When it comes to Security Orchestration, Automation and Response (SOAR), the use cases will vary depending on a number of factors, such as the enterprise-specific internal environment, the industry or vertical the enterprises serve and even the legal and regulatory compliance that need to be met.
In this blog post we will cover five of the most common use cases for a Security Orchestration Automation and Response (SOAR) solution and how by utilizing this technology, a security alert and potential incident can be quickly detected, responded to and resolved without having a major impact on the organization.
It is key to point out that a use case is only limited by the creativity of the organization itself. A Security Orchestration Automation and Response SOAR platform, such as IncMan SOAR from DFLabs, should be able to cater for any scenario and use case that is required.
Phishing emails have become one of the most critical issues faced by organizations over the past several years. Some of the most recent high-profile data breaches have resulted from carefully crafted phishing emails. Security Orchestration, Automation and Response (SOAR) is perfectly positioned to enable automatic triage and examination of suspected phishing emails by extracting artifacts from the email, then performing additional enrichment on these artifacts and if necessary, containing the malicious email and any malicious payloads.
Suspicious emails may be received via any one of the numerous email scanning solutions available today, or via a monitored email address provided to end users to submit suspicious emails to. Once the email is received, SOAR can extract artifacts, such as header information, email addresses, URLs and even attachments. What happens next will largely depend on the organizations’ individual technology integrations. The extracted information may be submitted to various threat reputation and intelligence services, SIEM, EDR or network appliance logs may be queried, and attachments may be detonated in a sandbox. Once the available information has been enriched, if determined to be malicious, automated or semi-automated containment actions may be taken, such as quarantining or deleting the phishing email, searching for and deleting other instance of the phishing email in other user’s accounts, blocking IP addresses or URLs, banning executables from running or quarantining the user’s workstation.
Regardless of the integrations used, utilizing SOAR to examine and respond to phishing emails can reduce the time to investigate these pervasive threats from hours to minutes, automatically containing the attack and minimizing risk to the organization.
The influx of detection technologies means that organizations are facing a constant barrage of alerts. Many of these alerts are generated due to traffic that one detection technology or another has deemed to be potentially malicious. This is usually based on some type of threat indicator, which may or may not be reliable. It is often left up to the organization to further triage and investigate each of these alerts to determine if they are a false positive or an actual potential security event.
Alerts regarding malicious traffic may be received by a SOAR directly, or after being ingested and forwarded by a SIEM. In either case, the advantage of using a SOAR to automate and orchestrate actions surrounding these types of events comes from the automatic enrichment, as well as potential containment of the detected indicators. Under normal circumstances, analysts would use whatever data enrichment tools are available, such as threat intelligence, reputation services, IT asset inventories and tools such as nslookup and whois. Analysts would then determine if the indicators appeared to be malicious, at which point containment and further investigation would begin. Using SOAR technology, it is simple to codify a process such as this into an automated workflow, automatically performing data enrichment as soon as the alert is received. A SOAR solution can also automate the process of searching for additional instances of the same indicator across the organization, alerting analysts to any additionally detected occurrences. Automated or semi-automated containment is also possible; for example, blocking an IP address or URL via the firewall or proxy, or isolating a host pending further investigation.
Alerts regarding potentially malicious traffic are common-place and often sit in the queue for some time before they are investigated. While most are false positives or low priority, any one of these could be the only indicator of a potentially serious data breach. Security Orchestration, Automation and Response (SOAR) Technology allows immediate triage and response to each of these alerts almost instantaneously, automating the mundane, repeatable processes while allowing analysts to focus on the most significant alerts.
Security Orchestration Automation and Response was not intended to be a vulnerability management platform and will never replace the robust vulnerability management systems available today. However, there are some aspects of a good vulnerability management program that a SOAR platform can streamline. In larger enterprises, vulnerability management is often a task performed outside the security team. This can lead to potential risk as the security team may not be aware of vulnerabilities that exist within the infrastructure.
A SOAR solution can be used to ensure that the security team is made aware of any new vulnerabilities within the organization. This allows the security team to proactively examine the vulnerable host, when appropriate, to ensure that there is no evidence of exploitation, place any appropriate additional safeguards in place, and subject the host to increased monitoring until the vulnerability has been mitigated.
Beyond notifying the security team, a Security Orchestration, Automation and Response SOAR solution may also be used to further enrich vulnerability and host information. For example, a SOAR solution could be used to query a database of vulnerabilities to gather additional information on the vulnerability, query Active Directory or CMDB for asset information, or query a SIEM or EDR for events. Based on vulnerability, host or event information, the case could be automatically upgraded or reassigned, or the host could even be temporarily isolated until appropriate mitigation tasks could be performed.
