When a security incident occurs, it is unlikely that the entire scope and chain of events will be obvious from the outset. More often, it is a single indicator or security alert which provides the first inkling that something is wrong. This is especially true for more advanced, complex, or targeted attacks. It is the security team’s responsibility to take that small, possibly benign event, and determine if it is indeed an incident (triage), and if so, the full scope and impact of the incident (investigation).
Security teams often rely on threat intelligence during both the triage and investigation stages of an event. This information can be critical in determining the veracity of an alert and then pivoting from that first indicator to quickly determine the scope of the potential cyber security incident. For example, an endpoint alert for a suspicious file may provide a hash value, but little else. Manual analysis of the file will likely provide additional indicators, however, very few organizations have the time or resources to manually analyze each suspicious file they encounter. Threat intelligence can quickly add context to that first hash indicator; perhaps informing analysts that that file is a known dropper for another malicious file which may not have been detected by the endpoint solution, as well as providing IP addresses or domains to which the dropped file is known to have communicated with in the past. Online sandboxes can also be used to provide this kind of threat intelligence in near real-time, much faster and more cost-effectively than manual analysis.
How can threat intelligence be an effective tool?
For threat intelligence to be an effective tool, it must be both reliable and actionable. In the case of threat intelligence, reliable means that we are able to rely on the accuracy and completeness of the intelligence with a high degree of confidence. Actionable in this case means that the intelligence must be something that enables us to take some action, further investigation, containment etc., which we would not have been able to take without the threat intelligence. By definition, threat intelligence cannot be actionable if it is not reliable. For example, a threat intelligence source that classifies 18.104.22.168 (Google’s DNS) as malicious because a malware sample made a DNS request to this IP should not be considered reliable, and therefore we would not want to take action on intelligence from this source.
Reliable, actionable threat intelligence is the backbone of successful security automation. Where human analysts can determine the reliability and actionability of threat intelligence for each query, automation can be much less forgiving. For this reason, it is even more critical that there is a high degree of confidence in the source of threat intelligence when used in automation.
Still, when a high confidence threat intelligence source is combined with well-executed automation and orchestration processes, the result is a level of efficiency that simply cannot be achieved using strictly manual processes, The “query, investigate, pivot, repeat” can take many minutes or even hours when performed manually, but is often a very predictable and repeatable process which can be automated and completed in significantly less time. This allows analysts to focus their limited time on the portions of an investigation which require human analysis instead of the arduous data gathering and enrichment processes.
DFLabs and Cisco Use Case
As an example, let’s examine a malware analysis automation use case using a Runbook from DFLabs IncMan SOAR and several Cisco security products. This use case focuses strictly on the analysis of a malicious file, it is not dependent on the source of the file such as an attachment seen by Cisco Email Security. This same Runbook could be used with other automated runbooks as part of the response to an endpoint alert, malicious email attachment or other security event.
The Runbook begins by using Cisco Threat Grid to perform advanced sandbox analysis of the file to gather intelligence which can be used to further enhance and pivot the investigation. In this example use case, we will focus primarily on network indicators and threat intelligence to demonstrate the way in which automation can be used to pivot from indicator to indicator.
Follow the detonation and report from Cisco Threat Grid, this Runbook will perform basic enrichment actions on any IP addresses the malware sample was observed to be communicating with, such as WHOIS and geolocation queries. Following these basic enrichment actions, the Runbook will query Cisco Threat Grid for IP reputation information for each of the IP addresses. If Cisco Threat Grid returns negative reputation results exceeding a user defined threshold, the IP address will be automatically blocked at the firewall. The organization’s solution will then be queried to see if any hosts have been observed making connections to the malicious IP addresses. If the EDR solution returns results, the analyst will be presented with a User Choice decision, allowing the analyst to review the previously enriched information and make a manual decision as to whether to quarantine the host until further investigation can be completed.
