SOAR - Security Orchestration, Automation and Response

The term “SOAR” applies to products and services in IT that help with the definition, standardization, and automation of incident response systems.

A solution stack is an ordered collection of software that makes it possible to complete a particular task.  There are a lot of different types of solution stacks. Here are a few examples: A server stack includes the software required for basic server functioning.  A Web stack includes the software required for Web app development.  An application stack includes all the application programs required to perform a given task.  A software stack includes the software required for a given task. (Software stacks include infrastructure software, rather than just applications.)  A storage stack is a type of software stack that includes servers, networking components and server virtualization components.   A virtualization stack is the collection of resources that, along with the hypervisor, make up the Microsoft Hyper-V environment.

A security event is a change in the everyday operations of a network or information technology service indicating that a security policy may have been violated or a security safeguard may have failed. In a computing context, events include any identifiable occurrence that has significance for system hardware or software. Security events are those that may have significance to the security of systems or data.

The first indication of an event may come from a software-defined alert or by end users notifying a help desk that, for example, network services have slowed down. As a rule, an event is a relatively minor occurance or situation that can be resolved fairly easily and events that require an IT administrator to take action are classified as incidents. A help desk ticket from a single user reporting that they think they have contracted a virus is a security event, because it could indicate a security issue. If evidence of the virus is found on the user's computer, however, it can be considered a security incident. 

According to a report from threat detection vendor Damballa, organizations surveyed had an average of 10,000 security events a day. Security products such as antivirus software can reduce the number of security events and many incidence response processes can be automated to make the workload more manageable. Events that don't require action by an administrator may be handled automatically by security information and event management (SIEM) products.

Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack, also known as an IT incident, computer incident or security incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.

Ideally, incident response activities are conducted by the organization's computer security incident response team (CSIRT), a group that has been previously selected to include information security and general IT staff as well as C-suite level members. The team may also include representatives from the legal, human resources and public relations departments. The incident response team follows the organization's incident response plan (IRP), which is a set of written instructions that outline the organization's response to network events, security incidents and confirmed breaches.

Incident response is all about planning ahead and having a flight plan before it is necessary. Rather than being an IT-centric process, it is an overall business function that helps ensure an organization can make quick decisions with reliable information. Not only are technical staff from IT and security departments involved, so too are representatives from other core aspects of the business.

Importance of incident response

Any incident that is not properly contained and handled can, and usually will, escalate into a bigger problem that can ultimately lead to a damaging data breach, large expense or system collapse. Responding to an incident quickly will help an organization minimize losses, mitigate exploited vulnerabilities, restore services and processes and reduce the risks that future incidents pose.

Incident response enables an organization to be prepared for the unknown as well as the known and is a reliable method for identifying a security incident immediately when it occurs. Incident response also allows an organization to establish a series of best practices to stop an intrusion before it causes damage.

Incident response is a crucial component of running a business as most organizations rely on sensitive information that would be detrimental if comprised. Incidents could range from simple malware infections to unencrypted employee laptops that are put into the wrong hands to compromised login credentials and database leaks. Any of these incidents can have both short term and long term effects that can impact the success of the entire organization.

Additionally, security incidents can be expensive as businesses could face regulatory fines, legal fees and data recovery costs. It could also affect future profits as untreated incidents are correlated with lower brand reputation, customer loyalty and customer satisfaction.

While organizations cannot eradicate incidents completely, incident response processes do help minimize them. Emphasis should be placed on what can be done in advance to brace for the impact of a security incident. While hackers will always continue to exist, a team can be prepared to prevent and respond to their attacks. That is why having a functional, effective incident response approach is important for all types of organizations.

Types of security incidents

There are various types of security incidents and ways to classify them. What may be considered an incident for one organization might not be as critical for another. The following are a few examples of common incidents that can have a negative impact on businesses:

·        A distributed denial of service (DDoS) attack against critical cloud services.

·        A malware or ransomware infection that has encrypted critical business files across the corporate network.

·        A successful phishing attempt that has led to the exposure of personally-identifiable information (PII) of customers.

·        An unencrypted laptop known to have sensitive customer records that has gone missing.

Security incidents that would typically warrant the execution of formal incident response procedures are considered both urgent and important. That is, they are urgent in nature and must be dealt with immediately and they impact important systems, information or areas of the business.