While suitable testing and deployment of patches are critical in an enterprise environment, existing vulnerabilities present an ongoing risk to the organization. It is crucial that the security team are aware of these risks and take the proper steps to ensure that the vulnerability has not and will not be exploited until it can be properly addressed. A Security Orchestration, Automation and Response (SOAR) solution can be utilized to ensure that the security team remains informed of all current vulnerabilities and can efficiently evaluate the possible risk of each vulnerability in order to take proper risk mitigation actions.
Managed Security Service Providers (MSSPs) face many of the same issues as Computer Security Incident Response Teams (CSIRTs) and Security Operations Centers (SOCs), but on a much larger scale. In addition to these shared challenges, MSSPs also face some unique issues which the SOAR technology can address. MSSPs must work within the confines of strict service level agreements (SLAs). Failing to meet these SLAs could result in loss of business, loss of reputation and even the potential for legal action. Automating and orchestrating actions with a Security Orchestration, Automation and Response SOAR solution allows MSSPs to work more efficiently, ensuring that all SLAs are met. In addition, MSSPs are constantly under pressure to prove to customers that these SLAs are being met, that they are taking appropriate, timely actions and that they are continuing to provide value to their customers. The advanced metrics and audit logs of a SOAR addresses these needs by providing a robust set of metrics suitable for both analysts and executives alike.
MSSPs must also find a method to manage each customers data securely and in a segregated manner. At the same time, MSSPs must also ensure that each customer is provided access to their data to ensure transparency and to allow seamless teamwork between the MSSP and the customer’s internal teams. Security Orchestration, Automation and Response (SOAR) accomplishes these tasks by providing individual tenants for each customer, physically segregating each customers data to ensure confidentiality while allowing the MSSP access across customer tenants for ease of use.
Although not strictly an orchestration and automation function, case management is an important part of the incident response process and is another function that SOAR can help streamline. Many organizations struggle with managing the vast amounts of disparate information that is gathered during a security incident. Spreadsheets and shared documents are simply not sufficient for managing a complex cyber incident.
Not only does SOAR maintain all information and enriched data gathered from automated and orchestrated activities, it also maintains a detailed audit log of all actions taken during the response. A full-featured SOAR solution should also allow for detailed task management, allowing incident managers to create, assign and monitor tasks assigned to all analysts taking part in the response. In addition, a full-featured SOAR should also allow users to track assets involved in the incident and maintain a detailed chain of custody for all physical and logical evidence.
A Security Orchestration, Automation and Response (SOAR) with full case management functionality will help ensure the smooth and efficient handling of an incident from identification through remediation, providing responders will the information they need right at their fingertips and allowing them to focus on the task at hand.
If you would like to see a SOAR solution in action and discuss your specific use cases, request a live demo today.
In our previous two blogs, we looked at some of the most common problems a Security Orchestration, Automation and Response (SOAR) Technology is designed to solve and the three pillars of a SOAR solution. We will round out this three-part series by taking a more detailed look at some of the most critical SOAR Technology components any SOAR solution should possess. While some of these components may be more critical than others to individual organizations, each plays an important role in the overall function of a SOAR solution and should be considered when evaluating different platforms.
1. Customizability and Flexibility
No two security programs will be alike; this is especially true when you cross vertical lines. For a SOAR solution to be effective, it should be capable of being the single tool on top of the security stack. A SOAR solution should be able to be implemented in a manner that is optimized for CSIRT teams, as well as SOCs, MSSPs and security teams. Data input from a multitude of sources, including machine to machine, email, user submissions and manual input should be supported. The importance of security metrics means that customers should be able to customize not only the values available in the solution but also what attributes are tracked as well.
The number of security solutions, commercial, open source, and developed in-house means that any viable SOAR solution must be flexible enough to support a multitude of security products. Any SOAR solution will support many security products out of the box, however, the likelihood that all the organization’s security products will be supported by default is low. For that reason, it is crucial that a SOAR solution has a flexible option in place that allows customers to easily create bi-directional integrations with security products which are not supported by default.