Simultaneously, the Runbook queries Cisco Umbrella Investigate for domains associated with the IP addresses found during the executable analysis by Cisco Threat Grid. If any domains are found, a similar process to that performed on the IP addresses is performed; basic enrichment followed by a threat intelligence query and a domain detonation using Cisco Threat Grid. If Cisco Threat Grid returns negative reputation results exceeding a user defined threshold, the domain will automatically be blocked using Cisco Umbrella. As with the IP addresses, the EDR solution is then queried and any results will cause a User Choice decision to be presented to the user to consider quarantining the host until further investigation can be completed.
The final simultaneous action is a query of the EDR solution for evidence of execution of the executable’s hash value returned by Cisco Threat Grid. Any results will cause a User Choice decision to be presented to the user to consider quarantining the host until further investigation can be completed.
In this use case, User Choice decisions were used before quarantining hosts was performed to show how manual decision points can be used to enhance the confidence in Runbooks which may perform tasks which could have a negative impact on the environment, such as quarantining a host. These User Choice decisions could easily be automated decisions, depending on the preference of the organization. Conversely, the automated decisions made to block the IP addresses and domains could easily be made User Choice decisions.
This example use case shows how a time consuming manual process like pivoting from malware analysis to indicators across the network can be easily automated, saving analyst time while not compromising the final outcome of the process, by utilizing reliable and actionable threat intelligence.
By combining the vast capabilities of Cisco’s suite of security products, with the orchestration and automation power of DFLabs’ IncMan SOAR platform, organizations can respond to potential security incidents, with unmatched speed and accuracy.
To learn more about using threat intelligence effectively in Security Automation and Orchestration with Cisco Security, register now for our upcoming webinar on Tuesday October 30, at 11am EST / 4pm CET hosted by myself with guests Jessica Bair, Senior Manager, Advanced Threat Solutions, Cisco Security and Michael Auger, Senior Security Solutions Architect, Cisco Security.
About National Cybersecurity Awareness Month (NCSAM)
Every year since 2004, October has been recognized and celebrated as National Cybersecurity Awareness Month (NCSAM). NCSAM was created in a united effort between the Department of Homeland Security and the National Cyber Security Alliance to raise awareness on a variety of cybersecurity issues. NCSAM has grown exponentially over the years, reaching consumers, small and medium-sized businesses, corporations, government entities, the military, educational institutions, and young people nationally and internationally. NCSAM was designed with one goal, to engage and educate the public as well as the private sector partners through a series of events and initiatives with the goal of raising awareness about cybersecurity in order to increase the resiliency of the nation in the event of facing cyber incidents. This unified effort is necessary to maintain a cyberspace that is safer and more resilient and remains a source of tremendous opportunity and growth for years to come.
What’s New in 2018
This year, National Cybersecurity Awareness Month (NCSAM) focuses on internet security as a shared responsibility among consumers, businesses and the cyber workforce. NCSAM 2018 aims to “shine a spotlight on the critical need to build a strong, cyber-secure workforce to help ensure families, communities, businesses and the country’s infrastructure are better protected.” The month is divided into four week-long topics:
Week 1 (Oct. 1–5): Make Your Home a Haven for Online Safety
Week 2 (Oct. 8–12): Millions of Rewarding Jobs — Educating for a Career in Cybersecurity
Week 3 (Oct. 15–19): It’s Everyone’s Job to Ensure Online Safety at Work
Week 4 (Oct. 22–26): Safeguarding the Nation’s Critical Infrastructure
Staying Safe Online
This month, organizations should make it a priority to build on their existing cybersecurity knowledge and practices, better understand the current cyber threats impacting their industry. With the spotlight on security, NCSAM is a great time to review current cybersecurity strategies and map out strategic actions that could be undertaken to secure the organization’s infrastructure as much as possible.
Even though preventing every single attack is an impossible mission, all stakeholders within any organization, regardless of their position, capability or involvement within cybersecurity should aim to increase their security knowledge, as one phishing attack could have devastating consequences. Working towards increasing levels of awareness and training, strengthening partnerships and defenses, exchanging valuable information, and with advancing technology will help organizations to protect their brands and valuable assets.
With that being said, we know from experience that today cyber attacks are inevitable and regardless of the vast number of preventative measures we take to protect ourselves, our businesses and our infrastructure are still at risk. We can never be 100% certain that they are fully secure. Therefore it is key that organizations also have an appropriate and in-depth incident response plan in place in order to be able to respond efficiently and effectively to any type of incident that should unfortunately occur.
