SOAR - Security orchestration and automation checklist and How to choose the right vendor
Faced up against the well-chronicled global skills shortage, the ceaseless bombardment of security alerts and the hodgepodge of security tools unable to communicate with each other, security operations professionals likely feel as if the deck is stacked against them.
But security orchestration, automation and response (SOAR) platforms have arrived on the scene to address this burgeoning problem of having too many disparate security tools firing off alerts without the adequate in-house talent to address them.
SOAR enables SecOps teams to integrate disconnected technologies and processes into a more cohesive security ecosystem, allowing staff to work more efficiently against the growing onslaught of cyber threats.
And if you aren’t already an adopter, you may be soon. Gartner predicts that “[b]y year-end 2020, 30% of organizations with a security team larger than five people will leverage SOAR tools for orchestration and automation reasons, up from less than 5% today.”
As a result, companies should exercise due diligence and have a clear criteria list when selecting a security orchestration vendor to ensure maximum value from their investment. While most providers likely have their own unique features, there are several core pieces of functionality you’ll want to look for in choosing the optimal solutions for your needs.
1. Integration of disparate security solutions
The ability to integrate disparate security solutions is a basic characteristic of security orchestration, though not all SOAR solutions are created equal. As the SOAR market consolidates due to acquisitions, some SOAR products may lose their value if their available integrations become limited.
Vendor neutrality is key here. Look for a SOAR provider that not only supports many of the widely used security tools but also makes the integration of the tools fast and easy. In addition, consider a platform that allows you to create orchestrated and automated processes for these tools you have already invested in, from alerting and triage to investigation to remediation and collaboration.
Here are some specific questions you should ask a prospective SOAR vendor:
· How many integrations do you support?
· Do you support both on-premises and cloud-based environments for those integrations?
· How quickly can you add or build new integrations?
· Will we be able to create/customize our own integrations?
2. Automated processes with playbooks
The right technologies are crucial to the success of security operations teams, but their effectiveness is only as good as the processes in place for using them. A key ingredient to any successful SecOps program is having a good set of playbooks that help security analysts create consistent, repeatable and automated response processes for accomplishing tasks and determining tools that come into play if a threat alert is raised. For example, the process for malware alerts is likely different than one for phishing alerts or data exfiltration, etc.
While the basis behind playbooks is to allow for the automation of various use cases, their functionality should be used for more than just putting tools into automated processes. Try to partner with a vendor that provides a breadth of features for playbook creation and customization.
Questions to ask:
· Do you include standard playbooks to help get our team started?
· Can your playbooks be customized to meet our organization’s needs and desired levels of automation?
· How easy will it be for our team to create new playbooks?
· Does your platform support tests and simulations to ensure playbook effectiveness?
3. Visual investigations
While some alerts and cases can be fully automated and then closed, most require human analysis. To understand a threat, security analysts normally draw out key pieces of information from the huge pile of raw data they’ve manually collected from alerts, logs, threat intelligence and other sources. These analysts then lay the pieces out to obtain an overview of the situation, build a storyline and perhaps discover relationships among events.
While this investigation technique is effective in visualizing a threat storyline, the common practice relies heavily on manual and time-consuming methods, such as laying things out on a whiteboard. Look for a security orchestration vendor whose solution mirrors an analyst’s visual investigation process: reinforced with graphs, timelines, flows and representations of relevant entities, which can significantly speed up investigation and response times.
Questions to ask:
· What is your solution’s visual investigation capabilities?
· Does the solution just run the playbook and hope the analyst figures things out or does it also provide insights and guide the analyst toward solving the puzzle?
· How would our analysts build the timeline of a security event?
· How are relationships among entities (IPs, users files, etc.) represented?
· What level of detail is provided about each entity and how?
4. The SOC workbench
Console switching is unavoidable in security operations, especially because analysts typically run multiple tools and handle different cases at the same time. Depending on the moment, one screen might be isolating hosts, while another screen might be blacklisting executables, with a third screen focusing on correlation and trending, and so on. Having to switch from console to console while prioritizing cases is not only time consuming, but also confusing.
