Understanding the Difference Between SOCs and CSIRTs

Building an effective security strategy in organizations today requires the right combination of experts, processes, tools and technologies. Luckily, there are many different ways in which you can organize them to fit your company’s needs.

The two types of teams most often mentioned today are Security Operations Centers (SOCs) and Computer Security Incident Response Teams (or CSIRTs). SOCs and CSIRTs have distinctive roles and responsibilities, so deciding which one is better for your organization’s security program isn’t always easy. This blog post will focus on explaining their main objectives and how they differ in structure, which may help you to decide which one is more suitable for your organization’s internal infrastructure and strategy, especially if you are looking to set one up in the near future as your business expands.  

Security Operations Center (SOC)

The term SOC bears the connotation of an environment designed specifically to defend corporate data and networks, and it can be used to describe the facility where carrying out security tasks takes place or the people who are responsible for that.

A SOC is the “brain” of a security organization, as it acts as the center of all roles and responsibilities, with the main goal of protecting information within the organization. Its main tasks are:

  • Prevention
  • Detection
  • Incident management / response
  • Reporting
  • Anything that involves managing and protecting information within the company

Furthermore, the SOC also monitors people, technology and tools, and processes involved in all aspects of cybersecurity. Often companies have a SOC before they decide to establish a separate CSIRT. The end objective of every SOC is to monitor and take care of every cyber activity that takes place and ultimately ensure the organization is protected against any type of attack.

The SOC is also responsible for incident response if there is no formal CSIRT established within the organization. If there is, the SOC helps the CSIRT in responding faster and more efficiently to a cyber threat.

The SOC is responsible for the following:

  • Monitoring the security of users, systems, and applications
  • Prevention, detection, and response to security threats
  • Creating and managing procedures
  • Integration of security systems with other tools

What makes a SOC unique and different from other units within the organization is its centralized role with a strong focus on combining techniques, skills, and technology, by utilizing tools to increase the protection of the company against threats. It’s also important to underline that even though incident prevention and management is not its specialty, a SOC may still cover these events as well, being a department that covers all things related to cyber security.

Computer Security Incident Response Team (CSIRT)

CSIRT is a centralized department within an organization whose main responsibilities include receiving, reviewing, and responding to security incidents. CSIRTs may work under SOCs, or function individually, depending on the organization’s needs and structure.

The main goal of a CSIRT is to minimize and control the consequences of an incident. It is not just about addressing the attack itself; the team’s role also involves communicating with boards, executives, and clients about the incident.

Some of its main responsibilities include:

  • Prevention, detection, and response to security threats
  • Ranking alerts and tasks
  • Investigating and conducting forensics on incidents
  • Coordinating strategies

What do CSIRTs do?

The basis of every CSIRT is providing incident management. The CSIRT is the central point of contact in the event of a security incident. Depending on how fast a CSIRT team responds to an incident, it can limit the damage from the incident by providing rapid response and recovery solutions. This ensures the workflow is uninterrupted and lowers the overall costs.

Incident management presupposes three functions: reporting, analysis and response. With this being said, the CSIRT activities usually involve the following:

  • Understanding incidents – CSIRTs must be aware of the nature of the incident and the consequences that might arise from it. A repository of past incidents helps teams gain insight into the patterns of a certain cyber attack, which can lead to future activities that prevent the recurrence of such attacks.
  • Handling negative impact – CSIRTs carry out elaborate research of a certain problem and recommend solutions for it.
  • Assisting other departments – CSIRT teams distribute alerts across the organization on the latest threats and risks.
  • Composing security strategies

Does my organization need a CSIRT?

The CSIRT within an organization may be a formal unit or an ad-hoc team, depending on the company’s needs. If your organization is not facing a cyber threat on a regular basis, the need for a CSIRT might not be as big as for larger organizations, or companies in high-risk industries, such as healthcare, finance or government. In industries such as these, responding to threats happens daily and there’s a need for a formal, full-time CSIRT.

Whatever the needs of your organization, don’t forget that a CSIRT team will evolve with time. What might start as an ad-hoc team may develop into a full functioning department as the business expands and progresses.

Final Thoughts

Regardless of the final choice, which will depend on a number of individual requirements and factors (including but not limited to the size of the organization, the number of threats it faces, the industry and the maturity of the company’s security program), don’t forget that whatever team is established, it is always important to clearly define roles and responsibilities, have efficient processes in place that can be automated, and implement the right tools and technologies that will help your team do their job more effectively. Set up correctly, SOCs and CSIRTs will enable the organization to respond to all security alerts and react faster to the ever-evolving range of cyber security incidents.

Automatic Observable Harvesting With IncMan SOAR

As soon as the first indicator of compromise is located, the most common next step is to try to pivot from that indicator to find additional indicators or evidence on the network. While it is sometimes necessary to perform your own research to determine what additional indicators may be present, it is common to make use of previous research when looking for new indicators to hunt for.

This is especially true when dealing with an indicator of malicious software.  Perhaps you have found a host communicating with an IP address known to be associated with a particular malware variant; the logical next step would be to search for communication with other IPs, domains and URLs the malware may be associated with, along with looking for the host-based activity the malware is known to use.

For example, suppose an IDS alerted on the IP address 144.202.87[.]106. A quick search on VirusTotal indicates that this IP address may be malicious; however, it does not provide much information which could be used to pivot to other indicators. So where does every good analyst turn at this point? Google, of course! A quick Google search for the IP address returns several results, including a blog post from MalwareBytes on the Hidden Bee miner.

Along with a detailed analysis of the Hidden Bee miner, the post also includes several other IP addresses and URLs which analysts observed in this attack.  Now we have some data to pivot and hunt with!

This entire analysis from the MalwareBytes team can easily be added into DFLabs’ IncMan SOAR platform by copying and pasting the blog into the Additional Info section of the incident. In addition to making this information accessible to the analysts working on this incident, adding this text to the Additional Info field has a further advantage we have not yet discussed: Automatic Observable Harvesting.

When text is added to a field such as the Additional Info fields in IncMan, Automatic Observable Harvesting will automatically parse through the text and attempt to harvest observables from the unstructured text.

In the case of the Hidden Bee analysis from MalwareBytes, Automatic Observable Harvesting automatically harvested four IP addresses, a URL and a domain from the unstructured text and added them to the observables section.

While six observables may not take long to manually enter into the platform, it is not uncommon to find detailed malware analysis that contains dozens of IP addresses, hash values, domains, and other observables. Entering this many observables into IncMan manually in order to take advantage of IncMan’s automation and orchestration features on the new observables would be a time-consuming process. Automatic Observable Harvesting performs this task automatically.
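The harvesting step described above, as an added example that is not DFLabs’ code and makes no claim about how IncMan implements it: a small Python harvester that refangs the defanging conventions common in published analyses (`[.]`, `hxxp`), pulls URLs, IPv4 addresses, domains and hashes out of unstructured text, and blanks out each URL so its host is not counted a second time as a standalone domain or IP. The sample write-up is constructed for the example (using documentation IP ranges and example.com-style names); the TLD allowlist is a simplifying assumption.

```python
import re

# Defanging conventions commonly seen in published malware write-ups.
_DOT_DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE)
_COLON_DEFANG = re.compile(r"\[:\]")
_SCHEME_DEFANG = re.compile(r"\bhxxp(s?)://", re.IGNORECASE)

_URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumption: a small TLD allowlist keeps file names such as payload.exe out of
# the domain list. A production harvester would consult the public suffix list.
_DOMAIN_RE = re.compile(
    r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|info|biz|ru|cn|top|xyz)\b",
    re.IGNORECASE,
)
_HASH_RE = re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.IGNORECASE)
_HASH_TYPE = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(text: str) -> str:
    """Turn defanged notation (144.202.87[.]106, hxxp://) back into real values."""
    text = _DOT_DEFANG.sub(".", text)
    text = _COLON_DEFANG.sub(":", text)
    return _SCHEME_DEFANG.sub(r"http\1://", text)


def _dedupe(values):
    """Unique values, preserving first-seen order."""
    return list(dict.fromkeys(values))


def _valid_ipv4(addr: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in addr.split("."))


def harvest_observables(text: str) -> dict:
    """Extract observables from unstructured text, grouped by type."""
    clean = refang(text)
    # Strip trailing punctuation that belongs to the sentence, not the URL.
    urls = [u.rstrip(".,;:)]") for u in _URL_RE.findall(clean)]
    # Blank out URLs so their host parts are not harvested again as
    # standalone domains or IP addresses.
    remainder = _URL_RE.sub(" ", clean)
    ips = [ip for ip in _IPV4_RE.findall(remainder) if _valid_ipv4(ip)]
    domains = [d.lower() for d in _DOMAIN_RE.findall(remainder)]
    found = {
        "url": _dedupe(urls),
        "ipv4": _dedupe(ips),
        "domain": _dedupe(domains),
        "md5": [],
        "sha1": [],
        "sha256": [],
    }
    for digest in _HASH_RE.findall(remainder):
        found[_HASH_TYPE[len(digest)]].append(digest.lower())
    for kind in ("md5", "sha1", "sha256"):
        found[kind] = _dedupe(found[kind])
    return found


def count_observables(found: dict) -> int:
    return sum(len(values) for values in found.values())


# Constructed sample write-up for this example; not text from any real analysis.
SAMPLE_ANALYSIS = """
Constructed sample write-up, not text from any real analysis. The dropper was
fetched from hxxp://203.0.113.5/stage2.bin, and the miner then beaconed to
144.202.87[.]106 and 198.51.100[.]23 over TCP/443. A second-stage URL,
hxxps://update.example[.]net/p.php, served payload.exe (MD5
d41d8cd98f00b204e9800998ecf8427e, SHA-256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855). The mining
pool domain pool.example[.]com resolved to 192.0.2.77, and 203.0.113.5 was
contacted again during cleanup.
"""

if __name__ == "__main__":
    result = harvest_observables(SAMPLE_ANALYSIS)
    for kind, values in result.items():
        if values:
            print(f"{kind}: {values}")
    print(f"total observables harvested: {count_observables(result)}")
```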

Once these new observables are added into IncMan, analysts can take advantage of IncMan’s automation and orchestration features to begin performing additional enrichment on the observables, as well as searching across any internal data sources for evidence of the observables and blocking them if needed.

If you would like to see IncMan SOAR from DFLabs in action, including its Automatic Observable Harvesting functionality, get in touch to arrange a one-to-one demo now.

Security Automation vs Security Orchestration – What’s the Difference?

The terms security automation and security orchestration are often used almost interchangeably nowadays in the IT ecosystem. But it’s very important to note that these terms have completely different meanings and purposes. The aim of this blog is to discuss the core differences by explaining what these terms mean exactly, what their functions are and how they can be used within an IT context.

When automation emerged in the security field, it became a crucial asset for security teams that were already exhausted from time-consuming, repetitive, low-level tasks. Orchestration was the next step for better time and resource management for teams, as it helped professionals respond to issues faster, and prioritize important tasks with defined and consistent processes and workflows.

Security orchestration vs. security automation – the difference

When we speak about automation, it’s often wrongly assumed to mean automating an entire process, which is not always correct. The proper definition of security automation is setting a single security operations-related task to run on its own, without the need for human intervention (or a task could be semi-automated if some form of human decision is required).

On the other hand, orchestration, in essence, refers to making use of multiple automation tasks across one or more platforms. This means that automation tasks are part of the overall orchestration process, which covers larger, more complex scenarios and tasks. With this being said, we can say that orchestration means the automated coordination and management of systems, middleware, and services. Security orchestration uses multiple automated and semi-automated tasks to automatically execute a complex process or workflow, and these can consist of multiple automated tasks or systems.

Security Orchestration aims to streamline and optimize repeatable processes and ensure correct execution of tasks. Anytime a process becomes repeatable and tasks can be automated, orchestration can be used to optimize the process and eliminate redundancies.

Main purpose

Automation and orchestration can be best understood by differentiating between a single task and a complete process. Automation only handles a single task, while orchestration makes use of a more complex set of tasks and processes. When a task is automated, it speeds things up, especially when it comes to repeating basic tasks. But optimizing a process is not possible with simple automation, as it only handles a single task. A process is not limited to a single function, so optimization is only possible with orchestration. If done right, orchestration achieves the main goal of speeding up the entire process from start to finish.

Benefits

By now, we believe you’re aware of the core difference between security automation and security orchestration, but bear in mind that the two are not completely separable and are used in conjunction with each other. As we’ve been discussing so far, security orchestration is not possible without automation. Now let’s go through the main benefits of both orchestration and automation:

Automation makes many time-consuming tasks run smoothly without (or with little) human intervention, thus allowing organizations to take a more proactive approach in protecting their infrastructure from increasing volumes of security alerts and potential incidents, which would take far too many man-hours to be able to complete.

The primary goal of orchestration is to optimize a process. While security automation is limited to automating a particular task, orchestration goes way beyond this. With automation providing the necessary speed to the processes, orchestration, on the other hand, provides a streamlined approach and process optimization.

What happens when these two work together?
  • Better utilization of assets, allowing the organization to be more efficient and effective
  • Improved ROI on existing security tools and technologies
  • Increased productivity – tasks are automated and orchestrated together
  • Reduced security analyst fatigue from alert and task overload
  • Processes remain consistent due to standardization of activities

Final thoughts

Orchestration and automation work together to empower security teams, allowing them to be more effective and ultimately to focus on incident analysis and important investigations, rather than on manual, time-consuming and repetitive tasks. Having all of the tools to hand within a centralized, single and intuitive orchestration platform can only benefit your security operations team. This ultimately means more time for analysts and incident responders to focus on issues that require human judgement and deeper investigation before mitigation and remediation.

Both of these concepts, security automation and security orchestration, relate to each other, and it’s often very difficult to differentiate between them. Given this confusion, one last piece of advice would be to look at their fundamental difference, which lies in their individual goals: automation is all about codification, and orchestration is all about the systematization of processes. Differentiating properly between these two principles will help you to achieve a streamlined and accurate execution of your incident response processes and tasks.

Are you ready to see the real benefits of security automation and orchestration in action? Contact us and request to see a live demo of IncMan SOAR to see how it can transform your SOC today.

National Cybersecurity Awareness Month – Understanding the Benefits of Implementing SOAR Technology

About National Cybersecurity Awareness Month (NCSAM)

Every year since 2004, October has been recognized and celebrated as National Cybersecurity Awareness Month (NCSAM). NCSAM was created in a united effort between the Department of Homeland Security and the National Cyber Security Alliance to raise awareness on a variety of cybersecurity issues. NCSAM has grown exponentially over the years, reaching consumers, small and medium-sized businesses, corporations, government entities, the military, educational institutions, and young people nationally and internationally. NCSAM was designed with one goal: to engage and educate the public as well as private sector partners through a series of events and initiatives that raise awareness about cybersecurity, in order to increase the resiliency of the nation in the face of cyber incidents. This unified effort is necessary to maintain a cyberspace that is safer and more resilient and remains a source of tremendous opportunity and growth for years to come.

What’s New in 2018

This year, National Cybersecurity Awareness Month (NCSAM) focuses on internet security as a shared responsibility among consumers, businesses and the cyber workforce. NCSAM 2018 aims to “shine a spotlight on the critical need to build a strong, cyber-secure workforce to help ensure families, communities, businesses and the country’s infrastructure are better protected.” The month is divided into four week-long topics:

Week 1 (Oct. 1–5): Make Your Home a Haven for Online Safety
Week 2 (Oct. 8–12): Millions of Rewarding Jobs — Educating for a Career in Cybersecurity
Week 3 (Oct. 15–19): It’s Everyone’s Job to Ensure Online Safety at Work
Week 4 (Oct. 22–26): Safeguarding the Nation’s Critical Infrastructure

Staying Safe Online

This month, organizations should make it a priority to build on their existing cybersecurity knowledge and practices, and to better understand the current cyber threats impacting their industry. With the spotlight on security, NCSAM is a great time to review current cybersecurity strategies and map out strategic actions that could be undertaken to secure the organization’s infrastructure as much as possible.

Even though preventing every single attack is an impossible mission, all stakeholders within any organization, regardless of their position, capability or involvement in cybersecurity, should aim to increase their security knowledge, as a single successful phishing attack could have devastating consequences. Working towards increasing levels of awareness and training, strengthening partnerships and defenses, exchanging valuable information, and adopting advancing technology will help organizations to protect their brands and valuable assets.

With that being said, we know from experience that today cyber attacks are inevitable, and regardless of the vast number of preventative measures we take to protect ourselves, our businesses and our infrastructure are still at risk. We can never be 100% certain that they are fully secure. Therefore it is key that organizations also have an appropriate and in-depth incident response plan in place, in order to be able to respond efficiently and effectively to any type of incident that should unfortunately occur.

How SOAR Technology Helps To Improve Incident Response

Effective cyber defense demands a team effort where employees, end users, and enterprises recognize their shared role in reducing cybersecurity risks. As the ever-evolving cybersecurity landscape poses new challenges, companies are pushed even more to combat the growing number and even more sophisticated levels of cyber attacks. Organizations across all sectors and industries are a potential target. Security operations teams need to be prepared to respond to existing as well as to new types of cyber threats, in order to fully defend and protect their company assets.

As prevention is becoming increasingly difficult for security teams, some organizations also have a weakness when it comes to incident response and the processes and workflows that should be implemented in order to minimize the impact. Companies fail at incident response for a number of reasons, including but not limited to inadequate resources, a lack of skilled analysts, failure to manage the phases of the response, task overload and more.

Adopting a complete and comprehensive Security Orchestration, Automation and Response (SOAR) solution can go a long way towards preventing and mitigating the consequences of cyber incidents. The deployment of a SOAR solution can help alleviate a number of current security operations challenges (including the growing number of alerts, increased workloads and repetitive tasks, current talent shortage and competition for skilled analysts, lack of knowledge transfer and budget constraints), while improving the overall organization’s security posture by eliminating the most-common scenarios of resource-constrained security teams struggling to identify critical cyber incidents.

Some of the key benefits of using a Security Orchestration, Automation and Response (SOAR) solution are outlined below.

Top 10 Benefits of Adopting a SOAR Solution

  • Acts as a force multiplier for security teams
  • Automates manual repetitive processes to avoid alert fatigue
  • Responds to all security alerts eliminating false positives
  • Decreases the time to detect, remediate and resolve incidents
  • Simplifies incident response and investigation processes
  • Integrates with existing security operations tools and technologies
  • Improves the overall efficiency and effectiveness of existing security programs
  • Reduces operational costs and improves ROI
  • Minimizes the risk and damage resulting from incidents
  • Meets legal and regulatory compliance (e.g. NIST and GDPR) including incident reporting and breach notification

Security Orchestration, Automation and Response With DFLabs IncMan SOAR Platform

DFLabs’ IncMan SOAR platform provides a complete and comprehensive solution to streamline the full incident response lifecycle. IncMan SOAR is designed for SOCs, CSIRTs and MSSPs to automate, orchestrate and measure security operations and incident response processes and tasks, all from within one single, intuitive platform. IncMan SOAR is easy to implement and use, allowing you to leverage the capabilities of your existing security infrastructure and assets.

Take this October’s national cybersecurity awareness month seriously and do your part in learning something new which could help your organization to better protect itself. Contact us today to organize a bespoke demonstration and to discuss your individual requirements.

SANS 2018 SOC Survey – How Does Your SOC Stack Up?

Each year SANS conducts a global Security Operations Center (SOC) survey to identify the latest trends, recommendations and best practices to enable organizations to successfully build, manage, maintain and mature their SOCs. With the continual increase in the volume and sophistication of cyber attacks, it is crucial that SOCs are performing as effectively and efficiently as possible to respond to all security alerts and potential incidents, as well as providing a clear benefit and ROI to the organization’s current security program.

This week SANS released the results of their 2018 survey and what they defined as “SOC-cess”! This blog will cover a quick snapshot of the report highlights, and we will delve deeper into some of the results in future posts.

You can download the full report here. DFLabs is joining the SANS team for a live webinar to discuss the results in more detail (16th August at 1:00 PM EDT).

SANS 2018 SOC Survey Highlights

Regardless of whether you are a security analyst, a SOC manager or a C-level executive, I am sure there will be some key learning points and takeaways for you, with some of the results resonating with you and your organization.  So, how does your SOC stack up against the 2018 survey results?

Here are the key findings.

  • Only half of SOCs (54%) use any form of metrics to measure their performance
  • There is a lack of coordination between SOCs and NOCs (only 30% had a positive connection)
  • Asset discovery and inventory tool satisfaction was rated the lowest of all technologies
  • The most meaningful event correlation is still primarily carried out manually
  • Over half of respondents (54%) did not consider their SOC a security provider to their business
  • The most common architecture is a single central SOC (39%)
  • Nearly a third of SOCs are staffed by 2-5 people (31%) and just over a third by 6-25 people (36%)
  • Top shortcomings to SOC performance included:
    • Shortage of skilled staff (62%)
    • Inadequate automation and orchestration (53%)
    • Too many unintegrated tools (48%)

What do these results actually mean? I am sure they can be interpreted in many ways. For me some results were not surprising, such as the shortage of skilled labor being the number one shortfall affecting SOC performance. However, some were quite startling, in particular the number of SOCs that do not use any form of metrics to measure performance – the results indicate nearly half.

With the growing number of threats also comes a growing number of challenges, and today it just isn’t possible for SOC analysts to manually carry out everything that is needed to run the SOC effectively. Investment in technology seems to be a must to help improve efficiencies, but it needs to be the right technology for the organization. The survey results show a clear need for SOCs to invest further in tools such as automation and orchestration, which was identified as the second most common shortfall affecting performance at 53%.   

Defining and Measuring SOC-cess

What is “SOC-cess” and how can we determine what an efficient and effective SOC is? SANS’ definition of SOC-cess is as follows.

“SOC success requires the SOC to take proactive steps to reduce risk in making systems more resilient, as well as using reactive steps to detect, contain and eliminate adversary actions. The response activities of the SOC represent the reactive side of operations.”

I am sure it can be defined and is defined in a multitude of ways across different organizations, but metrics will always be a key factor.  Of those SOCs surveyed, the top three metrics measured included:

  1. Number of incidents handled
  2. Average time from detection to containment to the eradication of an incident
  3. Number of incidents closed in a single shift

Without these metrics, there is nothing to compare against or benchmark to measure the overall performance and capabilities of the SOC, and it will be difficult for management to justify investment in additional tools or resources if their effectiveness and return on investment can’t be calculated or quantified. Therefore, measuring metrics should be a number one priority for any SOC to determine its success, not only for the 54% of SOCs that currently do so.
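As an added example (not part of the SANS report or any DFLabs product), the three survey metrics computed from a set of constructed incident records: incidents handled in a reporting window, mean hours from detection to containment and to eradication, and incidents closed within a single shift. Incidents that are still open (no eradication or closure timestamp) are counted as handled but excluded from the duration averages; the eight-hour shift length is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    """One incident record; later-phase timestamps are None while it is still open."""
    incident_id: str
    detected: datetime
    contained: Optional[datetime] = None
    eradicated: Optional[datetime] = None
    closed: Optional[datetime] = None


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def soc_metrics(incidents, period_start: datetime, period_end: datetime,
                shift_hours: float = 8.0) -> dict:
    """Compute the three survey metrics for incidents detected in [period_start, period_end)."""
    in_period = [i for i in incidents if period_start <= i.detected < period_end]
    to_contain = [_hours(i.detected, i.contained) for i in in_period if i.contained]
    to_eradicate = [_hours(i.detected, i.eradicated) for i in in_period if i.eradicated]
    # "Closed in a single shift": closed within one shift length of detection.
    single_shift = [i for i in in_period
                    if i.closed and _hours(i.detected, i.closed) <= shift_hours]
    return {
        "incidents_handled": len(in_period),
        "still_open": sum(1 for i in in_period if i.closed is None),
        "mean_hours_detect_to_contain": mean(to_contain) if to_contain else None,
        "mean_hours_detect_to_eradicate": mean(to_eradicate) if to_eradicate else None,
        "closed_in_single_shift": len(single_shift),
    }


# Constructed incident records for this example (not real data).
SAMPLE_INCIDENTS = [
    Incident("INC-1", datetime(2018, 8, 1, 9, 0), datetime(2018, 8, 1, 10, 0),
             datetime(2018, 8, 1, 12, 0), datetime(2018, 8, 1, 14, 0)),
    Incident("INC-2", datetime(2018, 8, 1, 22, 30), datetime(2018, 8, 2, 1, 30),
             datetime(2018, 8, 2, 9, 30), datetime(2018, 8, 2, 11, 30)),
    # Still open: contained but not yet eradicated or closed.
    Incident("INC-3", datetime(2018, 8, 2, 8, 0), datetime(2018, 8, 2, 8, 30)),
    Incident("INC-4", datetime(2018, 8, 3, 14, 0), datetime(2018, 8, 3, 14, 45),
             datetime(2018, 8, 3, 16, 45), datetime(2018, 8, 3, 17, 0)),
    # Detected before the August reporting window, so excluded from it.
    Incident("INC-5", datetime(2018, 7, 28, 10, 0), datetime(2018, 7, 28, 12, 0),
             datetime(2018, 7, 29, 10, 0), datetime(2018, 7, 29, 12, 0)),
]


def august_2018_metrics() -> dict:
    return soc_metrics(SAMPLE_INCIDENTS, datetime(2018, 8, 1), datetime(2018, 9, 1))


if __name__ == "__main__":
    for name, value in august_2018_metrics().items():
        print(f"{name}: {value}")
```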

Summary of Findings

Overall the SANS 2018 SOC survey results indicated that there was somewhat limited satisfaction with current SOC performance with an absence of a clear vision and route to excellence. Also, survey respondents felt that their SOCs were not fulfilling expectations and many areas could still be improved, although there was an overall consensus of the key capabilities that they felt must be present within a SOC.

Compared to last year’s survey, the results showed a minor improvement; however, there are still many challenges facing today’s SOCs and the teams operating within them which need to be overcome.

There are, though, a number of things that can help to drive improvements. These include better recruitment and internal talent development, improved metrics to ensure the SOC is providing value to the organization, a deeper understanding of the overall environment that is being defended, and better coordination between the NOC and the SOC, using orchestration tools to drive consistency.

Overall, the existence of a functional and mature SOC is a critical factor in an organization’s security program to adequately protect the business from the ever-evolving threat landscape and SOCs will need to continue to work on improving what they already have in place.

How Can DFLabs Help?

A Security Orchestration, Automation and Response (SOAR) platform, such as that offered by DFLabs, can not only help to tackle the orchestration and automation shortfalls mentioned above, but can also help to tackle a number of other common SOC challenges and pain points, including the shortage of skilled workforce, the integration of tools, and the measurement of SOC performance metrics.

Ask DFLabs today how we can help you to transform your SOC with SOAR technology and request a live demo of IncMan SOAR in action to see more.

Five Critical Components of SOAR Technology

In our previous two blogs, we looked at some of the most common problems a Security Orchestration, Automation and Response (SOAR) Technology is designed to solve and the three pillars of a SOAR solution. We will round out this three-part series by taking a more detailed look at some of the most critical SOAR Technology components any SOAR solution should possess. While some of these components may be more critical than others to individual organizations, each plays an important role in the overall function of a SOAR solution and should be considered when evaluating different platforms.

1. Customizability and Flexibility

No two security programs will be alike; this is especially true when you cross vertical lines. For a SOAR solution to be effective, it should be capable of being the single tool on top of the security stack. A SOAR solution should be able to be implemented in a manner that is optimized for CSIRT teams, as well as SOCs, MSSPs and security teams. Data input from a multitude of sources, including machine to machine, email, user submissions and manual input should be supported. The importance of security metrics means that customers should be able to customize not only the values available in the solution but also what attributes are tracked as well.

The number of security solutions, commercial, open source, and developed in-house means that any viable SOAR solution must be flexible enough to support a multitude of security products. Any SOAR solution will support many security products out of the box, however, the likelihood that all the organization’s security products will be supported by default is low. For that reason, it is crucial that a SOAR solution has a flexible option in place that allows customers to easily create bi-directional integrations with security products which are not supported by default.  

2. Process Workflows

One of the key benefits of a SOAR solution is being able to automate and orchestrate process workflows to achieve force multiplication and reduce the burden of repetitive tasks on analysts. To achieve these benefits, a SOAR solution must support flexible methods for implementing process workflows. The implementation of these workflows must be flexible enough to support almost any process which may need to be codified within the solution. Workflows should support the use of both built-in and custom integrations, as well as the creation of manual tasks to be completed by an analyst. Flow-controlled workflows should support multiple types of flow control mechanisms, including those which allow an analyst to make a manual decision before the workflow continues.

3. Incident Management

Incident response is a complex process. Orchestration and automation of security products provide obvious value to any security program, but to maximize the time and monetary investment in a SOAR solution, a comprehensive SOAR solution should include additional features to manage the entire incident response lifecycle. This should include basic case management functionality, such as tracking cases, recording actions taken during the incident and providing reporting on critical metrics and KPIs. It should also include other ancillary functions such as detailed task tracking, evidence and chain-of-custody management, asset management, and report management.

4. Threat Intelligence

Actionable threat intelligence is a critical component in effective and efficient incident response. While simple threat intelligence feeds still provide some value and should be supported by a SOAR solution, to be truly effective in today’s threat landscape, threat intelligence must go above and beyond simple feeds. Because a SOAR solution has access to not only the indicators but also the rest of the incident information which can provide the additional context, it is in a unique position to gather actionable threat intelligence.

A proactive security program requires threat intelligence to be properly correlated to discover attack patterns, potential vulnerabilities and other ongoing risks to the organization. This correlation should be done automatically and it should be immediately clear if an ongoing incident may share common factors with any previous incidents. Because threat intelligence can consist of a vast amount of data, visual correlation is also an important factor when assessing threat intelligence capabilities.

5. Collaboration and Information Sharing

Incident response is not a one-player sport. Responding to a security incident will likely involve multiple individuals and potentially multiple teams, even multiple organizations. To be effective in a team environment, a SOAR solution must support seamless collaboration and information sharing among team members, in a controlled manner.

Collaboration and information sharing must also be possible outside the organization itself, especially in the context of threat intelligence. Open sharing of threat intelligence, where possible, is a critical tool in fighting cybercrime. There are numerous avenues for sharing it: open, closed and industry-specific. Most of these sharing programs use one of the open standards and formats for threat intelligence, such as STIX/TAXII, OpenIOC or MISP, and a SOAR solution should support each of them.
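To make the two preceding points concrete (automatic correlation of new intelligence against previous incidents, and ingestion of an open sharing format), here is an added example written for this post rather than code from IncMan SOAR or DFLabs. It reads a constructed STIX 2.1 bundle, reduces each indicator pattern to atomic observables, and looks them up in an inverted index of earlier incidents. The bundle contents, incident identifiers and history are invented (RFC 5737 test addresses, a .example domain, and the SHA-256 of the string "test" standing in for a sample hash).

```python
import re
from collections import defaultdict
from typing import Dict, Set, Tuple

# Added example, not DFLabs/IncMan code. Ingests a constructed STIX 2.1 bundle,
# reduces each indicator pattern to atomic (object-path, value) observables and
# correlates a new incident's observables against earlier incidents, so overlap
# with past cases is visible as soon as the indicators arrive.

Observable = Tuple[str, str]

# Constructed sample bundle. Object layout follows STIX 2.1; content is invented.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--4f7a1c6e-1111-4aaa-8bbb-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--4f7a1c6e-1111-4aaa-8bbb-000000000002",
         "pattern_type": "stix", "valid_from": "2018-06-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.45']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--4f7a1c6e-1111-4aaa-8bbb-000000000003",
         "pattern_type": "stix", "valid_from": "2018-06-01T00:00:00Z",
         "pattern": "[domain-name:value = 'update.evil.example' OR "
                    "domain-name:value = 'cdn.evil.example']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--4f7a1c6e-1111-4aaa-8bbb-000000000004",
         "pattern_type": "stix", "valid_from": "2018-06-01T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = "
                    "'9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08']"},
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--4f7a1c6e-1111-4aaa-8bbb-000000000005",
         "name": "constructed-loader", "is_family": False},
    ],
}

# One comparison inside a STIX pattern:  object-path = 'value'
_COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")


def observables_from_pattern(pattern: str) -> Set[Observable]:
    """Flatten a pattern to its atomic comparisons. AND/OR structure is dropped on
    purpose: for correlation, one shared comparison is already worth surfacing."""
    return {(path.replace("'", ""), value)
            for path, value in _COMPARISON.findall(pattern)}


def ingest_bundle(bundle: dict) -> Set[Observable]:
    found: Set[Observable] = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue                  # malware, relationship, etc. carry no observables
        if obj.get("pattern_type", "stix") != "stix":
            continue                  # snort/yara/sigma patterns need their own parser
        found |= observables_from_pattern(obj["pattern"])
    return found


# Constructed history: observables recorded on earlier incidents.
PREVIOUS_INCIDENTS: Dict[str, Set[Observable]] = {
    "INC-2018-041": {("ipv4-addr:value", "203.0.113.45"),
                     ("domain-name:value", "cdn.evil.example")},
    "INC-2018-057": {("file:hashes.SHA-256",
                      "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08")},
    "INC-2018-063": {("ipv4-addr:value", "198.51.100.7")},
}


def build_index(history: Dict[str, Set[Observable]]) -> Dict[Observable, Set[str]]:
    """Inverted index observable -> incidents, so correlation is a lookup, not a scan."""
    index: Dict[Observable, Set[str]] = defaultdict(set)
    for incident_id, observables in history.items():
        for obs in observables:
            index[obs].add(incident_id)
    return index


def correlate(new_observables: Set[Observable],
              index: Dict[Observable, Set[str]]) -> Dict[str, Set[Observable]]:
    """Map each earlier incident to the observables it shares with the new one."""
    related: Dict[str, Set[Observable]] = defaultdict(set)
    for obs in new_observables:
        for incident_id in index.get(obs, ()):
            related[incident_id].add(obs)
    return dict(related)


if __name__ == "__main__":
    observed = ingest_bundle(SAMPLE_BUNDLE)
    for incident_id, shared in sorted(correlate(observed, build_index(PREVIOUS_INCIDENTS)).items()):
        print(incident_id, "shares", sorted(shared))
```

Flattening AND/OR is a deliberate over-approximation: a match on a single comparison is enough to flag a possible link for an analyst, and evaluating full pattern semantics belongs in the detection engine, not the correlation step.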

For more information on any of these topics covered in this three-part series, please check out our whitepaper “Security Orchestration, Automation, and Response (SOAR) Technology” here.

Leveraging SOAR Technology to Facilitate Knowledge Transfer in Security Operations

Earlier this year I was talking to a colleague about the state of SOC operations and how I was looking forward to going to the SANS Security Operations Summit in New Orleans in July. The folks who attend SANS events are at the top of their game and let’s be honest, SANS provides some of the best training in our industry, so what’s not to love?

The conversation quickly turned to how to provide better scalability within SOC operations. Given that our teams are confronted with an increased number of alerts coming from more sophisticated actors on a daily basis, how do we keep up? We spoke about the need for better security automation to enrich the information available at the onset of an incident and how malware has been automating since the Morris worm 30 years ago.

At one point she asked me how best we can handle the transfer of incident handling “tribal knowledge” from the senior Incident Response personnel to the junior members, given the daily workload they carry. I thought about it for a moment and threw out that perhaps increased spending for machine learning or AI could help bridge the knowledge gap. She then asked, “Couldn’t we take that money and invest in knowledge transfer within the team instead?” That simple and simultaneously complex question got me to thinking about how we can better utilize existing resources to provide that knowledge transfer in an environment as dynamic and rapidly changing as an Incident Response organization.

I thought this topic was interesting enough to make it my focus for my upcoming speaking engagement at SANS.

As we already know, an increased workload coupled with an industry-wide shortage of skilled responders is heavily impacting operational performance in Security Operations Centers (SOCs) globally, and an integral part of the solution is a methodology that ensures crucial knowledge is retained and transferred between incident responders. By utilizing Security Orchestration, Automation and Response (SOAR) technology, security teams can combine traditional methods of knowledge transfer with more modern techniques and technologies.

Join me at the SANS Security Operations Summit on July 30, 2018 at Noon for an informal “Lunch and Learn” session to discuss how we ensure that the Incident Response knowledge possessed by our senior responders can be consistently and accurately passed along to the more junior team members while simultaneously contributing to the Incident Response process. I look forward to meeting you there.

If you are not attending the summit, don’t worry, you can visit our website to find out more information about the benefits of utilizing a SOAR solution with DFLabs’ IncMan SOAR platform.  Alternatively, if you would like to have a more in-depth discussion, you can arrange a demo to see IncMan live in action.

3 Core Pillars of a SOAR Solution

In our first blog in this series, we looked at some of the key drivers for Security Orchestration, Automation and Response (SOAR) adoption and what problems SOAR technology can help solve. Now, let’s look at the 3 core pillars which define what a SOAR solution is: Orchestration, Automation and Measurement.

The Core Pillars of a SOAR Solution: Orchestration, Automation, and Measurement

Security Orchestration

The number of technologies involved in today’s advanced security and incident response programs is far greater than it was even five years ago. While this has become necessary to detect and respond effectively to the range and complexity of today’s threats, it has created a problem of its own: coordinating these technologies into one seamless process. Switching between multiple technologies, what Gartner refers to as “context switching”, creates enormous inefficiencies in an organization’s security program.

Technology integrations are the most common method used to support technology orchestration. There are numerous methods which can be used to integrate technologies through a SOAR solution, including common communication mechanisms such as syslog and email, as well as more complex, bidirectional integration methods such as API calls. Although technology is typically the primary focus of orchestration, it is equally important to consider the orchestration of people and processes in a holistic security program. Technology should be supported by effective processes, which should enable people to respond appropriately to security events. A strictly technology-centric security program is no longer adequate; people and processes must also be orchestrated properly to ensure that a security program is operating at its maximum efficiency.

Security Automation

Although the concepts of orchestration and automation are closely related, the goals they seek to achieve are fundamentally different. While orchestration is intended to increase efficiency through increased coordination and decreased context switching to support faster, more informed decision making, security automation is intended to reduce the time these processes take by automating repeatable processes and applying machine learning to appropriate tasks.  

The key to successful automation is the identification of predictable, repeatable processes which require minimal human intervention to perform. Automation should act as a force multiplier for security teams, reducing the mundane actions that must be manually performed and allowing analysts to focus on those actions which require human intervention. Although some processes may be fully automated, a SOAR technology solution must also support automation which allows for human intervention at critical decision points.  
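The automation-with-a-human-gate idea above, and the workflow requirements listed under "critical components" earlier on this page (built-in and custom integrations, manual tasks, flow control), are easier to see in code. The following is an added example written for this post, not IncMan SOAR or any DFLabs code: a minimal playbook runner whose steps are either automated actions or manual gates that pause the run until an analyst answers. The reputation and asset tables, host names and addresses are constructed stand-ins for real integrations.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Added example, not DFLabs/IncMan code. A minimal playbook runner: automated
# steps backed by integrations (a built-in reputation lookup and a custom CMDB
# lookup, both hypothetical stand-ins over constructed tables), a branch on
# their combined result, and a manual gate that pauses the run until an analyst
# decides, so containment of a critical asset is never fully unattended.

# Constructed lookup tables standing in for real integrations.
IP_REPUTATION = {"203.0.113.45": "malicious", "198.51.100.7": "suspicious"}
ASSET_TIER = {"FIN-LAPTOP-07": "critical", "KIOSK-03": "low"}


def enrich_ip(ctx: dict) -> dict:
    """Built-in integration: threat-intel reputation of the source address."""
    return {"ip_reputation": IP_REPUTATION.get(ctx["src_ip"], "unknown")}


def lookup_asset(ctx: dict) -> dict:
    """Custom integration: criticality of the affected host from a CMDB table."""
    return {"asset_tier": ASSET_TIER.get(ctx["host"], "unknown")}


def assess(ctx: dict) -> dict:
    """Decision logic combining the two enrichments into one routing key."""
    high = ctx["ip_reputation"] == "malicious" and ctx["asset_tier"] == "critical"
    return {"risk": "high" if high else "low"}


def isolate_host(ctx: dict) -> dict:
    """Containment action; a real integration would call the EDR/NAC API here."""
    return {"isolated": True, "isolated_host": ctx["host"]}


def close_case(ctx: dict) -> dict:
    return {"closed": True}


@dataclass
class Step:
    action: Optional[Callable[[dict], dict]] = None  # None -> manual task for an analyst
    branch_key: Optional[str] = None                 # context key that selects the route
    routes: Dict[str, Optional[str]] = field(default_factory=dict)
    default_next: Optional[str] = None               # used when no route matches


@dataclass
class Run:
    steps: Dict[str, Step]
    context: dict
    current: Optional[str]
    log: List[str] = field(default_factory=list)
    status: str = "running"      # running | waiting_for_analyst | completed


def advance(run: Run, analyst_input: Optional[dict] = None) -> Run:
    """Execute steps until the playbook completes or reaches a manual gate.
    Resume a paused run by calling advance() again with the analyst's decision."""
    while run.current is not None:
        name, step = run.current, run.steps[run.current]
        if step.action is None:                       # manual gate
            if analyst_input is None:
                run.status = "waiting_for_analyst"
                run.log.append(f"{name}: waiting for analyst")
                return run
            run.context.update(analyst_input)
            run.log.append(f"{name}: analyst input {analyst_input}")
            analyst_input = None                      # consumed by this gate only
        else:
            run.context.update(step.action(run.context))
            run.log.append(f"{name}: done")
        if step.branch_key is not None:
            run.current = step.routes.get(run.context.get(step.branch_key), step.default_next)
        else:
            run.current = step.default_next
    run.status = "completed"
    return run


# Triage playbook: enrich, then isolate only if the IP is malicious, the asset is
# critical and an analyst approves; everything else closes with the enrichment kept.
TRIAGE_PLAYBOOK = {
    "enrich_ip": Step(enrich_ip, default_next="lookup_asset"),
    "lookup_asset": Step(lookup_asset, default_next="assess"),
    "assess": Step(assess, branch_key="risk",
                   routes={"high": "approve_isolation"}, default_next="close"),
    "approve_isolation": Step(None, branch_key="analyst_decision",
                              routes={"isolate": "isolate_host"}, default_next="close"),
    "isolate_host": Step(isolate_host, default_next="close"),
    "close": Step(close_case),
}


def start_run(alert: dict) -> Run:
    return advance(Run(TRIAGE_PLAYBOOK, dict(alert), "enrich_ip"))


if __name__ == "__main__":
    run = start_run({"src_ip": "203.0.113.45", "host": "FIN-LAPTOP-07"})
    print(run.status, run.current)                    # waiting_for_analyst approve_isolation
    advance(run, {"analyst_decision": "isolate"})
    print(run.status, run.context.get("isolated"))    # completed True
```

The run object carries the full context and log, which is what lets a paused playbook be picked up later by a different analyst, and what a case-management layer would persist between the two `advance()` calls.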

Measurement

Because a SOAR solution sits at the crossroads of the incident response process, it is in an ideal location to collect a trove of information. Measurement of security information is key for making informed tactical and strategic security decisions. Proper measurement is what turns raw incident information into critical intelligence. Measurement of both tactical and strategic information is useless without proper display and visualization. A SOAR solution must support multiple methods for displaying and visualizing all information in an effective and easy to digest manner.
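As an added example of turning the timestamps a case-management component already records into measurable KPIs (written for this post, not IncMan SOAR or DFLabs code), the snippet below computes time-to-detect and time-to-resolve per severity and reports the median and 90th percentile beside the mean. The incident records are constructed; the one slow detection among them (INC-3) shows why the mean alone misleads.

```python
from datetime import datetime
from math import ceil, floor
from statistics import mean, median
from typing import Dict, List, Optional

# Added example, not DFLabs/IncMan code. Time-to-detect and time-to-resolve
# metrics from case timestamps, per severity, with median and p90 beside the
# mean because one long-running case drags the mean away from typical performance.

# Constructed incident records, UTC ISO-8601. first_seen: when the activity began;
# detected: when an alert was raised; resolved: when the case was closed.
INCIDENTS = [
    {"id": "INC-1", "severity": "high",   "first_seen": "2018-06-01T08:00:00",
     "detected": "2018-06-01T09:30:00", "resolved": "2018-06-01T14:30:00"},
    {"id": "INC-2", "severity": "high",   "first_seen": "2018-06-02T10:00:00",
     "detected": "2018-06-02T10:15:00", "resolved": "2018-06-02T12:15:00"},
    {"id": "INC-3", "severity": "medium", "first_seen": "2018-06-03T00:00:00",
     "detected": "2018-06-05T00:00:00", "resolved": "2018-06-05T06:00:00"},
    {"id": "INC-4", "severity": "medium", "first_seen": "2018-06-04T09:00:00",
     "detected": "2018-06-04T09:30:00", "resolved": "2018-06-04T10:30:00"},
    {"id": "INC-5", "severity": "low",    "first_seen": "2018-06-06T12:00:00",
     "detected": "2018-06-06T12:00:00", "resolved": "2018-06-06T12:30:00"},
]


def hours_between(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def percentile(values: List[float], pct: float) -> float:
    """Linear-interpolation percentile (same convention as numpy's default)."""
    ordered = sorted(values)
    rank = (len(ordered) - 1) * pct / 100
    lo, hi = floor(rank), ceil(rank)
    return ordered[lo] + (ordered[hi] - ordered[lo]) * (rank - lo)


def _summarise(values: List[float]) -> Dict[str, float]:
    return {"mean": round(mean(values), 2),
            "median": round(median(values), 2),
            "p90": round(percentile(values, 90), 2)}


def time_metrics(incidents: List[dict], severity: Optional[str] = None) -> Dict[str, object]:
    """MTTD/MTTR-style metrics, in hours, for all incidents or one severity."""
    selected = [i for i in incidents if severity is None or i["severity"] == severity]
    if not selected:
        return {"count": 0}
    ttd = [hours_between(i["first_seen"], i["detected"]) for i in selected]
    ttr = [hours_between(i["detected"], i["resolved"]) for i in selected]
    return {"count": len(selected),
            "time_to_detect_hours": _summarise(ttd),
            "time_to_resolve_hours": _summarise(ttr)}


if __name__ == "__main__":
    for sev in (None, "high", "medium", "low"):
        print(sev or "all", time_metrics(INCIDENTS, sev))
```

On the constructed data the mean time to detect across all incidents is about 10 hours while the median is half an hour; reporting both is what stops a dashboard from either hiding the outlier or letting it define the team's performance.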

Stay tuned for our final blog in this series, where we will discuss some of the critical components and functionality that a SOAR solution should contain. For more information on any of these topics, please check out our new whitepaper titled “Security Orchestration, Automation, and Response (SOAR) Technology” here.

SOAR Technology – What Problems Are We Trying To Solve?


Increasing Adoption of SOAR Solutions

Over the past several years, Security Orchestration, Automation and Response (SOAR) has gone from being viewed as a niche product to one gaining traction across almost all industry verticals. Today, more and more private organizations, MSSPs and governments are turning to SOAR Technology to address previously unsolved problems in their security programs. SOAR is about taking action: “Automate. Orchestrate. Measure”. Organizations are implementing a SOAR solution to improve their incident response efficiency and effectiveness by orchestrating and automating their security operations processes. Gartner estimates that by 2019, 30% of mid to large-sized enterprises will leverage a SOAR technology, up from an estimated 5% in 2015.

In this three-part blog, we will discuss the key drivers for SOAR adoption and what problems a SOAR solution can help solve.  In the next blog, the second part of this three-part blog, we will discuss the three pillars of Security Orchestration, Automation and Response (SOAR). Finally, we will round out the series by discussing the critical components and functionality that a SOAR solution should contain.

Five Key Problems SOAR Technology Helps to Solve

Like many new product categories, Security Orchestration, Automation and Response (SOAR) technology was born from problems without solutions (or perhaps more accurately, problems which had grown beyond the point that they could be adequately solved with existing solutions). To define the product category more accurately, it is crucial to first understand what problems drove its creation. There are five key problems the SOAR market space has evolved to address.

  • Increased workload combined with budget constraints and competition for skilled analysts means that organizations are being forced to do more with less

As the number and sophistication of threats has grown over the past decade, there has been an explosion in the number of security applications in the enterprise. Security analysts are forced to work within multiple platforms, manually gathering disparate data from each source, then manually enriching and correlating that data. Although it may not be as difficult to find security analysts as it once was, a truly skilled security analyst is still a rare breed. Intense competition for these skilled analysts means that organizations must often choose between hiring one highly skilled analyst or several more junior analysts.

  • Valuable analyst time is being consumed sorting through a plethora of alerts and performing mundane tasks to triage and determine the veracity of the alerts

Even when alerts are centrally managed and correlated through a SIEM, the number of alerts is often overwhelming for security teams.  Each one of these alerts must be manually verified and triaged by an analyst.  Alerts which are determined to be valid then require additional manual research and enrichment before any real action can be taken to address the potential threat. While these manual processes are taking place, other alerts sit unresolved in the queue and additional alerts continue to roll in.

  • Security incidents are becoming more costly, meaning that organizations must find new ways to further reduce the mean time to detection and the mean time to resolution

The cost of the average incident has increased steadily year on year. The immediate cost of an incident due to lost sales, employee time spent, consulting hours, legal fees and lawsuits is relatively easy to quantify. The financial loss due to reputational damage, however, can be much more difficult to accurately measure. Reducing the time to detect and resolve potential security incidents must be an absolute priority. Each hour that a security incident persists is effectively money out of the door.

  • Tribal knowledge is inherently difficult to codify, and often leaves the organization with personnel changes

Employee retention is an issue faced by almost every security team. Highly skilled analysts are an extremely valuable resource for which competition is always high. Each time an organization loses a seasoned analyst, some tribal knowledge is lost with them and they are replaced with an analyst who, even if they possess the same technical skills, will lack this tribal knowledge for at least a period of time. Training new analysts takes time, especially when processes are manual and complex.  Documenting security processes is a complex, but critical task for all security teams.

  • Security operations are inherently difficult to measure and manage effectively

Unlike other business units which may have more concrete methods for measuring the success or failure of a program, security metrics are often much more abstract and subjective. Traditional approaches to measuring return on investment are often not appropriate for security projects and can lead to inaccurate or misleading results. Properly measuring the effectiveness and efficiency of a security product or program requires a measurement process specially designed to meet these unique requirements.

About DFLabs IncMan SOAR

DFLabs is an award-winning and recognized global leader in Security Orchestration, Automation and Response (SOAR) technology. Its pioneering purpose-built platform, IncMan SOAR, enables SOCs, CSIRTs, and MSSPs to automate, orchestrate and measure security operations and incident response processes and tasks. IncMan SOAR drives intelligence-driven command and control of security operations, by orchestrating the full incident response and investigation lifecycle and empowers security analysts, forensic investigators and incident responders to respond to, track, predict and visualize cyber security incidents.  As its flagship product, IncMan SOAR has been adopted by Fortune 500 and Global 2000 organizations worldwide.

Schedule a live demo with one of our cyber security specialists here and see DFLabs IncMan SOAR platform in action. For more information on any of these topics, please check out our new whitepaper titled “Security Orchestration, Automation, and Response (SOAR) Technology” here.

Stay tuned for our next blog in this series, where we will discuss the three pillars of SOAR technology.  

Understanding the Noise Using Security Orchestration, Automation and Response

“Noise” is a prevalent term in the cyber security industry. Here at DFLabs we consistently receive feedback from vendor partners and clients that one of the major issues they face on a daily basis is sifting through the noise to tell an actual critical problem from a lost cause.

What is “noise”?

Noise is the vast amount of information passed on by security products that has little or no meaning to the person receiving it. Many products are not tuned or adapted to the environment they are deployed in, and therefore present more information than is needed.

Noise is a problem for everyone in the cyber security industry: these messages often carry meaning that is simply ignored or passed over for higher priorities. Common causes include policies and procedures that are incorrectly defined or adapted, or a product that is not properly aligned with the network topology.

There is no single security product that can deal with every attack vector organizations experience today. What is more disturbing is that most of the tools and technologies within the security infrastructure do not talk to each other natively, yet all of them hold intelligence data that could be overlaid to enrich the work of security operations and incident response teams.

Understanding the Noise Using Security Orchestration, Automation and Response

Cyber incident investigation teams spend a vast number of hours on simple administrative tasks that could easily be relieved by an effective security orchestration, automation and response (SOAR) solution. Given the sheer volume of alerts we see from SIEM products on a day-to-day basis, a SOAR tool can be used alongside the SIEM to execute most, if not all, of the human-to-machine actions, following best practice for each type of incident and the company’s guidelines, all through automated playbooks.

Re-thinking what information is being presented and how we deal with it is the biggest question. There are several ways to manage this:

  • Fully automate the noise-worthy tasks.
    If these tasks consistently reach your Security Operations Center (SOC) and cause you to spend more time on administration than on investigation, it may be prudent to schedule them for full automation.
  • Semi-automate tasks to give your SOC team more control over how large volumes are handled.
    Automating 95% of a task and having an analyst provide the final sign-off with a manual review can still cut the time substantially if your organization is against fully automating the process.
  • Leverage all of your existing products to provide better insight into the incident.
    For example, use your existing Active Directory to lock out or suspend a user account that logs in outside normal business hours, and sandbox and snapshot the machine to understand what is happening. A key consideration is not to disrupt work at every opportunity. It is a balancing act: depending on a user’s role, responsibilities and privileges, you may want to act faster for some users than for others.

During the second half of 2018, the readiness and capability to respond to a variety of cyber incidents will continue to be at the top of every C-level agenda. By leveraging the security orchestration automation and response capabilities offered by DFLabs’ IncMan SOAR platform, stakeholders can provide 360-degree visibility during each stage of the incident response lifecycle. This provides not only consistency across investigations for personnel but encourages the implementation of Supervised Active Intelligence across the entire incident response spectrum.

At DFLabs we showcase our capacity to reduce the investigative time and incident dwell time, all while increasing incident handling consistency and reducing liability. Arming your SOC teams with information prior to the start of their incident investigation will help to drive focus purely on the incidents that need attention rather than the noise.

Please contact us to discuss how we can work together to grow your incident response capabilities or schedule a demonstration of how we can utilize what you already have and make it more effective and efficient.