Last week, Anton Chuvakin from Gartner announced that Augusto Barros and himself are planning to conduct research in Q4 2017 on the topic of Security Orchestration, Automation and Response (SOAR), or Security Automation and Orchestration, depending on which analyst firms’ market designation you follow. At DFLabs we are very excited that Gartner is finally showing our market space some love and will be helping end users to better assess and differentiate SAO offerings.
Anton provided many questions that he wanted SAO vendors to prepare for. The questions immediately piqued our interest, with one question, in particular, standing out to us.
1.When is SOAR a MUST have technology? What has to be true about the organization to truly require SOAR? Why your best customer acquired the tools?
Anton also said that he had one main problem with Security Automation and Orchestration. In his own words, “For now, my main problem with SOAR (however you call those security orchestration and automation tools…if you say SOAPA or SAO we won’t hate you much) is that I have never (NEVER!) met anybody who thought “my SOAR is a MUST HAVE.”
The question is not entirely unwarranted. During my own time at Gartner covering the SOAR space, I spoke to many clients who were seeking an SAO solution without knowing that they were. Typical comments were, “I have too many alerts and false positives to be able to deal with them all”, or “We are struggling to hire enough skilled people to be able to respond to all of the incidents that we have to manage”. Another common comment was, “I am struggling to report operational performance to my executives?”. Often, these comments were followed by the question, “Do you know of any technology that can help?”.
Typically, these organizations had a mature security monitoring program, usually built around a SIEM. They often had critical drivers, such as regulatory requirements, or held sensitive customer data. We hear the same buying drivers from our own customer base.
To sum up the most common drivers for someone asking about Security Automation and Orchestration:
- A high volume of alerts and incidents and the challenge in managing them
- A large portfolio of diverse 3rd party security detection products resulting in a large volume of alerts
- Regulatory mandates for incident response and breach notification
- An overstretched security operations team
- Reporting risk and the operational performance of the CSIRT and SOC to an executive audience
One interesting thing is that when there is no external driver like regulatory compliance, deploying a Security Automation and Orchestration solution is often determined by maturity. Most organizations don’t realize that they will be unable to cope with the volume of alerts and the resulting alert fatigue until they have deployed a SIEM and a full advanced threat detection architecture.
The common misconception is that the SIEM can help to reduce the number of incoming alerts by applying correlation rules. This not entirely untrue, but correlation rules will only reduce a small percentage. They are essentially signature based. You need to know in advance what you want to correlate, and adding a correlation rule to cover all and every incoming alert is not a trivial task. Even with correlation rules, additional work will be required to qualify an incident. Gathering additional IoC’s, incident observables and context is still a very manual process. Lastly, detection is only one part of the entire incident response process – notifying stakeholders, gathering forensic evidence and threat containment will also have to be done manually. These are the areas where SAO solutions provide the greatest ROI – as a force multiplier.
The latest ransomware attack that broke out last Friday, affecting more than 200,000 computers across 150 countries by Sunday, once again highlighted the need for improved preparedness to respond to large-scale cyber incidents by implementing advanced security automation and orchestration solutions capable of containing the damage from such events. In this case, the attackers exploited a vulnerability in Windows Server Message Block (SMB) protocol, which had been discovered and kept quiet for exclusive use by the National Security Agency (NSA).
WannaCry, as the virus is called, is delivered via an email attachment and when executed, paralyzes computers running vulnerable Windows operating systems by encrypting their files. Once it encrypts a computer’s hard disk, WannaCry then spreads to vulnerable computers connected to the same network, and also beyond, via the Internet. This is in many ways a typical ransomware attack, infecting computers with a virus that has the ability to spread quickly to other vulnerable systems; however, the infection in this instance, and the speed at which it spread, was more intense than any other such attack in recent memory. The consensus among cyber security experts around the world is that the damage from this attack could have been reduced to a minimum, and more serious consequences could have been avoided, if organizations had been better prepared and had more effective cyber incident response plans and solutions in place.
Early Detection and Damage Containment via Automation and Orchestration
When affected by an attack such as WannaCry, after an organization’s computer system has been breached, the best thing that the organization can do is try to keep the incident under control by preventing the infection from spreading. There are various security solutions designed to achieve this end, but an automation and orchestration platform is arguably the best suited for the task. When an infected computer is detected, this platform can quickly isolate it in the early stages of an attack, blocking traffic to and from it to contain its spread, and thus reduce the business impact to a minimum.
