In part I, we discussed SOAR (Security Orchestration, Automation, and Response) and how it differs from SIEM. In part II, we explored SOAR and threat intelligence. Here in part III, we share use cases.
How does SOAR work?
A SOAR platform can respond automatically to security alerts, with all the tools and technologies it needs orchestrated together. The most appropriate response steps and actions are then executed by triggering playbooks and runbooks matched to the threat at hand. The aim is to respond automatically to every alert while freeing valuable analyst time for higher-priority or more complex work, such as threat analytics.
The SOAR approach aims at increased efficiency, efficacy and consistency within security operations and incident response. Three components:
SOAR Use Cases
After receiving a potential threat notification, a SOAR tool gathers and analyzes security data from the SIEM, correlates it to determine priority and criticality, and automatically creates incidents for investigation. The SOAR platform also queries the other tools for any diagnosis, consequences and remediation tied to the vulnerability, and it can build a repository of threats, incidents, historical responses and decisions, and their outcomes.
The forensic investigation that follows normally requires manual gathering of incident data, which is time-consuming. A SOAR playbook collects the contextual information from your disparate tools automatically, giving your SOC team everything it needs for the investigation.
Insider Threat Detection
Insider threat activity frequently resembles normal behaviour and is therefore increasingly difficult to detect. SOAR orchestration lets you integrate multiple tools for rapid insider threat detection and response. Security automation then lets a playbook trigger automatically, driving investigation, triage and response, and raising alerts for human intervention where required.
Failed Access Attempts
SOAR can track failed access attempts and, once the number of failures exceeds the limit set in the system, request confirmation from the user via email or mobile. Based on the playbook, it could then send a password reset request and an email confirming the password change. If the user indicates that the failed login attempts were not theirs, SOAR locks the account and starts an information-gathering process to establish the source IP, location, and so on.
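The following is an added example, not code from the original article or from any SOAR product: a minimal failed-access playbook that implements the steps above. It counts failed authentication events per user within a sliding window, requests confirmation once the configured limit is reached, and either starts a password reset (the user recognises the attempts) or locks the account and records the source IPs seen (the user does not). The sample events, the five-attempt limit, the ten-minute window and the confirmation callable are all constructed assumptions so the code runs offline.

```python
"""Added example (not from the original article): a minimal failed-access
playbook. Events and the confirmation channel are constructed stand-ins."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, List, Tuple

FAIL_LIMIT = 5                      # assumed limit configured in the platform
WINDOW = timedelta(minutes=10)      # assumed sliding window for counting failures

# Constructed sample events: (ISO timestamp, user, source IP, outcome)
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", "alice", "203.0.113.7", "FAIL"),
    ("2024-05-01T08:01:00", "alice", "203.0.113.7", "FAIL"),
    ("2024-05-01T08:02:00", "alice", "198.51.100.23", "FAIL"),
    ("2024-05-01T08:03:00", "alice", "198.51.100.23", "FAIL"),
    ("2024-05-01T08:04:00", "alice", "203.0.113.7", "FAIL"),
    ("2024-05-01T08:05:00", "alice", "203.0.113.7", "FAIL"),
    ("2024-05-01T08:10:00", "bob", "192.0.2.10", "FAIL"),
    ("2024-05-01T08:11:00", "bob", "192.0.2.10", "FAIL"),
    ("2024-05-01T08:12:00", "bob", "192.0.2.10", "SUCCESS"),
    ("2024-05-01T09:00:00", "carol", "192.0.2.44", "FAIL"),
    ("2024-05-01T09:06:00", "carol", "192.0.2.44", "FAIL"),
    ("2024-05-01T09:12:00", "carol", "192.0.2.44", "FAIL"),
    ("2024-05-01T09:18:00", "carol", "192.0.2.44", "FAIL"),
    ("2024-05-01T09:24:00", "carol", "192.0.2.44", "FAIL"),
    ("2024-05-01T10:00:00", "dave", "198.51.100.9", "FAIL"),
    ("2024-05-01T10:01:00", "dave", "198.51.100.9", "FAIL"),
    ("2024-05-01T10:02:00", "dave", "198.51.100.9", "FAIL"),
    ("2024-05-01T10:03:00", "dave", "198.51.100.9", "FAIL"),
    ("2024-05-01T10:04:00", "dave", "198.51.100.9", "FAIL"),
]


class FailedAccessPlaybook:
    def __init__(self, confirm: Callable[[str], bool],
                 limit: int = FAIL_LIMIT, window: timedelta = WINDOW):
        self.confirm = confirm          # stand-in for the email/mobile confirmation step
        self.limit = limit
        self.window = window
        self.failures: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
        self.locked: set = set()
        self.actions: List[tuple] = []  # ordered record of the steps taken

    def handle(self, ts: datetime, user: str, ip: str, outcome: str) -> None:
        recent = self.failures[user]
        if outcome == "SUCCESS":
            recent.clear()              # a successful login resets the counter
            return
        recent.append((ts, ip))
        while recent and ts - recent[0][0] > self.window:
            recent.popleft()            # drop failures that fell out of the window
        if len(recent) >= self.limit and user not in self.locked:
            self._escalate(user)

    def _escalate(self, user: str) -> None:
        recent = self.failures[user]
        self.actions.append(("request_confirmation", user))
        if self.confirm(user):
            # the user recognises the attempts: run the reset flow instead of locking
            self.actions.append(("password_reset", user))
        else:
            self.locked.add(user)
            self.actions.append(("lock_account", user))
            sources = tuple(sorted({ip for _, ip in recent}))
            self.actions.append(("gather_context", user, sources))
        recent.clear()


def run_playbook(events, confirm: Callable[[str], bool]) -> FailedAccessPlaybook:
    """Feed events in timestamp order and return the playbook with its audit trail."""
    pb = FailedAccessPlaybook(confirm)
    for ts, user, ip, outcome in sorted(events):
        pb.handle(datetime.fromisoformat(ts), user, ip, outcome)
    return pb


if __name__ == "__main__":
    # constructed replies: alice denies the attempts, everyone else confirms them
    replies = {"alice": False}
    result = run_playbook(SAMPLE_EVENTS, lambda u: replies.get(u, True))
    for action in result.actions:
        print(action)
```

In this run only alice (five failures in four minutes from two addresses, denied by the user) is locked; carol's five failures are spread six minutes apart and never accumulate inside the window, and bob's successful login clears his counter, which is the behaviour a SOC would want before sending anyone a confirmation prompt.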
SSL Certificate Management
Playbooks within SOAR allow it to query endpoints for SSL certificates and check them for expiry and similar issues. When a certificate has a problem, it initiates email communication with the user and their manager to start the update process. It then follows up regularly, or at a set frequency, by re-querying the endpoints and confirming that the changes were made.
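As an added example (not code from the original article or any SOAR product), the certificate check below classifies each endpoint's certificate as expired, expiring or fine and decides who to notify and how often to follow up. The inventory is constructed to mimic the dictionaries Python's ssl.SSLSocket.getpeercert() returns, and fetch_peer_cert() shows how a live run would obtain them; the owner/manager mapping, the 30-day warning threshold, the follow-up intervals and the reference time are assumptions.

```python
"""Added example (not from the original article): an offline certificate-expiry
check of the kind a SOAR playbook would run against its endpoints."""
import socket
import ssl
from datetime import datetime, timedelta, timezone
from typing import Dict, List

WARN_DAYS = 30   # assumed: warn when a certificate expires within this many days

# Constructed inventory: endpoint -> (owner, manager)
OWNERS = {
    "vpn.example.com": ("vpn-team@example.com", "infra-mgr@example.com"),
    "mail.example.com": ("mail-team@example.com", "infra-mgr@example.com"),
    "www.example.com": ("web-team@example.com", "web-mgr@example.com"),
}

# Constructed certificates in getpeercert() shape (only the fields used here)
SAMPLE_CERTS = {
    "vpn.example.com": {"subject": ((("commonName", "vpn.example.com"),),),
                        "notAfter": "May 20 12:00:00 2024 GMT"},
    "mail.example.com": {"subject": ((("commonName", "mail.example.com"),),),
                         "notAfter": "Jun 15 00:00:00 2024 GMT"},
    "www.example.com": {"subject": ((("commonName", "www.example.com"),),),
                        "notAfter": "Dec 31 23:59:59 2024 GMT"},
}

# Constructed reference time so the sample inventory classifies deterministically
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live variant: retrieve the validated peer certificate from an endpoint."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def parse_not_after(value: str) -> datetime:
    """Convert a getpeercert() 'notAfter' string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def assess(endpoint: str, cert: dict, now: datetime) -> dict:
    """Classify one certificate and decide the playbook's next step."""
    not_after = parse_not_after(cert["notAfter"])
    days_left = (not_after - now) // timedelta(days=1)   # whole days, floored
    owner, manager = OWNERS[endpoint]
    if days_left < 0:
        status, followup = "expired", 1      # chase daily until replaced
    elif days_left <= WARN_DAYS:
        status, followup = "expiring", 7     # weekly reminder
    else:
        status, followup = "ok", None        # re-check at the normal frequency
    return {
        "endpoint": endpoint, "status": status, "days_left": days_left,
        "notify": [owner, manager] if status != "ok" else [],
        "followup_days": followup,
    }


def run_check(certs: Dict[str, dict], now: datetime) -> List[dict]:
    """Assess every certificate in the inventory against the given time."""
    return [assess(ep, cert, now) for ep, cert in certs.items()]


if __name__ == "__main__":
    for finding in run_check(SAMPLE_CERTS, SAMPLE_NOW):
        print(finding)
```

Passing the reference time in explicitly rather than calling datetime.now() inside assess() is what makes the check testable and lets a scheduled follow-up re-run the same logic against the re-queried certificates.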
Endpoint device management is one of the more difficult tasks for security, and the number of alerts from the logs is overwhelming. A threat intelligence solution helps the security team rapidly assess the risk of new indicators and respond to threats. SOAR automation analyzes the SIEM data, queries the tool, gathers more information on the malicious activity, kills the activity, removes infected files and updates signatures, and records the actions to be taken on repeat attacks so that the malicious activity does not recur.
The SOAR platform ingests data from SIEMs, mailboxes, threat intelligence feeds and malware analysis tools, and then extracts any files that need to be detonated. It uploads each file to the malware analysis tool, which detonates the malware and generates a report. If the file is found to be malicious, the SOAR platform updates the relevant watchlists and takes further action, such as quarantining infected endpoints, opening tickets and reconciling data from other third-party threat feeds.
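The ingest, extract, detonate and act flow just described, as an added example that is not code from the original article or any SOAR product. A constructed email with two attachments stands in for the ingest source, attachments are hashed and checked against a watchlist so that known-bad files are not detonated twice, and the malware analysis tool is modelled as a callable that returns a verdict. The stand_in_sandbox() rule, the endpoint names and the recorded quarantine/ticket actions are all constructed assumptions, not real analysis or real connectors.

```python
"""Added example (not from the original article): orchestration logic for
ingest -> extract attachments -> hash/watchlist -> detonate -> act."""
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Callable, Dict, List, Set, Tuple


def build_sample_message() -> bytes:
    """Constructed inbound email: one executable-looking attachment, one text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "soc-inbox@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    msg.add_attachment(b"meeting notes\n", maintype="text", subtype="plain",
                       filename="notes.txt")
    return msg.as_bytes()


def extract_attachments(raw: bytes) -> List[Tuple[str, bytes]]:
    """Pull every attachment (filename, decoded bytes) out of a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [(part.get_filename() or "unnamed", part.get_payload(decode=True))
            for part in msg.iter_attachments()]


class DetonationPlaybook:
    def __init__(self, sandbox: Callable[[bytes], str], watchlist: Set[str] = None):
        self.sandbox = sandbox                 # stand-in for the malware analysis tool connector
        self.watchlist = set(watchlist or ())  # SHA-256 of files already known to be malicious
        self.sandbox_calls = 0
        self.actions: List[tuple] = []         # record of quarantine/ticket steps

    def process(self, raw_email: bytes, endpoint: str) -> Dict[str, str]:
        """Return filename -> verdict for each attachment in the message."""
        verdicts = {}
        for name, data in extract_attachments(raw_email):
            digest = hashlib.sha256(data).hexdigest()
            if digest in self.watchlist:
                verdict = "malicious"           # known bad: no need to detonate again
            else:
                self.sandbox_calls += 1
                verdict = self.sandbox(data)    # submit to the analysis tool
                if verdict == "malicious":
                    self.watchlist.add(digest)  # update the watchlist for future matches
            if verdict == "malicious":
                self.actions.append(("quarantine_endpoint", endpoint, name))
                self.actions.append(("open_ticket", endpoint, digest))
            verdicts[name] = verdict
        return verdicts


def stand_in_sandbox(data: bytes) -> str:
    """Constructed placeholder verdict rule: treats a DOS/PE 'MZ' header as malicious.
    A real deployment would call the malware analysis tool and read its report."""
    return "malicious" if data.startswith(b"MZ") else "benign"


if __name__ == "__main__":
    raw = build_sample_message()
    pb = DetonationPlaybook(stand_in_sandbox)
    print(pb.process(raw, endpoint="ws-017"))
    print(pb.process(raw, endpoint="ws-042"))   # same file again: served from the watchlist
    print("sandbox calls:", pb.sandbox_calls, "watchlist:", pb.watchlist)
```

Keying the watchlist on the SHA-256 of the decoded attachment rather than on the filename is what lets the second delivery of the same executable skip the sandbox while still triggering the quarantine and ticket actions for the newly affected endpoint.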
According to Gartner’s SOAR market guide, “by year-end 2022, 30% of organizations with a security team larger than five people will leverage SOAR tools in their security operations, up from less than 5% today.” The reason for this dramatic increase is the fact that security operations centers (SOCs) cannot keep up with today’s evolving threat landscape. They are understaffed, overworked, and constantly bombarded with alarms from various sources, including security information and event management (SIEM) systems.