compatible software programs that allow an organization to collect data
about security threats from multiple sources and respond to low-level security
human assistance. The goal of using a SOAR stack is to improve the
efficiency of physical and digital security operations. The term, which
was coined by the research firm Gartner, can be applied to compatible
products and services that help define, prioritize, standardize and
orchestration and automation, security incident response platforms (SIRP),
and threat intelligence platforms (TIP).
stack is an ordered collection of software that makes it possible to
complete a particular task. There are a lot of different types of
Here are a few examples: A
includes the software required for basic server functioning. A
includes the software required for Web app development. An application
stack includes all the application programs required to perform a given
task. A software stack includes the software required for a given task.
(Software stacks include infrastructure software, rather than just
is a type of software stack that includes servers,
is the collection of resources that, along with the
make up the Microsoft Hyper-V environment.
A security event is
a change in the everyday operations of a
or information technology service indicating that a
may have been violated or a security safeguard may have failed. In a
include any identifiable occurrence that has significance for system
hardware or software. Security events are those that may have
significance to the security of systems or data.
The first indication of an event may
come from a software-defined alert or by end users notifying a
that, for example, network services have slowed down. As a rule, an
event is a relatively minor occurance or situation that can be resolved
fairly easily and events that require an IT administrator to take action
are classified as incidents. A help desk ticket from a single user
reporting that they think they have contracted a virus is a
security event, because it could indicate a security issue. If evidence
of the virus is found on the user's computer, however, it can be
According to a report from threat
detection vendor Damballa, organizations surveyed had an average of
10,000 security events a day. Security products such as antivirus
software can reduce the number of security events and many incidence
response processes can be
automated to make the workload more manageable. Events that
don't require action by an administrator may be handled automatically by
security information and event management (SIEM)
Incident response is an
organized approach to addressing and managing the aftermath of a
security breach or cyberattack, also known as an IT incident, computer
The goal is to handle the situation in a way that limits damage and
reduces recovery time and costs.
Ideally, incident response activities
are conducted by the organization's computer
security incident response team (CSIRT),
a group that has been previously selected to include information
security and general IT staff as well as C-suite level members. The team
may also include representatives from the legal, human resources and
public relations departments. The incident response team follows the
organization's incident response plan (IRP), which is a set of written
instructions that outline the organization's response to network events,
security incidents and confirmed breaches.
Incident response is all about
planning ahead and having a flight plan before it is necessary. Rather
than being an IT-centric process, it is an overall business function
that helps ensure an organization can make quick decisions with reliable
information. Not only are technical staff from IT and security
departments involved, so too are representatives from other core aspects
of the business.
Importance of incident response
Any incident that is not properly
contained and handled can, and usually will, escalate into a bigger
problem that can ultimately lead to a damaging data
breach, large expense or
system collapse. Responding to an incident quickly will help an
organization minimize losses, mitigate exploited vulnerabilities,
restore services and processes and reduce the risks that future
Incident response enables an
organization to be prepared for the unknown as well as the known and is
a reliable method for identifying a security incident immediately when
it occurs. Incident response also allows an organization to establish a
series of best practices to stop an intrusion before it causes damage.
Incident response is a crucial
component of running a business as most organizations rely on sensitive
information that would be detrimental if comprised. Incidents could
range from simple
infections to unencrypted employee laptops that are put into the wrong
hands to compromised login credentials and database leaks. Any of these
incidents can have both short term and long term effects that can impact
the success of the entire organization.
Additionally, security incidents can
be expensive as businesses could face regulatory fines, legal fees and
costs. It could also affect future profits as untreated incidents are
correlated with lower brand reputation, customer loyalty and customer
While organizations cannot eradicate
incidents completely, incident response processes do help minimize them.
Emphasis should be placed on what can be done in advance to brace for
the impact of a security incident. While hackers will always continue to
exist, a team can be prepared to prevent and respond to their attacks.
That is why having a functional,
effective incident response approach
is important for all types of organizations.
Types of security incidents
various types of security incidents
and ways to classify them. What may be considered an incident for one
organization might not be as critical for another. The following are a
few examples of common incidents that can have a negative impact on
distributed denial of service (DDoS)
attack against critical cloud services.
A malware or
infection that has encrypted critical business files across the
attempt that has led to the exposure of personally-identifiable
unencrypted laptop known to have sensitive customer records that has
Security incidents that would
typically warrant the execution of formal incident response procedures
are considered both urgent and important. That is, they are urgent in
nature and must be dealt with immediately and they impact important
systems, information or areas of the business.