2. Process Workflows
One of the key benefits of a SOAR solution is being able to automate and orchestrate process workflows to achieve force multiplication and reduce the burden of repetitive tasks on analysts. To achieve these benefits, a SOAR solution must be able to support flexible methods for implementing process workflows. The implementation of these workflows must be flexible enough to support almost any process which may need to be codified within the solution. Workflows should support the use of both built-in and custom integrations, as well as the creation of manual tasks to be completed by an analyst. Flow controlled workflows should support multiple types of flow control mechanisms, including those which allow for an analyst to make a manual decision before the workflow continues.
3. Incident Management
Incident response is a complex process. Orchestration and automation of security products provide obvious value to any security program, but to maximize the time and monetary investment in a SOAR solution, a comprehensive SOAR solution should include additional features to manage the entire incident response lifecycle. This should include basic case management functionality, such as tracking cases, recording actions taken during the incident and providing reporting on critical metrics and KPIs. This should also include other ancillary functions such as detailed task tracking, evidence, and chain of custody management, asset management, and report management.
4. Threat Intelligence
Actionable threat intelligence is a critical component in effective and efficient incident response. While simple threat intelligence feeds still provide some value and should be supported by a SOAR solution, to be truly effective in today’s threat landscape, threat intelligence must go above and beyond simple feeds. Because a SOAR solution has access to not only the indicators but also the rest of the incident information which can provide the additional context, it is in a unique position to gather actionable threat intelligence.
A proactive security program requires threat intelligence to be properly correlated to discover attack patterns, potential vulnerabilities and other ongoing risks to the organization. This correlation should be done automatically and it should be immediately clear if an ongoing incident may share common factors with any previous incidents. Because threat intelligence can consist of a vast amount of data, visual correlation is also an important factor when assessing threat intelligence capabilities.
5. Collaboration and Information Sharing
Incident response is not one player sport. Response to a security incident will likely include multiple individuals and potentially multiple teams and even organizations. To be effective in a team environment, a SOAR solution must support seamless collaboration and information sharing among team members in a controlled manner.
Collaboration and information sharing must also be possible outside of the organization itself. This is especially true in the context of threat intelligence. Open sharing of threat intelligence, when possible, it a critical tool in fighting cybercrime. There are numerous avenues available to share threat intelligence, open, closed and industry-specific. The majority of these threat intelligence sharing programs utilize one of the open standards for threat intelligence, such as STIX/TAXII, OpenIOC or MISP, and each of these standards should be supported by a SOAR solution.
For more information on any of these topics covered in this three-part series, please check out our whitepaper “Security Orchestration, Automation, and Response (SOAR) Technology” here.
Earlier this year I was talking to a colleague about the state of SOC operations and how I was looking forward to going to the SANS Security Operations Summit in New Orleans in July. The folks who attend SANS events are at the top of their game and let’s be honest, SANS provides some of the best training in our industry, so what’s not to love?
The conversation quickly turned to how to provide better scalability within SOC operations. Given that our teams are confronted with an increased number of alerts coming from more sophisticated actors on a daily basis, how do we keep up? We spoke about the need for better security automation to enrich the information available at the onset of an incident and how malware has been automating since the Morris worm 30 years ago.
At one point she asked me how best we can handle the transfer of incident handling “tribal knowledge” from the senior Incident Response personnel to the junior members, given the daily workload they carry. I thought about it for a moment and threw out that perhaps increased spending for machine learning or AI could help bridge the knowledge gap. She then asked, “Couldn’t we take that money and invest in knowledge transfer within the team instead?”. That simple and simultaneously complex question got me to thinking about how we can better utilize existing resources to provide that knowledge transfer in an environment as dynamic and rapidly changing as an Incident Response organization.
I thought this topic was interesting enough to make it my focus for my upcoming speaking engagement at SANS.
As we already know an increased workload coupled with an industry-wide shortage of skilled responders is heavily impacting operational performance in Security Operations Centers (SOC) globally and an integral part of the solution is formulating a methodology to ensure that crucial knowledge is retained and transferred between incident responders. By utilizing Security Orchestration, Automation and Response (SOAR) technology, security teams can combine traditional methods of knowledge transfer with more modern techniques and technologies.
Join me at the SANS Security Operations Summit on July 30, 2018 at Noon for an informal “Lunch and Learn” session to discuss how we ensure that the Incident Response knowledge possessed by our senior responders can be consistently and accurately passed along to the more junior team members while simultaneously contributing to the Incident Response process. I look forward to meeting you there.
If you are not attending the summit, don’t worry, you can visit our website to find out more information about the benefits of utilizing a SOAR solution with DFLabs’ IncMan SOAR platform. Alternatively, if you would like to have a more in-depth discussion, you can arrange a demo to see IncMan live in action.
