InfoSec-Specific Executive Development for CISOs and Aspiring Security Leaders.
Live Faculty-led instruction and interactive labs to build you and your team's InfoSec skills
Security orchestration, automation, and response (SOAR) platforms have become a reality for offloading well-defined tasks within the security operations center (SOC). However, deploying a SOAR tool successfully requires careful planning around technology
integrations, use cases and key performance indicators (KPIs). We recommend starting small and going for quick wins initially, adding on more use cases and integrations as your familiarity with the platform improves.
In this piece, we provide guidance on how to get the most from automation within your security operations center (SOC).
Automation, and specifically SOAR, can present challenges to security teams, including:
At a high level, most of this can be avoided by:
ON-DEMAND WEBINAR: Alternatives & Enhancements to SIEM
Finding use cases and quick wins might be the most difficult task. The trick is to start small. For example, consider building your new SOAR platform around these three use cases:
Endpoint attacks: Have the SOAR platform ingest threat feed data from endpoint detection tools such as Cylance, Carbon Black, CrowdStrike, etc., and then run queries for machines and endpoint names with malicious indicators. The SOAR
platform could then cross-reference retrieved files and hashes with SIEM data and verify whether any indicators were picked up and resolved by SIEM actions. The SOAR platform can also notify analysts if SIEM actions have already resolved any malicious
Failed user logins: When the number of failed logins on an end-user device exceeds the allowed maximum, the SOAR platform could automatically inform the affected user and ask them to confirm whether they made the attempts. If the user
says yes, the SOAR platform can reset the password and send a new email to the affected user with revised login credentials. If the user says no, the SOAR platform can send a new email notifying them of the account takeover attempt. The SOAR platform
can also execute investigative actions, such as extracting the IP and location where the failed attempts were made from and quarantining the affected endpoint.
Phishing attacks: Alerts to suspected phishing emails come from a variety of detection sources, such as SIEMs and logging services, as well as end users who forward emails that look like they contain malicious content. The SOAR platform
can aggregate the suspected phishing emails and automatically trigger a process to inform affected end users about potential malicious emails being investigated. As part of the triage process, the SOAR platform can extract compromised indicators.
By looking at the header and content of the email – including the subject, email address and attachments – the SOAR platform can assign an incident severity value and check for reputation red flags by cross-referencing the data against
external threat intelligence databases. If any malicious indicators are found, the SOAR platform can inform affected users and provide instructions on what to do. The SOAR platform can also scan all email accounts and endpoints to identify other instances
of the malicious email and delete them. The SOAR platform can then add the malicious indicators to blacklists tracked by other security tools.
Defining clear KPIs is also important. When automating the SOC, KPIs should focus on the severity of incidents and how you respond, including mean time to repair, communication, establishing guard rails to prevent the incidents from happening again, and
Figure 1 shows an executive-level report of SOC KPIs where automation is needed to accomplish a good portion of the actions.
As you build out your integrations and use cases, it’s also important to test everything carefully. Consider setting everything up first in a sandbox environment, so you can be sure nothing breaks when you kick off the automation.
A quick win can help get you off to a solid start - again, consider the idea of endpoint attacks or phishing. Both have a lot of visibility and will help you drive more resources and projects from an executive level. You will need resources with Python
and scripting skills that report to or support the SOC. They can lay out the framework and then hand over the results to an analyst.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
October 19, 2021
By IANS Faculty
Continuous compliance requires continuous monitoring and validation of controls in the environment, as well as integration with governance, risk management and compliance tools and platforms. Understand the processes, tools, stakeholders and focus required for a best practice continuous compliance program.
October 14, 2021
Learn how the DDoS threat is evolving and get a step-by-step playbook to ensure your organization is protected against DDoS attacks and has a response plan in place.
October 12, 2021
Uncertain how to secure your M365 environment? Our Faculty identify and explain the five primary areas of M365 that will provide the best security return-on-investment with the least user experience impacts.