Automating incident response with security orchestration

Enriching incident response data

Incident response is generally a time-intensive activity, requiring the direct attention of skilled, experienced responders who can apply judgment to the situation. While this work will likely continue to require skilled human analysts, SOAR programs can automatically enrich the information provided to these analysts as they conduct their work. This approach allows automated workflows to supplement alerts from security information and event management (SIEM) systems with additional information, sparing analysts the tedious and time-consuming activity of retrieving information from multiple systems.

For example, many incident response efforts begin with an alert from an intrusion detection and prevention system. After receiving these alerts, analysts triage them and often consult other systems as they seek to determine whether the alert requires further investigation or intervention. SOAR systems might improve this work by automating incident response through the gathering of additional information before the analyst reviews the alert. Examples include the following:

• Obtaining reputation, ownership/registration and geolocation information about network addresses and domain names involved in the alert.
• Consulting the SIEM for log information from the targeted system, identity and access management systems, firewalls, network devices and other information sources that may be relevant to the attack.
• Triggering vulnerability scans to identify security issues on the target system that may have been exploited during the attack.

An analyst reviewing an alert could certainly perform each of these actions, but SOAR systems remove those steps, allowing analysts to simply review the results, determine whether additional action is required and move on to the next alert.

Automating incident response efforts

SOAR activities may also extend beyond assisting a human analyst to actively respond to some security incidents. In the 24/7 world of cybersecurity, prompt response is crucial to containing the damage a security incident causes. SOAR approaches to incident response may automate some or all of the incident response playbook followed by analysts in the wake of common security events.

For example, if a system on the local network demonstrates symptoms of compromise, such as reaching out to a known malware command-and-control network, the SOAR system may trigger an automated playbook response. This response may include triggering a malware scan on the target system, removing it from production networks and placing it on a quarantine network for further investigation, and scanning network traffic logs for signs of lateral compromise of other networked systems. All of these steps can take place immediately upon detection without human intervention. This rapid action serves to limit the impact of the incident and restore normal operations as quickly as possible.

Incident response is a difficult and time-consuming task. Security orchestration, automation and response programs provide some relief from the burden of incident response by enriching the information provided to analysts and even automating incident response actions to contain damage and remediate compromises.