In our first blog in this series, we looked at some of the key drivers for Security Orchestration, Automation and Response (SOAR) adoption and what problems SOAR technology can help solve. Now, let’s look at the 3 core pillars which define what a SOAR solution is: Orchestration, Automation and Measurement.
The Core Pillars of a SOAR Solution: Orchestration, Automation, and Measurement
The number of technologies involved in today’s advanced security and incident response programs is exponentially more than it was even five years ago. While this has become necessary to effectively detect and respond to the current range and complexity of today’s threats, it has created its own problem; coordinating these into one seamless process. Switching between these multiple technologies, what Gartner refers to as “context switching”, can create enormous inefficiencies in an organization’s security program.
Technology integrations are the most common method used to support technology orchestration. There are numerous methods which can be used to integrate technologies through a SOAR solution, including common communication mechanisms such as syslog and email, as well as more complex, bidirectional integration methods such as API calls. Although technology is typically the primary focus of orchestration, it is equally important to consider the orchestration of people and processes in a holistic security program. Technology should be supported by effective processes, which should enable people to respond appropriately to security events. A strictly technology-centric security program is no longer adequate; people and processes must also be orchestrated properly to ensure that a security program is operating at its maximum efficiency.
Although the concepts of orchestration and automation are closely related, the goals they seek to achieve are fundamentally different. While orchestration is intended to increase efficiency through increased coordination and decreased context switching to support faster, more informed decision making, security automation is intended to reduce the time these processes take by automating repeatable processes and applying machine learning to appropriate tasks.
The key to successful automation is the identification of predictable, repeatable processes which require minimal human intervention to perform. Automation should act as a force multiplier for security teams, reducing the mundane actions that must be manually performed and allowing analysts to focus on those actions which require human intervention. Although some processes may be fully automated, a SOAR technology solution must also support automation which allows for human intervention at critical decision points.
Because a SOAR solution sits at the crossroads of the incident response process, it is in an ideal location to collect a trove of information. Measurement of security information is key for making informed tactical and strategic security decisions. Proper measurement is what turns raw incident information into critical intelligence. Measurement of both tactical and strategic information is useless without proper display and visualization. A SOAR solution must support multiple methods for displaying and visualizing all information in an effective and easy to digest manner.
Stay tuned for our final blog in this series, where we will discuss the some of the critical components and functionality that a SOAR solution should contain. For more information on any of these topics, please check out our new whitepaper titled “Security Orchestration, Automation, and Response (SOAR) Technology” here.
Increasing Adoption of SOAR Solutions
Over the past several years, Security Orchestration, Automation and Response (SOAR) has gone from being viewed as a niche product to one gaining traction across almost all industry verticals. Today, more and more private organizations, MSSPs and governments are turning to SOAR Technology to address previously unsolved problems in their security programs. SOAR is about taking action: “Automate. Orchestrate. Measure”. Organizations are implementing a SOAR solution to improve their incident response efficiency and effectiveness by orchestrating and automating their security operations processes. Gartner estimates that by 2019, 30% of mid to large-sized enterprises will leverage a SOAR technology, up from an estimated 5% in 2015.
In this three-part blog, we will discuss the key drivers for SOAR adoption and what problems a SOAR solution can help solve. In the next blog, the second part of this three-part blog, we will discuss the three pillars of Security Orchestration, Automation and Response (SOAR). Finally, we will round out the series by discussing the critical components and functionality that a SOAR solution should contain.
Five Key Problems SOAR Technology Helps to Solve
Like many new product categories, Security Orchestration, Automation and Response (SOAR) technology was born from problems without solutions (or perhaps more accurately, problems which had grown beyond the point that they could be adequately solved with existing solutions). To define the product category more accurately, it is crucial to first understand what problems drove its creation. There are five key problems the SOAR market space has evolved to address.
- Increased workload combined with budget constraints and competition for skilled analysts means that organizations are being forced to do more with less
As the number and sophistication of threats has grown over the past decade, there has been an explosion in the number of security applications in the enterprise. Security analysts are being forced to work within multiple platforms, manually gathering desperate data from each source, then manually enriching and correlating that data. Although it may not be as difficult to find security analysts as it once was, a truly skilled security analyst is still somewhat of a rare breed. Intense competition for these skill analysts means that organizations must often choose between hiring one highly skilled analyst, or several more junior analysts.