Hunt for a vendor with an interface that minimizes the amount of switching required and that pushes the most critical cases to the top so your team can improve its focus and prioritize bringing down response and resolution times.
Questions to ask:
· What is the breadth of activity our team can manage through the interface?
· How does the platform prioritize and assign cases?
· How difficult is it to understand the user interface? Is there a certain skill level required or can our analysts become expert users quickly?
· Are there any collaboration capabilities included in the platform?
5. Case management and alert grouping
While advanced log aggregation tools and SIEMs can help bring together the data you need in one place, you still may be challenged to extract the true positives and weed out the false negatives. Plus, on any given day, a security operations center might be besieged with hundreds or even thousands of alerts.
If each alert becomes its own case to be worked by an analyst, think about the management impact and collaboration required to effectively handle them. Analysts working cases containing multiple related alerts can manage, triage and close these as a single effort. At the very least, alerts need to be correlated using threat intelligence and other data sources to understand what’s really happening before being able to proceed with incident response and remediation.
Questions to ask:
· Does your platform group related alerts into manageable cases?
· How do you determine if alerts are related or not?
· How are cases created from alerts?
· Does the solution use machine learning for alert prioritization and analyst assignment?
6. Reporting
Your SOAR vendor should be able to help you understand how your SOC is performing. From there, you can make informed decisions about everything from processes and tooling to caseloads and staffing. Because different stakeholders will want to look at different metrics and KPIs depending on their role, your chosen solution should be able to provide the information they require without burdening your security analysts.
Questions to ask:
· Do you support turnkey and automated reporting?
· What are your dashboarding capabilities? Do they offer templates or the ability to customize?
· Can we schedule reports to automatically run and be distributed on a set schedule?
Security orchestration solutions can elevate a SOC’s capabilities, efficiency and effectiveness. However, careful examination in selecting your ultimate partner can maximize the value of your investment.
In summary, look for a vendor that will streamline your security operations, reduce missed and uninvestigated alerts, speed up response, enable the creation of consistent and predictable processes, allow better transparency of metrics, and increase your SOCs ability to improve over time.
How SOAR can increase the value of your security team
Over the past few years, the cybersecurity industry has rapidly transformed. The exploding number and growing complexity of cyberattacks has forced organizations to spend billions of dollars annually on cybersecurity measures in an effort to keep pace with increasingly sophisticated threats and rising threat levels.
However, for many companies, recent research from ESG shows that cybersecurity represents the most significant area where organizations have a troublesome shortage of skills and tools as 51 percent claimed their organization had a problematic shortage of cybersecurity skills.
Making matters worse, ESG reports have witnessed an alarming and steady growth since 2014. In 2018, 51 percent claimed their organization had a problematic shortage of cybersecurity skills.
The majority of cybersecurity professionals claim their organization is impacted by the skills shortage. Securities teams are being faced with hundreds of thousands of potential threats daily, and most security teams spend most of their time dealing with whatever vulnerability pops up that day, leaving little time for training, planning, strategy, etc.
Making matters worse, security teams waste the precious little time they do have analyzing and responding to alarms that may not actually be “real” attacks. When normal or non-threatening activity is mistakenly identified as anomalous or malicious, that false positive can result in thousands of alerts that need to be investigated. If your security analysts are constantly evaluating false alerts, they aren’t able to spend the proper time working to mitigate legitimate threats.
Based on ESG’s and other industry research, it is apparent that the cybersecurity skills shortage is only getting worse. Your security operations (SecOps) team needs to be be working smarter, not harder.
Today, threat detection is no longer where failures typically occur. There are myriad high-quality detection solutions available that are quite proficient at identifying vulnerabilities. Instead, security breaches occur most often because businesses haven’t had access to solutions that could occupy the space directly after SIEM or other detection solutions in the security ecosystem.
Detection solutions allow security analysts and IT professionals to know that a possible attack is occurring, but identification is only the first step in the incident response process. With hundreds or thousands of threat alerts with varying degrees of complexity occurring on a daily basis, it’s become nearly impossible for security teams to manually address each event in a rigorous manner. And because resource constrained security teams are only able to sufficiently investigate 25 percent of security alerts, “real” threats can quickly become real problems.
