Cyber attacks rank first among global human-caused risks, according to the World Economic Forum's "Global Risks Report 2020." Given the value of their assets and the widening topology of digital infrastructure and big data, businesses face a pressing question: How should they respond to the increasing volume and variety of threats?
In response, many companies are automating foundational security operations center (SOC) tasks. Security orchestration, automation and response (SOAR) is a class of technologies designed to automate these basic security workflows.
SOAR encompasses the following functions in a SOC context:
- Security orchestration connects and coordinates heterogeneous tool sets in the SOC for more efficient threat ingestion, enrichment, monitoring and incident identification.
- Automation helps SOCs take a more proactive security stance by automatically triggering workflows, tasks and triages based on predefined parameters.
- Response accelerates general and targeted SOC reactions to lower-risk incidents, and supports analyst retort by enabling a single view to access, query and share threat intelligence.
Within these three categories are scores of ways automation accelerates manual tasks. The primary value of SOAR tools is in supporting human analysts to scale and automate repetitive and tedious tasks so SOC staff can focus on higher-level threats.
Below, examine six SOAR use cases that augment security analysts in enterprise SOCs.
1. Threat intelligence coordination
Each day, SOAR platforms ingest hundreds of thousands of indicators of compromise (IOC). IOCs are collected from internal and external threat intelligence feeds, malware analysis tools, endpoint detection and response platforms, SIEM systems, network detection and response tools, email inboxes, RSS feeds, regulatory bodies and other databases. SOAR platforms can coordinate, aggregate and surface alerts from those tools, as well as detect suspicious IOCs that emerge across them.
This article is part of
2. Case management
Potential threats can be detected by multiple tools. Thus, it can consume precious amounts of time for analysts to parse through disparate data associated with the same threat. SOAR in the SOC collates all the data toward a single story. This enables cases to be handled more rapidly and accelerates overall mean times to detect and respond, whether through automation or human intervention and analysis.
3. Vulnerability management
In the past, SOC analysts relied on manual management and inventory of security vulnerabilities. But by implementing SOAR, several SOC tasks can be automated to handle volume, monitoring and simple responses. Specifically, SOAR correlates data on threats across multiple security tools to calculate risk and prioritize the threat accordingly.
4. Automated enrichment for remediation
SOAR platforms accelerate the IOC enrichment process by tapping multiple enrichment databases or querying different threat intelligence tools for context. This enables SOC analysts to more accurately and efficiently parse, verify, triage and respond. This SOAR use case saves analysts significant time by more rapidly enriching huge volumes of IPs, URLs and hashes to check for malice -- without compromising on the depth of inquiry needed.
5. Threat hunting
Beyond ingestion and enrichment, SOAR platforms' detection of IOCs effectively serves as a form of proactive threat hunting. Threat hunting is a crucial task for human analysts -- but a time-consuming one, given the widening scope of threats. SOAR helps with tedium and scale by adding data sets for continual analysis. Additionally, SOAR assists with the threat hunting scope by probing for malware or suspicious domains and incorporating human in the loop decisioning at strategic points.
6. Incident response
Automating incident remediation and response processes is intended to target threats upstream to prevent downstream costs. SOAR in the SOC handles remediation and response for several common security threats, such as phishing, malware, denial of service, web defacement and ransomware.
Automated responses take myriad forms depending on the nature of the threat, including the following:
- auto-adding indicators to watchlists;
- auto-blocking malicious indicators;
- auto-quarantining indicators or compromised endpoints;
- auto-generating tickets;
- auto-blocking a suspicious email or IP address;
- auto-deleting suspicious emails from other mailboxes;
- auto-terminating user accounts;
- auto-triggering an antivirus scan or security compliance check; and
- auto-alerting specific analysts, employees, vendors, partners or customers.
Among the benefits of SOAR is the threat information coordination across vast security topologies, freeing up human analysts to focus on more complicated threats and supporting the entire lifecycle of threat intelligence. From ingestion and enrichment to detection, triage, response and containment, SOAR in the SOC is instrumental in gaining greater oversight and context.
SOAR is useful not only for automating security playbooks but optimizing them; it not only improves analysts' experience, but the SOC team's ability to communicate across the organization as well. With proper implementation in addition to cultural and industry considerations, implementing SOAR use cases can strengthen the foundation of an enterprise's security posture.