- Valuable analyst time is being consumed sorting through a plethora of alerts and performing mundane tasks to triage and determine the veracity of the alerts
Even when alerts are centrally managed and correlated through a SIEM, the number of alerts is often overwhelming for security teams. Each one of these alerts must be manually verified and triaged by an analyst. Alerts which are determined to be valid then require additional manual research and enrichment before any real action can be taken to address the potential threat. While these manual processes are taking place, other alerts sit unresolved in the queue and additional alerts continue to roll in.
- Security incidents are becoming more costly, meaning that organizations must find new ways to further reduce the mean time to detection and the mean time to resolution
The cost of the average incident has increased steadily year on year. The immediate cost of an incident due to lost sales, employee time spent, consulting hours, legal fees and lawsuits is relatively easy to quantify. The financial loss due to reputational damage, however, can be much more difficult to accurately measure. Reducing the time to detect and resolve potential security incidents must be an absolute priority. Each hour that a security incident persists is effectively money out of the door.
- Tribal knowledge is inherently difficult to codify, and often leaves the organization with personnel changes
Employee retention is an issue faced by almost every security team. Highly skilled analysts are an extremely valuable resource for which competition is always high. Each time an organization loses a seasoned analyst, some tribal knowledge is lost with them and they are replaced with an analyst who, even if they possess the same technical skills, will lack this tribal knowledge for at least a period of time. Training new analysts takes time, especially when processes are manual and complex. Documenting security processes is a complex, but critical task for all security teams.
- Security operations are inherently difficult to measure and manage effectively
Unlike other business units which may have more concrete methods for measuring the success or failure of a program, security metrics are often much more abstract and subjective. Traditional approaches to measuring return on investment are often not appropriate for security projects and can lead to inaccurate or misleading results. Properly measuring the effectiveness and efficiency of a security product or program requires a measurement process specially designed to meet these unique requirements.
About DFLabs IncMan SOAR
DFLabs is an award-winning and recognized global leader in Security Orchestration, Automation and Response (SOAR) technology. Its pioneering purpose-built platform, IncMan SOAR, enables SOCs, CSIRTs, and MSSPs to automate, orchestrate and measure security operations and incident response processes and tasks. IncMan SOAR drives intelligence-driven command and control of security operations, by orchestrating the full incident response and investigation lifecycle and empowers security analysts, forensic investigators and incident responders to respond to, track, predict and visualize cyber security incidents. As its flagship product, IncMan SOAR has been adopted by Fortune 500 and Global 2000 organizations worldwide.
Schedule a live demo with one of our cyber security specialists here and see DFLabs IncMan SOAR platform in action. For more information on any of these topics, please check out our new whitepaper titled “Security Orchestration, Automation, and Response (SOAR) Technology” here.
Stay tuned for our next blog in this series, where we will discuss the three pillars of SOAR technology.
Faced with a growing threat landscape, a shortage of skilled cyber security professionals, and non-technical employees who lack awareness of cyber security best practices, to name a few, CISOs are continuously confronted with a number of existing and new challenges. To mitigate some of these challenges by eliminating security threats and minimizing security gaps, they must make some critical strategic decisions within their organizations.
Even though we are only at the beginning of April, 2018 is already proving to be a year of increasing cyber incidents, with security threats spanning across a range of industry sectors, impacting both the private and public sectors alike. We have seen many data breaches including Uber, Facebook and Experian that have made it clear that no organization, not even the corporate giants, are safe from these cyber threats and attacks. We are now also seeing newly evolving threats affecting the popular and latest smart devices including products such as Alexa and Goоgle Home. New technology not fully tested, or security vulnerabilities from IoT devices being brought into the workplace, now bring additional concerns for CISOs and their security teams, as they try to proactively defend and protect their corporate networks.
This problem seems quite simple to identify in that corporate policies are not being updated fast enough to keep up with dynamic changes and advancements in technology, as well as to cope with the increasing sophistication of advancing threats, but managing this problem is seemingly more difficult. This generates an additional set of challenges for CISOs to enforce policies that still need to be written, while conquering internal corporate bureaucracy to get them created, modified or updated. This is just one challenge. Let’s now discuss a few more and some suggested actions to manage them.
