The recent SANS 2018 Security Operations Center (SOC) Survey, which was designed to identify the areas of SOCs that need improvement to reach consistent levels of success, revealed several significant deficiencies. These challenges can be overcome with several proven best practices. This blog post will focus on the top four identified SOC deficiencies, the core causes behind them, and the actions that should be taken to the end of improving them.
Lack of automation/orchestration, integrated toolsets and processes/playbooks
Most SOCs fall behind with automation and orchestration mainly because they aren’t aware of the processes that should be automated. This issue can be fixed by performing employee interviews and conducting risk and security assessments.
The employees are the first line of defense in an organization. Those processes that are repeatable can be easily discovered by interviewing employees and find out what tasks they are responsible for.
Interviewing employees to find out what tasks they are responsible for can identify repeatable processes. These processes, such as evidence gathering during an incident (IP/URL reputation, information, etc.), are time-consuming but can be easily automated with SOAR technology. By automating time-consuming processes, employees can better utilize their time with more urgent matters which will benefit the overall organization.
Performing risk assessments and other security-related tasks will naturally lead to the strengthening of a security program by identifying assets (asset management), identifying vulnerabilities (vulnerability management), providing metrics to monitor and improve (security metrics program), and highlighting areas to be included in a security monitoring program. Identifying these areas of an organization’s security landscape means additional repeatable processes will be exposed, and this not only provides automation opportunities but also aids in overcoming the other deficiencies today’s SOCs are struggling with.
Additionally, the lack of integration between security tools can be attributed to the security vendor space becoming more and more saturated and organizations are forced to layer their security defenses to protect from multi-threaded attacks. This has left security teams with a vague knowledge of their product lines and what they can do in concert with each other. However, there is no easy fix here – some alternatives may include performing Proof of Concept (POC) engagements and encouraging security vendors to “lean in” and gain a better understanding of the organization’s environment. By doing so, these organizations can test drive the product, identify possible gaps, and correct them before deploying it to the environment.
Finally, SOCs that fall behind in terms of processes and playbooks typically have a low maturity security program. In these situations, working with a managed security service provider or managed detection and response service seem to be good alternatives.
Asset discovery and inventory tool satisfaction was lowest of all SOC technologies
The main reason for this finding is simple: asset inventory and management is hard. Even with an asset management or inventory system in place, the technology staff will be left doing the heavy lifting. The initial upfront investment of time and energy is what usually causes organizations to become dissatisfied. In a world of instant gratification, we expect that if we spend a certain amount of money on any product that it should accelerate us to our end goal. But unfortunately reality sets in and we are still faced with dynamic business landscapes and a rapidly evolving technology curve which forces us to roll up our sleeves and get our hands dirty.
Any asset management program requires planning and a full understanding of the environment. Without these crucial steps, any tool that is purchased will fail to meet your requirements. As mentioned earlier, perform risk and security assessment against your environment. A lot of security assessments, particularly vulnerability assessments, have a discovery phase. This phase will produce a list of assets as well as their vulnerabilities which an organization can use as a jumping off point. And as always, keep in mind there is no single solution good enough for everyone. There will be some pain and heartache when standing up an asset management solution, but when done correctly will be worth it in the long run.
Despite the use of SIEM and big data tools, most event correlation is still manual
This seems counter-intuitive, but there’s a good explanation. When standing up a SIEM, it is not as simple as turning it on and pointing log sources towards it. Organizations should have a grasp of their log sources and the overall visibility they provide into the environment.
In order to do this correctly, an organization should perform a network audit. This will highlight where network taps should be located, what devices consistently speak to each other, and if there are any gaps or obstacles which must be resolved. Obstacles, for example, web proxies masking a true source, or short DHCP leases may prevent an investigator from locating a potential victim and limit an organization’s SIEM from conducting the proper correlation between events. Understanding where these gaps lie and the limitations a chosen SIEM product may have can help investigation teams better understand areas where manual correlation may still be necessary.
Effectiveness of SOC/NOC integration is low
This deficiency is a cultural problem, SOC teams have one agenda (detection and protection), while NOC teams have another (maintaining uptime and availability). These are usually at odds with each other, take for example the age-old conflict of least privilege. Network teams want to have the keys to the castle and be able to move freely through the environment, while SOC teams are focused on locking down the environment to better identify anomalies which may indicate malicious activity.
Meanwhile, to add to this misaligned agenda, both groups are usually under-resourced and overworked due to the lack of qualified candidates and the surmounting responsibilities these teams face when maintaining and securing a network. To bridge the gap, organizations will want to institute processes and procedures that outline rules of engagement between the teams. By creating rules of engagement, both departments know what their responsibilities are and the processes and procedures which are in place for their interactions leave little doubt as to how the partnership should function.
These Security Operations Centers (SOC) deficiencies in most organizations can be easily overcome with timely planning and with the right processes in place. A good option for those that lack appropriate resources or security program is to use a managed security service provider, or managed detection and response service.
When a security incident occurs, it is unlikely that the entire scope and chain of events will be obvious from the outset. More often, it is a single indicator or security alert which provides the first inkling that something is wrong. This is especially true for more advanced, complex, or targeted attacks. It is the security team’s responsibility to take that small, possibly benign event, and determine if it is indeed an incident (triage), and if so, the full scope and impact of the incident (investigation).
Security teams often rely on threat intelligence during both the triage and investigation stages of an event. This information can be critical in determining the veracity of an alert and then pivoting from that first indicator to quickly determine the scope of the potential cyber security incident. For example, an endpoint alert for a suspicious file may provide a hash value, but little else. Manual analysis of the file will likely provide additional indicators, however, very few organizations have the time or resources to manually analyze each suspicious file they encounter. Threat intelligence can quickly add context to that first hash indicator; perhaps informing analysts that that file is a known dropper for another malicious file which may not have been detected by the endpoint solution, as well as providing IP addresses or domains to which the dropped file is known to have communicated with in the past. Online sandboxes can also be used to provide this kind of threat intelligence in near real-time, much faster and more cost-effectively than manual analysis.