Another important aspect of understanding incident response is defining the difference between threats and vulnerabilities. A threat is an indication or stimulus, such as a criminal hacker or dishonest employee that is looking to exploit a vulnerability for a malicious or financial gain. A vulnerability is a weakness in a computer system, business process or user that can be easily exploited. Threats exploit vulnerabilities which, in turn, create business risk. The potential consequences include unauthorized access to sensitive information assets, identity theft, systems taken offline and legal and compliance violations.

Incident response plan

An incident response plan is the set of instructions an incident response team follows when an event actually occurs. If developed correctly, it should include procedures for detecting, responding to and limiting the effects of a security incident.

Incident response plans usually include directions on how to respond to potential attack scenarios, including data breaches, denial of service/distributed denial of service attacks, network intrusions, malware outbreaks or insider threats.

Without an incident response plan in place, an organization may not detect the attack or it may not follow proper protocol to contain the threat and recover from it when a breach is detected. A formally documented IR plan helps businesses respond rather than react. When incident response procedures are not developed in advance, the resulting efforts end up making the situation worse, including looking on professional and ultimately being indefensible if lawyers get involved.

The process of executing an incident response plan

There are six key phases of an incident response plan:

1.    Preparation: Preparing users and IT staff to handle potential incidents should they should arise.

2.    Identification: Determining whether an event qualifies as a security incident.

3.    Containment: Limiting the damage of the incident and isolating affected systems to prevent further damage.

4.    Eradication: Finding the root cause of the incident and removing affected systems from the production environment.

5.    Recovery: Permitting affected systems back into the production environment and ensuring no threat remains.

6.    Lessons learned: Completing incident documentation, performing analysis to learn from the incident and potentially improving future response efforts.

Additionally, best practices indicate that incident response plans follow a common framework, which includes:

·        An overview of the plan.

·        A list of roles and responsibilities.

·        A list of incidents requiring action.

·        The current state of the network infrastructure and security safeguards.

·        Detection, investigation and containment procedures.

·        Steps toward eradication.

·        Steps toward recovery.

·        The breach notification process.

·        A list of follow-up tasks.

·        A call list.

·        Incident response plan testing.

·        Any revisions.

An incident response plan can benefit an enterprise by outlining how to minimize the duration of and damage from a security incident, identifying participating stakeholders, streamlining forensic analysis, hastening recovery time, reducing negative publicity and ultimately increasing the confidence of corporate executives, owners and shareholders.

The plan should identify and describe the roles and responsibilities of the incident response team members who are responsible for testing the plan and putting it into action. The plan should also specify the tools, technologies and physical resources that must be in place to recover breached information.

Every organization’s incident response plan can be tailored to specific business risks and needs that have been identified. However, all incident response plans should outline factors involving who, what, when, why and how as they relate to security incidents and confirmed breaches.

What does an incident response team do?

A good incident response program requires putting together a cross-functional team from diverse parts of the business. Without the right people in place, any attempted incident response efforts will likely be ineffective. The team not only helps to execute the incident response plan but also aids with ongoing oversight and maintenance including the day-to-day administration of technical controls. Each team member should have clearly defined duties and goals. These are actions that not only take place during an incident but also before an incident occurs and afterwards as well. The incident response team may involve members of the organization’s overall security committee.

Who is responsible for incident response?

To properly prepare for and address incidents across the business, an organization should form an incident response team. This team is responsible for analyzing security events and responding appropriately. An incident response team may include:

·        An incident response manager, usually the director of IT, who oversees and prioritizes actions during the detection, analysis and containment of an incident. The incident response manager also conveys the special requirements of high-severity incidents to the rest of the organization.

·        Security analysts who support the manager and work directly with the affected network to research the time, location and details of an incident. Triage analysts filter out false positives and keep an eye out for potential intrusions. Forensic analysts recover key artifacts (residue left behind that can provide clues about an intruder) as well as maintain the integrity of evidence and the investigation.

·        Threat researchers that provide threat intelligence and context for an incident. They scour the internet and identify information that may have been reported externally. Threat researchers combine this data with an organization's records of previous incidents to build and maintain a database of internal intelligence. If this level of expertise does not exist in house, it can be outsourced.

Management support is key to securing the necessary resources, funding, staff and time commitment for incident response planning and execution. Many incident response teams include the Chief Information Security Officer (CISO), the Chief Information Officer (CIO) or another C-suite executive, who acts as a leader and evangelist for the group. An outside consultant who specializes in incident response can be a good addition to the team when needed.

The incident response team may also include a human resources representative, especially if the investigation reveals that an employee is involved with an incident. Audit and risk management specialists can develop vulnerability assessments and threat metrics and also encourage best practices across the organization.