How CISOs Can Overcome Their Challenges
CISOs in international corporations need to focus on global compliance and regulations to abide with a range of privacy laws, including the upcoming European Union’s General Data Protection Regulation (GDPR). This new regulation due to come into force on May 25th, 2018 has set the stage for protection of consumer data privacy and in time we expect to see other regulations closely follow suite. International companies that hold EU personal identifiable information inside or outside of the EU will need to abide by the regulation and establish a formalized incident response procedure, implement an internal breach notification process, communicate the personal data breach to the data subject without delay, as well as notify the Supervisory Authority within 72 hours, regardless of where the breach occurred. Organizations need to report all breaches and inform their affected customers, or face fines of up to 20 million Euros or four percent of annual turnover (whichever is higher). A new law called the Data Security and Breach Notification Act is also being worked on presently by the U.S. Senate to promote this protection for customers affected. This new legislation will impose up to a five year prison sentence on any individual that conceals a new data breach, without notifying the customers that had been impacted.
So how can CISOs proactively stay ahead of the growing number of cyber security threats, notify affected customers as soon as possible and respond within 72 hrs of a breach? The key is to carry out security risk assessments, implement the necessary procedures, as well as utilize tools that can help facilitate Security Orchestration, Automation and Response (SOAR), such as the IncMan SOAR platform from DLFabs. IncMan has capabilities to automate and prioritize incident response and related enrichment and containment tasks, distribute appropriate notifications and implement an incident response plan in case of a potential data breach. IncMan handles different stages of the incident response and breach notification process including providing advanced reporting capabilities with appropriate metrics and the ability to gather or share intelligence with 3rd parties. This timely collection of enriched threat intelligence helps expedite the incident response time and contribute to better management of the corporate landscape.
The Need to Harden New Technology Policies
Endpoint protection has also become a heightened concern for security departments in recent months, with an increasing number of organizations facing multiple ransomware and zero days attacks. New technologies used by employees within the organization, not covered by corporate policies, such as Bring Your Own Device (BYOD) and the Internet of things (IoT) have brought new challenges to the CISOs threat landscape. One example as we mentioned earlier are gadgets such as Alexa or Google Home, where users bring them into the office and connect them to the corporate WIFI or network without prior approval. When connected to the network, they can immediately introduce vulnerabilities and access gaps in the security network that can be easily exploited by hackers.
Devices that are not managed under corporate policies need to be restricted to a guest network that cannot exploit vulnerabilities and should not be allowed to use Wi-Fi Protected Access (WPA). CISOs need to ensure that stricter corporate policies are implemented to restrict and manage new technologies, as well as utilizing tools such as an Endpoint Protection Product (EPP) or Next-Generation Anti Virus (NGAV) solution to help prevent malware from executing when found on a user machine. NAGV tools can learn the behaviors of the endpoint devices and query a signature database of vaccines for exploits and other malware on real time to help expedite containment and remediation to minimize threats.
Maximizing Resources With Technology as a Solution
With the significant increase in the number of and advancing sophistication of potential cyber security threats and security alerts, combined with a shortage of cyber security staff with the required skill set and knowledge, CISOs are under even more pressure to protect their organizations and ask themselves questions such as: How do I effectively investigate incidents coming in from so many data points? How can I quickly prioritize incidents that present the greatest threat to my organization? How can I reduce the amount of time necessary to resolve an incident and give staff more time hunting emerging threats?
They will need to assess their current organization security landscape and available resources, while assessing their skill level and maturity. Based on the company size it may even make business sense to outsource some aspects, for example by hiring a Managed Security Service Provider (MSSP) to manage alert monitoring, threat detection and incident response. CISOs should also evaluate the range of tools available to them and make the decision whether they can benefit from utilizing Security Orchestration, Automation and Response (SOAR) technology to increase their security program efficiency and effectiveness within their current structure.
Security Infrastructure and Employee Training Are Paramount
In summary, CISOs will be faced with more advancing challenges and increasing threats and these are only set to continue over the coming months. They should ensure that their security infrastructures follow sufficient frameworks such as NIST, ISO, SANS, PCI/DSS, as well as best practices for application security, cloud computing and encryption.
They should prepare to resource their security teams with adequate technology and tools to respond to threats and alerts and to minimize the impact as much as feasibly possible, with set policies and procedures in place. To enforce security best practices across all departments of the company, it is important that security decisions are fully understood and supported by the leadership team as well as human resources, with a range of corporate policies to meet the challenges of ever changing technologies.
CISOs need to promote security best practices and corporate policies, industry laws regulations and compliance by educating and training relevant stakeholders, starting with employees. The use of workshops, seminars, websites, banners, posters and training in all areas of the company will heighten people’s awareness to threats and exploits, increasing their knowledge, while also teaching them the best way to respond or to raise the alarm if there is a potential threat. The initial investment in education and training may be a burden on time and resources but in the long run will prove beneficial and could potentially prevent the company from experiencing a serious threat or penalty from non-compliance.
