When it comes to Security Orchestration, Automation and Response (SOAR), use cases vary with a number of factors, such as the enterprise's own internal environment, the industry or vertical it serves, and the legal and regulatory requirements it must meet.
In this blog post we will cover five of the most common use cases for a Security Orchestration, Automation and Response (SOAR) solution and show how, using this technology, a security alert and potential incident can be quickly detected, responded to and resolved without a major impact on the organization.
It is worth pointing out that use cases are limited only by the creativity of the organization itself. A Security Orchestration, Automation and Response (SOAR) platform, such as IncMan SOAR from DFLabs, should be able to cater for any scenario and use case that is required.
Phishing emails have become one of the most critical issues faced by organizations over the past several years, and some of the most recent high-profile data breaches have started with a carefully crafted phishing email. Security Orchestration, Automation and Response (SOAR) is well positioned to automate the triage and examination of suspected phishing emails: extracting artifacts from the email, enriching those artifacts and, if necessary, containing the malicious email and any malicious payloads.
Suspicious emails may arrive via any of the numerous email scanning solutions available today, or via a monitored mailbox to which end users submit suspicious messages. Once the email is received, SOAR can extract artifacts such as header information, email addresses, URLs and even attachments. What happens next depends largely on the organization's individual technology integrations: the extracted information may be submitted to threat reputation and intelligence services, SIEM, EDR or network appliance logs may be queried, and attachments may be detonated in a sandbox. Once the available information has been enriched and the message is determined to be malicious, automated or semi-automated containment actions may be taken, such as quarantining or deleting the phishing email, searching for and deleting other instances of the same email in other users' mailboxes, blocking IP addresses or URLs, banning executables from running, or quarantining the user's workstation.
Regardless of the integrations used, utilizing SOAR to examine and respond to phishing emails can reduce the time to investigate these pervasive threats from hours to minutes, automatically containing the attack and minimizing risk to the organization.
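The artifact extraction, enrichment and containment steps described above, as an added example playbook (not IncMan SOAR code). The blocklist, the sandbox verdict and the sample message are constructed stand-ins for the reputation, sandbox and mail integrations a real deployment would call; the message contains no real addresses, hosts or payloads.

```python
"""Phishing triage playbook: extract artifacts from a suspicious email, enrich them
against threat data, and decide containment.

Added example, not IncMan SOAR code. KNOWN_BAD_HOSTS, SANDBOX_VERDICTS and
SAMPLE_EMAIL are constructed stand-ins for real integrations and real mail."""
import email
import email.policy
import email.utils
import hashlib
import re
from urllib.parse import urlparse

KNOWN_BAD_HOSTS = {"login-verify-example.test"}          # constructed reputation data
SANDBOX_VERDICTS = {"invoice.html": "malicious"}          # constructed sandbox result, by attachment name
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

SAMPLE_EMAIL = b"""\
From: "IT Helpdesk" <helpdesk@corp-example.test>
Reply-To: attacker@login-verify-example.test
Return-Path: <bounce@login-verify-example.test>
To: alice@corp-example.test
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Your password expires today. Verify here: https://login-verify-example.test/reset?u=alice
--XYZ
Content-Type: text/html; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"

<html><script>window.location='https://login-verify-example.test/x'</script></html>
--XYZ--
"""


def domain_of(address):
    """Domain part of an RFC 5322 address header value ('' if absent)."""
    addr = email.utils.parseaddr(address)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def extract_artifacts(raw):
    """Headers, URLs and attachment hashes from a raw message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    artifacts = {
        "from": str(msg.get("From", "")),
        "reply_to": str(msg.get("Reply-To", "")),
        "return_path": str(msg.get("Return-Path", "")),
        "urls": set(),
        "attachments": [],
    }
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""
        artifacts["urls"].update(URL_RE.findall(payload.decode("utf-8", "replace")))
        if part.get_filename():
            artifacts["attachments"].append(
                {"name": part.get_filename(), "sha256": hashlib.sha256(payload).hexdigest()})
    return artifacts


def enrich(artifacts):
    """Reasons the message looks malicious; an empty list means nothing was found."""
    reasons = []
    sender, reply = domain_of(artifacts["from"]), domain_of(artifacts["reply_to"])
    if reply and reply != sender:
        reasons.append(f"Reply-To domain {reply} differs from sender domain {sender}")
    for url in sorted(artifacts["urls"]):
        host = (urlparse(url).hostname or "").lower()
        if host in KNOWN_BAD_HOSTS:
            reasons.append(f"URL host {host} is on the blocklist: {url}")
    for att in artifacts["attachments"]:
        if SANDBOX_VERDICTS.get(att["name"]) == "malicious":
            reasons.append(f"attachment {att['name']} ({att['sha256'][:16]}) detonated as malicious")
    return reasons


def containment_actions(artifacts, reasons):
    """Containment steps to queue once the message is judged malicious."""
    if not reasons:
        return []
    actions = ["quarantine message in the reporting user's mailbox",
               "search all mailboxes for the same sender/subject and quarantine matches"]
    actions += [f"block URL at proxy: {u}" for u in sorted(artifacts["urls"])]
    actions += [f"block hash on EDR: {a['sha256']}" for a in artifacts["attachments"]]
    return actions


def triage(raw):
    artifacts = extract_artifacts(raw)
    reasons = enrich(artifacts)
    return {"verdict": "malicious" if reasons else "benign", "reasons": reasons,
            "actions": containment_actions(artifacts, reasons), "artifacts": artifacts}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EMAIL), indent=2, default=sorted))
```

Run it as a script to see the full verdict for the constructed message. Note that the Reply-To mismatch is flagged even before any external lookup succeeds, so the playbook still produces a useful triage result when the reputation service is unavailable.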
The proliferation of detection technologies means that organizations face a constant barrage of alerts. Many of these alerts are generated because one detection technology or another has deemed some traffic potentially malicious, usually on the basis of a threat indicator that may or may not be reliable. It is then left to the organization to triage and investigate each alert to determine whether it is a false positive or an actual security event.
Alerts regarding malicious traffic may be received by a SOAR directly, or after being ingested and forwarded by a SIEM. In either case, the advantage of using a SOAR to automate and orchestrate the response to these events comes from automatic enrichment, and potentially containment, of the detected indicators. Under normal circumstances, analysts would use whatever enrichment tools are available, such as threat intelligence, reputation services, IT asset inventories and tools such as nslookup and whois, then decide whether the indicators appear malicious, at which point containment and further investigation would begin. With SOAR technology it is straightforward to codify this process into an automated workflow that performs the enrichment as soon as the alert is received. A SOAR solution can also automate the search for additional instances of the same indicator across the organization, alerting analysts to any further occurrences. Automated or semi-automated containment is also possible; for example, blocking an IP address or URL at the firewall or proxy, or isolating a host pending further investigation.
Alerts regarding potentially malicious traffic are commonplace and often sit in the queue for some time before they are investigated. While most are false positives or low priority, any one of them could be the only indicator of a serious data breach. Security Orchestration, Automation and Response (SOAR) technology allows each of these alerts to be triaged and responded to almost immediately, automating the mundane, repeatable processes while allowing analysts to focus on the most significant alerts.
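The enrich-sweep-contain workflow just described, as an added example (not vendor code). It also shows the distinction the page draws later between fully automated steps and steps that wait for a human: the perimeter block is applied automatically, while host isolation is only proposed. REPUTATION, ASSETS, INTERNAL_NET and the firewall log lines are constructed stand-ins for a threat-intel feed, a CMDB, the organization's address plan and a SIEM query.

```python
"""Malicious-traffic alert playbook: enrich the indicator, sweep local logs for every
internal host that touched it, then plan containment. A perimeter block is applied
automatically; host isolation is queued for analyst approval.

Added example, not vendor code. REPUTATION, ASSETS, INTERNAL_NET and FIREWALL_LOGS
are constructed stand-ins for real integrations."""
import ipaddress
import re
from collections import defaultdict

REPUTATION = {"203.0.113.45": {"verdict": "malicious", "tags": ["c2"]}}   # constructed
ASSETS = {                                                                # constructed CMDB
    "10.0.5.21": {"hostname": "ws-finance-07", "criticality": "high"},
    "10.0.8.14": {"hostname": "ws-eng-31", "criticality": "medium"},
}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")                         # assumed internal range
FIREWALL_LOGS = """\
ts=2024-03-11T09:14:02Z action=allow src=10.0.5.21 dst=203.0.113.45 dport=443 bytes=18233
ts=2024-03-11T09:15:40Z action=allow src=10.0.8.14 dst=203.0.113.45 dport=443 bytes=412
ts=2024-03-11T09:16:01Z action=allow src=10.0.5.21 dst=198.51.100.7 dport=80 bytes=902
ts=2024-03-11T09:17:22Z action=deny src=10.0.9.99 dst=203.0.113.45 dport=8443 bytes=0
""".splitlines()                                                          # constructed log lines

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(line):
    """key=value firewall line -> dict."""
    return dict(KV_RE.findall(line))


def enrich_indicator(ip):
    """Reputation verdict plus whether the address lies outside our own ranges."""
    rep = REPUTATION.get(ip, {"verdict": "unknown", "tags": []})
    external = ipaddress.ip_address(ip) not in INTERNAL_NET
    return {"ip": ip, "external": external, **rep}


def sweep(indicator, logs):
    """Every internal source that talked to the indicator, with allow/deny counts."""
    hits = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for line in logs:
        rec = parse_log(line)
        if rec.get("dst") != indicator:
            continue
        hits[rec["src"]]["allowed" if rec.get("action") == "allow" else "denied"] += 1
    return dict(hits)


def plan_actions(indicator, enrichment, hits):
    """Automated actions carry auto=True; disruptive ones wait for an analyst."""
    # Only hosts whose traffic was allowed actually reached the indicator.
    reached = [src for src, c in hits.items() if c["allowed"] > 0]
    if enrichment["verdict"] != "malicious":
        return [{"action": "analyst_review", "hosts": reached, "auto": False}]
    actions = [{"action": "block_ip", "target": indicator, "auto": True}]
    for src in reached:
        asset = ASSETS.get(src, {"hostname": "unknown", "criticality": "unknown"})
        actions.append({"action": "isolate_host", "target": src,
                        "hostname": asset["hostname"],
                        "priority": "P1" if asset["criticality"] == "high" else "P2",
                        "auto": False})
    return actions


def run_playbook(alert, logs=FIREWALL_LOGS):
    enrichment = enrich_indicator(alert["indicator"])
    hits = sweep(alert["indicator"], logs)
    return {"verdict": enrichment["verdict"], "enrichment": enrichment,
            "affected_hosts": hits,
            "actions": plan_actions(alert["indicator"], enrichment, hits)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_playbook({"source": "ids", "indicator": "203.0.113.45"}), indent=2))
```

The denied-only host (10.0.9.99) is kept in the affected-host list for the analyst but never proposed for isolation, since nothing reached the indicator; an indicator with no reputation verdict produces a review task rather than any containment.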
Security Orchestration, Automation and Response was not intended to be a vulnerability management platform and will not replace the robust vulnerability management systems available today. However, there are aspects of a good vulnerability management program that a SOAR platform can streamline. In larger enterprises, vulnerability management is often performed outside the security team, which creates risk: the security team may not be aware of vulnerabilities that exist within the infrastructure.
A SOAR solution can ensure that the security team is made aware of any new vulnerability within the organization. This allows the security team to proactively examine the vulnerable host, when appropriate, to confirm that there is no evidence of exploitation, put any appropriate additional safeguards in place, and subject the host to increased monitoring until the vulnerability has been mitigated.
Beyond notifying the security team, a Security Orchestration, Automation and Response (SOAR) solution may also be used to further enrich vulnerability and host information. For example, a SOAR solution could query a vulnerability database for additional information on the vulnerability, query Active Directory or a CMDB for asset information, or query a SIEM or EDR for events. Based on the vulnerability, host or event information, the case could be automatically upgraded or reassigned, or the host could even be temporarily isolated until the appropriate mitigation tasks have been performed.
While suitable testing and deployment of patches are critical in an enterprise environment, unpatched vulnerabilities present an ongoing risk to the organization in the meantime. It is crucial that the security team is aware of these risks and takes the proper steps to ensure that the vulnerability has not been, and will not be, exploited before it can be properly addressed. A Security Orchestration, Automation and Response (SOAR) solution can be used to ensure that the security team remains informed of all current vulnerabilities and can efficiently evaluate the risk each one poses in order to take proper mitigation actions.
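The enrichment and escalation logic described in the three paragraphs above, as an added example (not IncMan SOAR code). VULN_DB, CMDB and EDR_EVENTS are constructed stand-ins for a vulnerability database, Active Directory/CMDB and an EDR query, and the VULN-EXAMPLE-* identifiers are placeholders rather than real advisories. The priority tiers are one reasonable policy, chosen here for illustration.

```python
"""Vulnerability-finding playbook: when the scanner reports a new finding, enrich it
with vulnerability data, asset context and endpoint telemetry, then set priority,
assignment and follow-up actions (hunt, extra monitoring, proposed isolation).

Added example, not IncMan SOAR code. VULN_DB, CMDB and EDR_EVENTS are constructed;
VULN-EXAMPLE-* are placeholder identifiers, not real advisories."""
from datetime import datetime, timezone

VULN_DB = {
    "VULN-EXAMPLE-1": {"cvss": 9.8, "exploited_in_wild": True, "vector": "network"},
    "VULN-EXAMPLE-2": {"cvss": 5.3, "exploited_in_wild": False, "vector": "local"},
}
CMDB = {
    "srv-web-01": {"internet_facing": True, "criticality": "high", "owner": "platform"},
    "ws-eng-31": {"internet_facing": False, "criticality": "medium", "owner": "engineering"},
}
EDR_EVENTS = [
    {"host": "srv-web-01", "ts": "2024-03-11T10:02:00Z",
     "type": "suspicious_child_process", "detail": "www-data spawned /bin/sh"},
    {"host": "ws-eng-31", "ts": "2024-03-10T08:00:00Z",
     "type": "removable_media", "detail": "usb mass storage attached"},
]


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def events_since(host, since):
    """EDR events on the host at or after the time the finding first appeared."""
    cutoff = parse_ts(since)
    return [e for e in EDR_EVENTS if e["host"] == host and parse_ts(e["ts"]) >= cutoff]


def triage_finding(finding):
    """finding: {'id', 'host', 'first_seen'} as reported by the scanner."""
    vuln = VULN_DB.get(finding["id"], {"cvss": 0.0, "exploited_in_wild": False, "vector": "unknown"})
    asset = CMDB.get(finding["host"], {"internet_facing": False, "criticality": "unknown",
                                       "owner": "unassigned"})
    events = events_since(finding["host"], finding["first_seen"])
    # Reachable by an attacker without an existing foothold?
    exposed = asset["internet_facing"] and vuln["vector"] == "network"

    if vuln["exploited_in_wild"] and (exposed or events):
        priority, assignee = "P1", "incident-response"
        actions = ["notify security team", "hunt for exploitation on host",
                   "propose host isolation (analyst approval required)"]
    elif vuln["cvss"] >= 7.0 and exposed:
        priority, assignee = "P2", "security-ops"
        actions = ["notify security team", "hunt for exploitation on host",
                   "increase monitoring on host"]
    elif vuln["cvss"] >= 7.0:
        priority, assignee = "P3", "security-ops"
        actions = ["notify security team", "increase monitoring on host"]
    else:
        priority, assignee = "P4", asset["owner"]
        actions = ["track until patched"]

    return {"finding": finding["id"], "host": finding["host"], "priority": priority,
            "assignee": assignee, "exposed": exposed, "cvss": vuln["cvss"],
            "suspicious_events": events, "actions": actions}


if __name__ == "__main__":
    import json
    print(json.dumps(triage_finding({"id": "VULN-EXAMPLE-1", "host": "srv-web-01",
                                     "first_seen": "2024-03-11T09:00:00Z"}), indent=2))
```

The telemetry lookup is bounded by the finding's first-seen time so that unrelated older events do not inflate the priority; the same vulnerability on an internal-only host with no such events lands at P3, not P1.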
Managed Security Service Providers (MSSPs) face many of the same issues as Computer Security Incident Response Teams (CSIRTs) and Security Operations Centers (SOCs), but on a much larger scale. In addition to these shared challenges, MSSPs face some unique issues that SOAR technology can address. MSSPs must work within the confines of strict service level agreements (SLAs); failing to meet them can mean loss of business, loss of reputation and even legal action. Automating and orchestrating actions with a Security Orchestration, Automation and Response (SOAR) solution allows MSSPs to work more efficiently, helping ensure that SLAs are met. MSSPs are also under constant pressure to prove to customers that SLAs are being met, that appropriate and timely actions are being taken, and that the service continues to provide value. The metrics and audit logs of a SOAR address these needs with a set of metrics suitable for analysts and executives alike.
MSSPs must also find a way to manage each customer's data securely and in a segregated manner. At the same time, they must give each customer access to its own data, both for transparency and to allow seamless teamwork between the MSSP and the customer's internal teams. Security Orchestration, Automation and Response (SOAR) accomplishes this by providing an individual tenant for each customer, segregating each customer's data at the tenant level to preserve confidentiality while allowing MSSP analysts to work across customer tenants.
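The SLA evidence an MSSP has to produce, as an added example (not vendor code) that also illustrates the measurement point made later on this page: per-tenant time-to-acknowledge and time-to-resolve against per-severity targets, computed from case timestamps. The targets and case records are constructed. The practitioner detail worth getting right is the handling of cases that are still open: a case whose resolution deadline has already passed is a breach now, not something to count only once it is closed.

```python
"""SLA compliance report for an MSSP: per-tenant ack/resolve compliance against
per-severity targets, counting still-open cases past their deadline as breaches.

Added example, not vendor code. SLA_MINUTES and CASES are constructed."""
from datetime import datetime

SLA_MINUTES = {                                   # constructed targets
    "critical": {"ack": 15, "resolve": 240},
    "high": {"ack": 60, "resolve": 480},
    "medium": {"ack": 240, "resolve": 1440},
}
CASES = [                                         # constructed case records; resolved=None -> still open
    {"id": "C-1", "tenant": "acme", "severity": "critical", "created": "2024-03-11T08:00:00Z",
     "acked": "2024-03-11T08:10:00Z", "resolved": "2024-03-11T11:30:00Z"},
    {"id": "C-2", "tenant": "acme", "severity": "critical", "created": "2024-03-11T09:00:00Z",
     "acked": "2024-03-11T09:25:00Z", "resolved": "2024-03-11T12:00:00Z"},
    {"id": "C-3", "tenant": "globex", "severity": "high", "created": "2024-03-11T10:00:00Z",
     "acked": "2024-03-11T10:30:00Z", "resolved": None},
    {"id": "C-4", "tenant": "globex", "severity": "medium", "created": "2024-03-11T07:00:00Z",
     "acked": "2024-03-11T09:00:00Z", "resolved": "2024-03-12T07:30:00Z"},
]


def ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def minutes_between(start, end):
    return (ts(end) - ts(start)).total_seconds() / 60


def evaluate_case(case, now):
    """Elapsed minutes and breach flags for one case, measured at time 'now'."""
    targets = SLA_MINUTES[case["severity"]]
    ack_min = minutes_between(case["created"], case["acked"])
    # An open case is measured up to 'now': once past its deadline it is already a breach.
    resolve_min = minutes_between(case["created"], case["resolved"] or now)
    return {"id": case["id"], "tenant": case["tenant"], "open": case["resolved"] is None,
            "ack_min": ack_min, "ack_breached": ack_min > targets["ack"],
            "resolve_min": resolve_min, "resolve_breached": resolve_min > targets["resolve"]}


def sla_report(cases, now):
    """Per-tenant compliance percentages, mean time to acknowledge and breach list."""
    per_tenant = {}
    for case in cases:
        r = evaluate_case(case, now)
        t = per_tenant.setdefault(r["tenant"], {"cases": 0, "ack_ok": 0, "resolve_ok": 0,
                                                "ack_total_min": 0.0, "breaches": []})
        t["cases"] += 1
        t["ack_ok"] += int(not r["ack_breached"])
        t["resolve_ok"] += int(not r["resolve_breached"])
        t["ack_total_min"] += r["ack_min"]
        if r["ack_breached"]:
            t["breaches"].append((r["id"], "ack"))
        if r["resolve_breached"]:
            t["breaches"].append((r["id"], "resolve (still open)" if r["open"] else "resolve"))
    return {tenant: {"cases": t["cases"],
                     "ack_pct": round(100 * t["ack_ok"] / t["cases"], 1),
                     "resolve_pct": round(100 * t["resolve_ok"] / t["cases"], 1),
                     "mtta_min": round(t["ack_total_min"] / t["cases"], 1),
                     "breaches": t["breaches"]}
            for tenant, t in per_tenant.items()}


if __name__ == "__main__":
    import json
    print(json.dumps(sla_report(CASES, "2024-03-11T20:00:00Z"), indent=2))
```

Because the report is a function of the case data and the evaluation time, the same numbers can be regenerated for any reporting window, which is what an auditor or customer will ask for.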
Although not strictly an orchestration and automation function, case management is an important part of the incident response process and is another function that SOAR can help streamline. Many organizations struggle with managing the vast amounts of disparate information that is gathered during a security incident. Spreadsheets and shared documents are simply not sufficient for managing a complex cyber incident.
Not only does SOAR maintain all information and enriched data gathered from automated and orchestrated activities, it also maintains a detailed audit log of all actions taken during the response. A full-featured SOAR solution should also allow for detailed task management, allowing incident managers to create, assign and monitor tasks assigned to all analysts taking part in the response. In addition, a full-featured SOAR should also allow users to track assets involved in the incident and maintain a detailed chain of custody for all physical and logical evidence.
A Security Orchestration, Automation and Response (SOAR) solution with full case management functionality will help ensure the smooth and efficient handling of an incident from identification through remediation, providing responders with the information they need right at their fingertips and allowing them to focus on the task at hand.
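The audit log and chain of custody described above only have value if they cannot be quietly rewritten after the fact. As an added example (not IncMan SOAR code), here is a minimal tamper-evident custody log: every entry is hash-chained to the previous one, and every entry records the SHA-256 of the evidence as handled at that moment, so an edited log entry and an altered evidence item are both detectable and distinguishable. The case identifier, actors and evidence bytes are constructed.

```python
"""Tamper-evident evidence and chain-of-custody log for a case.

Added example, not IncMan SOAR code. The case, actors and evidence bytes are constructed."""
import hashlib
import json

GENESIS = "0" * 64


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only list of custody entries linked by hashes."""

    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []

    @staticmethod
    def _entry_hash(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def record(self, evidence_id, action, actor, evidence, ts):
        """Append a custody event; 'evidence' is the item's content as bytes."""
        entry = {"case_id": self.case_id, "evidence_id": evidence_id, "action": action,
                 "actor": actor, "ts": ts, "evidence_sha256": sha256_hex(evidence),
                 "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS}
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain. Returns (ok, index of first bad entry or None)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev or self._entry_hash(e) != e["entry_hash"]:
                return False, i
            prev = e["entry_hash"]
        return True, None

    def evidence_unchanged(self, evidence_id):
        """True if every custody event for the item saw the same hash as at acquisition."""
        hashes = [e["evidence_sha256"] for e in self.entries if e["evidence_id"] == evidence_id]
        return bool(hashes) and all(h == hashes[0] for h in hashes)


def build_demo_log():
    """Constructed scenario: a disk image is acquired, handed to an analyst and returned."""
    image = b"constructed disk image bytes"
    log = CustodyLog("INC-0042")
    log.record("EV-1", "acquired", "responder-a", image, "2024-03-11T09:00:00Z")
    log.record("EV-1", "transferred", "analyst-b", image, "2024-03-11T10:15:00Z")
    log.record("EV-1", "returned", "responder-a", image, "2024-03-12T17:00:00Z")
    return log


def demo_tampering():
    """Two failure modes: a rewritten log field, and evidence altered between events."""
    log = build_demo_log()
    log.entries[1]["actor"] = "someone-else"        # rewrite history without re-hashing
    edited_log = log.verify()                        # chain breaks at index 1
    log2 = build_demo_log()
    log2.record("EV-1", "examined", "analyst-b", b"altered bytes", "2024-03-13T09:00:00Z")
    return {"edited_log": edited_log,                # (False, 1)
            "chain_after_alteration": log2.verify(),  # (True, None): the log itself is honest
            "evidence_unchanged": log2.evidence_unchanged("EV-1")}  # False: the item changed


if __name__ == "__main__":
    print(build_demo_log().verify(), demo_tampering())
```

The two checks answer different questions: verify() tells you whether the record of handling is intact, evidence_unchanged() whether the thing being handled is. A production system would additionally anchor the latest entry hash somewhere the operators cannot rewrite (a signed export, a separate append-only store), since an attacker who controls the whole log can simply re-chain it.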
If you would like to see a SOAR solution in action and discuss your specific use cases, request a live demo today.
In our first blog in this series, we looked at some of the key drivers for Security Orchestration, Automation and Response (SOAR) adoption and the problems SOAR technology can help solve. Now, let's look at the three core pillars that define what a SOAR solution is: Orchestration, Automation and Measurement.
The Core Pillars of a SOAR Solution: Orchestration, Automation, and Measurement
The number of technologies involved in today's advanced security and incident response programs is far greater than it was even five years ago. While this has become necessary to effectively detect and respond to the current range and complexity of threats, it has created its own problem: coordinating these technologies into one seamless process. Switching between multiple technologies, what Gartner refers to as "context switching", can create enormous inefficiencies in an organization's security program.
Technology integrations are the most common method used to support technology orchestration. There are numerous methods which can be used to integrate technologies through a SOAR solution, including common communication mechanisms such as syslog and email, as well as more complex, bidirectional integration methods such as API calls. Although technology is typically the primary focus of orchestration, it is equally important to consider the orchestration of people and processes in a holistic security program. Technology should be supported by effective processes, which should enable people to respond appropriately to security events. A strictly technology-centric security program is no longer adequate; people and processes must also be orchestrated properly to ensure that a security program is operating at its maximum efficiency.
Although the concepts of orchestration and automation are closely related, the goals they seek to achieve are fundamentally different. While orchestration is intended to increase efficiency through increased coordination and decreased context switching to support faster, more informed decision making, security automation is intended to reduce the time these processes take by automating repeatable processes and applying machine learning to appropriate tasks.
The key to successful automation is the identification of predictable, repeatable processes which require minimal human intervention to perform. Automation should act as a force multiplier for security teams, reducing the mundane actions that must be manually performed and allowing analysts to focus on those actions which require human intervention. Although some processes may be fully automated, a SOAR technology solution must also support automation which allows for human intervention at critical decision points.
Because a SOAR solution sits at the crossroads of the incident response process, it is in an ideal location to collect a trove of information. Measurement of security information is key for making informed tactical and strategic security decisions. Proper measurement is what turns raw incident information into critical intelligence. Measurement of both tactical and strategic information is useless without proper display and visualization. A SOAR solution must support multiple methods for displaying and visualizing all information in an effective and easy to digest manner.
Stay tuned for our final blog in this series, where we will discuss some of the critical components and functionality that a SOAR solution should contain. For more information on any of these topics, please check out our new whitepaper titled "Security Orchestration, Automation, and Response (SOAR) Technology" here.