Automation and Orchestration Are More Than Just the Latest Security Buzzwords
Until recently, the benefits of automation and orchestration were largely confined to the Security Operations Center (SOC), but their capabilities now extend well beyond it. Security orchestration, automation and response (SOAR) technology makes it possible for maturing cyber security programs to find effective workarounds for the ever-present cybersecurity skills and resource shortage.
These organizations use automation and orchestration for critical security operations tasks such as gathering threat intelligence, executing response playbooks, and triggering actions across multiple security solutions as part of an incident response process. The technology also streamlines and automates important investigation and case management functions that have historically taken a lot of time and manual effort, all of which take place outside the SOC.
In this article, I’ve outlined five areas in which SOAR platforms are successfully helping to replace manual techniques with streamlined or even fully automated processes.
Reporting is one of the many tasks that take skilled security personnel away from what they do best. SOAR platforms can reduce the time that is commonly wasted on manually gathering and entering data into forms by streamlining and automating reporting.
Reports can include SOC metrics, such as:
– Time from detection to containment to eradication
– Percentage of incidents escalated to Tier-2 analysts
– Trend in the number of false positives
As well as threat metrics, such as:
– Most common or emerging exploits
– Top attackers by source
– Most frequently attacked destinations
For the greatest possible benefit, reports should not only be generated automatically, but shared with necessary parties automatically. Some SOAR platforms can distribute reports to predetermined stakeholders as part of a weekly report, or based on a threshold, such as when the percentage of recurring incidents is deemed too high.
Good metrics tell a story, and they are best received when that story is about something the stakeholders care about and adds value. Many SMB cybersecurity programs are built without proper planning on how progress will be communicated to stakeholders. Value-adding key metrics such as mean time to detect (MTTD) and mean time to respond (MTTR) speak directly to security operations process efficiency and facilitate cybersecurity program maturity.
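The SOC and threat metrics listed above, together with the threshold-based distribution rule, can be computed from the incident records a SOAR platform already holds. The following is an added example, not code from the article or from any SOAR product; the incident records, field names, sources and the 20% false-positive threshold are all constructed for illustration.

```python
"""SOC and threat metrics of the kind a SOAR platform rolls into an automated
report, computed over a constructed incident list.  Added example; not code
from the article or from any SOAR product.  Field names are assumptions."""
from datetime import datetime
from statistics import mean

# Constructed sample incidents (hypothetical data).  Timestamps are ISO 8601;
# a false positive has no containment/eradication times.
INCIDENTS = [
    {"id": "INC-1", "first_event": "2024-03-01T08:00", "detected": "2024-03-01T10:00",
     "contained": "2024-03-01T11:30", "eradicated": "2024-03-01T15:00",
     "escalated_tier2": True, "false_positive": False, "source": "203.0.113.7"},
    {"id": "INC-2", "first_event": "2024-03-02T09:00", "detected": "2024-03-02T13:00",
     "contained": "2024-03-02T13:30", "eradicated": "2024-03-02T16:00",
     "escalated_tier2": False, "false_positive": False, "source": "198.51.100.23"},
    {"id": "INC-3", "first_event": "2024-03-05T00:00", "detected": "2024-03-05T06:00",
     "contained": None, "eradicated": None,
     "escalated_tier2": False, "false_positive": True, "source": "203.0.113.7"},
    {"id": "INC-4", "first_event": "2024-03-09T20:00", "detected": "2024-03-09T21:00",
     "contained": "2024-03-09T23:00", "eradicated": "2024-03-10T09:00",
     "escalated_tier2": True, "false_positive": False, "source": "203.0.113.7"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def _true_incidents(incidents):
    """Confirmed incidents only; false positives would distort time-based metrics."""
    return [i for i in incidents if not i["false_positive"]]


def mean_hours(incidents, start_key, end_key):
    """Mean elapsed hours between two lifecycle timestamps, ignoring missing ends."""
    hours = [(_ts(i[end_key]) - _ts(i[start_key])).total_seconds() / 3600
             for i in incidents if i[end_key]]
    return round(mean(hours), 2) if hours else None


def mttd(incidents):
    """Mean time to detect: first malicious event -> detection."""
    return mean_hours(_true_incidents(incidents), "first_event", "detected")


def mttr(incidents):
    """Mean time to respond, measured here as detection -> containment."""
    return mean_hours(_true_incidents(incidents), "detected", "contained")


def mean_time_to_eradicate(incidents):
    return mean_hours(_true_incidents(incidents), "detected", "eradicated")


def escalation_rate(incidents):
    """Percentage of all incidents escalated to Tier-2."""
    return round(100 * sum(i["escalated_tier2"] for i in incidents) / len(incidents), 1)


def false_positive_rate(incidents):
    return round(100 * sum(i["false_positive"] for i in incidents) / len(incidents), 1)


def false_positive_trend(incidents):
    """False positives per ISO week, oldest first, so a rising trend is visible."""
    counts = {}
    for i in incidents:
        year, week, _ = _ts(i["detected"]).isocalendar()
        label = f"{year}-W{week:02d}"
        counts[label] = counts.get(label, 0) + int(i["false_positive"])
    return sorted(counts.items())


def top_sources(incidents, n=3):
    """Threat metric: most frequent attacker sources among confirmed incidents."""
    counts = {}
    for i in _true_incidents(incidents):
        counts[i["source"]] = counts.get(i["source"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def build_report(incidents):
    return {
        "mttd_hours": mttd(incidents),
        "mttr_hours": mttr(incidents),
        "mtte_hours": mean_time_to_eradicate(incidents),
        "tier2_escalation_pct": escalation_rate(incidents),
        "false_positive_pct": false_positive_rate(incidents),
        "false_positive_trend": false_positive_trend(incidents),
        "top_sources": top_sources(incidents),
    }


def distribute_now(report, max_false_positive_pct=20.0):
    """Threshold-based distribution: send outside the weekly cycle when the
    false-positive share exceeds what stakeholders agreed to tolerate."""
    return report["false_positive_pct"] > max_false_positive_pct


if __name__ == "__main__":
    rep = build_report(INCIDENTS)
    for key, value in rep.items():
        print(f"{key}: {value}")
    print("distribute now:", distribute_now(rep))
```

False positives are excluded from the time-based metrics on purpose: an alert that was never a real incident has no meaningful containment time, and letting it into MTTD or MTTR would flatter or distort the numbers the stakeholders are meant to act on.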
Reports are not the only information that can be distributed automatically. SOAR technology can generate notifications triggered by predetermined conditions within a specific case. For example, if a senior employee who has access to sensitive data becomes the subject of an investigation, a notification is automatically sent to authorized personnel. By automating this investigative policy, an organization reduces human error (e.g. forgetting to carry out the policy) and investigation time, while demonstrating its commitment to credible, well-managed investigations.
Organizations using SOAR technology can provide added value with internal and external cyber security threat intelligence feeds. By integrating threat intel, SOC analysts are able to generate rules or signatures and create rule-based notifications based on that intelligence.
Rule-based notifications can also be leveraged to protect “crown jewels”, meaning assets that have been determined through risk assessments to be critical to the organization. For example, the presence of any crown jewel in an incident can be set as a trigger for automatic notifications to senior security personnel to ensure the incident gets appropriate attention.
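The three notification conditions described above (a sensitive-access employee becoming the subject of a case, a crown-jewel asset appearing in an incident, and a threat-intelligence indicator match) can be expressed as a small rule set evaluated on every case update. This is an added example, not the article's code or any vendor's; the crown-jewel list, user list, indicators (documentation address ranges only), group names and the `Case`/`Rule` structures are constructed assumptions.

```python
"""Rule-based case notifications: a case is evaluated against conditions
(crown-jewel asset involved, sensitive-access user under investigation,
threat-intel indicator match) and notifications are routed to the responsible
group.  Added example, not the article's or any vendor's code; all asset, user
and indicator values are constructed."""
from dataclasses import dataclass, field
from typing import Callable

# Constructed reference data: crown jewels from a hypothetical risk assessment,
# sensitive-access users from a hypothetical HR/IAM export, indicators from a
# hypothetical threat-intel feed (documentation address ranges only).
CROWN_JEWELS = {"db-payments-01", "ad-dc-01"}
SENSITIVE_ACCESS_USERS = {"cfo.jane", "svc-payroll"}
INTEL_INDICATORS = {"198.51.100.23", "bad.example"}


@dataclass
class Case:
    case_id: str
    assets: set = field(default_factory=set)       # hosts touched by the case
    subjects: set = field(default_factory=set)     # user accounts under investigation
    indicators: set = field(default_factory=set)   # IPs/domains observed


@dataclass
class Rule:
    name: str
    match: Callable[[Case], set]   # returns the entities that triggered the rule
    recipients: str                # distribution group to notify
    severity: str


RULES = [
    Rule("crown-jewel-involved", lambda c: c.assets & CROWN_JEWELS,
         "senior-security", "high"),
    Rule("sensitive-access-subject", lambda c: c.subjects & SENSITIVE_ACCESS_USERS,
         "investigations-authorized", "high"),
    Rule("threat-intel-match", lambda c: c.indicators & INTEL_INDICATORS,
         "soc-tier2", "medium"),
]


def evaluate_rules(case, rules=RULES):
    """Return one notification per matching rule, carrying what matched so the
    recipient can see why they were paged.  The analyst never has to remember
    the policy; the platform applies it on every case update."""
    notifications = []
    for rule in rules:
        matched = rule.match(case)
        if matched:
            notifications.append({
                "case": case.case_id,
                "rule": rule.name,
                "to": rule.recipients,
                "severity": rule.severity,
                "matched": sorted(matched),
            })
    return notifications


def notify(case, already_sent, rules=RULES):
    """Idempotent wrapper: a case is re-evaluated on every update, so suppress
    notifications already delivered for the same (case, rule) pair."""
    fresh = []
    for n in evaluate_rules(case, rules):
        key = (n["case"], n["rule"])
        if key not in already_sent:
            already_sent.add(key)
            fresh.append(n)
    return fresh


if __name__ == "__main__":
    sent = set()
    case = Case("CASE-17", assets={"db-payments-01", "ws-0123"}, subjects={"cfo.jane"})
    for n in notify(case, sent):
        print(n)
    # A later update adds an indicator; only the new match fires.
    case.indicators.add("198.51.100.23")
    print(notify(case, sent))
```

Each rule returns the entities that matched rather than a bare boolean, so the notification itself tells the senior reader which crown jewel or which account is involved, and the `already_sent` set keeps a case that is updated many times from paging the same group repeatedly.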
Automated Link Analysis
Link analysis is another important part of an investigation. By connecting entities within a case, investigators can uncover linked incidents, evidence, and other commonalities that can help expand the scope of a case while establishing and confirming relationships.
One of the most effective uses of link analysis is an advanced form of remediation. The incident handling team reviews linked incidents and evidence, identifies common patterns, and works on mitigation at a strategic level. These changes may be massive shifts in technology or even complete re-architecture.
In the past, this type of examination required investigators to manually enter evidence or entities into the link analysis tool, which took a lot of time. Today, link analysis can be done on the fly through the proper orchestration and automation tools. When an incident responder or investigator is processing a case, their SOAR platform can create links between entities in the background, so that the relationships can be viewed immediately. Integration with relevant platforms, such as Active Directory, can contribute to this process by automatically enriching the entities with additional data.
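The background linking described above amounts to indexing every entity across all open cases, so that any case sharing an entity becomes a link, and walking those links to find the wider cluster a case belongs to. The following is an added example, not the article's code or any product's; the cases, entities, placeholder hash values and the directory lookup that stands in for an Active Directory integration are all constructed.

```python
"""Automated link analysis over a small constructed case set: entities (IPs,
users, hosts, file hashes) shared between cases become links, linked cases are
found by walking the graph, and entities are enriched from a directory lookup
standing in for an Active Directory integration.  Added example, not the
article's or any product's code; all values are constructed."""
from collections import defaultdict, deque

# Constructed cases.  Each entity is (type, value); hash values are placeholders.
CASES = {
    "CASE-1": {("ip", "203.0.113.7"), ("user", "alice"), ("host", "ws-0123")},
    "CASE-2": {("ip", "203.0.113.7"), ("user", "bob"), ("hash", "PLACEHOLDER-HASH-A")},
    "CASE-3": {("user", "bob"), ("host", "db-payments-01")},
    "CASE-4": {("ip", "192.0.2.44"), ("user", "carol")},
}

# Constructed stand-in for a directory lookup (in a real deployment an AD/IAM
# integration would supply these attributes).
DIRECTORY = {
    "alice": {"department": "finance", "privileged": False},
    "bob": {"department": "it-ops", "privileged": True},
    "carol": {"department": "sales", "privileged": False},
}


def build_index(cases):
    """entity -> set of case ids that contain it; the backbone of link analysis."""
    index = defaultdict(set)
    for case_id, entities in cases.items():
        for entity in entities:
            index[entity].add(case_id)
    return index


def links_for(case_id, cases):
    """Direct links: other cases sharing at least one entity, with the shared
    entities that justify the link (evidence, not just a line on a chart)."""
    index = build_index(cases)
    links = defaultdict(set)
    for entity in cases[case_id]:
        for other in index[entity] - {case_id}:
            links[other].add(entity)
    return {other: sorted(ents) for other, ents in links.items()}


def related_cases(case_id, cases):
    """Transitive closure: every case reachable through chains of shared entities."""
    index = build_index(cases)
    seen, queue = {case_id}, deque([case_id])
    while queue:
        current = queue.popleft()
        for entity in cases[current]:
            for other in index[entity]:
                if other not in seen:
                    seen.add(other)
                    queue.append(other)
    return sorted(seen - {case_id})


def enrich(entities, directory=DIRECTORY):
    """Attach directory attributes to user entities as they enter the case."""
    enriched = {}
    for etype, value in entities:
        attrs = directory.get(value, {}) if etype == "user" else {}
        enriched[(etype, value)] = attrs
    return enriched


def on_case_update(case_id, cases):
    """What a SOAR platform would run in the background on each case change."""
    return {
        "direct_links": links_for(case_id, cases),
        "related": related_cases(case_id, cases),
        "enriched": enrich(cases[case_id]),
    }


if __name__ == "__main__":
    view = on_case_update("CASE-1", CASES)
    print(view["direct_links"])
    print(view["related"])
    for entity, attrs in view["enriched"].items():
        print(entity, attrs)
```

In this constructed data, CASE-1 and CASE-3 share no entity directly, yet `related_cases` connects them through CASE-2 (shared IP, then shared user), which is exactly the kind of chain the strategic-remediation review in the previous paragraph relies on.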
Automated Task & SLA Generation
When an incident hits, it’s not realistic to expect an analyst to manually create all of the downstream tasks that might be needed. That’s why SOAR platforms are increasingly touting automated task generation, task assignment, and SLA-based alert capabilities. These features help codify repeatable processes, so that teams aren’t left scrambling to develop a plan when an incident strikes.
For example, when a malware playbook is triggered, it will automatically generate and assign tasks with SLA deadlines to all the implicated groups, such as the forensics team. Alerts can be automatically triggered whenever the SLA deadlines are in danger of being missed.
As I mentioned earlier, the automation and orchestration of security actions are intended to help solve the cybersecurity skills and resource shortage, but they don’t necessarily help with compliance documentation. That’s why the most comprehensive SOAR platforms are designed to support journaling and evidence management by documenting every action in an audit trail, including those that are automated.
Virtually all compliance regulations are based upon documentation, so without a strong audit trail, one cannot prove compliance. By tracking every incident, action and outcome, organizations can ensure a foundation of data that can be used to meet their compliance requirements, be they PCI DSS, HIPAA, NERC/FERC, 23 NYCRR 500, or any other.
Robust SOAR platforms can record information about actions taken, including details of the action, the assigned resource, and the time it occurred. Journaling is pivotal in complex incidents where the incident takes place over an extended period and records of the activity become a reliable source of corporate information.
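The malware playbook example from the task and SLA section and the journaling requirement above fit together naturally: each generated task, each SLA alert and each human completion is one journal entry recording the action, the actor, the assigned resource and the time. The following is an added example, not the article's code or any product's; the playbook steps, group names, SLA hours, incident id and timestamps are constructed.

```python
"""Playbook-driven task generation with SLA deadlines, SLA-at-risk alerting and
an audit journal that records automated actions alongside human ones.  Added
example, not the article's or any product's code; the playbook content, group
names, SLA values and timestamps are constructed."""
from datetime import datetime, timedelta

# Constructed malware playbook: (task title, assignee group, SLA in hours from trigger).
MALWARE_PLAYBOOK = [
    ("Isolate host from network", "soc-tier1", 1),
    ("Acquire memory and disk image", "forensics", 4),
    ("Reset credentials used on host", "identity-ops", 8),
    ("Submit sample for analysis", "malware-analysis", 24),
]


def ts(value):
    return datetime.fromisoformat(value)


class Journal:
    """Append-only audit trail: which actor took which action on which incident, and when."""
    def __init__(self):
        self.entries = []

    def record(self, incident_id, actor, action, detail, at):
        entry = {"incident": incident_id, "actor": actor, "action": action,
                 "detail": detail, "at": at.isoformat()}
        self.entries.append(entry)
        return entry

    def for_incident(self, incident_id):
        return [e for e in self.entries if e["incident"] == incident_id]


def generate_tasks(incident_id, playbook, triggered_at, journal):
    """Create and assign every downstream task with an SLA deadline, journaling
    each creation as an automated action so the trail shows it was not a human."""
    tasks = []
    for title, group, sla_hours in playbook:
        task = {"incident": incident_id, "title": title, "assignee": group,
                "created": triggered_at, "due": triggered_at + timedelta(hours=sla_hours),
                "done_at": None}
        tasks.append(task)
        journal.record(incident_id, "automation:playbook", "task_created",
                       f"{title} -> {group}, due {task['due'].isoformat()}", triggered_at)
    return tasks


def complete_task(task, actor, at, journal):
    """A human closing a task is journaled the same way as an automated step."""
    task["done_at"] = at
    journal.record(task["incident"], actor, "task_completed", task["title"], at)


def sla_status(tasks, now, warn_fraction=0.75):
    """Classify open tasks as 'breached', 'at_risk' (more than warn_fraction of
    the SLA window consumed) or 'ok'; completed tasks are left out."""
    status = {"breached": [], "at_risk": [], "ok": []}
    for task in tasks:
        if task["done_at"] is not None:
            continue
        window = task["due"] - task["created"]
        elapsed = now - task["created"]
        if now > task["due"]:
            status["breached"].append(task)
        elif elapsed >= warn_fraction * window:
            status["at_risk"].append(task)
        else:
            status["ok"].append(task)
    return status


def raise_sla_alerts(tasks, now, journal):
    """Alert on breached and at-risk tasks; each alert is itself journaled."""
    alerts = []
    status = sla_status(tasks, now)
    for state in ("breached", "at_risk"):
        for task in status[state]:
            alerts.append({"task": task["title"], "assignee": task["assignee"], "state": state})
            journal.record(task["incident"], "automation:sla-monitor", f"sla_{state}",
                           task["title"], now)
    return alerts


def run_demo():
    """Constructed timeline: playbook fires at 10:00, Tier-1 isolates the host at
    10:40, the SLA monitor runs at 13:30 and the status is checked again at 14:30."""
    journal = Journal()
    tasks = generate_tasks("INC-42", MALWARE_PLAYBOOK, ts("2024-03-01T10:00"), journal)
    complete_task(tasks[0], "analyst.sam", ts("2024-03-01T10:40"), journal)
    alerts = raise_sla_alerts(tasks, ts("2024-03-01T13:30"), journal)
    later = sla_status(tasks, ts("2024-03-01T14:30"))
    return {"tasks": tasks, "alerts": alerts, "later": later, "journal": journal}


if __name__ == "__main__":
    demo = run_demo()
    print(demo["alerts"])
    for entry in demo["journal"].for_incident("INC-42"):
        print(entry)
```

The journal's `actor` field is what makes the trail usable for compliance: entries written by the playbook or the SLA monitor carry an `automation:` prefix, so an auditor reading the incident record can distinguish the steps the platform took on its own from the ones a named analyst performed, without either kind being missing from the record.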
Automation and orchestration are more than just the latest security buzzwords. They are being recognized as essential capabilities in the SOC, and as you can see, this is only the beginning. The principles of automation and orchestration are necessary to counter the skills and resource gap, and their impact is amplified when applied across the broader picture of cybersecurity, compliance, risk and case management.