When is Security Automation and Orchestration a Must-Have Technology? – Addressing Gartner’s SOAR Question

Last week, Anton Chuvakin from Gartner announced that Augusto Barros and himself are planning to conduct research in Q4 2017 on the topic of Security Orchestration, Automation and Response (SOAR), or Security Automation and Orchestration, depending on which analyst firms’ market designation you follow. At DFLabs we are very excited that Gartner is finally showing our market space some love and will be helping end users to better assess and differentiate SAO offerings.

Anton provided many questions that he wanted SAO vendors to prepare for. The questions immediately piqued our interest, with one question, in particular, standing out to us.

1.When is SOAR a MUST have technology? What has to be true about the organization to truly require SOAR? Why your best customer acquired the tools?

Anton also said that he had one main problem with Security Automation and Orchestration. In his own words, “For now, my main problem with SOAR (however you call those security orchestration and automation tools…if you say SOAPA or SAO we won’t hate you much) is that I have never (NEVER!) met anybody who thought “my SOAR is a MUST HAVE.”

The question is not entirely unwarranted. During my own time at Gartner covering the SOAR space, I spoke to many clients who were seeking an SAO solution without knowing that they were. Typical comments were, “I have too many alerts and false positives to be able to deal with them all”, or “We are struggling to hire enough skilled people to be able to respond to all of the incidents that we have to manage”. Another common comment was, “I am struggling to report operational performance to my executives?”. Often, these comments were followed by the question, “Do you know of any technology that can help?”.

Typically, these organizations had a mature security monitoring program, usually built around a SIEM. They often had critical drivers, such as regulatory requirements, or held sensitive customer data. We hear the same buying drivers from our own customer base.

To sum up the most common drivers for someone asking about Security Automation and Orchestration:

  1.  A high volume of alerts and incidents and the challenge in managing them
  2.  A large portfolio of diverse 3rd party security detection products resulting in a large volume of alerts
  3.  Regulatory mandates for incident response and breach notification
  4.  An overstretched security operations team
  5.  Reporting risk and the operational performance of the CSIRT and SOC to an executive audience

One interesting thing is that when there is no external driver like regulatory compliance, deploying a Security Automation and Orchestration solution is often determined by maturity. Most organizations don’t realize that they will be unable to cope with the volume of alerts and the resulting alert fatigue until they have deployed a SIEM and a full advanced threat detection architecture.

The common misconception is that the SIEM can help to reduce the number of incoming alerts by applying correlation rules. This not entirely untrue, but correlation rules will only reduce a small percentage. They are essentially signature based. You need to know in advance what you want to correlate, and adding a correlation rule to cover all and every incoming alert is not a trivial task. Even with correlation rules, additional work will be required to qualify an incident. Gathering additional IoC’s, incident observables and context is still a very manual process. Lastly, detection is only one part of the entire incident response process – notifying stakeholders, gathering forensic evidence and threat containment will also have to be done manually. These are the areas where SAO solutions provide the greatest ROI – as a force multiplier.

Remove the Menial Tasks Through Automation

Alert fatigue is the desensitization when overwhelmed with too much information. The constant repetition and sheer volume of redundant information are painful and arduous but sadly often constitutes the daily reality for many people working in cyber security. Mike Fowler (DFLabs’ VP of Professional Services) discusses several best practices to help with some of the challenges involved in this in his recent whitepaper “DFLabs as a Force Multiplier in Incident Response”. I am going to discuss another one, but looking at it from a slightly different angle.

Imagine the scenario where we have tens of thousands of alerts. Visualize these as Jigsaw pieces with a multitude of different shapes, sizes and colors and the additional dimension of different states. We have alerts from a firewall, anomalies from behavioral analytics, authentication attempts, data source retrieval attempts or policy violations. Now, there are a lot of ways to shift through this information, for example by using a SIEM’s to correlate the data and reduce the some of the alerts. The SIEM could identify and cross-reference the colors and shapes of the jigsaw pieces so to speak.