How can threat intelligence be an effective tool?
For threat intelligence to be an effective tool, it must be both reliable and actionable. In the case of threat intelligence, reliable means that we are able to rely on the accuracy and completeness of the intelligence with a high degree of confidence. Actionable in this case means that the intelligence must be something that enables us to take some action, further investigation, containment etc., which we would not have been able to take without the threat intelligence. By definition, threat intelligence cannot be actionable if it is not reliable. For example, a threat intelligence source that classifies 220.127.116.11 (Google’s DNS) as malicious because a malware sample made a DNS request to this IP should not be considered reliable, and therefore we would not want to take action on intelligence from this source.
Reliable, actionable threat intelligence is the backbone of successful security automation. Where human analysts can determine the reliability and actionability of threat intelligence for each query, automation can be much less forgiving. For this reason, it is even more critical that there is a high degree of confidence in the source of threat intelligence when used in automation.
Still, when a high confidence threat intelligence source is combined with well-executed automation and orchestration processes, the result is a level of efficiency that simply cannot be achieved using strictly manual processes, The “query, investigate, pivot, repeat” can take many minutes or even hours when performed manually, but is often a very predictable and repeatable process which can be automated and completed in significantly less time. This allows analysts to focus their limited time on the portions of an investigation which require human analysis instead of the arduous data gathering and enrichment processes.
DFLabs and Cisco Use Case
As an example, let’s examine a malware analysis automation use case using a Runbook from DFLabs IncMan SOAR and several Cisco security products. This use case focuses strictly on the analysis of a malicious file, it is not dependent on the source of the file such as an attachment seen by Cisco Email Security. This same Runbook could be used with other automated runbooks as part of the response to an endpoint alert, malicious email attachment or other security event.
The Runbook begins by using Cisco Threat Grid to perform advanced sandbox analysis of the file to gather intelligence which can be used to further enhance and pivot the investigation. In this example use case, we will focus primarily on network indicators and threat intelligence to demonstrate the way in which automation can be used to pivot from indicator to indicator.
Follow the detonation and report from Cisco Threat Grid, this Runbook will perform basic enrichment actions on any IP addresses the malware sample was observed to be communicating with, such as WHOIS and geolocation queries. Following these basic enrichment actions, the Runbook will query Cisco Threat Grid for IP reputation information for each of the IP addresses. If Cisco Threat Grid returns negative reputation results exceeding a user defined threshold, the IP address will be automatically blocked at the firewall. The organization’s solution will then be queried to see if any hosts have been observed making connections to the malicious IP addresses. If the EDR solution returns results, the analyst will be presented with a User Choice decision, allowing the analyst to review the previously enriched information and make a manual decision as to whether to quarantine the host until further investigation can be completed.
Simultaneously, the Runbook queries Cisco Umbrella Investigate for domains associated with the IP addresses found during the executable analysis by Cisco Threat Grid. If any domains are found, a similar process to that performed on the IP addresses is performed; basic enrichment followed by a threat intelligence query and a domain detonation using Cisco Threat Grid. If Cisco Threat Grid returns negative reputation results exceeding a user defined threshold, the domain will automatically be blocked using Cisco Umbrella. As with the IP addresses, the EDR solution is then queried and any results will cause a User Choice decision to be presented to the user to consider quarantining the host until further investigation can be completed.
The final simultaneous action is a query of the EDR solution for evidence of execution of the executable’s hash value returned by Cisco Threat Grid. Any results will cause a User Choice decision to be presented to the user to consider quarantining the host until further investigation can be completed.
In this use case, User Choice decisions were used before quarantining hosts was performed to show how manual decision points can be used to enhance the confidence in Runbooks which may perform tasks which could have a negative impact on the environment, such as quarantining a host. These User Choice decisions could easily be automated decisions, depending on the preference of the organization. Conversely, the automated decisions made to block the IP addresses and domains could easily be made User Choice decisions.
This example use case shows how a time consuming manual process like pivoting from malware analysis to indicators across the network can be easily automated, saving analyst time while not compromising the final outcome of the process, by utilizing reliable and actionable threat intelligence.
By combining the vast capabilities of Cisco’s suite of security products, with the orchestration and automation power of DFLabs’ IncMan SOAR platform, organizations can respond to potential security incidents, with unmatched speed and accuracy.
To learn more about using threat intelligence effectively in Security Automation and Orchestration with Cisco Security, register now for our upcoming webinar on Tuesday October 30, at 11am EST / 4pm CET hosted by myself with guests Jessica Bair, Senior Manager, Advanced Threat Solutions, Cisco Security and Michael Auger, Senior Security Solutions Architect, Cisco Security.
The terms security automation and security orchestration are often used almost interchangeably nowadays in the IT ecosystem. But it’s very important to note that these terms have completely different meanings and purposes. The aim of this blog is to discuss the core differences by explaining what these terms mean exactly, what their functions are and how they can be used within an IT context.
When automation emerged in the security field, it became a crucial asset for security teams that were already exhausted from time-consuming, repetitive, low-level tasks. Orchestration was the next step for better time and resource management for teams, as it helped professionals respond to issues faster, and prioritize important tasks with defined and consistent processes and workflows.
Security orchestration vs. security automation – the difference
When we speak about automation, it’s often wrongly assumed to mean automating an entire process, which is not always correct. The proper definition of security automation is setting a single security operations-related task to run on its own, without the need for human intervention (or a task could be semi-automated if some form of human decision is required).
