
Five Strategies for Extending Automation and Orchestration Beyond the SOC

Automation and Orchestration Are More Than Just the Latest Security Buzzwords

Until recently, the benefits of automation and orchestration were largely confined to the Security Operations Center (SOC), but the capabilities now extend far beyond it. Security orchestration, automation and response (SOAR) technology makes it possible for maturing cybersecurity programs to find effective workarounds to the ever-present cybersecurity skills and resource shortage.

These organizations leverage automation and orchestration for critical security operations tasks, such as gathering threat intelligence, executing response playbooks, and triggering actions across multiple security solutions as part of an incident response process. The technology also supports the streamlining and automating of important investigation and case management functions that historically have taken a lot of time and manual effort – all actions that take place outside of the SOC.

In this article, I’ve outlined five areas in which SOAR platforms are successfully helping to replace manual techniques with streamlined or even fully automated processes.

Scheduled Reporting

Reporting is one of the many tasks that take skilled security personnel away from what they do best. SOAR platforms can reduce the time that is commonly wasted on manually gathering and entering data into forms by streamlining and automating reporting.

Reports can include SOC metrics, such as:

- Time from detection to containment to eradication

- Percentage of incidents escalated to Tier-2 analysts

- Trend in the number of false positives

As well as threat metrics, such as:

- Most common or emerging exploits

- Top attackers by source

- Most frequently attacked destinations

For the greatest possible benefit, reports should not only be generated automatically, but shared with necessary parties automatically. Some SOAR platforms can distribute reports to predetermined stakeholders as part of a weekly report, or based on a threshold, such as when the percentage of recurring incidents is deemed too high.


Good metrics tell a story, and they are best received when that story is about something the stakeholders care about and adds value. Many SMB cybersecurity programs are built without proper planning for how progress will be communicated to stakeholders. Value-added key metrics like mean time to detect (MTTD) and mean time to respond (MTTR) speak directly to security operations process efficiency and facilitate cybersecurity program maturity.
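To make the reporting section concrete, here is an added example (not code from the article or from any SOAR vendor) that computes the SOC metrics listed above from constructed incident records and decides whether a report goes out on the weekly schedule or because the recurring-incident threshold was breached. The MTTD/MTTR definitions, the field names and the stakeholder lists are assumptions.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident records (ISO-8601 timestamps, UTC assumed).
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T07:00:00", "detected": "2024-03-01T08:00:00",
     "contained": "2024-03-01T09:30:00", "eradicated": "2024-03-01T12:00:00",
     "tier2": True, "false_positive": False, "recurring": True},
    {"id": "INC-2", "occurred": "2024-03-02T09:00:00", "detected": "2024-03-02T10:00:00",
     "contained": "2024-03-02T10:20:00", "eradicated": "2024-03-02T11:00:00",
     "tier2": False, "false_positive": True, "recurring": False},
    {"id": "INC-3", "occurred": "2024-03-03T12:00:00", "detected": "2024-03-03T14:00:00",
     "contained": "2024-03-03T16:00:00", "eradicated": "2024-03-03T20:00:00",
     "tier2": True, "false_positive": False, "recurring": True},
    {"id": "INC-4", "occurred": "2024-03-04T00:00:00", "detected": "2024-03-04T01:00:00",
     "contained": "2024-03-04T01:10:00", "eradicated": "2024-03-04T02:00:00",
     "tier2": False, "false_positive": False, "recurring": False},
]

# Assumed predetermined stakeholder lists; a real platform reads these from its config.
STAKEHOLDERS = {"weekly": ["soc-manager", "ciso"],
                "threshold": ["soc-manager", "ciso", "ir-lead"]}

def _minutes(start: str, end: str) -> int:
    return int((datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() // 60)

def soc_metrics(incidents):
    """SOC metrics from the article. MTTD is taken as occurred->detected and
    MTTR as detected->eradicated (an assumption; definitions vary by program)."""
    n = len(incidents)
    def pct(key):
        return 100.0 * sum(1 for i in incidents if i[key]) / n
    return {
        "mttd_min": mean(_minutes(i["occurred"], i["detected"]) for i in incidents),
        "mttr_min": mean(_minutes(i["detected"], i["eradicated"]) for i in incidents),
        "detect_to_contain_min": mean(_minutes(i["detected"], i["contained"]) for i in incidents),
        "contain_to_eradicate_min": mean(_minutes(i["contained"], i["eradicated"]) for i in incidents),
        "pct_tier2": pct("tier2"), "pct_false_positive": pct("false_positive"),
        "pct_recurring": pct("recurring"),
    }

def distribution(metrics, weekly_run, recurring_threshold_pct=40.0):
    """Who gets the report: a threshold breach goes to the wider list at once,
    a scheduled weekly run goes to the regular list, otherwise nothing is sent."""
    if metrics["pct_recurring"] > recurring_threshold_pct:
        return STAKEHOLDERS["threshold"], "recurring incidents above threshold"
    if weekly_run:
        return STAKEHOLDERS["weekly"], "scheduled weekly report"
    return [], "no distribution"
```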

Rule-Based Notifications

Reporting isn’t the only information that can be automatically distributed. SOAR technology can generate notifications triggered by predetermined conditions within a specific case. For example, if a senior employee who has access to sensitive data becomes the subject of an investigation, a notification will be automatically sent to authorized personnel. By automating this investigative policy, an organization reduces human error (e.g. forgetting to carry out the policy) and investigation time, while demonstrating its commitment to credible, well-managed investigations.

Organizations using SOAR technology can provide added value with internal and external cybersecurity threat intelligence feeds. By integrating threat intel, SOC analysts are able to generate rules or signatures and create rule-based notifications based on that intelligence.

Rule-based notifications can also be leveraged to protect “crown jewels”, meaning assets that have been determined through risk assessments to be critical to the organization. For example, the presence of any crown jewel in an incident can be set as a trigger for automatic notifications to senior security personnel to ensure the incident gets appropriate attention.

Automated Link Analysis

Link analysis is another important part of an investigation. By connecting entities within a case, investigators can uncover linked incidents, evidence, and other commonalities that can help expand the scope of a case while establishing and confirming relationships. 

One of the most effective uses of link analysis is an advanced form of remediation. The incident handling team reviews linked incidents and evidence, identifies common patterns, and works on mitigation at a strategic level. These changes may be massive shifts in technology or even complete re-architecture. 

In the past, this type of examination required investigators to manually enter evidence or entities into the link analysis tool, taking up a lot of time. Today, link analysis can be done on the fly through the proper orchestration and automation tools. When an incident responder or investigator is processing a case, their SOAR platform can create links between entities in the background, so that the relationships can be viewed immediately. Integration with relevant platforms, like an Active Directory, can contribute to this process by automatically enriching the entities with additional data.
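The background linking and enrichment described in this section, as an added example that is not code from the article or any SOAR product: cases are indexed by the entities in their evidence, linked cases are found through shared entities, connected groups of incidents are clustered for pattern-level remediation, and user entities are enriched from a constructed stand-in for a directory such as Active Directory. All case ids, entities and directory records are constructed.

```python
from collections import defaultdict

# Constructed cases: each maps to the entities found in its evidence.
CASES = {
    "CASE-100": {"user:alice", "host:ws-17", "sha256:deadbeef01"},
    "CASE-101": {"user:bob", "host:ws-22", "sha256:deadbeef01"},
    "CASE-102": {"user:bob", "host:fs-01", "ip:203.0.113.9"},
    "CASE-103": {"user:carol", "host:ws-40", "ip:198.51.100.7"},
}
# Constructed stand-in for the directory (e.g. Active Directory) used for enrichment.
DIRECTORY = {"alice": {"dept": "finance", "title": "CFO"},
             "bob": {"dept": "it", "title": "Sysadmin"},
             "carol": {"dept": "sales", "title": "Account Manager"}}

def build_index(cases):
    """Entity -> set of case ids; kept up to date in the background as cases are processed."""
    index = defaultdict(set)
    for case_id, entities in cases.items():
        for e in entities:
            index[e].add(case_id)
    return index

def linked_cases(case_id, cases, index):
    """Other cases sharing at least one entity with case_id -> sorted shared entities."""
    links = defaultdict(set)
    for e in cases[case_id]:
        for other in index[e] - {case_id}:
            links[other].add(e)
    return {k: sorted(v) for k, v in links.items()}

def clusters(cases, index):
    """Connected components of the link graph: groups of linked incidents that
    the team can review together for pattern-level (strategic) remediation."""
    seen, out = set(), []
    for start in cases:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            c = stack.pop()
            if c in comp:
                continue
            comp.add(c)
            stack.extend(linked_cases(c, cases, index))
        seen |= comp
        out.append(sorted(comp))
    return sorted(out)

def enrich(case_id, cases, directory):
    """Attach directory attributes to the user entities of a case."""
    return {e: directory.get(e.split(":", 1)[1], {}) for e in sorted(cases[case_id]) if e.startswith("user:")}
```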

Automated Task & SLA Generation

When an incident hits, it’s not realistic to expect an analyst to manually create all of the downstream tasks that might be needed. That’s why SOAR platforms are increasingly touting automated task generation, task assignment, and SLA-based alert capabilities. These features help codify repeatable processes, so that teams aren’t left scrambling to develop a plan when an incident strikes.

For example, when a malware playbook is triggered, it will automatically generate and assign tasks with SLA deadlines to all the implicated groups, such as the forensics team. Alerts can be automatically triggered whenever the SLA deadlines are in danger of being missed.

Audit Trail

As I mentioned earlier, the automation and orchestration of security actions are intended to help solve the cybersecurity skills and resource shortage, but they don’t necessarily help with compliance documentation. That’s why the most comprehensive SOAR platforms are designed to support journaling and evidence management by documenting every action in an audit trail, including those that are automated.

Virtually all compliance regulations are based upon documentation, so without a strong audit trail, one cannot prove compliance. By tracking every incident, action and outcome, organizations can ensure a foundation of data that can be used to meet their compliance requirements, be they PCI DSS, HIPAA, NERC/FERC, 23 NYCRR 500, or any other.

Robust SOAR platforms can record information about actions taken, including details of the action, the assigned resource, and the time it occurred. Journaling is pivotal in complex incidents that unfold over an extended period, where the records of activity become a reliable source of corporate information.
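The following added example (not code from the article or any SOAR product) ties together the Rule-Based Notifications, Automated Task & SLA Generation and Audit Trail sections: a constructed malware playbook generates tasks with SLA deadlines for each implicated group, a crown-jewel rule notifies senior security staff, open tasks near their deadline are flagged for SLA alerts, and every action, automated or manual, is journaled. The crown-jewel list, group names, SLA hours and case ids are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed inputs: crown-jewel assets come from the risk assessment; the
# malware playbook maps each implicated group to a task and an SLA in hours.
CROWN_JEWELS = {"db-payments-01", "dc-01"}
SENIOR_SECURITY = ["ciso", "soc-manager"]
MALWARE_PLAYBOOK = [
    ("endpoint", "Isolate host and block the sample hash on EDR", 1),
    ("threat-intel", "Check sample and C2 indicators against intel feeds", 2),
    ("forensics", "Acquire memory and disk image of the affected host", 4),
]
OPENED_AT = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed case open time

class Case:
    def __init__(self, case_id, assets, opened_at):
        self.id, self.assets, self.opened_at = case_id, set(assets), opened_at
        self.tasks, self.notifications, self.journal = [], [], []

    def record(self, actor, action, detail, when):
        """Audit trail entry: automated actions are journaled exactly like manual ones."""
        self.journal.append({"time": when.isoformat(), "actor": actor,
                             "action": action, "detail": detail})

def at(base, minutes):
    return base + timedelta(minutes=minutes)

def run_malware_playbook(case, now):
    """Generate tasks with SLA deadlines for every implicated group and apply
    the crown-jewel notification rule, journaling each automated action."""
    for group, task, sla_h in MALWARE_PLAYBOOK:
        due = now + timedelta(hours=sla_h)
        case.tasks.append({"group": group, "task": task, "due": due, "done": False})
        case.record("automation", "task_created", f"{group}: {task} (due {due.isoformat()})", now)
    hit = sorted(case.assets & CROWN_JEWELS)
    if hit:
        case.notifications.append({"to": SENIOR_SECURITY, "reason": f"crown jewels in incident: {hit}"})
        case.record("automation", "notification_sent", f"to {SENIOR_SECURITY}: crown jewels {hit}", now)
    return case

def complete_task(case, index, analyst, now):
    case.tasks[index]["done"] = True
    case.record(analyst, "task_completed", case.tasks[index]["task"], now)

def sla_at_risk(case, now, warn_before=timedelta(minutes=30)):
    """Groups with open tasks due within warn_before (or already overdue): these raise SLA alerts."""
    return [t["group"] for t in case.tasks if not t["done"] and t["due"] - now <= warn_before]
```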

Automation and orchestration are more than just the latest security buzzwords. They are being recognized as essential capabilities in the SOC, and as you can see, this is only the beginning. The principles of automation and orchestration are necessary to counter the skills and resource gap, and their impact is amplified when applied across the broader picture of cybersecurity, compliance, risk and case management.

Stan Engelbrecht is the Director of Cybersecurity Practice at D3 Security and an accredited CISSP. Stan is involved throughout the product delivery and customer success lifecycle, and takes particular interest in working with customers to configure solutions. You can find Stan speaking about cybersecurity issues at conferences, in the media, and as the chapter president for a security special interest group.