Recovery and Remediation
Once containment is achieved, the platform provides organizations with the ability to quickly remediate the incident by guiding cybersecurity professionals through the entire process, using pre-defined playbook actions for a faster and more effective execution. The playbook actions can suggest the best remediation and recovery methods, and how to enforce them in the most effective manner. For instance, how to restore files and update the appropriate firewall rules.
All of the above is only a fraction of the capabilities of a typical automation and orchestration platform, a security tool that has become critical for any organization seeking to avoid the immense cost and long-lasting consequences of cyber-attacks such as WannaCry.
Cyber-attacks such as this one are only expected to become more common and more sophisticated in the future, and for this reason WannaCry should serve as an example of why now is the time for organizations serious about cyber security to focus on improving preparedness and containment capabilities through investment in advanced security automation and orchestration.
Security Orchestration and Automated Response (SOAR) is a relatively new cyber security solution category. The aim of these platforms is to provide a centralized software solution to manage the complete lifecycle of a cyber incident, orchestrate security products to a determined goal, and respond to cyber incidents in an automated or semi-automated fashion. The SOAR category is of particular interest to Security Operations Center Teams, as this product is now seen as the backbone of incident management.
Given the differences that can exist between Security Operations Center or Cyber Incident Response teams, it’s rare to find items that share a commonality between the incident response organizations when evaluating incident response solutions. Given that, the following seem to share a common focus during the evaluation process:
In no particular order:
1. Supervised Active Intelligence™
This is a methodology that best describes one of our most powerful features within IncMan™, the ability to arm your SOC teams with selected intelligence related to a cyber incident. This feature provides targeted information and is provided directly to the assigned investigator. This information is paramount to starting a cyber investigation, and we see on a daily basis that cyber incidents without this information have a very slow reaction time. However, the most important factor is your teams take steps that are guided by the intelligence generated within an IncMan playbook as they work through their playbook actions.
2. Intelligent Correlation Engine
As per the Supervised Active Intelligence feature, within our IncMan platform, the intelligence will be captured and build upon the growing information around cyber incidents. This information is analyzed by IncMan, providing a visual representation of how an incident has progressed and if any other incidents share common features. I.e. they affected the same users, or same machine types, patterns that have emerged etc. We visualize this information over a timeline, allowing the SOC team the ability to correlate the cyber security incidents to business events or even basic tracking how malware has traversed through several machines and at what rate.
3. Extended Knowledge base with your own intelligence or from others
We understand as an organization how important it is to use multiple sources of external intelligence. This has allowed us to provide the ability to extend the IncMan knowledge base with the information required by your SOC team. For example, some clients use the knowledge base to add additional fraud intelligence and prevention information. We natively support TAXII and other feeds using the STIX format of intelligence sharing. Alternatively, if you are a part of an intelligence sharing network, IncMan permits the API connection.
Another feature which we often see utilized by CSO’s and CISO’s alike is regarding the knowledge base and Cyber Incident linking capabilities. We allow tagging and linking of knowledge base articles with cyber incidents to aid reporting and impact visibility to the stake holders.
4. Integrating your environment
As mentioned earlier, IncMan allows the use of your current environment and the products you already have readily available. As our client, we want to bring you from “Zero to Hero” in the shortest time span possible with pre-configured integrations that are enabled within minutes. With IncMan you choose how you want to leverage your existing products. The crucial point is we know every environment is a mixture of multiple moving parts and we can integrate with your existing framework to ensure maximum availability while minimizing response time and resource expenditures.
Playbooks can be thought of in the context of American football. The term playbook was created to give a visual meaning to orchestrating team members for a single goal, given a scenario presented to a team or organization. The three distinct teams are as follows
– Defense, and containment for cyber incident response
– Special Teams for enrichment and providing both teams with more information and field position for American football
– The offense for mitigating incidents and going on the offensive to put the company in a positive, advantageous position given the situation that is presented in front of them.
For those of you not into the American Football analogy; Playbooks give your teams meticulous control over pre-defined workflows to drive policy and procedures in a repeatable, consistent and enforced manner. This allows for enrichment, containment, and mitigation driven through one product – IncMan.