How SOAR Technology Helps To Improve Incident Response
Effective cyber defense demands a team effort where employees, end users, and enterprises recognize their shared role in reducing cybersecurity risks. As the ever-evolving cybersecurity landscape poses new challenges, companies are pushed even more to combat the growing number and even more sophisticated levels of cyber attacks. Organizations across all sectors and industries are a potential target. Security operations teams need to be prepared to respond to existing as well as to new types of cyber threats, in order to fully defend and protect their company assets.
As prevention is becoming increasingly difficult for security teams, some organizations also tend to have a weakness when it comes to incident response and the processes and workflows that should be implemented in order to minimize the impact. The main reasons why companies are failing at Incident Response is due to a number of factors including but not limited to inadequate resources, lack of skilled analysts, failure to manage phases, task overload and more.
Adopting a complete and comprehensive Security Orchestration, Automation and Response (SOAR) solution can go a long way towards preventing and mitigating the consequences of cyber incidents. The deployment of a SOAR solution can help alleviate a number of current security operations challenges (including the growing number of alerts, increased workloads and repetitive tasks, current talent shortage and competition for skilled analysts, lack of knowledge transfer and budget constraints), while improving the overall organization’s security posture by eliminating the most-common scenarios of resource-constrained security teams struggling to identify critical cyber incidents.
Some of the key benefits of using a Security Orchestration, Automation and Response (SOAR) solution are outlined below.
Top 10 Benefits of Adopting a SOAR Solution
- Acts as a force multiplier for security teams
- Automates manual repetitive processes to avoid alert fatigue
- Responds to all security alerts eliminating false positives
- Decreases the time to detect, remediate and resolve incidents
- Simplifies incident response and investigation processes
- Integrates with existing security operations tools and technologies
- Improves the overall efficiency and effectiveness of existing security programs
- Reduces operational costs and improves ROI
- Minimizes the risk and damage resulting from incidents
- Meets legal and regulatory compliance (e.g. NIST and GDPR) including incident reporting and breach notification
Security Orchestration, Automation and Response With DFLabs IncMan SOAR Platform
DFLabs’ IncMan SOAR platform provides a complete and comprehensive solution to streamline the full incident response lifecycle. IncMan SOAR, is designed for SOCs, CSIRTs and MSSPs to automate, orchestrate and measure security operations and incident response processes and tasks, all from within one single, intuitive platform. IncMan SOAR is easy to implement and use, allowing you to leverage the capabilities of your existing security infrastructure and assets.
Take this October’s national cybersecurity awareness month seriously and do your part in learning something new which could help your organization to better protect itself. Contact us today to organize a bespoke demonstration and to discuss your individual requirements.
We’ve been witnessing the continual transformation of the cyber security ecosystem in the past few years. With cyber attacks becoming ever-more sophisticated, organizations have been forced to spend huge amounts of their budgets on improving their security programs in an attempt to protect their infrastructure, corporate assets, and their brand reputation from potential hackers.
Recent research, however, still shows that a large number of organizations are experiencing an alarming shortage of the cyber security skills and tools required to adequately detect and prevent the variety of attacks being faced by organizations. Protecting your organization today is a never-ending and complex process. I am sure, like me, you are regularly reading many cyber security articles and statistics detailing these alarming figures, which are becoming more of a daily reality.
Many organizations are now transitioning the majority of their efforts on implementing comprehensive incident response plans, processes and workflows to respond to potential incidents in the quickest and most efficient ways possible. But even with this new approach, many experts and organizations alike express concerns that we will still be faced with a shortage of skilled labor able to deal with these security incidents, with security teams struggling to fight back thousands of potential threats generated from incoming security alerts on a daily basis.
With so many mundane and repetitive tasks to complete, there’s little time for new strategies, planning, training, and knowledge transfer. To make things worse, security teams are spending far too much of their valuable time reacting to the increasing numbers of false positives, to threats that aren’t real. This results in spending hours, even days on analyzing and investigating false positives, which leaves little time for the team to focus on mitigating real, legitimate cyber threats, which could result in a serious and potentially damaging security incident. Essentially, we need to enable security operations teams to work smarter, not harder; but is this easier said than done?
