We are taking you to another website now.

Adoption of SOAR - Realities and Approach

 

Rajesh Pandey
Senior Cyber Security Analyst with Tata Consultancy Services
29 September 2020

Security landscape is ever evolving, with new threats discovered every day and ever-increasing capabilities of attackers. It is a tough task to protect our organizations against such threats. To make the matters worse, attacks have become complex and more frequent by the use of new technologies like IOT, etc.

To handle these threats the CISOs or Security Managers have to be more vigilant and proactive in defense, but are bogged down by problems of SOC operations like:

  • Lack of skilled work force and budgets.

  • Deluge of more and more alerts from an ever-increasing set of security tools and event sources.

  • Disjointed threat handling procedures and process and with high response time.

Security Orchestration, Automation and Response (SOAR) platforms have emerged to address these challenges and optimize the entire incident response lifecycle, from detection, through investigation, to remediation workflows, automating playbooks, and centralizing incident response.

Enterprises face the following challenges while implementing SOAR:

  • Pervasive and Accelerated Automation: Enterprises try to automate the whole incident response process. It may not be efficient to automate all tasks and some may require manual intervention. Also, without due testing and workflow analysis, it is not prudent to consider full fledged automation.

  • Ill-defined Incident Handling Process: Improper segregation of tasks and stakeholders.

  • Mismatch in in-house skillset for SOAR implementation: Lack of people with development and security experience.

  • Feeding all alerts to SOAR: Decreases efficiency of both tool and process.

Taking into account all the issues that may adversely affect the efficiency and reliability of SOAR, proper implementation of SOAR is necessary to realize the return on investment. Best Practices and Approach for SOAR Implementation.

Define automation goals

Enterprises must focus on defining the goals of automation as realistically as possible after review of the current processes and prioritize the challenges. Clear goals, intended to be achieved from automation (like reducing response time, saving person hours), will enable faster return on investment and overall efficiency. It is also important to define metrics to measure if the automation achieves the desired results.

Differentiate between tasks that can be completely automated and those requiring human intervention

As incident-handling processes have multiple tasks, some tasks can be automated while others can be completed by “human action”. There should be clarity of tasks that can be automated and their desired outcome. For example, in an incident handling process for potential account compromise, only some part of investigation may need automation and the decision to suspend/lock the account can reside with the security investigator.

Automate operational tasks first

Prioritize tasks that are cumbersome, time consuming, and repetitive. It is always prudent to start automating the easier tasks first and check their efficiency and correctness before automating tasks related to decision making.

Feed critical, high priority/high fidelity events

Always feed critical/high fidelity/priority events or alerts to SOAR platform, so that such events are processed on priority. Some tasks like alert/event escalation, prioritization can be carried out by SOAR platform, once the decision or analytical tasks are automated.

Custom code as last resort

Certain actions or integrations in incident handling automation require creation of custom actions requiring custom codes. It is always prudent to use these custom codes sparingly as they are cumbersome to maintain and change. Try to achieve most of the required functionality using the inbuilt components for playbook/workflow creation in SOAR Platform.

Backup of playbooks/workflow and version control

Define processes for backup and sharing of workflows, to assure the availability of playbooks at the time of disruption. Proper version control is important to deploy correct and updated playbooks in operation.

Continuous review

Review the process and efficiency of the automation periodically based on the metrics gathered to improve the process and workflow to reflect changes or improvements.

Automation/SOAR platforms can prevent and respond to most of the new threats and attacks though enterprises must not substitute the need for other technologies and awareness of security threats and IT hygiene.

For more information, please contact us at cybersecurity@tcs.com.

About the author(s)
Rajesh Pandey
Senior Cyber Security Analyst with Tata Consultancy Services

Rajesh Pandey is a senior Cyber Security Analyst with wider experience in SIEM solutions, Data Analytics, Incident Handling and Response (IRH) and Security Orchestration, Automation and Response (SOAR). He has been a prominent member of Center of Cyber excellence and has led various technology deployments, Risk Assessment and Cyber Resiliency programs for a diverse range of business groups.

×