When it comes to Security Orchestration, Automation and Response (SOAR), the use cases will vary depending on a number of factors, such as the enterprise-specific internal environment, the industry or vertical the enterprises serve, and even the legal and regulatory compliance that need to be met.
In this blog post, we will cover five of the most common use cases for a Security Orchestration Automation and Response (SOAR) solution and how by utilizing this technology, a security alert and potential incident can be quickly detected, responded to, and resolved without having a major impact on the organization.
It is key to point out that a use case is only limited by the creativity of the organization itself. A Security Orchestration Automation and Response SOAR platform, such as Cloud SOAR from Sumo Logic, should be able to cater to any scenario and use case that is required.
Phishing emails have become one of the most critical issues faced by organizations over the past several years. Some of the most recent high-profile data breaches have resulted from carefully crafted phishing emails. Security Orchestration, Automation and Response (SOAR) is perfectly positioned to enable automatic triage and examination of suspected phishing emails by extracting artifacts from the email, then performing additional enrichment on these artifacts and if necessary, containing the malicious email and any malicious payloads.
Suspicious emails may be received via any one of the numerous email scanning solutions available today, or via a monitored email address provided to end-users to submit suspicious emails to. Once the email is received, SOAR can extract artifacts, such as header information, email addresses, URLs, and even attachments. What happens next will largely depend on the organizations' individual technology integrations. The extracted information may be submitted to various threat reputation and intelligence services, SIEM, EDR or network appliance logs may be queried, and attachments may be detonated in a sandbox. Once the available information has been enriched, if determined to be malicious, automated or semi-automated containment actions may be taken, such as quarantining or deleting the phishing email, searching for and deleting other instance of the phishing email in other user’s accounts, blocking IP addresses or URLs, banning executables from running or quarantining the user’s workstation.
Regardless of the integrations used, utilizing SOAR to examine and respond to phishing emails can reduce the time to investigate these pervasive threats from hours to minutes, automatically containing the attack and minimizing risk to the organization.
Malicious network traffic
The influx of detection technologies means that organizations are facing a constant barrage of alerts. Many of these alerts are generated due to traffic that one detection technology or another has deemed to be potentially malicious. This is usually based on some type of threat indicator, which may or may not be reliable. It is often left up to the organization to further triage and investigate each of these alerts to determine if they are a false positive or an actual potential security event.
Alerts regarding malicious traffic may be received by a SOAR directly, or after being ingested and forwarded by a SIEM. In either case, the advantage of using a SOAR to automate and orchestrate actions surrounding these types of events comes from the automatic enrichment, as well as potential containment of the detected indicators. Under normal circumstances, analysts would use whatever data enrichment tools are available, such as threat intelligence, reputation services, IT asset inventories, and tools such as nslookup and whois. Analysts would then determine if the indicators appeared to be malicious, at which point containment and further investigation would begin. Using SOAR technology, it is simple to codify a process such as this into an automated workflow, automatically performing data enrichment as soon as the alert is received. A SOAR solution can also automate the process of searching for additional instances of the same indicator across the organization, alerting analysts to any additionally detected occurrences. Automated or semi-automated containment is also possible; for example, blocking an IP address or URL via the firewall or proxy, or isolating a host pending further investigation.
Alerts regarding potentially malicious traffic are commonplace and often sit in the queue for some time before they are investigated. While most are false positives or low priority, any one of these could be the only indicator of a potentially serious data breach. Security Orchestration, Automation and Response (SOAR) Technology allows immediate triage and response to each of these alerts almost instantaneously, automating the mundane, repeatable processes while allowing analysts to focus on the most significant alerts.
Security Orchestration Automation and Response was not intended to be a vulnerability management platform and will never replace the robust vulnerability management systems available today. However, there are some aspects of a good vulnerability management program that a SOAR platform can streamline. In larger enterprises, vulnerability management is often a task performed outside the security team. This can lead to potential risk as the security team may not be aware of vulnerabilities that exist within the infrastructure.
A SOAR solution can be used to ensure that the security team is made aware of any new vulnerabilities within the organization. This allows the security team to proactively examine the vulnerable host, when appropriate, to ensure that there is no evidence of exploitation, place any appropriate additional safeguards in place, and subject the host to increased monitoring until the vulnerability has been mitigated.
Beyond notifying the security team, a Security Orchestration, Automation and Response SOAR solution may also be used to further enrich vulnerability and host information. For example, a SOAR solution could be used to query a database of vulnerabilities to gather additional information on the vulnerability, query Active Directory or CMDB for asset information, or query a SIEM or EDR for events. Based on vulnerability, host or event information, the case could be automatically upgraded or reassigned, or the host could even be temporarily isolated until appropriate mitigation tasks could be performed.
While suitable testing and deployment of patches are critical in an enterprise environment, existing vulnerabilities present an ongoing risk to the organization. It is crucial that the security team are aware of these risks and take the proper steps to ensure that the vulnerability has not and will not be exploited until it can be properly addressed. A Security Orchestration, Automation and Response (SOAR) solution can be utilized to ensure that the security team remains informed of all current vulnerabilities and can efficiently evaluate the possible risk of each vulnerability in order to take proper risk mitigation actions.
Security Orchestration Automation and Response (SOAR) for MSSPs
Managed Security Service Providers (MSSPs) face many of the same issues as Computer Security Incident Response Teams (CSIRTs) and Security Operations Centers (SOCs) but on a much larger scale. In addition to these shared challenges, MSSPs also face some unique issues which the SOAR technology can address. MSSPs must work within the confines of strict service level agreements (SLAs). Failing to meet these SLAs could result in loss of business, loss of reputation, and even the potential for legal action. Automating and orchestrating actions with a Security Orchestration, Automation and Response SOAR solution allows MSSPs to work more efficiently, ensuring that all SLAs are met. In addition, MSSPs are constantly under pressure to prove to customers that these SLAs are being met, that they are taking appropriate, timely actions, and that they are continuing to provide value to their customers. The advanced metrics and audit logs of a SOAR addresses these needs by providing a robust set of metrics suitable for both analysts and executives alike.
MSSPs must also find a method to manage each customer's data securely and in a segregated manner. At the same time, MSSPs must also ensure that each customer is provided access to their data to ensure transparency and to allow seamless teamwork between the MSSP and the customer’s internal teams. Security Orchestration, Automation and Response (SOAR) accomplishes these tasks by providing individual tenants for each customer, physically segregating each customer's data to ensure confidentiality while allowing the MSSP access across customer tenants for ease of use.
Although not strictly an orchestration and automation function, case management is an important part of the incident response process and is another function that SOAR can help streamline. Many organizations struggle with managing the vast amounts of disparate information that is gathered during a security incident. Spreadsheets and shared documents are simply not sufficient for managing a complex cyber incident.
Not only does SOAR maintain all information and enriched data gathered from automated and orchestrated activities, but it also maintains a detailed audit log of all actions taken during the response. A full-featured SOAR solution should also allow for detailed task management, allowing incident managers to create, assign and monitor tasks assigned to all analysts taking part in the response. In addition, a full-featured SOAR should also allow users to track assets involved in the incident and maintain a detailed chain of custody for all physical and logical evidence.
A Security Orchestration, Automation and Response (SOAR) with full case management functionality will help ensure the smooth and efficient handling of an incident from identification through remediation, providing responders with the information they need right at their fingertips and allowing them to focus on the task at hand.
Complete visibility for DevSecOps
Reduce downtime and move from reactive to proactive monitoring.