On the other hand, orchestration, in essence, refers to making use of multiple automation tasks across one or more platforms. This means that automation tasks are part of the overall orchestration process, which covers larger, more complex scenarios and tasks. With this being said, we can say that orchestration means the automated coordination and management of systems, middleware, and services. Security orchestration uses multiple automated and semi-automated tasks to automatically execute a complex process or workflow, and these can consist of multiple automated tasks or systems.
Security Orchestration aims to streamline and optimize repeatable processes and ensure correct execution of tasks. Anytime a process becomes repeatable and tasks can be automated, orchestration can be used to optimize the process and eliminate redundancies.
Automation and orchestration can be best understood by differentiating between a single task and a complete process. Automation only handles a single task, while orchestration makes use of a more complex set of tasks and processes. When a task is automated, it speeds things up, especially when it comes to repeating basic tasks. But optimizing a process is not possible with simple automation, as it only handles a single task. A process is not limited to a single function, so optimization is only possible with orchestration. If done right, orchestration achieves the main goal of speeding up the entire process from start to finish.
By now, we believe you’re aware of the core difference of security automation vs security orchestration, but bare in mind that these two are not completely inseparable and are used in conjunction with each other. As we’ve been discussing so far, security orchestration is not possible without automation. Now let’s go through the main benefits of both orchestration and automation:
Automation makes many time-consuming tasks run smoothly without (or with little) human intervention, thus allowing organizations to take a more proactive approach in protecting their infrastructure from increasing volumes of security alerts and potential incidents, which would take far too many man-hours to be able to complete.
The primary goal of orchestration is to optimize a process. While security automation is limited to automating a particular task, orchestration goes way beyond this. With automation providing the necessary speed to the processes, orchestration, on the other hand, provides a streamlined approach and process optimization.
What happens when these two work together?
- Better utilization of assets, allowing the organization to be more efficient and effective
- Improved ROI on existing security tools and technologies
- Increased productivity – all tasks are automated and orchestrated between themselves
- Reduced security analyst fatigue from alert and task overload
- Processes remain consistent due to standardization of activities.
Orchestration and automation work together to empower security teams, allowing them to be more effective, and ultimately focus on incident analysis and important investigations, rather than on manual, time-consuming and repetitive tasks. Having all of the tools to hand within a centralized, single and intuitive orchestration platform can only benefit your security operations team. This ultimately means more time for analysts and incident respondents to focus on issues that require a level of human intervention for a higher level of investigation for mitigation and remediation.
Both of these concepts: security automation and security orchestration relate to each other, and it’s often very difficult to differentiate between them. As we discussed in detail regarding this confusion, one last piece of advice would be to look at these in their fundamental difference, which lies in their varying individual goals. Automation is all about codification and orchestration is all about systematization of processes. The adequate differentiation between these two principles will help you to achieve a streamlined and accurate execution of your incident response processes and tasks.
About National Cybersecurity Awareness Month (NCSAM)
Every year since 2004, October has been recognized and celebrated as National Cybersecurity Awareness Month (NCSAM). NCSAM was created in a united effort between the Department of Homeland Security and the National Cyber Security Alliance to raise awareness on a variety of cybersecurity issues. NCSAM has grown exponentially over the years, reaching consumers, small and medium-sized businesses, corporations, government entities, the military, educational institutions, and young people nationally and internationally. NCSAM was designed with one goal, to engage and educate the public as well as the private sector partners through a series of events and initiatives with the goal of raising awareness about cybersecurity in order to increase the resiliency of the nation in the event of facing cyber incidents. This unified effort is necessary to maintain a cyberspace that is safer and more resilient and remains a source of tremendous opportunity and growth for years to come.
What’s New in 2018
This year, National Cybersecurity Awareness Month (NCSAM) focuses on internet security as a shared responsibility among consumers, businesses and the cyber workforce. NCSAM 2018 aims to “shine a spotlight on the critical need to build a strong, cyber-secure workforce to help ensure families, communities, businesses and the country’s infrastructure are better protected.” The month is divided into four week-long topics:
Week 1 (Oct. 1–5): Make Your Home a Haven for Online Safety
Week 2 (Oct. 8–12): Millions of Rewarding Jobs — Educating for a Career in Cybersecurity
Week 3 (Oct. 15–19): It’s Everyone’s Job to Ensure Online Safety at Work
Week 4 (Oct. 22–26): Safeguarding the Nation’s Critical Infrastructure
Staying Safe Online
This month, organizations should make it a priority to build on their existing cybersecurity knowledge and practices, better understand the current cyber threats impacting their industry. With the spotlight on security, NCSAM is a great time to review current cybersecurity strategies and map out strategic actions that could be undertaken to secure the organization’s infrastructure as much as possible.
Even though preventing every single attack is an impossible mission, all stakeholders within any organization, regardless of their position, capability or involvement within cybersecurity should aim to increase their security knowledge, as one phishing attack could have devastating consequences. Working towards increasing levels of awareness and training, strengthening partnerships and defenses, exchanging valuable information, and with advancing technology will help organizations to protect their brands and valuable assets.
With that being said, we know from experience that today cyber attacks are inevitable and regardless of the vast number of preventative measures we take to protect ourselves, our businesses and our infrastructure are still at risk. We can never be 100% certain that they are fully secure. Therefore it is key that organizations also have an appropriate and in-depth incident response plan in place in order to be able to respond efficiently and effectively to any type of incident that should unfortunately occur.
How SOAR Technology Helps To Improve Incident Response
Effective cyber defense demands a team effort where employees, end users, and enterprises recognize their shared role in reducing cybersecurity risks. As the ever-evolving cybersecurity landscape poses new challenges, companies are pushed even more to combat the growing number and even more sophisticated levels of cyber attacks. Organizations across all sectors and industries are a potential target. Security operations teams need to be prepared to respond to existing as well as to new types of cyber threats, in order to fully defend and protect their company assets.