Completing a full analysis of current resources, skill sets and security tools and platforms will all play a part when deciding whether in-house or outsourced security operations is the best approach, but the benefits of using SOAR technology to leverage existing security products to dramatically reduce the response and remediation gap caused by limited resources and the increasing volume of threats and incidents, as well as to assist with important breach notification requirements, should not be overlooked.
DFLabs is excited to announce the latest release of its industry-leading Security Orchestration, Automation and Response platform, IncMan version 4.3. Solving customer’s problems and adding value to our customer’s security programs is one of our core goals here at DFLabs and this is reflected in our 4.3 release with over 100 enhancements, additions, and fixes; many suggested by customers, all designed to make the complex task of responding to potential security incidents faster, easier and more efficient.
IncMan 4.3 includes many new bidirectional integrations from a variety of product categories including threat intelligence, malware analysis, ticket management and endpoint protection, chosen to broaden the orchestration and automation capabilities of our customers. These new bidirectional integrations include:
- Atlassian Jira
- BMC Remedy
- Carbon Black Defense
- Cuckoo Sandbox
- McAfee Advanced Threat Defense
- McAfee Threat Intelligence Exchange
- Recorded Future
With IncMan 4.3, we have also greatly enhanced the flexibility of our R3 Rapid Response Runbooks with the addition of two new decision nodes; Filter and User Choice. Filter nodes allow users to further filter and refine information returned by previously executed integrations; for example, filtering IT asset information to include only servers, focusing on key assets first. Unlike automated Enrichment actions, automated Containment actions could have serious unintended impacts on the organization. User Choice nodes allow users to minimize this risk by allowing them to define critical junctions in the workflow at which a human must intervene and make a decision. For example, human verification may be required before banning a hash value across the enterprise or quarantining a host pending further analysis.
Improvements to our patent-pending Automated Responder Knowledge (DF-ARK) module allow IncMan to make even more intelligent decisions when suggesting response actions, and enhancements to IncMan’s correlation engine allow users a more advanced view of the threat landscape over time and across the organization. IncMan’s report engine has been significantly bolstered, allowing users to create more flexible reports for a variety of purposes than ever before. Finally, numerous changes have been made to IncMan’s Dashboard and KPI features, allowing users to create more actionable KPIs and gather a complete picture of the organization’s current state of security at a moment’s glance.
These are just some of the highlights of our latest IncMan release; IncMan 4.3 includes many other enhancements designed to streamline your orchestration, automation and response process. If you would like a demo of our latest release, please go to our demo request site. Stay tuned to our website for additional updates, feature highlights, and demos of our latest release.
Last week, Anton Chuvakin from Gartner announced that Augusto Barros and himself are planning to conduct research in Q4 2017 on the topic of Security Orchestration, Automation and Response (SOAR), or Security Automation and Orchestration, depending on which analyst firms’ market designation you follow. At DFLabs we are very excited that Gartner is finally showing our market space some love and will be helping end users to better assess and differentiate SAO offerings.
Anton provided many questions that he wanted SAO vendors to prepare for. The questions immediately piqued our interest, with one question, in particular, standing out to us.
1.When is SOAR a MUST have technology? What has to be true about the organization to truly require SOAR? Why your best customer acquired the tools?
Anton also said that he had one main problem with Security Automation and Orchestration. In his own words, “For now, my main problem with SOAR (however you call those security orchestration and automation tools…if you say SOAPA or SAO we won’t hate you much) is that I have never (NEVER!) met anybody who thought “my SOAR is a MUST HAVE.”
The question is not entirely unwarranted. During my own time at Gartner covering the SOAR space, I spoke to many clients who were seeking an SAO solution without knowing that they were. Typical comments were, “I have too many alerts and false positives to be able to deal with them all”, or “We are struggling to hire enough skilled people to be able to respond to all of the incidents that we have to manage”. Another common comment was, “I am struggling to report operational performance to my executives?”. Often, these comments were followed by the question, “Do you know of any technology that can help?”.
Typically, these organizations had a mature security monitoring program, usually built around a SIEM. They often had critical drivers, such as regulatory requirements, or held sensitive customer data. We hear the same buying drivers from our own customer base.