Another important aspect of
understanding incident response is defining the difference between
threats and vulnerabilities. A threat is an indication or stimulus, such
as a criminal hacker or dishonest employee that is looking to exploit a
vulnerability for a malicious or financial gain. A
is a weakness in a computer system, business process or user that can be
easily exploited. Threats exploit vulnerabilities which, in turn, create
business risk. The potential consequences include unauthorized access to
sensitive information assets,
systems taken offline and legal and compliance violations.
Incident response plan
An incident response plan is the set
of instructions an incident response team follows when an event actually
occurs. If developed correctly, it should include procedures for
detecting, responding to and limiting the effects of a security
Incident response plans usually
include directions on how to respond to potential attack scenarios,
including data breaches, denial of service/distributed denial of service
attacks, network intrusions, malware outbreaks or insider threats.
Without an incident response plan in
place, an organization may not detect the attack or it may not follow
proper protocol to contain the threat and recover from it when a breach
is detected. A
formally documented IR plan
helps businesses respond rather than react. When incident response
procedures are not developed in advance, the resulting efforts end up
making the situation worse, including looking on professional and
ultimately being indefensible if lawyers get involved.
The process of
executing an incident response plan
There are six key phases of an
incident response plan:
Preparation: Preparing users and IT staff to handle potential
incidents should they should arise.
Identification: Determining whether an event qualifies as a security
Containment: Limiting the damage of the incident and isolating
affected systems to prevent further damage.
Eradication: Finding the root cause of the incident and removing
affected systems from the production environment.
Permitting affected systems back into the production environment and
ensuring no threat remains.
learned: Completing incident documentation, performing analysis to
learn from the incident and potentially improving future response
Additionally, best practices indicate
that incident response plans
follow a common framework,
of the plan.
A list of
roles and responsibilities.
A list of
incidents requiring action.
state of the network infrastructure and security safeguards.
investigation and containment procedures.
A list of
A call list.
response plan testing.
An incident response plan can benefit
an enterprise by outlining how to minimize the duration of and damage
from a security incident, identifying participating stakeholders,
recovery time, reducing negative publicity and ultimately increasing the
confidence of corporate executives, owners and shareholders.
The plan should identify and describe
the roles and responsibilities of the incident response team members who
are responsible for testing the plan and putting it into action. The
plan should also specify the tools, technologies and physical resources
that must be in place to recover breached information.
Every organization’s incident response
plan can be tailored to specific business risks and needs that have been
identified. However, all incident response plans should outline factors
involving who, what, when, why and how as they relate to security
incidents and confirmed breaches.
What does an incident response team do?
A good incident response program
putting together a cross-functional
team from diverse parts of
the business. Without the right people in place, any attempted incident
response efforts will likely be ineffective. The team not only helps to
execute the incident response plan but also aids with ongoing oversight
and maintenance including the day-to-day administration of technical
controls. Each team member should have clearly defined duties and goals.
These are actions that not only take place during an incident but also
before an incident occurs and afterwards as well. The incident response
team may involve members of the organization’s overall security
Who is responsible for incident response?
To properly prepare for and address
incidents across the business, an organization should form an
incident response team.
This team is responsible for analyzing security events and responding
appropriately. An incident response team may include:
incident response manager, usually the director of IT, who oversees
and prioritizes actions during the detection, analysis and containment
of an incident. The incident response manager also conveys the special
requirements of high-severity incidents to the rest of the organization.
Security analysts who support the manager and work directly with the
affected network to research the time, location and details of an
incident. Triage analysts filter out false positives and keep an eye out
for potential intrusions. Forensic analysts recover key artifacts
(residue left behind that can provide clues about an intruder) as well
as maintain the integrity of evidence and the investigation.
Threat researchers that provide threat
context for an incident. They scour the internet and identify
information that may have been reported externally. Threat researchers
combine this data with an organization's records of previous incidents
to build and maintain a database of internal intelligence. If this level
of expertise does not exist in house, it can be outsourced.
Management support is key to
securing the necessary resources, funding, staff and time commitment for
incident response planning and execution. Many incident response teams
include the Chief Information Security Officer (CISO),
the Chief Information Officer (CIO)
or another C-suite executive, who acts as a leader and evangelist for
the group. An outside consultant who specializes in incident response
can be a good addition to the team when needed.
The incident response team may
also include a human resources representative, especially if the
investigation reveals that an employee is involved with an incident.
Audit and risk management specialists can develop vulnerability
assessments and threat
metrics and also encourage best practices across the organization.
Including the organization's general
counsel can ensure that the collected evidence maintains its forensic
value in case the organization decides to take legal action. Attorneys
also provide advice about liability issues when an incident affects
vendors, customers and/or the general public. Finally, a public
relations specialist is essential for keeping in touch with team leaders
and to ensure accurate and consistent information is disseminated to the
media, customers, stockholders and other interested parties.