As prevention is becoming increasingly difficult for security teams, some organizations also tend to have a weakness when it comes to incident response and the processes and workflows that should be implemented in order to minimize the impact. The main reasons why companies are failing at Incident Response is due to a number of factors including but not limited to inadequate resources, lack of skilled analysts, failure to manage phases, task overload and more.
Adopting a complete and comprehensive Security Orchestration, Automation and Response (SOAR) solution can go a long way towards preventing and mitigating the consequences of cyber incidents. The deployment of a SOAR solution can help alleviate a number of current security operations challenges (including the growing number of alerts, increased workloads and repetitive tasks, current talent shortage and competition for skilled analysts, lack of knowledge transfer and budget constraints), while improving the overall organization’s security posture by eliminating the most-common scenarios of resource-constrained security teams struggling to identify critical cyber incidents.
Some of the key benefits of using a Security Orchestration, Automation and Response (SOAR) solution are outlined below.
Top 10 Benefits of Adopting a SOAR Solution
- Acts as a force multiplier for security teams
- Automates manual repetitive processes to avoid alert fatigue
- Responds to all security alerts eliminating false positives
- Decreases the time to detect, remediate and resolve incidents
- Simplifies incident response and investigation processes
- Integrates with existing security operations tools and technologies
- Improves the overall efficiency and effectiveness of existing security programs
- Reduces operational costs and improves ROI
- Minimizes the risk and damage resulting from incidents
- Meets legal and regulatory compliance (e.g. NIST and GDPR) including incident reporting and breach notification
Security Orchestration, Automation and Response With DFLabs IncMan SOAR Platform
DFLabs’ IncMan SOAR platform provides a complete and comprehensive solution to streamline the full incident response lifecycle. IncMan SOAR, is designed for SOCs, CSIRTs and MSSPs to automate, orchestrate and measure security operations and incident response processes and tasks, all from within one single, intuitive platform. IncMan SOAR is easy to implement and use, allowing you to leverage the capabilities of your existing security infrastructure and assets.
Take this October’s national cybersecurity awareness month seriously and do your part in learning something new which could help your organization to better protect itself. Contact us today to organize a bespoke demonstration and to discuss your individual requirements.
We’ve been witnessing the continual transformation of the cyber security ecosystem in the past few years. With cyber attacks becoming ever-more sophisticated, organizations have been forced to spend huge amounts of their budgets on improving their security programs in an attempt to protect their infrastructure, corporate assets, and their brand reputation from potential hackers.
Recent research, however, still shows that a large number of organizations are experiencing an alarming shortage of the cyber security skills and tools required to adequately detect and prevent the variety of attacks being faced by organizations. Protecting your organization today is a never-ending and complex process. I am sure, like me, you are regularly reading many cyber security articles and statistics detailing these alarming figures, which are becoming more of a daily reality.
Many organizations are now transitioning the majority of their efforts on implementing comprehensive incident response plans, processes and workflows to respond to potential incidents in the quickest and most efficient ways possible. But even with this new approach, many experts and organizations alike express concerns that we will still be faced with a shortage of skilled labor able to deal with these security incidents, with security teams struggling to fight back thousands of potential threats generated from incoming security alerts on a daily basis.
With so many mundane and repetitive tasks to complete, there’s little time for new strategies, planning, training, and knowledge transfer. To make things worse, security teams are spending far too much of their valuable time reacting to the increasing numbers of false positives, to threats that aren’t real. This results in spending hours, even days on analyzing and investigating false positives, which leaves little time for the team to focus on mitigating real, legitimate cyber threats, which could result in a serious and potentially damaging security incident. Essentially, we need to enable security operations teams to work smarter, not harder; but is this easier said than done?
How does security orchestration and automation help security teams?
With this in mind, organizations need to find new ways combat these issues, while at the same time add value to their existing security program and tools and technologies being used, to improve their overall security operations performance. The answer is in the use of Security Orchestration, Automation and Response (SOAR) technology.
Security Orchestration, Automation, and Response SOAR solutions focus on the following core functions of security operations and incident response and help security operations centers (SOCs), computer security incident response teams (CSIRTs) and managed security service providers (MSSPs) work smarter and act faster:
- Orchestration – Enables security operations to connect and coordinate complex workflows, tools and technologies, with flexible SOAR solutions supporting a vast number of integrations and APIs.
- Automation – Speeds up the entire workflow by executing actions across infrastructures in seconds, instead of hours if tasks are performed manually.
- Collaboration – Promotes more efficient communication and knowledge transfer across security teams
- Incident Management – Activities and information from a single incident are managed within a single, comprehensive platform, allowing tactical and strategic decision makers alike complete oversight of the incident management process.
- Dashboards and Reporting: Combines of core information to provide a holistic view of the organization’s security infrastructure also providing detailed information for any incident, event or case when it is required by different levels of stakeholders.
Now let’s focus on the details of these core functions and see how they improve the overall performance.
Security Orchestration is the capacity to coordinate, formalize, and automate responsive actions upon measuring risk posture and the state of affairs in the environment; more precisely, it’s the fashion in which disparate security systems are connected together to deliver larger visibility and enable automated responses; it also coordinates volumes of alert data into workflows.
With automation, multiple tasks on partial or full elements of the security process can be executed without the need for human intervention. Security operations can create sophisticated processes with automation, which can improve accuracy. While the concepts behind both security orchestration and automation are somewhat related, their aims are quite different. Automation aims to reduce the time processes take, making them more effective and efficient by automating repeatable processes and tasks. Some SOAR solutions also applying machine learning to recommend actions based on the responses to previous incidents. Automation also aims to reduce the number of mundane actions that must be completed manually by security analysts, allowing them to focus on a high level and more important actions that require human intervention.
Incident Management and Collaboration
Incident management and collaboration consist of the following activities:
- Alert processing and triage
- Journaling and evidentiary support
- Analytics and incident investigation
- Threat intelligence management
- Case and event management, and workflow
Security orchestration and automation tools are designed to facilitate all of these processes, while at the same making the process of threat identification, investigation and management significantly easier for the entire security operations team.
