In part I, we discussed the SOAR (Security Orchestration, Automation, and Response) and how it’s different from SIEM. In part II, the e-InnoSec team is exploring SOAR and Threat Intelligence.
How SOAR works?
A SOAR platform can automatically respond to security alerts, with all the tools and technologies needed seamlessly orchestrated together. The most appropriate response steps and actions are then executed through the triggering of various playbooks and runbooks to suit different threats. The aim is an auto-response to all alerts while freeing up valuable analyst time to work on higher priority or complex tasks, such as threat analytics.
SOAR approach aims at increased efficiency, efficacy and consistency within security operations and incident response. Three components:
Threat intelligence is organized, analyzed, and refined information about potential or current security attacks. This knowledge is used to make informed decisions regarding the organization’s response to prevent or mitigate cyber attacks.
“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications, and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to make informed decisions regarding the subject’s response to that menace or hazard.” — Gartner
The cybersecurity industry faces numerous challenges, including an overwhelming volume of threats, increasingly persistent threat actors, false positives, and false alarms across multiple and unconnected security systems. Organizations are under increasing pressure to manage security vulnerabilities in the constantly evolving threat landscape and are facing a serious shortage of skilled professionals.
Threat Intelligence and SOAR
Effective automation and orchestration can only reliably work if an organization has the right tools that can also correlate internal data with information provided by external threat intelligence sources to make decisions on how to act. The SOAR value add is in the automation and orchestration process which will be quick with identification, containment, detection, and response.
A machine algorithm or rule using data can tell how to act, but false alarms or false positives are a constant plague for security professionals. These false positives prove to be time-consuming and impact productive time. With the help of the right external intelligence along with internal data, the SOAR can respond quickly and provide the right direction.
Below are a few examples of how important threat intelligence is for SOAR to act correctly.
Endpoint devices management is one of the more difficult tasks for security and the number of alerts from the logs is overwhelming. The threat intelligence solution helps the security team rapidly access the risk of new indicators and respond to threats.
SOAR automation will lead to analyzing SIEM data, querying the tool, gathering more information on malicious activity, killing the activity, removing infected files and updating signatures as well as actions to be performed for repeat attacks so that malicious activity is not repeated.
Phishing is a technique used to obtain sensitive information by impersonating oneself as a trustworthy entity in an electronic communication. These authentic-looking messages are designed to fool recipients into divulging personal data such as account numbers and passwords, credit card numbers, and Social Security numbers.
The threat of intelligence will help identify clusters and patterns for related threats and campaigns, and provide information about phishing strategies and techniques employed by cybercriminals. A SOAR solution with the knowledge of threat intelligence is able to inform the end-users about the malicious emails, check the email headers for the subject, date, and the sender’s email, content, and assign severity, block other users from receiving emails from the identified source, block the sender, update the necessary signatures, etc. According to Gartner’s SOAR market guide, “by year-end 2022, 30% of organizations with a security team larger than five people will leverage SOAR tools in their security operations, up from less than 5% today.” The reason for this dramatic increase is the fact that security operations centers (SOCs) cannot keep up with today’s evolving threat landscape. They are understaffed, overworked, and constantly bombarded with alarms from various sources, including security information and event management (SIEM) systems.