To sum up the most common drivers for someone asking about Security Automation and Orchestration:
- A high volume of alerts and incidents and the challenge in managing them
- A large portfolio of diverse 3rd party security detection products resulting in a large volume of alerts
- Regulatory mandates for incident response and breach notification
- An overstretched security operations team
- Reporting risk and the operational performance of the CSIRT and SOC to an executive audience
One interesting thing is that when there is no external driver like regulatory compliance, deploying a Security Automation and Orchestration solution is often determined by maturity. Most organizations don’t realize that they will be unable to cope with the volume of alerts and the resulting alert fatigue until they have deployed a SIEM and a full advanced threat detection architecture.
The common misconception is that the SIEM can help to reduce the number of incoming alerts by applying correlation rules. This not entirely untrue, but correlation rules will only reduce a small percentage. They are essentially signature based. You need to know in advance what you want to correlate, and adding a correlation rule to cover all and every incoming alert is not a trivial task. Even with correlation rules, additional work will be required to qualify an incident. Gathering additional IoC’s, incident observables and context is still a very manual process. Lastly, detection is only one part of the entire incident response process – notifying stakeholders, gathering forensic evidence and threat containment will also have to be done manually. These are the areas where SAO solutions provide the greatest ROI – as a force multiplier.
Security Orchestration and Automated Response (SOAR) is a relatively new cyber security solution category. The aim of these platforms is to provide a centralized software solution to manage the complete lifecycle of a cyber incident, orchestrate security products to a determined goal, and respond to cyber incidents in an automated or semi-automated fashion. The SOAR category is of particular interest to Security Operations Center Teams, as this product is now seen as the backbone of incident management.
Given the differences that can exist between Security Operations Center or Cyber Incident Response teams, it’s rare to find items that share a commonality between the incident response organizations when evaluating incident response solutions. Given that, the following seem to share a common focus during the evaluation process:
In no particular order:
1. Supervised Active Intelligence™
This is a methodology that best describes one of our most powerful features within IncMan™, the ability to arm your SOC teams with selected intelligence related to a cyber incident. This feature provides targeted information and is provided directly to the assigned investigator. This information is paramount to starting a cyber investigation, and we see on a daily basis that cyber incidents without this information have a very slow reaction time. However, the most important factor is your teams take steps that are guided by the intelligence generated within an IncMan playbook as they work through their playbook actions.
2. Intelligent Correlation Engine
As per the Supervised Active Intelligence feature, within our IncMan platform, the intelligence will be captured and build upon the growing information around cyber incidents. This information is analyzed by IncMan, providing a visual representation of how an incident has progressed and if any other incidents share common features. I.e. they affected the same users, or same machine types, patterns that have emerged etc. We visualize this information over a timeline, allowing the SOC team the ability to correlate the cyber security incidents to business events or even basic tracking how malware has traversed through several machines and at what rate.
3. Extended Knowledge base with your own intelligence or from others
We understand as an organization how important it is to use multiple sources of external intelligence. This has allowed us to provide the ability to extend the IncMan knowledge base with the information required by your SOC team. For example, some clients use the knowledge base to add additional fraud intelligence and prevention information. We natively support TAXII and other feeds using the STIX format of intelligence sharing. Alternatively, if you are a part of an intelligence sharing network, IncMan permits the API connection.
Another feature which we often see utilized by CSO’s and CISO’s alike is regarding the knowledge base and Cyber Incident linking capabilities. We allow tagging and linking of knowledge base articles with cyber incidents to aid reporting and impact visibility to the stake holders.
4. Integrating your environment
As mentioned earlier, IncMan allows the use of your current environment and the products you already have readily available. As our client, we want to bring you from “Zero to Hero” in the shortest time span possible with pre-configured integrations that are enabled within minutes. With IncMan you choose how you want to leverage your existing products. The crucial point is we know every environment is a mixture of multiple moving parts and we can integrate with your existing framework to ensure maximum availability while minimizing response time and resource expenditures.
Playbooks can be thought of in the context of American football. The term playbook was created to give a visual meaning to orchestrating team members for a single goal, given a scenario presented to a team or organization. The three distinct teams are as follows
– Defense, and containment for cyber incident response
– Special Teams for enrichment and providing both teams with more information and field position for American football
– The offense for mitigating incidents and going on the offensive to put the company in a positive, advantageous position given the situation that is presented in front of them.
For those of you not into the American Football analogy; Playbooks give your teams meticulous control over pre-defined workflows to drive policy and procedures in a repeatable, consistent and enforced manner. This allows for enrichment, containment, and mitigation driven through one product – IncMan.