Dashboards and Reporting
SOAR tools generate reports and dashboards for a range of stakeholders from the day to day analysts, SOC managers, other organization departments and even C-level executives. These dashboards and reports are not only used to provide security intelligence, but they can also be used to develop analyst skills.
Human Factor Still Paramount
Security orchestration and automation solutions create a more focused and streamlined approach and methodology for detection and response to cyber threats by integrating the company’s security capacity and resources with existing experts and processes in order to automate manual tasks, orchestrate processes and workflows, and create an overall faster and more effective incident response.
Whichever security orchestration and automation solution a company chooses, it is important to remember that no one single miracle solution guarantees full protection. Human skills remain the core of every future security undertaking and the use of security orchestration and automation should not be viewed as a total replacement of a security team. Rather, it should be considered a supplement that enables the security team by easing the workload, alleviating the repetitive, time-consuming tasks, formalizing processes and workflows, while supporting and empowering the existing security team to turn into proactive threat hunters as opposed to reactive incident investigators.
Humans and machines combined can work wonders for the overall performance of an organization’s security program and in the long run allows the experts in the team to customize and tailor their actions to suit the specific business needs of the company.
Finally, by investing in a SOAR solution for threat detection and incident response, organizations can increase their capacity to detect, respond to and remediate all security incidents and alerts they are faced with in the quickest possible time frames.
Security teams are inundated with a constant barrage of alerts. Depending on the severity of each alert, it is often minutes to hours before an analyst can properly triage and investigate the alert. The manual triage and investigation process adds additional time, as analysts must determine the validity of the alert and gather additional information. While these manual processes are occurring, the potential attacker has been hard at work; likely using scripted or automated processes to probe the network, pivot to other hosts and potential begin exfiltrating data. By the time the security team has verified the threat and begun blocking the attacker, the damage is often already done.
So, how can security operations temporarily contain a possible threat and/or permanently block a known threat? This blog will explain how by utilizing the IncMan SOAR technology from DFLabs with its integration with McAfee Web Gateway, including a use case example in action.
DFLabs and McAfee Web Gateway Integration
McAfee Web Gateway delivers comprehensive security for all aspects of web traffic in one high-performance appliance software architecture. For user-initiated web requests, McAfee Web Gateway first enforces an organization’s internet use policy. For all allowed traffic, it then uses local and global techniques to analyze the nature and intent of all content and active code, providing immediate protection. McAfee Web Gateway can examine the secure sockets layer (SSL) traffic to provide in-depth protection against malicious code or control applications.
Attackers are scripting and automating their attacks, meaning that additional infections and data exfiltration can occur in mere seconds. Security teams must find new ways to keep pace with attackers in order to minimize the impact from even a moderately skilled threat. Utilizing DFLabs IncMan’s integration with McAfee Web Gateway, IncMan’s R3 Rapid Response Runbooks automate and orchestrate the response to newly detected threats on the network, enabling organizations to immediately take containment actions on verified malicious IPs and ports, as well as temporarily preventing additional damage while further investigation is performed on suspicious IP addresses and ports.
Use Case in Action
McAfee Web Gateway has generated an alert based on potentially malicious traffic originating from a host inside the network to an unknown host on the Internet. Based on a predefined Incident Template, IncMan has automatically generated an Incident and notified the Security Operations Team. As part of the Incident Template, the following R3 Runbook has been automatically added to the Incident and executed.
Data exfiltration can occur in mere seconds. By the time a security team has validated the threat and blocked the malicious traffic, it is often too late. DFLabs integration with McAfee Web Gateway allows organizations to automatically contain the threat and stop the bleeding until further action can be taken.
The Runbook begins by performing several basic Enrichment actions, such as gathering WHOIS and reverse DNS information on the destination IP address. Following these basic Enrichment actions, the Runbook continues by querying two separate threat reputation services for the destination IP address. If either threat reputation service returns threat data above a certain user-defined threshold the Runbook will continue along a path which takes additional action. Otherwise, the Runbook will record all previously gathered data, then end.
If either threat reputation service has deemed the destination IP address to be potentially malicious, the Runbook will continue by using an additional Enrichment action to query the organization’s IT asset inventory. Although this information will not be utilized by the automated Runbook, it will play an important role in the process shortly.
Next, the Runbook will query a database of known-good hosts for the destination IP address. In this use case, it is assumed that this external database has been preconfigured by the organization and contains a list of all known-good, whitelisted, external hosts by IP address, hostname and domain. If the destination IP address does not exist in the known-good hosts’ database, the security analyst will be prompted with a User Choice decision. This optional special condition within IncMan will pause the automatic execution of the Runbook, allow the security analyst to review the previously gathered Enrichment information and allow the security analyst to make a conditional flow decision. In this case, the User Choice decision asks the security analyst if they wish to block the destination IP address. If the analyst chooses to block the destination IP address, a Containment action will utilize McAfee Web Gateway to block the IP until further investigation and remediation can be conducted.
If you want to learn more about how to contain threats, block malicious traffic and halt data exfiltration utilizing Security Orchestration, Automation and Response (SOAR) technology, get in touch with one of the team today to request your live one to one demo.
When it comes to Security Orchestration, Automation and Response (SOAR), the use cases will vary depending on a number of factors, such as the enterprise-specific internal environment, the industry or vertical the enterprises serve and even the legal and regulatory compliance that need to be met.
In this blog post we will cover five of the most common use cases for a Security Orchestration Automation and Response (SOAR) solution and how by utilizing this technology, a security alert and potential incident can be quickly detected, responded to and resolved without having a major impact on the organization.
It is key to point out that a use case is only limited by the creativity of the organization itself. A Security Orchestration Automation and Response SOAR platform, such as IncMan SOAR from DFLabs, should be able to cater for any scenario and use case that is required.
