Within any organization’s security operations center (SOC), whatever the role (security analyst, engineer or manager), the high level goal of the security program is the same: to deal with the potential security risks behind the alerts generated as efficiently and effectively as possible, keeping the threat and any resulting incident under control so that the impact on the day to day operations of the business is minimal.
As more and more security alerts are triggered, potentially with increasing severity as attackers become more sophisticated, mean time to detection and mean time to resolution (MTTR) are vital. This is when it becomes critical to make sure your security operations center and incident response teams are fully utilizing the tools and resources available to them to detect, orchestrate, automate and measure their security operations and incident response processes and tasks.
With security incidents becoming more costly, organizations must find new ways to further reduce the mean time to detection and the mean time to resolution. At the same time, they are under pressure from being closely monitored against a number of security program KPIs that accurately measure (and improve) performance, which will inevitably be reported back to varying levels of stakeholders, including security management, C-level executives and even the board. (For more information about KPIs for security operations and incident response, download our recent whitepaper here.) While some members of the SOC team, such as the analysts, will be focused solely on the incidents at hand, KPIs and questions surrounding service level agreements (SLAs), mean time to resolution (MTTR) and the overall return on investment (ROI) of security tools and technologies are bound to be at the forefront of the agenda for the SOC manager, and in particular for the CISO.
In this blog we will briefly discuss how a SOC can improve its security operations program’s SLAs, MTTR and ROI by investing in a Security Orchestration, Automation and Response (SOAR) tool, such as the IncMan SOAR platform from DFLabs, and we will run through a basic scenario of what happens when a security alert is detected and triggered using IncMan SOAR.
Many large organizations already use a number of third-party solutions, including security information and event management (SIEM) and endpoint detection and response (EDR) tools, but the question is: is all of the information generated by these tools and technologies being utilized and fused together to provide meaningful aggregated, correlated and analyzed security intelligence? The answer is most probably no. The likelihood is that the SOC team is overwhelmed by the number of alerts and the volume of information it receives, and therefore cannot easily identify which alerts represent a high level versus a low level threat, or know exactly which process should be started first to put a playbook or runbook into action and contain the specific threat they are dealing with.
How IncMan Tackles an Alert with Security Orchestration and Automation
An incident was automatically triggered in IncMan SOAR when the organization’s vulnerability management system found that one of the critical servers was reporting non-compliance due to missing patches. The security analyst on duty assessed that the problem needed immediate remediation. An incident management record was created to assign correction of the problem to the system administrator in charge of the server. Automated actions triggered email notifications to the system administrator and to the security architecture and governance team, who manage the organization’s compliance.
Earlier in the year, the CISO had mandated that changes within the large organization be monitored end to end through the system development lifecycle (SDLC). This was intended to ensure that there were no security gaps in the infrastructure, since a non-compliant server creates a gap that can easily be exploited and misused by a hacker.
This is just one example of an alert that an organization could receive, and in this case it is quite a simple one. Imagine hundreds of more complex alerts coming in per day, related to suspected phishing attempts, malware injections, ransomware attacks and data breaches, to name a few. Analysts often get overwhelmed by the number of alerts they receive, yet need to respond quickly to all of them while prioritizing them at the same time. The key is to transform the resource intensive, manual tasks into an effective and efficient automated and orchestrated process, where automated and manual actions can run side by side as needed. Automating the process with a tool such as the IncMan SOAR platform cuts down the time spent gathering data by hand and the number of people needed to complete the several stages of the process.
IncMan SOAR provided this customer with a real-time alert that was responded to and remediated almost immediately. Automated processes were followed, reducing the amount of manual human interaction required for data collection, enrichment, containment and remediation, all in a more efficient, standardized and timely manner. IncMan SOAR enriched the available information through integrations with the tools the security team was already using, which added intelligence to the investigation of the event that triggered the original security alert and helped to validate its severity.
With a vast amount of information being generated, the ability to present it in an easy to use and understand format facilitates communication between IT team members and departments, allowing them to share the visualized information via dashboards and detailed reports that standardize the information sharing process.
Utilizing Playbooks and Runbooks
So how does a SOAR solution like IncMan know which actions to automate when a security alert is triggered? A security operations center can get the most out of its incident response process by using a range of predefined automation and orchestration processes, captured in playbooks and runbooks, that expedite activities based on the type of security alert. You could have specific ones for ransomware or for a phishing attack, for example, that have been written, trialed and tested repeatedly to ensure the correct actions are taken.
IncMan SOAR’s powerful engine provides an assortment of automations and actions that, within seconds of being triggered, gather information from diverse data sources and can enrich, contain, remediate and notify stakeholders faster than a human being can react. The process is flexible and can run fully automated or in hybrid mode, with human interaction to approve certain actions, for example to block an IP address or quarantine a compromised asset.
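The following is an added illustration of the playbook model described in this section and in the missing-patch scenario above; it is not IncMan SOAR's engine or API. A small runner selects a playbook by alert type, runs read-only enrichment and record-keeping steps automatically, and treats containment steps (block IP, quarantine host) as gated: in hybrid mode they wait for an analyst approval decision, in fully automated mode they run immediately. All alert fields, hostnames, addresses and the lookup tables standing in for CMDB, threat-intel and notification integrations are constructed for the example.

```python
"""Minimal SOAR-style playbook runner with hybrid approval gates.

Added illustration, not IncMan SOAR's engine or API. Everything here is
constructed: alert fields, the lookup tables standing in for CMDB,
threat-intel and notification integrations, and the playbook definitions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-ins for integrations a SOAR would reach through connectors.
ASSET_OWNERS = {"srv-db-01": ("critical", "dba-oncall@example.invalid"),
                "wks-042": ("low", "helpdesk@example.invalid")}
IP_REPUTATION = {"203.0.113.5": "known C2"}   # TEST-NET-3 address, constructed verdict
GOVERNANCE = "governance@example.invalid"     # compliance team mailbox (constructed)


def enrich_asset(alert: dict, ctx: dict) -> str:
    crit, owner = ASSET_OWNERS.get(alert["host"], ("unknown", None))
    ctx["criticality"], ctx["owner"] = crit, owner
    return f"asset {alert['host']} criticality={crit}"


def enrich_ip(alert: dict, ctx: dict) -> str:
    ctx["ip_verdict"] = IP_REPUTATION.get(alert.get("src_ip", ""), "no hits")
    return f"ip {alert.get('src_ip')} verdict={ctx['ip_verdict']}"


def open_incident(alert: dict, ctx: dict) -> str:
    # Incident record assigned to the asset owner, as in the missing-patch case.
    ctx["incident"] = {"title": f"{alert['type']} on {alert['host']}",
                       "assignee": ctx.get("owner"), "status": "open"}
    return f"incident opened, assigned to {ctx.get('owner')}"


def notify(alert: dict, ctx: dict) -> str:
    ctx["notified"] = [r for r in (ctx.get("owner"), GOVERNANCE) if r]
    return "notified " + ", ".join(ctx["notified"])


def block_ip(alert: dict, ctx: dict) -> str:
    ctx.setdefault("blocked_ips", []).append(alert["src_ip"])
    return f"blocked {alert['src_ip']}"


def quarantine_host(alert: dict, ctx: dict) -> str:
    ctx.setdefault("quarantined", []).append(alert["host"])
    return f"quarantined {alert['host']}"


@dataclass(frozen=True)
class Step:
    name: str
    action: Callable[[dict, dict], str]
    gated: bool = False   # True: requires analyst approval in hybrid mode


# Playbooks keyed by alert type; containment steps are gated, enrichment is not.
PLAYBOOKS: Dict[str, List[Step]] = {
    "missing_patch": [Step("enrich_asset", enrich_asset),
                      Step("open_incident", open_incident),
                      Step("notify", notify)],
    "malware": [Step("enrich_asset", enrich_asset),
                Step("enrich_ip", enrich_ip),
                Step("open_incident", open_incident),
                Step("block_ip", block_ip, gated=True),
                Step("quarantine_host", quarantine_host, gated=True),
                Step("notify", notify)],
}

Approver = Callable[[Step, dict], bool]


def run_playbook(alert: dict, mode: str = "hybrid",
                 approve: Optional[Approver] = None) -> Tuple[dict, List[str], List[str]]:
    """Run the playbook matching alert['type'].

    mode='auto'   : every step runs immediately.
    mode='hybrid' : gated steps run only if approve(step, ctx) returns True;
                    with no approver they are left pending for the analyst.
    Returns (context, audit_log, pending_step_names).
    """
    if mode not in ("auto", "hybrid"):
        raise ValueError(f"unknown mode {mode!r}")
    steps = PLAYBOOKS.get(alert["type"])
    if steps is None:
        raise ValueError(f"no playbook for alert type {alert['type']!r}")
    ctx: dict = {}
    log: List[str] = []
    pending: List[str] = []
    for step in steps:
        if step.gated and mode == "hybrid" and (approve is None or not approve(step, ctx)):
            pending.append(step.name)
            log.append(f"[pending] {step.name}: awaiting analyst approval")
            continue
        log.append(f"[done] {step.name}: {step.action(alert, ctx)}")
    return ctx, log, pending


def approve_if_confirmed_bad(step: Step, ctx: dict) -> bool:
    """Example approval policy: contain only when enrichment returned a bad verdict."""
    return ctx.get("ip_verdict") not in (None, "no hits")


if __name__ == "__main__":
    # Constructed alerts: the compliance case from the post and a malware case.
    patch_alert = {"type": "missing_patch", "host": "srv-db-01"}
    malware_alert = {"type": "malware", "host": "wks-042", "src_ip": "203.0.113.5"}
    for alert, mode, approver in [(patch_alert, "auto", None),
                                  (malware_alert, "hybrid", None),
                                  (malware_alert, "hybrid", approve_if_confirmed_bad)]:
        _, log, pending = run_playbook(alert, mode, approver)
        print(f"--- {alert['type']} ({mode}) pending={pending}")
        print("\n".join(log))
```

The audit log and the pending list are what an analyst would see in a hybrid run: enrichment has already populated the context, so the approval decision is made with the asset criticality and reputation verdict in hand, and the containment steps are recorded as awaiting approval rather than silently skipped.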
In summary, without orchestration and automation the above example would have been a mundane, manual process, dependent on people collecting information from different data sources, carrying out a number of activities by hand and writing a report manually.
The power of the correlation engine in IncMan SOAR cuts down the time by facilitating the collection of threat information through the integrated third-party vendors’ data sources. With the help of playbooks and automated runbooks, meaningful threat intelligence can easily be gathered, enriched and correlated to produce a visualization of the incidents that can be displayed in an automated standard report. The information is quickly available and easily shared with all teams as necessary, without having to wait on dependencies to obtain additional information about the incident from the project teams.
IncMan SOAR improves the SLAs for security availability and the MTTR by computing key details expeditiously from multiple data sources and delivering them in a visual or readable detailed report format to multiple stakeholders, the leadership team or anyone else who needs them. The data can subsequently be retained, helping to build and identify historical trends, analysis, patterns and types of attack, to name a few, which in turn feeds the automated actions taken on future alerts and creates a better security defense system.
Overall the benefits of using a Security Orchestration, Automation and Response platform outweigh the negatives. Such a solution can increase the efficiency of your security operations center, enabling it to become more effective and to focus on incident response management and proactive threat hunting, minimizing cybersecurity vulnerabilities instead of carrying out a multitude of mundane, repetitive and time consuming basic tasks.
Automation and orchestration reduce the MTTR, and they also aid the organization’s management team with standard visualizations and focused, detailed written reports. These help the organization better meet compliance obligations such as breach notification requirements, while fulfilling its mission to operate a secure infrastructure efficiently, improving cybersecurity governance SLAs and ROI, and ultimately maximizing company resources by doing more with less.