Security Orchestration, Automation and Response (SOAR) Description and Functional Components (Part 1)
30.10.2018
Read
In the world of globalization, technology is being capitalized on in every walk of life. People are transforming their routine works into machine-based automated tasks. The same is happening in the case of cybersecurity. SOAR solution, as one of the most effective cybersecurity solutions, provides security orchestration, automation, and response that help security analysts to manage and respond to numerous alarms at rapid speed. In fact, SOAR combines comprehensive data gathering, standardization, case management, workflow, and analytics to provide enterprises with the ability to implement defense-in-depth capabilities. SOAR has to perform a variety of activities and functions within the Security Operation Center (SOC). SOAR functional components incorporate Orchestration, Automation, Incident Management and collaboration, and dashboards and reporting. The following sections take a deep dive into the details of these components.
In the world of cybersecurity, no organization is completely protected against cyber-threats. Each company involves a risk posture at some or a large extent and some defence mechanisms. Organizations, in this scenario, has to improve its response actions in order to survive and thrive in the marketplace and prevent reputational damage. Orchestration, in fact, is the ability of an organization to coordinate informed decision making, formalize and automate response actions based on the measurement of a risk posture and defensive measures. Orchestration, as a component of SOAR, orchestrates all received alerts, analyze their criticality, coordinates incident response and remediation, and gauges the entire process. A good orchestration solution must incorporate six essential elements including KPI/Business Intelligence, Collaboration, Case Management, Context/Enrichment, Playbook Automation, and Interactive Investigation. More importantly, analysts as a manpower play their pivotal role in orchestration. The automated system alone does not adequate to prevent a subtle sign of a hack. Orchestration applies context by aggregating relevant data from numerous sources within your company's overall ecosystem to enrich individual alerts. With this context applied, security experts manage alerts of each individual system and then investigate and remediate security issues at the case level. Doing so saves a huge amount of time of security teams since multiple alerts are being addressed within a single case and all in one location. For example, we can see how orchestration is performed against the reported E-mail that may be suspicious. The SOC receives a malicious E-mail alert from the end user. The analysts confirm an authenticity of the mail through a threat intelligence. The DNS tools are used to know the origin of the E-mail. The analysts may employ a Sandbox to check the authenticity of attachments in the mail. The same process is required for every malicious E-mail. However, doing so manually is a time-consuming and herculean task. For this to be done effectively, orchestration plays a pivotal role. In fact, it automates the data collection into a single point each time a suspicious E-mail reported. The analysts simply review that data and decide whether the E-mail is harming or not. In the event of successful detection in the aftermath of an investigation, they begin a workflow (playbook) to perform an incident response process. Ticket system and Sandbox will play a crucial role in providing the automated process to check the E-mail and detect all messages with malicious attachment or link. After that, the E-mail is automatically quarantined. This system also involves an alerting system that certainly produces some noise as well on the eve of the incident.
As the name implies, cybersecurity automation is the process of handling numerous tasks (also known as “playbooks”) automatically without needing any manual intervention. Automation is performed through a machine-based security application. Automation, in fact, is the subset of orchestration. It can query logs, carry out IP scoring, and can provision or deprovision new users without needing the assistance of security management staff. In addition, when an automation tool acts as an orchestration tool, then it indeed automates tasks that will otherwise need the use of more than one security tool. If the malicious actors launch a malware against your company’s critical system or your communication is detected to a known suspicious host, your SOAR’s orchestrated and automated response will automatically shut it down or isolate the affected system to avoid the further damage. You also need to be aware of the second part of this article: SOAR Functional Components (Part 2).