Phishing emails have become one of the most critical issues faced by organizations over the past several years. Some of the most recent high-profile data breaches have resulted from carefully crafted phishing emails. Security Orchestration, Automation and Response (SOAR) is perfectly positioned to enable automatic triage and examination of suspected phishing emails by extracting artifacts from the email, then performing additional enrichment on these artifacts and if necessary, containing the malicious email and any malicious payloads.
Suspicious emails may be received via any one of the numerous email scanning solutions available today, or via a monitored email address provided to end users to submit suspicious emails to. Once the email is received, SOAR can extract artifacts, such as header information, email addresses, URLs and even attachments. What happens next will largely depend on the organizations’ individual technology integrations. The extracted information may be submitted to various threat reputation and intelligence services, SIEM, EDR or network appliance logs may be queried, and attachments may be detonated in a sandbox. Once the available information has been enriched, if determined to be malicious, automated or semi-automated containment actions may be taken, such as quarantining or deleting the phishing email, searching for and deleting other instance of the phishing email in other user’s accounts, blocking IP addresses or URLs, banning executables from running or quarantining the user’s workstation.
Regardless of the integrations used, utilizing SOAR to examine and respond to phishing emails can reduce the time to investigate these pervasive threats from hours to minutes, automatically containing the attack and minimizing risk to the organization.
The influx of detection technologies means that organizations are facing a constant barrage of alerts. Many of these alerts are generated due to traffic that one detection technology or another has deemed to be potentially malicious. This is usually based on some type of threat indicator, which may or may not be reliable. It is often left up to the organization to further triage and investigate each of these alerts to determine if they are a false positive or an actual potential security event.
Alerts regarding malicious traffic may be received by a SOAR directly, or after being ingested and forwarded by a SIEM. In either case, the advantage of using a SOAR to automate and orchestrate actions surrounding these types of events comes from the automatic enrichment, as well as potential containment of the detected indicators. Under normal circumstances, analysts would use whatever data enrichment tools are available, such as threat intelligence, reputation services, IT asset inventories and tools such as nslookup and whois. Analysts would then determine if the indicators appeared to be malicious, at which point containment and further investigation would begin. Using SOAR technology, it is simple to codify a process such as this into an automated workflow, automatically performing data enrichment as soon as the alert is received. A SOAR solution can also automate the process of searching for additional instances of the same indicator across the organization, alerting analysts to any additionally detected occurrences. Automated or semi-automated containment is also possible; for example, blocking an IP address or URL via the firewall or proxy, or isolating a host pending further investigation.
Alerts regarding potentially malicious traffic are common-place and often sit in the queue for some time before they are investigated. While most are false positives or low priority, any one of these could be the only indicator of a potentially serious data breach. Security Orchestration, Automation and Response (SOAR) Technology allows immediate triage and response to each of these alerts almost instantaneously, automating the mundane, repeatable processes while allowing analysts to focus on the most significant alerts.
Security Orchestration Automation and Response was not intended to be a vulnerability management platform and will never replace the robust vulnerability management systems available today. However, there are some aspects of a good vulnerability management program that a SOAR platform can streamline. In larger enterprises, vulnerability management is often a task performed outside the security team. This can lead to potential risk as the security team may not be aware of vulnerabilities that exist within the infrastructure.
A SOAR solution can be used to ensure that the security team is made aware of any new vulnerabilities within the organization. This allows the security team to proactively examine the vulnerable host, when appropriate, to ensure that there is no evidence of exploitation, place any appropriate additional safeguards in place, and subject the host to increased monitoring until the vulnerability has been mitigated.
Beyond notifying the security team, a Security Orchestration, Automation and Response SOAR solution may also be used to further enrich vulnerability and host information. For example, a SOAR solution could be used to query a database of vulnerabilities to gather additional information on the vulnerability, query Active Directory or CMDB for asset information, or query a SIEM or EDR for events. Based on vulnerability, host or event information, the case could be automatically upgraded or reassigned, or the host could even be temporarily isolated until appropriate mitigation tasks could be performed.
While suitable testing and deployment of patches are critical in an enterprise environment, existing vulnerabilities present an ongoing risk to the organization. It is crucial that the security team are aware of these risks and take the proper steps to ensure that the vulnerability has not and will not be exploited until it can be properly addressed. A Security Orchestration, Automation and Response (SOAR) solution can be utilized to ensure that the security team remains informed of all current vulnerabilities and can efficiently evaluate the possible risk of each vulnerability in order to take proper risk mitigation actions.
Managed Security Service Providers (MSSPs) face many of the same issues as Computer Security Incident Response Teams (CSIRTs) and Security Operations Centers (SOCs), but on a much larger scale. In addition to these shared challenges, MSSPs also face some unique issues which the SOAR technology can address. MSSPs must work within the confines of strict service level agreements (SLAs). Failing to meet these SLAs could result in loss of business, loss of reputation and even the potential for legal action. Automating and orchestrating actions with a Security Orchestration, Automation and Response SOAR solution allows MSSPs to work more efficiently, ensuring that all SLAs are met. In addition, MSSPs are constantly under pressure to prove to customers that these SLAs are being met, that they are taking appropriate, timely actions and that they are continuing to provide value to their customers. The advanced metrics and audit logs of a SOAR addresses these needs by providing a robust set of metrics suitable for both analysts and executives alike.
MSSPs must also find a method to manage each customers data securely and in a segregated manner. At the same time, MSSPs must also ensure that each customer is provided access to their data to ensure transparency and to allow seamless teamwork between the MSSP and the customer’s internal teams. Security Orchestration, Automation and Response (SOAR) accomplishes these tasks by providing individual tenants for each customer, physically segregating each customers data to ensure confidentiality while allowing the MSSP access across customer tenants for ease of use.