How does security orchestration and automation help security teams?
With this in mind, organizations need to find new ways combat these issues, while at the same time add value to their existing security program and tools and technologies being used, to improve their overall security operations performance. The answer is in the use of Security Orchestration, Automation and Response (SOAR) technology.
Security Orchestration, Automation, and Response SOAR solutions focus on the following core functions of security operations and incident response and help security operations centers (SOCs), computer security incident response teams (CSIRTs) and managed security service providers (MSSPs) work smarter and act faster:
- Orchestration – Enables security operations to connect and coordinate complex workflows, tools and technologies, with flexible SOAR solutions supporting a vast number of integrations and APIs.
- Automation – Speeds up the entire workflow by executing actions across infrastructures in seconds, instead of hours if tasks are performed manually.
- Collaboration – Promotes more efficient communication and knowledge transfer across security teams
- Incident Management – Activities and information from a single incident are managed within a single, comprehensive platform, allowing tactical and strategic decision makers alike complete oversight of the incident management process.
- Dashboards and Reporting: Combines of core information to provide a holistic view of the organization’s security infrastructure also providing detailed information for any incident, event or case when it is required by different levels of stakeholders.
Now let’s focus on the details of these core functions and see how they improve the overall performance.
Security Orchestration is the capacity to coordinate, formalize, and automate responsive actions upon measuring risk posture and the state of affairs in the environment; more precisely, it’s the fashion in which disparate security systems are connected together to deliver larger visibility and enable automated responses; it also coordinates volumes of alert data into workflows.
With automation, multiple tasks on partial or full elements of the security process can be executed without the need for human intervention. Security operations can create sophisticated processes with automation, which can improve accuracy. While the concepts behind both security orchestration and automation are somewhat related, their aims are quite different. Automation aims to reduce the time processes take, making them more effective and efficient by automating repeatable processes and tasks. Some SOAR solutions also applying machine learning to recommend actions based on the responses to previous incidents. Automation also aims to reduce the number of mundane actions that must be completed manually by security analysts, allowing them to focus on a high level and more important actions that require human intervention.
Incident Management and Collaboration
Incident management and collaboration consist of the following activities:
- Alert processing and triage
- Journaling and evidentiary support
- Analytics and incident investigation
- Threat intelligence management
- Case and event management, and workflow
Security orchestration and automation tools are designed to facilitate all of these processes, while at the same making the process of threat identification, investigation and management significantly easier for the entire security operations team.
Dashboards and Reporting
SOAR tools generate reports and dashboards for a range of stakeholders from the day to day analysts, SOC managers, other organization departments and even C-level executives. These dashboards and reports are not only used to provide security intelligence, but they can also be used to develop analyst skills.
Human Factor Still Paramount
Security orchestration and automation solutions create a more focused and streamlined approach and methodology for detection and response to cyber threats by integrating the company’s security capacity and resources with existing experts and processes in order to automate manual tasks, orchestrate processes and workflows, and create an overall faster and more effective incident response.
Whichever security orchestration and automation solution a company chooses, it is important to remember that no one single miracle solution guarantees full protection. Human skills remain the core of every future security undertaking and the use of security orchestration and automation should not be viewed as a total replacement of a security team. Rather, it should be considered a supplement that enables the security team by easing the workload, alleviating the repetitive, time-consuming tasks, formalizing processes and workflows, while supporting and empowering the existing security team to turn into proactive threat hunters as opposed to reactive incident investigators.
Humans and machines combined can work wonders for the overall performance of an organization’s security program and in the long run allows the experts in the team to customize and tailor their actions to suit the specific business needs of the company.
Finally, by investing in a SOAR solution for threat detection and incident response, organizations can increase their capacity to detect, respond to and remediate all security incidents and alerts they are faced with in the quickest possible time frames.