Incident response plan management
Incident response is not unlike any
other aspect of information security. It requires thoughtful planning,
ongoing oversight and clear metrics so that efforts can be properly
measured. Ongoing management initiatives include setting and overseeing
incident response goals, periodically testing the incident response plan
ensure its effectiveness and training all the necessary parties on
applicable incident response procedures. Specific metrics used to
measure the effectiveness of incident response initiatives might
incidents requiring action.
incidents that led to breaches.
Additionally, incident response goals
might include areas involving:
incident response plan reviews and updates.
and execution of incident response test scenarios.
with related security initiatives, such as security awareness, employee
training and vulnerability and
reporting of security events to executive leadership or outside parties.
procurement of additional technologies that can provide enhanced network
visibility and control.
Incident response plans vs. business continuity plans
With the goals of keeping the business
running and minimizing the impact of unforeseen events, incident
response could be considered part of the
process. Given what is at stake and the different variables involved,
such as people, technologies and business processes, incident response
should have the highest levels of visibility within the organization. An
incident response plan is dedicated to incidents and breaches impacting
networks and computers, applications and databases and related
information assets. Therefore, most organizations are best served by
keeping the incident response plan in a standalone document – separate
from yet referenced in the business continuity plan. The most important
thing is to ensure the incident response plan is easily accessible by
all team members when it is needed.
continuity planning includes
Tools for incident response
There are numerous tools and
methodologies that can be used to assist with incident response and are
typically categorized by prevention, detection or response
functionalities. Certain organizations follow the military-derived
for incident response. The OODA loop is a methodology that encourages a
business to observe, orient, decide and act when an incident occurs, all
IR tools can assist with.
For example, an organization can gain
the necessary visibility into an incident with packet analysis, system
resource monitoring and file integrity examination technologies. Insight
can be gained into the threats by using real-time threat indicators and
threat intelligence services. Even further, there are tools that can
provide forensics details such as source location, incident technical
information and event replays. There are also tools that allow an
organization to act against a threat by stopping it from spreading or
minimizing the impact it has on the computing environment.
While incident response is a process,
technology can be used to automate and streamline specific incident
response functions to help minimize detection times and system errors.
Service providers focused on
developing incident response
technology typically offer
products in the following categories:
awareness and training.
and DoS mitigation.
Net flow and
incident and event management (SIEM).
In essence, incident response tools
provide organizations with both visibility and control. They also
provide professionals with the necessary information so that they know
what to do, or not do, once anomalous behavior is discovered. Finally,
incident response tools help with direct response efforts – allowing
organizations to take action in order minimize the risks involved.
technology products in the incident
response sector are
commercial and require proper budgeting for capital and operating
expenditures. Alternatively, there are a number of open source software
offerings that could be tailored to meet a specific organization’s
requirements. When choosing the open source approach, it is important to
weight how much effort will be involved, how efficiently it will be able
to scale and how effective it will be long term.
Once incident response tools are put
into place, it is important to ensure that there is enough staff and
expertise to keep it maintained and updated. Having the necessary
resources is critical for the initial design and implementation of the
technology as well as the ongoing administration and troubleshooting.
Finally, executives must remember that
incident response tools cannot comprise the entire incident response
program. While tools and automation may play a large role, they should
still only be one component of the overall incident response
Security orchestration, automation,
and response, or SOAR, is a stack of compatible software solutions
intended to help companies collect valuable data. The information
collected using SOAR allows organisations to understand security threats
coming from various sources and respond to low-level events often
without human input. The goal of a SOAR stack is to enhance the
efficiency of the digital and physical business security operations.
The term “SOAR” applies to products
and services in IT that help with the definition, standardisation, and
automation of incident response systems. Today, we’re going to be
looking at some of the most popular and well-regarded SOAR solutions in
the marketplace used by SecureScrypt.
a company in the IT security landscape that’s committed to helping
businesses reduce their workloads and make more informed decisions about
their future. The ThreatConnect intelligence-driven automation and
orchestration tool offers companies faster, more repeatable, and more
innovative processes in a single platform.
Additionally, the ThreatConnect
playbooks are available to automate virtually any cybersecurity task
using simple drag-and-drop functionality. Triggers like phishing emails
and IP address indicators automatically transfer data to apps to perform
a range of functions. These vary from blocks to malware analysis. Once
enabled, these triggers can run in real-time to provide detailed
information to business leaders.
brand has a dedicated CyOPs
platform called “CyberSponse” which provides holistic enterprise-ready
security orchestration and automation tools to modern companies.
Designed to empower today’s security operation teams, the CyOPs solution
gives today’s leaders the power to work smarter. One way it does so is
by offering almost real-time responses to errors and issues.