Although not strictly an orchestration and automation function, case management is an important part of the incident response process and is another function that SOAR can help streamline. Many organizations struggle with managing the vast amounts of disparate information that is gathered during a security incident. Spreadsheets and shared documents are simply not sufficient for managing a complex cyber incident.
Not only does SOAR maintain all information and enriched data gathered from automated and orchestrated activities, it also maintains a detailed audit log of all actions taken during the response. A full-featured SOAR solution should also allow for detailed task management, allowing incident managers to create, assign and monitor tasks assigned to all analysts taking part in the response. In addition, a full-featured SOAR should also allow users to track assets involved in the incident and maintain a detailed chain of custody for all physical and logical evidence.
A Security Orchestration, Automation and Response (SOAR) with full case management functionality will help ensure the smooth and efficient handling of an incident from identification through remediation, providing responders will the information they need right at their fingertips and allowing them to focus on the task at hand.
If you would like to see a SOAR solution in action and discuss your specific use cases, request a live demo today.
In our previous two blogs, we looked at some of the most common problems a Security Orchestration, Automation and Response (SOAR) Technology is designed to solve and the three pillars of a SOAR solution. We will round out this three-part series by taking a more detailed look at some of the most critical SOAR Technology components any SOAR solution should possess. While some of these components may be more critical than others to individual organizations, each plays an important role in the overall function of a SOAR solution and should be considered when evaluating different platforms.
1. Customizability and Flexibility
No two security programs will be alike; this is especially true when you cross vertical lines. For a SOAR solution to be effective, it should be capable of being the single tool on top of the security stack. A SOAR solution should be able to be implemented in a manner that is optimized for CSIRT teams, as well as SOCs, MSSPs and security teams. Data input from a multitude of sources, including machine to machine, email, user submissions and manual input should be supported. The importance of security metrics means that customers should be able to customize not only the values available in the solution but also what attributes are tracked as well.
The number of security solutions, commercial, open source, and developed in-house means that any viable SOAR solution must be flexible enough to support a multitude of security products. Any SOAR solution will support many security products out of the box, however, the likelihood that all the organization’s security products will be supported by default is low. For that reason, it is crucial that a SOAR solution has a flexible option in place that allows customers to easily create bi-directional integrations with security products which are not supported by default.
2. Process Workflows
One of the key benefits of a SOAR solution is being able to automate and orchestrate process workflows to achieve force multiplication and reduce the burden of repetitive tasks on analysts. To achieve these benefits, a SOAR solution must be able to support flexible methods for implementing process workflows. The implementation of these workflows must be flexible enough to support almost any process which may need to be codified within the solution. Workflows should support the use of both built-in and custom integrations, as well as the creation of manual tasks to be completed by an analyst. Flow controlled workflows should support multiple types of flow control mechanisms, including those which allow for an analyst to make a manual decision before the workflow continues.
3. Incident Management
Incident response is a complex process. Orchestration and automation of security products provide obvious value to any security program, but to maximize the time and monetary investment in a SOAR solution, a comprehensive SOAR solution should include additional features to manage the entire incident response lifecycle. This should include basic case management functionality, such as tracking cases, recording actions taken during the incident and providing reporting on critical metrics and KPIs. This should also include other ancillary functions such as detailed task tracking, evidence, and chain of custody management, asset management, and report management.
4. Threat Intelligence
Actionable threat intelligence is a critical component in effective and efficient incident response. While simple threat intelligence feeds still provide some value and should be supported by a SOAR solution, to be truly effective in today’s threat landscape, threat intelligence must go above and beyond simple feeds. Because a SOAR solution has access to not only the indicators but also the rest of the incident information which can provide the additional context, it is in a unique position to gather actionable threat intelligence.
A proactive security program requires threat intelligence to be properly correlated to discover attack patterns, potential vulnerabilities and other ongoing risks to the organization. This correlation should be done automatically and it should be immediately clear if an ongoing incident may share common factors with any previous incidents. Because threat intelligence can consist of a vast amount of data, visual correlation is also an important factor when assessing threat intelligence capabilities.
5. Collaboration and Information Sharing
Incident response is not one player sport. Response to a security incident will likely include multiple individuals and potentially multiple teams and even organizations. To be effective in a team environment, a SOAR solution must support seamless collaboration and information sharing among team members in a controlled manner.
Collaboration and information sharing must also be possible outside of the organization itself. This is especially true in the context of threat intelligence. Open sharing of threat intelligence, when possible, it a critical tool in fighting cybercrime. There are numerous avenues available to share threat intelligence, open, closed and industry-specific. The majority of these threat intelligence sharing programs utilize one of the open standards for threat intelligence, such as STIX/TAXII, OpenIOC or MISP, and each of these standards should be supported by a SOAR solution.
For more information on any of these topics covered in this three-part series, please check out our whitepaper “Security Orchestration, Automation, and Response (SOAR) Technology” here.
Earlier this year I was talking to a colleague about the state of SOC operations and how I was looking forward to going to the SANS Security Operations Summit in New Orleans in July. The folks who attend SANS events are at the top of their game and let’s be honest, SANS provides some of the best training in our industry, so what’s not to love?
The conversation quickly turned to how to provide better scalability within SOC operations. Given that our teams are confronted with an increased number of alerts coming from more sophisticated actors on a daily basis, how do we keep up? We spoke about the need for better security automation to enrich the information available at the onset of an incident and how malware has been automating since the Morris worm 30 years ago.
At one point she asked me how best we can handle the transfer of incident handling “tribal knowledge” from the senior Incident Response personnel to the junior members, given the daily workload they carry. I thought about it for a moment and threw out that perhaps increased spending for machine learning or AI could help bridge the knowledge gap. She then asked, “Couldn’t we take that money and invest in knowledge transfer within the team instead?”. That simple and simultaneously complex question got me to thinking about how we can better utilize existing resources to provide that knowledge transfer in an environment as dynamic and rapidly changing as an Incident Response organization.