Considering the increasingly sophisticated and dangerous threat landscape as well as the growing cybersecurity skills shortage, the problems security teams face are a vital threat to countries relying on technology to support their economy, critical infrastructure and society at large. So how can companies across every industry address this challenge, increase the value of their security teams and better protect their most sensitive data?
Enter security orchestration, automation and response (SOAR) technologies. SOAR creates a more streamlined method of detecting and responding to cyberthreats by integrating a company’s entire toolkit of security resources with its existing people and processes and automating time-consuming, manual tasks for faster, more effective incident response.
By augmenting threat detection solutions with automation and orchestration, organizations are able to increase the incident response capabilities of their security teams. This is accomplished by delivering access to centralized, enhanced event context using all existing tools and data sources, and rapidly resolving repetitive, manually intensive tasks. These can include actions like submitting data to threat intelligence platforms, sending out email notifications, generating incident reports, opening support tickets, etc., that consume a large percentage of a security operations staff’s time.
SOAR makes SecOps decision-making easier than ever, supporting vital security activities, including better prioritizing security operations activities, formalizing triage and incident response processes, and automating containment workflows. SOAR technologies can be used to create automated workflows that continuously search for potential threats throughout the network, automatically investigate alerts and centralize investigation findings for improved security understanding.
SOAR collects and centralizes a comprehensive set of data from security detection tools, threat intel feeds, third-party data sources and internal IT asset databases to deliver relevant event context to analysts so that they can quickly assess and determine the level of risk is when compared to other alarms in the queue. Through playbooks and pre-defined workflows, SOAR helps any security team more quickly investigate, triage and remediate security incidents based on best practices.
By automating the first, repeatable (and often tedious) steps in the incident response process, security teams can quickly make a decision based on the automated investigation. Not only do SOAR technologies significantly speed time to resolution, they allow SecOps teams to focus on more complicated and critical issues that require a greater level of domain expertise.
In the end, by helping SecOps teams to standardize and scale critical security processes, SOAR significantly improves incident response management, not only reducing mean time to resolution (MTTR), but also freeing up more time for security teams to concentrate on more critical tasks. Ultimately, SOAR improves the value of security teams and better protects organizations’ most sensitive data by empowering SecOps teams to implement better, faster and more effective security operations and incident response processes.
Security orchestration, automation, and response, or SOAR, is a stack of compatible software solutions intended to help companies collect valuable data. The information collected using SOAR allows organisations to understand security threats coming from various sources and respond to low-level events often without human input. The goal of a SOAR stack is to enhance the efficiency of the digital and physical business security operations.
The term “SOAR” applies to products and services in IT that help with the definition, standardisation, and automation of incident response systems. Today, we’re going to be looking at some of the most popular and well-regarded SOAR solutions in the marketplace.
10. ThreatConnect
ThreatConnect is a company in the IT security landscape that’s committed to helping businesses reduce their workloads and make more informed decisions about their future. The ThreatConnect intelligence-driven automation and orchestration tool offers companies faster, more repeatable, and more innovative processes in a single platform.
Additionally, the ThreatConnect playbooks are available to automate virtually any cybersecurity task using simple drag-and-drop functionality. Triggers like phishing emails and IP address indicators automatically transfer data to apps to perform a range of functions. These vary from blocks to malware analysis. Once enabled, these triggers can run in real-time to provide detailed information to business leaders.
9. Cybersponse
The Cybersponse brand has a dedicated CyOPs platform called “CyberSponse” which provides holistic enterprise-ready security orchestration and automation tools to modern companies. Designed to empower today’s security operation teams, the CyOPs solution gives today’s leaders the power to work smarter. One way it does so is by offering almost real-time responses to errors and issues.
Similar to ThreatConnect, the Cybersponse team also offer a range of playbooks that companies can access to automatically pull alerts from their SIEM environment. CyOPs also offers alert triage using various threat intelligence feeds while blocking malicious indicators using email gateway and firewall integrations.
8. Ayehu
A leading provider of enterprise-grade IT process automation solutions, Ayehu is one of the most reliable companies on the market when it comes to SOAR technology. The brand was mentioned in Gartner’s most recent publication on leading vendors of security automation, analytics, and reporting tools.