Including the organization's general counsel can ensure that the collected evidence maintains its forensic value in case the organization decides to take legal action. Attorneys also provide advice about liability issues when an incident affects vendors, customers and/or the general public. Finally, a public relations specialist is essential for keeping in touch with team leaders and to ensure accurate and consistent information is disseminated to the media, customers, stockholders and other interested parties.

Incident response plan management

Incident response is not unlike any other aspect of information security. It requires thoughtful planning, ongoing oversight and clear metrics so that efforts can be properly measured. Ongoing management initiatives include setting and overseeing incident response goals, periodically testing the incident response plan ensure its effectiveness and training all the necessary parties on applicable incident response procedures. Specific metrics used to measure the effectiveness of incident response initiatives might include:

·        Number of incidents detected.

·        Number of incidents missed.

·        Number of incidents requiring action.

·        Number of repeat incidents.

·        The remediation timeframe.

·        Number of incidents that led to breaches.

Additionally, incident response goals might include areas involving:

·        Routine incident response plan reviews and updates.

·        The planning and execution of incident response test scenarios.

·        Integration with related security initiatives, such as security awareness, employee training and vulnerability and penetration testing.

·        The reporting of security events to executive leadership or outside parties.

·        The procurement of additional technologies that can provide enhanced network visibility and control.

Incident response plans vs. business continuity plans

With the goals of keeping the business running and minimizing the impact of unforeseen events, incident response could be considered part of the business continuity process. Given what is at stake and the different variables involved, such as people, technologies and business processes, incident response should have the highest levels of visibility within the organization. An incident response plan is dedicated to incidents and breaches impacting networks and computers, applications and databases and related information assets. Therefore, most organizations are best served by keeping the incident response plan in a standalone document – separate from yet referenced in the business continuity plan. The most important thing is to ensure the incident response plan is easily accessible by all team members when it is needed.

What business continuity planning includes

Tools for incident response

There are numerous tools and methodologies that can be used to assist with incident response and are typically categorized by prevention, detection or response functionalities. Certain organizations follow the military-derived OODA loop for incident response. The OODA loop is a methodology that encourages a business to observe, orient, decide and act when an incident occurs, all of which IR tools can assist with.

For example, an organization can gain the necessary visibility into an incident with packet analysis, system resource monitoring and file integrity examination technologies. Insight can be gained into the threats by using real-time threat indicators and threat intelligence services. Even further, there are tools that can provide forensics details such as source location, incident technical information and event replays. There are also tools that allow an organization to act against a threat by stopping it from spreading or minimizing the impact it has on the computing environment.

While incident response is a process, technology can be used to automate and streamline specific incident response functions to help minimize detection times and system errors. Service providers focused on developing incident response technology typically offer products in the following categories:

·        Employee awareness and training.

·        Endpoint security management.

·        Firewall, intrusion prevention and DoS mitigation.

·        Forensics analysis.

·        Net flow and traffic analysis.

·        Security incident and event management (SIEM).

·        Vulnerability management.

In essence, incident response tools provide organizations with both visibility and control. They also provide professionals with the necessary information so that they know what to do, or not do, once anomalous behavior is discovered. Finally, incident response tools help with direct response efforts – allowing organizations to take action in order minimize the risks involved.

Most technology products in the incident response sector are commercial and require proper budgeting for capital and operating expenditures. Alternatively, there are a number of open source software offerings that could be tailored to meet a specific organization’s requirements. When choosing the open source approach, it is important to weight how much effort will be involved, how efficiently it will be able to scale and how effective it will be long term.

Once incident response tools are put into place, it is important to ensure that there is enough staff and expertise to keep it maintained and updated. Having the necessary resources is critical for the initial design and implementation of the technology as well as the ongoing administration and troubleshooting.

Finally, executives must remember that incident response tools cannot comprise the entire incident response program. While tools and automation may play a large role, they should still only be one component of the overall incident response requirements.

Security orchestration, automation, and response, or SOAR, is a stack of compatible software solutions intended to help companies collect valuable data. The information collected using SOAR allows organisations to understand security threats coming from various sources and respond to low-level events often without human input. The goal of a SOAR stack is to enhance the efficiency of the digital and physical business security operations. 

The term “SOAR” applies to products and services in IT that help with the definition, standardisation, and automation of incident response systems. Today, we’re going to be looking at some of the most popular and well-regarded SOAR solutions in the marketplace used by SecureScrypt. 