I thought this topic was interesting enough to make it my focus for my upcoming speaking engagement at SANS.
As we already know an increased workload coupled with an industry-wide shortage of skilled responders is heavily impacting operational performance in Security Operations Centers (SOC) globally and an integral part of the solution is formulating a methodology to ensure that crucial knowledge is retained and transferred between incident responders. By utilizing Security Orchestration, Automation and Response (SOAR) technology, security teams can combine traditional methods of knowledge transfer with more modern techniques and technologies.
Join me at the SANS Security Operations Summit on July 30, 2018 at Noon for an informal “Lunch and Learn” session to discuss how we ensure that the Incident Response knowledge possessed by our senior responders can be consistently and accurately passed along to the more junior team members while simultaneously contributing to the Incident Response process. I look forward to meeting you there.
If you are not attending the summit, don’t worry, you can visit our website to find out more information about the benefits of utilizing a SOAR solution with DFLabs’ IncMan SOAR platform. Alternatively, if you would like to have a more in-depth discussion, you can arrange a demo to see IncMan live in action.
Increasing Adoption of SOAR Solutions
Over the past several years, Security Orchestration, Automation and Response (SOAR) has gone from being viewed as a niche product to one gaining traction across almost all industry verticals. Today, more and more private organizations, MSSPs and governments are turning to SOAR Technology to address previously unsolved problems in their security programs. SOAR is about taking action: “Automate. Orchestrate. Measure”. Organizations are implementing a SOAR solution to improve their incident response efficiency and effectiveness by orchestrating and automating their security operations processes. Gartner estimates that by 2019, 30% of mid to large-sized enterprises will leverage a SOAR technology, up from an estimated 5% in 2015.
In this three-part blog, we will discuss the key drivers for SOAR adoption and what problems a SOAR solution can help solve. In the next blog, the second part of this three-part blog, we will discuss the three pillars of Security Orchestration, Automation and Response (SOAR). Finally, we will round out the series by discussing the critical components and functionality that a SOAR solution should contain.
Five Key Problems SOAR Technology Helps to Solve
Like many new product categories, Security Orchestration, Automation and Response (SOAR) technology was born from problems without solutions (or perhaps more accurately, problems which had grown beyond the point that they could be adequately solved with existing solutions). To define the product category more accurately, it is crucial to first understand what problems drove its creation. There are five key problems the SOAR market space has evolved to address.
- Increased workload combined with budget constraints and competition for skilled analysts means that organizations are being forced to do more with less
As the number and sophistication of threats has grown over the past decade, there has been an explosion in the number of security applications in the enterprise. Security analysts are being forced to work within multiple platforms, manually gathering desperate data from each source, then manually enriching and correlating that data. Although it may not be as difficult to find security analysts as it once was, a truly skilled security analyst is still somewhat of a rare breed. Intense competition for these skill analysts means that organizations must often choose between hiring one highly skilled analyst, or several more junior analysts.
- Valuable analyst time is being consumed sorting through a plethora of alerts and performing mundane tasks to triage and determine the veracity of the alerts
Even when alerts are centrally managed and correlated through a SIEM, the number of alerts is often overwhelming for security teams. Each one of these alerts must be manually verified and triaged by an analyst. Alerts which are determined to be valid then require additional manual research and enrichment before any real action can be taken to address the potential threat. While these manual processes are taking place, other alerts sit unresolved in the queue and additional alerts continue to roll in.
- Security incidents are becoming more costly, meaning that organizations must find new ways to further reduce the mean time to detection and the mean time to resolution
The cost of the average incident has increased steadily year on year. The immediate cost of an incident due to lost sales, employee time spent, consulting hours, legal fees and lawsuits is relatively easy to quantify. The financial loss due to reputational damage, however, can be much more difficult to accurately measure. Reducing the time to detect and resolve potential security incidents must be an absolute priority. Each hour that a security incident persists is effectively money out of the door.
- Tribal knowledge is inherently difficult to codify, and often leaves the organization with personnel changes
Employee retention is an issue faced by almost every security team. Highly skilled analysts are an extremely valuable resource for which competition is always high. Each time an organization loses a seasoned analyst, some tribal knowledge is lost with them and they are replaced with an analyst who, even if they possess the same technical skills, will lack this tribal knowledge for at least a period of time. Training new analysts takes time, especially when processes are manual and complex. Documenting security processes is a complex, but critical task for all security teams.
- Security operations are inherently difficult to measure and manage effectively
Unlike other business units which may have more concrete methods for measuring the success or failure of a program, security metrics are often much more abstract and subjective. Traditional approaches to measuring return on investment are often not appropriate for security projects and can lead to inaccurate or misleading results. Properly measuring the effectiveness and efficiency of a security product or program requires a measurement process specially designed to meet these unique requirements.
About DFLabs IncMan SOAR
DFLabs is an award-winning and recognized global leader in Security Orchestration, Automation and Response (SOAR) technology. Its pioneering purpose-built platform, IncMan SOAR, enables SOCs, CSIRTs, and MSSPs to automate, orchestrate and measure security operations and incident response processes and tasks. IncMan SOAR drives intelligence-driven command and control of security operations, by orchestrating the full incident response and investigation lifecycle and empowers security analysts, forensic investigators and incident responders to respond to, track, predict and visualize cyber security incidents. As its flagship product, IncMan SOAR has been adopted by Fortune 500 and Global 2000 organizations worldwide.
Schedule a live demo with one of our cyber security specialists here and see DFLabs IncMan SOAR platform in action. For more information on any of these topics, please check out our new whitepaper titled “Security Orchestration, Automation, and Response (SOAR) Technology” here.
Stay tuned for our next blog in this series, where we will discuss the three pillars of SOAR technology.