incidents.  As its flagship product, IncMan SOAR has been adopted by Fortune 500 and Global 2000 organizations worldwide.

Schedule a live demo with one of our cyber security specialists here and see DFLabs IncMan SOAR platform in action. For more information on any of these topics, please check out our new whitepaper titled “Security Orchestration, Automation, and Response (SOAR) Technology” here.

Stay tuned for our next blog in this series, where we will discuss the three pillars of SOAR technology.