10. ThreatConnect

ThreatConnect is a company in the IT security landscape that’s committed to helping businesses reduce their workloads and make more informed decisions about their future. The ThreatConnect intelligence-driven automation and orchestration tool offers companies faster, more repeatable, and more innovative processes in a single platform. 

Additionally, the ThreatConnect playbooks are available to automate virtually any cybersecurity task using simple drag-and-drop functionality. Triggers like phishing emails and IP address indicators automatically transfer data to apps to perform a range of functions. These vary from blocks to malware analysis. Once enabled, these triggers can run in real-time to provide detailed information to business leaders.

9. Cybersponse 

The Cybersponse brand has a dedicated CyOPs platform called “CyberSponse” which provides holistic enterprise-ready security orchestration and automation tools to modern companies. Designed to empower today’s security operation teams, the CyOPs solution gives today’s leaders the power to work smarter. One way it does so is by offering almost real-time responses to errors and issues. 

Similar to ThreatConnect, the Cybersponse team also offer a range of playbooks that companies can access to automatically pull alerts from their SIEM environment. CyOPs also offers alert triage using various threat intelligence feeds while blocking malicious indicators using email gateway and firewall integrations. 

8. Ayehu 

A leading provider of enterprise-grade IT process automation solutions, Ayehu is one of the most reliable companies on the market when it comes to SOAR technology. The brand was mentioned in Gartner’s most recent publication on leading vendors of security automation, analytics, and reporting tools. 

Ayehu provides today’s organisations with a wide variety of IT process automation solutions to choose from so that they can resolve critical incidents, simplify workflows, and maintain greater control over their IT infrastructure. Major organisations across the globe trust Ayehu. As well as this, the company currently supports thousands of IT processes worldwide too. 

7. Rapid7 ( preferred for large organizations and enterprises)

Rapid7 offers SOAR strategies through InsightConnect, their security orchestration and automation solution. InsightConnect allows teams to accelerate and streamline their most time-intensive processes without needing any kind of coding background. There are more than 200 plugins available from Rapid7 to connect crucial tools and create custom workflows. This means teams are free to tackle a variety of challenges outside of repetitive tasks. 

FireEye’s SOAR solution is designed to help companies achieve more in less time while still allowing plenty of room for human decision making. With InsightConnect, you can go beyond relying on point-to-point integrations of your technology stack and start making decisions for real business growth. 

6. Swimlane

The Swimlane SOAR platform is another exceptional tool intended to help organisations manage the growing number of alerts and notifications in their security systems. With Swimlane, business leaders can automate crucial and time-consuming incident response processes. What’s more, the solution collects security data from almost all security platforms with minimal effort. Thus, it can automatically respond to alerts using playbooks and pre-set workflows. 

Swimlane executes perfectly optimised security-related tasks at machine-level speeds during the incident response process. This is from detection through to investigation and resolution. Consequently, this frees up business staff to focus on more advanced threat defence. 

5. FireEye

Security orchestration and automation practices are a fantastic way for businesses to improve their response times, reduce risk exposure, and update process consistency today. FireEye’s SOAR solution is intended to help companies get the most out of SOAR processes by simplifying and improving security operations from end-to-end. 

FireEye connects disparate tools to give teams better control over their incident response process while saving on time and resources. FireEye also drives organizations ahead of the competition, with real-world front-line investigation experience and repetitive task automation.

4. Splunk ( new in the business with SOAR, bought PHANTOM in 2018 to complement its platform)

The primary component of the Splunk SOAR system is the Visual Playbook Editor. The VPE allows developers and business teams to construct sophisticated yet simple Phantom Playbooks with drag-and-drop functionality. Even people without coding knowledge can build playbooks graphically while the VPE generates code behind the scenes in real-time. Splunk also offers canvas and function blocks so you can design specific automation processes for individual workflows. 

If you’re looking for a custom approach to managing your SOAR strategy, Splunk offers one of the most bespoke tools on the market. With Splunk, you can explore options to define security actions, filter data, and also make crucial decisions in real-time. 

1.           SolarWinds Security Event Manager (FREE TRIAL) ...

2.               Micro Focus ArcSight Enterprise Security Manager (ESM) ...

3.               Splunk Enterprise Security. ...

4.           LogRhythm Security Intelligence Platform. ...

5.           AlienVault Unified Security Management. ...

6.           RSA NetWitness. ...

7.                IBM QRadar.