SOAR Platforms Help Automate Cybersecurity Tasks
Security orchestration, automation and response (SOAR) platforms are driving efforts to automate cybersecurity functions. These systems build on the information-gathering and correlation capabilities of security information and event management (SIEM) technologies by adding on automated response capabilities. When a SOAR platform detects that certain conditions are met, it can immediately trigger a playbook of activities designed to respond to those conditions.
For example, if an endpoint detection and response (EDR) system notifies a SOAR platform that malware was detected on an end-user device, the SOAR platform can automatically kick off a series of actions, including:
Modifying the network configuration to place that system on an isolated VLAN where it cannot communicate with any other devices, containing the damage caused by the infection
Triggering the EDR platform to remediate the malware infection, restoring the system to proper working order
Firing off a vulnerability scan that analyzes the system’s configuration to confirm that it no longer poses a threat to itself or the network
Modifying the network configuration again at the completion of these tasks to restore the system’s normal access
All those actions, which might previously have required hours of effort by cybersecurity professionals, can take place quickly when automated through a SOAR platform.
The workflows triggered by SOAR playbooks do not need to be strictly sequential in nature, either. The workflow above could be enhanced by adding conditional steps that occur based upon the results of prior steps. For example, Step 3 could be modified to take different actions depending on the results of the vulnerability scan. If the scan reveals that the system is remediated, the workflow could move on to Step 4 and automatically restore normal operations.
If, on the other hand, the scan reveals that the automated remediation was unsuccessful, the system could remain on the quarantined VLAN and the SOAR platform could open a ticket in the organization’s IT service management platform to trigger a human investigation and response.
When Implementing Automation, Start Small
Once you have a SOAR platform in place, you can integrate it with many of your existing security tools to perform a variety of routine tasks. It’s normally a good idea to start small and focus on efforts that have the highest potential payback in terms of time savings and pose the lowest risk to the organization. Let’s take a look at three ways SOAR platforms can quickly add value to an organization.
• Automate malware incident response efforts. We’ve already discussed malware response as a prime example of the effectiveness of SOAR platforms. Given the burden that malware response places on security teams, automating these responses should be a high priority for any SOAR implementation effort.
• Gather information for incident responders. Incident responders spend a lot of time gathering information as they attempt to triage and respond to cybersecurity events. SOAR platforms can automate much of this work by reaching into other systems and information sources to gather the basic facts before passing an event on to a human analyst for investigation. For example, if the SOAR suspects that a system is connecting to a botnet, the system can gather network traffic logs, threat intelligence data, user information and other records to prepare a dossier that analysts can use as they investigate the incident.
• Process phishing messages. Every organization is deluged by phishing messages and most have a standardized workflow when users report these messages to administrators. Cybersecurity analysts might immediately remove the message from the inboxes of other users, add destination systems in links to a Domain Name System blackhole, identify systems that visited the link and run malware scans on them, block future messages from the same source, and perform other related actions. All of these tasks can be automated using SOAR technology.
These three use cases are just starting points based on the types of automation that will benefit most organizations. As teams roll out SOAR technology, they should think about the pain points that they encounter and identify organization-specific use cases that will deliver the most value to their teams.