Last week, Anton Chuvakin from Gartner announced that Augusto Barros and himself are planning to conduct research in Q4 2017 on the topic of Security Orchestration, Automation and Response (SOAR), or Security Automation and Orchestration, depending on which analyst firms’ market designation you follow. At DFLabs we are very excited that Gartner is finally showing our market space some love and will be helping end users to better assess and differentiate SAO offerings.
Anton provided many questions that he wanted SAO vendors to prepare for. The questions immediately piqued our interest, with one question, in particular, standing out to us.
1.When is SOAR a MUST have technology? What has to be true about the organization to truly require SOAR? Why your best customer acquired the tools?
Anton also said that he had one main problem with Security Automation and Orchestration. In his own words, “For now, my main problem with SOAR (however you call those security orchestration and automation tools…if you say SOAPA or SAO we won’t hate you much) is that I have never (NEVER!) met anybody who thought “my SOAR is a MUST HAVE.”
The question is not entirely unwarranted. During my own time at Gartner covering the SOAR space, I spoke to many clients who were seeking an SAO solution without knowing that they were. Typical comments were, “I have too many alerts and false positives to be able to deal with them all”, or “We are struggling to hire enough skilled people to be able to respond to all of the incidents that we have to manage”. Another common comment was, “I am struggling to report operational performance to my executives?”. Often, these comments were followed by the question, “Do you know of any technology that can help?”.
Typically, these organizations had a mature security monitoring program, usually built around a SIEM. They often had critical drivers, such as regulatory requirements, or held sensitive customer data. We hear the same buying drivers from our own customer base.
To sum up the most common drivers for someone asking about Security Automation and Orchestration:
- A high volume of alerts and incidents and the challenge in managing them
- A large portfolio of diverse 3rd party security detection products resulting in a large volume of alerts
- Regulatory mandates for incident response and breach notification
- An overstretched security operations team
- Reporting risk and the operational performance of the CSIRT and SOC to an executive audience
One interesting thing is that when there is no external driver like regulatory compliance, deploying a Security Automation and Orchestration solution is often determined by maturity. Most organizations don’t realize that they will be unable to cope with the volume of alerts and the resulting alert fatigue until they have deployed a SIEM and a full advanced threat detection architecture.
The common misconception is that the SIEM can help to reduce the number of incoming alerts by applying correlation rules. This not entirely untrue, but correlation rules will only reduce a small percentage. They are essentially signature based. You need to know in advance what you want to correlate, and adding a correlation rule to cover all and every incoming alert is not a trivial task. Even with correlation rules, additional work will be required to qualify an incident. Gathering additional IoC’s, incident observables and context is still a very manual process. Lastly, detection is only one part of the entire incident response process – notifying stakeholders, gathering forensic evidence and threat containment will also have to be done manually. These are the areas where SAO solutions provide the greatest ROI – as a force multiplier.
Threat actors are increasingly adopting security automation and machine learning – security teams will have to follow suit, or risk falling behind.
Many organizations still conduct incident response based on manual processes. Many playbooks that we have seen in our customer base, for example, hand off to other stakeholders within the organization to wait for additional forensic data, and to execute remediation and containment actions.
While this may seem like good practice to avoid inadvertent negative consequences such as accidentally shutting down critical systems or locking out innocent users, it also means that many attacks are not contained in a sufficiently short time to avoid the worst of their consequences.
Manual Processes Cannot Compete with Automation
Reports are mounting about threat actors and hackers leveraging security automation and machine learning to increase the scale and volume, as well as the velocity of attacks. The implications for organizations should be cause for concern, considering that we have been challenged to effectively respond to less sophisticated attacks in the past.
Ransomware is a case in point. In its most simple form, a ransomware attack does not require the full cyber kill chain to be successful. A user receives an email attachment, executes it, the data is encrypted and the damage is done. At that point, incident response turns into disaster recovery.
Automated attacks have been with us for a long time. Worms and Autorooters have been around since the beginning of hacking, with WannaCry and its worming capability only the most recent example. But these have only automated some aspects of the attack, still permitting timely and successful threat containment further along the kill chain.