Ayehu provides today’s organisations with a wide variety of IT process automation solutions to choose from so that they can resolve critical incidents, simplify workflows, and maintain greater control over their IT infrastructure. Major organisations across the globe trust Ayehu. As well as this, the company currently supports thousands of IT processes worldwide too.
7. Rapid7
Rapid7 offers SOAR strategies through InsightConnect, their security orchestration and automation solution. InsightConnect allows teams to accelerate and streamline their most time-intensive processes without needing any kind of coding background. There are more than 200 plugins available from Rapid7 to connect crucial tools and create custom workflows. This means teams are free to tackle a variety of challenges outside of repetitive tasks.
Rapid7’s InsightConnect is designed to help companies achieve more in less time while still allowing plenty of room for human decision making. With InsightConnect, you can go beyond relying on point-to-point integrations of your technology stack and start making decisions for real business growth.
6. Swimlane
The Swimlane SOAR platform is another exceptional tool intended to help organisations manage the growing number of alerts and notifications in their security systems. With Swimlane, business leaders can automate crucial and time-consuming incident response processes. What’s more, the solution collects security data from almost all security platforms with minimal effort. Thus, it can automatically respond to alerts using playbooks and pre-set workflows.
Swimlane executes perfectly optimised security-related tasks at machine-level speeds during the incident response process. This is from detection through to investigation and resolution. Consequently, this frees up business staff to focus on more advanced threat defence.
5. FireEye
Security orchestration and automation practices are a fantastic way for businesses to improve their response times, reduce risk exposure, and update process consistency today. FireEye’s SOAR solution is intended to help companies get the most out of SOAR processes by simplifying and improving security operations from end-to-end.
FireEye connects disparate tools to give teams better control over their incident response process while saving on time and resources. FireEye also drives organisations ahead of the competition, with real-world front-line investigation experience and repetitive task automation.
4. Splunk
The primary component of the Splunk SOAR system is the Visual Playbook Editor. The VPE allows developers and business teams to construct sophisticated yet simple Phantom Playbooks with drag-and-drop functionality. Even people without coding knowledge can build playbooks graphically while the VPE generates code behind the scenes in real-time. Splunk also offers canvas and function blocks so you can design specific automation processes for individual workflows.
If you’re looking for a custom approach to managing your SOAR strategy, Splunk offers one of the most bespoke tools on the market. With Splunk, you can explore options to define security actions, filter data, and also make crucial decisions in real-time.
3. DFLabs
The DFLabs company is a true market leader in cyber incident response, security, and data management. Delivering one of the world’s most impressive award-winning SOAR platforms, SOAR gives companies all the tools they need to make the most out of their security and automation efforts in virtually any environment.
The DFLabs SOAR platform, IncMan, serves CSIRTs, SOCs, and MSSPs that automate, measure, and orchestrate security operations and incident response processes in the same intuitive environment. By fusing intelligence, integrating leading security tools, and sharing knowledge via seamless workflows, IncMan SOAR allows for the easy detection and management of every security incident.
2. RSA
The RSA NetWitness Orchestrator is a state-of-the-art comprehensive security automation and orchestration solution intended to improve the effectiveness and efficiency of security operations. Hundreds of pre-configured and customisable playbooks are available to streamline and automate incident response and management.
RSA NetWitness supports interactive investigations among and between analysts, as well as offering complete incident management tools. The Orchestrator manages all the aspects of an incident lifecycle in a single common platform. This includes evidence collection, documentation, and SLA tracking. There’s also support for real-time execution.
1. LogRhythm
Finally, LogRhythm offers a SOAR solution for modern companies that can help to banish resource constraints and improve security measures at the same time. The SOAR solution from LogRhythm, SmartResponse, can automate workflows and accelerate threat qualification and investigation in any business environment. This makes it easier for companies to manage their time more effectively and also dedicate human resources to complex incident response tasks.
LogRhythm supports everything from endpoint quarantining, to the collection of machine data, suspension of network access, and more. With this simple, accessible tool, you can instantly upgrade your security automation strategy and get your business running more efficiently.