The next question once that I’ve got the all the pieces I need for the puzzle is how do I put this together? How do I complete the puzzle and unlock the picture?

The “what does the jigsaw picture?” question is something that will often puzzle the responders, pun intended. How do you prioritise and escalate incidents to the correct stakeholders? How do you apply the correct playbook for a specific scenario? How do you know which pieces of information to analyse to fit the jigsaw pieces together and make sure the puzzle looks correct?

Automation process can speed up putting that puzzle together, but making sure you automate the right things is just as critical. If skilled staff are running search queries that are menial, repetitive and require little cognitive skill to execute, you should ask yourself why they are performing these and not instead focused on analyzing the puzzle pieces to figure out how they fit together?

Remove the menial tasks. Allow automation to do the heavy lifting so your teams are not only empowered by the right information they need to successfully manage the response to an incident but also to give them more time to figure out the why, how and what of the threat.

We also welcome you to join us for a webinar hosted by Mike Fowler on this topic on the 6th of September.

A Weekend In Incident Response #4: How to Reduce the Noise of Cyber Threat Intelligence

Is Cyber Threat Intelligence Still Useful?

The importance of information in business in today’s modern world is invaluable. But, in some cases, having large amounts of information coming your way can actually hurt your business. This holds true particularly for organizations that are constantly dealing with the risk of cyber attacks, and every piece of information that could help them prevent those attacks can be of great use to them. This is where cyber threat intelligence comes in, as one of the crucial aspects of developing an effective cyber defense strategy.

But, with so many feeds from various sources at their disposal, determining which information is relevant and credible and distinguishing it from the data that is not essential in regard to a potential cyber threat has become a major challenge for many cyber security professionals. As a result, being able to reduce the noise coming from the flurry of threat intelligence is now key to creating successful security operations.

Overwhelming Amount of Cyber Threat Information

A new study recently conducted by Ponemon Institute LLC, and sponsored by Anomali, reveals that the amount of threat intelligence that cyber security professionals deal with is overwhelming, preventing them from tackling incidents more efficiently.

The study, titled The Value of Threat Intelligence: A Study of North American and United Kingdom Companies, surveyed more than 1,000 professionals from the cyber security industry, with 70 percent of them saying that threat intelligence is often “too voluminous and/or complex to provide actionable intelligence”. This is a figure that should raise a concern, considering that almost half of the respondents (46%) said that incident responders rely on threat data during the incident response process. Furthermore, according to the study, there is too much data to really make sense of if enterprises have a limited resource staff of security operations center analysts or threat analysts.

SIEM Integration Vs IR Orchestration

Cyber security experts agree that in order to be able to use cyber threat intelligence data in an effective and productive way, there must be an SIEM integration in place. However, while 62% of those surveyed said they were aware of this necessity, as many as 64% of them stated that putting such integration in place takes a lot of time and resources, making it a tough feat.

In my corporate experience, the companies that are actually integrating SIEM with CTI, represent a minority. The main challenge of such lack of integration is the impossibility of valorizing the TI Feeds, during an incident. But, there is a new technology trend that addresses this exact problem. There are platforms that are capable of sitting on top of the SIEM, integrating multiple tools from different vendors, which is one of the biggest challenges that threat analysts are faced with. This approach is usually taken during the incident triage phase, it is not intended to be a SIEM replacement but can help SOC and CSIRTs to reduce reaction time and related noise. Such platform fits the Incident Response and SOC Orchestration space, featuring multiple integrations that are easy to use and configure and, nowadays, are probably the only way to reach a near real time- and money-saver incident response, filling the gap that is created when the data sources are originated by different vendors. Such platforms support SIEM integration and could represent a great solution for all entities that are trying to create a successful and affordable cyber defense, by effectively reducing the noise of threat intelligence.

In one of my next columns, I will introduce this paradigm, along with its main potentials in the world of Security Operations and Incident Response. In the meanwhile, you can follow me on our LinkedIn Page, by clicking here.