Threat actors have also leveraged automated command and control infrastructure for many years. DDoS Zombie Botnets, for example, are almost fully automated. To sum it up, the bad guys have automated, the defenders have not. Manual processes cannot compete with automation.
With the increase in the adoption of automation and machine learning by cyber criminals, enterprises will find that they will have to automate as well. The future mantra will be “Automate or Die”.
Making the Cure More Palatable Than the Disease
But automating containment actions is still a challenging topic. Here at DFLabs we still encounter a lot of resistance to the idea by our customers. Security teams understand that the escalating sophistication and velocity of cyber-attacks means that they must become more agile to rapidly respond to cyber incidents. But the risk of detrimentally impacting operations means that they are reluctant to do so, and rarely have the political backing and clout even if they want to.
Security teams will find themselves having to rationalize the automation of incident response to other stakeholders in their organization more and more in the future. This will require being able to build a business case to justify the risk of automating containment. They will have to explain why the cure is not worse than the disease.
There are three questions that are decisive in evaluating whether to automate containment actions:
- How reliable are the detection and identification?
- What is the potential detrimental impact if the automation goes wrong?
- What is the potential risk if this is not automated?
Our approach at DFLabs to this is to carefully evaluate what to automate, and how to do this safely. We support organizations in selectively applying automation through our R3 Rapid Response Runbooks. Incident Responders can apply dual-mode actions that combine manual, semi-automated and fully automated steps to provide granular control over what is automated. R3 Runbooks can also include conditional statements that apply full automation when it is safe to do so but request that a human vet’s the decision in critical environments or where it may have a detrimental impact on operational integrity.
We have recently experienced a devastating wave of ransomware attacks such as Wannacry or ‘WannCrypt’ which spread to more than 200 countries across the globe. While Russia was hit hard, Spain and the United Kingdom saw significant damage to their National Health Services. Hospitals were forced to unplug their computers to stop the malware from spreading even further. This is just one of the security threats posed by special malware that encrypts computer files, network file shares, and even databases thereby preventing user access (Green 18-19). It happens in spite of heavy investments in a wide array of security automation and orchestration solutions and staff required to triage, investigate and resolve threats.
The primary problem is that organizations seem to be losing the battle against cyber attackers (Radichel, 2). The security administrators are overburdened and compelled to manually perform time-consuming and repetitive tasks to identify, track, and resolve security concerns across various security platforms. Notwithstanding the time and effort, it is difficult to analyze and adequately prioritize the security events and alerts necessary to protect their networks. Still, the inadequate visibility into the present activities of the security teams, metrics and performance leave security managers struggling to justify additional resources. It has long been accepted that the organizational efficiency depends heavily on the ability of the security system to reduce false positives so that analysts can focus on the critical events along with indicators of compromise.
Security event automation and orchestration ensures that an organization detects a compromise in real time. A rapid incident response ensures a quick containment of the threat. Through the automation of common investigation enrichment and response actions, as well as the use of a centralized workflow for performing incident response, it is possible to minimize response times and thus make the organization more secure. Security events automation and orchestration expedites workflows across the threat life-cycle in various phases. However, for the security team to deploy security automation and orchestration of event-driven security, there must be access to data concerning events occurring in the environment that warrant a response. To effectively employ event-driven security, automation should be embedded into processes that could introduce new threats to the environment (Goutam, Kamal and Ingle, 431). The approach requires that there be a way to audit the environment securely and trigger event based on data patterns that indicate security threat or intrusion. Of particular importance, continuous fine tuning of processes is required to make certain the events automation and orchestration being deployed is not merely automating the process, but providing long-term value in the form of machine learning and automated application of incident response workflows that have previously resolved incidents successfully.
At a time of increased cybersecurity threats, a structured approach can expedite the entire response management process from event notification to remediation and closure through automated orchestration and workflow. An automatic gathering of key information, the building of decision cases and the execution of critical actions to prevent and/or remediate cyber threats based on logical incident response processes are enabled. With security orchestration and event automation, various benefits are realized such as cost effectiveness, mitigation of security incidents and improved speed and effectiveness of the response. Hence, security event automation and orchestration is the real deal in containing security threats before real damage takes place.