Similar to ThreatConnect, the
Cybersponse team also offer a range of playbooks that companies can
access to automatically pull alerts from their SIEM environment. CyOPs
also offers alert triage using various threat intelligence feeds while
blocking malicious indicators using email gateway and firewall
A leading provider of enterprise-grade
IT process automation solutions, Ayehu is
one of the most reliable companies on the market when it comes to SOAR
technology. The brand was mentioned in Gartner’s most recent publication
on leading vendors of
security automation, analytics, and reporting tools.
Ayehu provides today’s organisations
with a wide variety of IT process automation solutions to choose from so
that they can resolve critical incidents, simplify workflows, and
maintain greater control over their IT infrastructure. Major
organisations across the globe trust Ayehu. As well as this, the company
currently supports thousands of IT processes worldwide too.
7. Rapid7 ( preferred for large organizations and enterprises)
Rapid7 offers SOAR strategies through
InsightConnect, their security orchestration and automation solution.
InsightConnect allows teams to accelerate and streamline their most
time-intensive processes without needing any kind of coding background.
There are more than 200 plugins available from Rapid7 to connect crucial
tools and create custom workflows. This means teams are free to tackle a
variety of challenges outside of repetitive tasks.
FireEye’s SOAR solution is
designed to help companies achieve more in less time while still
allowing plenty of room for human decision making. With InsightConnect,
you can go beyond relying on point-to-point integrations of your
technology stack and start making decisions for real business growth.
SOAR platform is another
exceptional tool intended to help organisations manage the growing
number of alerts and notifications in their security systems. With
Swimlane, business leaders can automate crucial and time-consuming
incident response processes. What’s more, the solution collects security
data from almost all security platforms with minimal effort. Thus, it
can automatically respond to alerts using playbooks and pre-set
Swimlane executes perfectly optimised
security-related tasks at machine-level speeds during the incident
response process. This is from detection through to investigation and
resolution. Consequently, this frees up business staff to focus on more
advanced threat defence.
Security orchestration and automation
practices are a fantastic way for businesses to improve their response
times, reduce risk exposure, and update process consistency today. FireEye’s
SOAR solution is intended
to help companies get the most out of SOAR processes by simplifying and
improving security operations from end-to-end.
FireEye connects disparate tools to
give teams better control over their incident response process while
saving on time and resources. FireEye also drives organizations ahead of
the competition, with real-world front-line investigation experience and
repetitive task automation.
4. Splunk ( new in the business with SOAR, bought PHANTOM in 2018 to
complement its platform)
The primary component of the Splunk
SOAR system is the Visual
Playbook Editor. The VPE allows developers and business teams to
construct sophisticated yet simple Phantom Playbooks with drag-and-drop
functionality. Even people without coding knowledge can build playbooks
graphically while the VPE generates code behind the scenes in real-time.
Splunk also offers canvas and function blocks so you can design specific
automation processes for individual workflows.
If you’re looking for a custom
approach to managing your SOAR strategy, Splunk offers one of the most
bespoke tools on the market. With Splunk, you can explore options to
define security actions, filter data, and also make crucial decisions in
company is a
true market leader in cyber incident response, security, and data
management. Delivering one of the world’s most impressive award-winning
SOAR platforms, SOAR gives companies all the tools they need to make the
most out of their security and automation efforts in virtually any
The DFLabs SOAR platform,
IncMan, serves CSIRTs, SOCs, and MSSPs that automate, measure, and
orchestrate security operations and incident response processes in the
same intuitive environment. By fusing intelligence, integrating leading
security tools, and sharing knowledge via seamless workflows, IncMan
SOAR allows for the easy detection and management of every security
NetWitness Orchestrator is
a state-of-the-art comprehensive security automation and orchestration
solution intended to improve the effectiveness and efficiency of
security operations. Hundreds of pre-configured and customisable
playbooks are available to streamline and automate incident response and
RSA NetWitness supports
interactive investigations among and between analysts, as well as
offering complete incident management tools. The Orchestrator manages
all the aspects of an incident lifecycle in a single common platform.
This includes evidence collection, documentation, and SLA tracking.
There’s also support for real-time execution.
Finally, LogRhythm offers
a SOAR solution for modern companies that can help to banish resource
constraints and improve security measures at the same time. The SOAR
solution from LogRhythm, SmartResponse, can automate workflows and
accelerate threat qualification and investigation in any business
environment. This makes it easier for companies to manage their time
more effectively and also dedicate human resources to complex incident
LogRhythm supports everything from
endpoint quarantining, to the collection of machine data, suspension of
network access, and more. With this simple, accessible tool, you can
instantly upgrade your security automation strategy and get your
business running more efficiently.