The security landscape is ever evolving, with new threats discovered every day and the capabilities of attackers growing. Protecting our organizations against such threats is a tough task. To make matters worse, attacks have become more complex and more frequent with the use of new technologies such as IoT.
To handle these threats, CISOs and Security Managers have to be more vigilant and proactive in defense, but they are bogged down by SOC operations problems like:
Lack of skilled workforce and budgets.
Deluge of alerts from an ever-increasing set of security tools and event sources.
Disjointed threat handling procedures and processes, with high response times.
Security Orchestration, Automation and Response (SOAR) platforms have emerged to address these challenges and optimize the entire incident response lifecycle, from detection through investigation to remediation, by automating playbooks and centralizing incident response.
Enterprises face the following challenges while implementing SOAR:
Pervasive and Accelerated Automation: Enterprises try to automate the whole incident response process. It is not efficient to automate every task, and some tasks require manual intervention. Without due testing and workflow analysis, full-fledged automation is not prudent.
Ill-defined Incident Handling Process: Improper segregation of tasks and stakeholders.
Mismatch in in-house skillset for SOAR implementation: Lack of people with both development and security experience.
Feeding all alerts to SOAR: Decreases the efficiency of both the tool and the process.
Taking into account all the issues that may adversely affect the efficiency and reliability of SOAR, proper implementation is necessary to realize the return on investment.
Best Practices and Approach for SOAR Implementation
Define automation goals
Enterprises must focus on defining the goals of automation as realistically as possible after reviewing current processes and prioritizing the challenges. Clear goals for automation (such as reducing response time or saving person-hours) enable a faster return on investment and better overall efficiency. It is also important to define metrics to measure whether the automation achieves the desired results.
Differentiate between tasks that can be completely automated and those requiring human intervention
As incident-handling processes consist of multiple tasks, some tasks can be automated while others must be completed by human action. There should be clarity on which tasks can be automated and on their desired outcome. For example, in an incident handling process for a potential account compromise, only part of the investigation may need automation, while the decision to suspend or lock the account can remain with the security investigator.
Automate operational tasks first
Prioritize tasks that are cumbersome, time-consuming, and repetitive. It is always prudent to start by automating the easier tasks and to check their efficiency and correctness before automating tasks related to decision making.
Feed critical, high priority/high fidelity events
Always feed critical, high-fidelity and high-priority events or alerts to the SOAR platform, so that such events are processed on priority. Some tasks, like alert escalation and prioritization, can be carried out by the SOAR platform once the decision or analytical tasks are automated.
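The two practices above, an intake filter that admits only critical high-fidelity alerts and an account-compromise playbook whose automated part stops at enrichment so that the lock decision stays with the analyst, are illustrated in this added Python example. It is not code from the original article or from any SOAR product; the threat-intel set, the user network baselines and the alert fields are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List

# Constructed enrichment data for the example (not from a real environment).
KNOWN_BAD_IPS = {"203.0.113.7"}                                        # threat-intel hit
HOME_NETWORKS = {"alice": [ipaddress.ip_network("198.51.100.0/24")]}  # per-user login baseline

@dataclass
class Alert:
    alert_id: str
    user: str
    severity: str                # "critical" / "high" / "medium" / "low"
    fidelity: float              # detector confidence, 0.0 to 1.0
    login_ips: List[str] = field(default_factory=list)

def should_feed_to_soar(alert: Alert, min_fidelity: float = 0.8) -> bool:
    """Intake filter: only critical/high severity, high-fidelity alerts enter the platform."""
    return alert.severity in ("critical", "high") and alert.fidelity >= min_fidelity

def automated_investigation(alert: Alert) -> dict:
    """The fully automatable part of the playbook: enrichment, no containment actions."""
    nets = HOME_NETWORKS.get(alert.user, [])
    foreign = [ip for ip in alert.login_ips
               if not any(ipaddress.ip_address(ip) in n for n in nets)]
    intel_hits = [ip for ip in alert.login_ips if ip in KNOWN_BAD_IPS]
    risk = "high" if intel_hits or len(foreign) >= 2 else "low"
    return {"foreign_ips": foreign, "intel_hits": intel_hits, "risk": risk}

def run_playbook(alert: Alert, analyst_decision: Callable[[Alert, dict], bool]) -> dict:
    """Account-compromise playbook: automation ends where the human decision begins.

    analyst_decision is the investigator's approval step (a callback here); the
    platform never locks an account without it."""
    if not should_feed_to_soar(alert):
        return {"alert_id": alert.alert_id, "status": "not_ingested", "actions": []}
    findings = automated_investigation(alert)
    actions = ["enrich_ips", "compare_baseline"]
    if findings["risk"] != "high":
        return {"alert_id": alert.alert_id, "status": "closed_benign", "actions": actions}
    if analyst_decision(alert, findings):
        actions += ["lock_account", "revoke_sessions"]
        return {"alert_id": alert.alert_id, "status": "contained", "actions": actions}
    return {"alert_id": alert.alert_id, "status": "escalated", "actions": actions}
```

Low-fidelity alerts are rejected at intake, benign logins close automatically, and a high-risk finding only reaches containment through the analyst callback.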
Custom code as last resort
Certain actions or integrations in incident handling automation require the creation of custom actions backed by custom code. It is always prudent to use such custom code sparingly, as it is cumbersome to maintain and change. Try to achieve most of the required functionality using the built-in components for playbook and workflow creation in the SOAR platform.
Backup of playbooks/workflow and version control
Define processes for the backup and sharing of workflows to assure the availability of playbooks at the time of a disruption. Proper version control is important to ensure that the correct, up-to-date playbooks are deployed in operation.
Review the process and the efficiency of the automation periodically, based on the metrics gathered, and improve the process and workflows to reflect changes or improvements.
Automation and SOAR platforms can prevent and respond to most new threats and attacks, though enterprises must not treat them as a substitute for other technologies, awareness of security threats, and IT hygiene.
About the author(s)
Rajesh Pandey is a senior Cyber Security Analyst with wide experience in SIEM solutions, Data Analytics, Incident Handling and Response (IRH) and Security Orchestration, Automation and Response (SOAR). He has been a prominent member of the Center of Cyber excellence and has led various technology deployments, Risk Assessment and Cyber Resiliency programs for a diverse range of business groups.