Save time with unbiased, independent feedback on vendor solutions.
Watch weekly bite-sized webinars hosted by IANS Faculty.
Security orchestration, automation, and response (SOAR) platforms have become a reality for offloading well-defined tasks within the security operations center (SOC). However, deploying a SOAR tool successfully requires careful planning around technology
integrations, use cases and key performance indicators (KPIs). We recommend starting small and going for quick wins initially, adding on more use cases and integrations as your familiarity with the platform improves.
In this piece, we provide guidance on how to get the most from automation within your security operations center (SOC).
Automation, and specifically SOAR, can present challenges to security teams, including:
At a high level, most of this can be avoided by:
Finding use cases and quick wins might be the most difficult task. The trick is to start small. For example, consider building your new SOAR platform around these three use cases:
Endpoint attacks: Have the SOAR platform ingest threat feed data from endpoint detection tools such as Cylance, Carbon Black, CrowdStrike, etc., and then run queries for machines and endpoint names with malicious indicators. The SOAR
platform could then cross-reference retrieved files and hashes with SIEM data and verify whether any indicators were picked up and resolved by SIEM actions. The SOAR platform can also notify analysts if SIEM actions have already resolved any malicious
Failed user logins: When the number of failed logins on an end-user device exceeds the allowed maximum, the SOAR platform could automatically inform the affected user and ask them to confirm whether they made the attempts. If the user
says yes, the SOAR platform can reset the password and send a new email to the affected user with revised login credentials. If the user says no, the SOAR platform can send a new email notifying them of the account takeover attempt. The SOAR platform
can also execute investigative actions, such as extracting the IP and location where the failed attempts were made from and quarantining the affected endpoint.
Phishing attacks: Alerts to suspected phishing emails come from a variety of detection sources, such as SIEMs and logging services, as well as end users who forward emails that look like they contain malicious content. The SOAR platform
can aggregate the suspected phishing emails and automatically trigger a process to inform affected end users about potential malicious emails being investigated. As part of the triage process, the SOAR platform can extract compromised indicators.
By looking at the header and content of the email – including the subject, email address and attachments – the SOAR platform can assign an incident severity value and check for reputation red flags by cross-referencing the data against
external threat intelligence databases. If any malicious indicators are found, the SOAR platform can inform affected users and provide instructions on what to do. The SOAR platform can also scan all email accounts and endpoints to identify other instances
of the malicious email and delete them. The SOAR platform can then add the malicious indicators to blacklists tracked by other security tools.
Defining clear KPIs is also important. When automating the SOC, KPIs should focus on the severity of incidents and how you respond, including mean time to repair, communication, establishing guard rails to prevent the incidents from happening again, and
Figure 1 shows an executive-level report of SOC KPIs where automation is needed to accomplish a good portion of the actions.
As you build out your integrations and use cases, it’s also important to test everything carefully. Consider setting everything up first in a sandbox environment, so you can be sure nothing breaks when you kick off the automation.
A quick win can help get you off to a solid start - again, consider the idea of endpoint attacks or phishing. Both have a lot of visibility and will help you drive more resources and projects from an executive level. You will need resources with Python
and scripting skills that report to or support the SOC. They can lay out the framework and then hand over the results to an analyst.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
February 21, 2024
By IANS Research
Learn why cloud IR is critical to security and not just another box to check. Find guidance to get started building a strong cloud IR program.
February 15, 2024
By Alex Sharpe, IANS Faculty
IANS Faculty member Alex Sharpe discusses the risks around AI adoption and provides governance guidance to make your AI launch safe and mitigate risk.
February 13, 2024
By IANS Faculty
Learn how to how to use NIST to modify secure baseline configurations to account for risk and improve security posture.