SOAR platforms help automate cybersecurity tasks
Security orchestration, automation, and response (SOAR) platforms are driving efforts to automate cybersecurity functions. These systems build on the information gathering and correlation capabilities of security information and event management (SIEM) technologies by adding automated response capabilities. When a SOAR platform detects that certain conditions are met, it can immediately trigger a playbook of activities designed to respond to those conditions.
For example, if an endpoint detection and response (EDR) system notifies a SOAR platform that malware has been detected on an end-user device, the SOAR platform can automatically trigger a series of actions, including:
- Changing the network configuration to place the system on an isolated VLAN where it cannot communicate with any other device, containing the damage caused by the infection
- Triggering the EDR platform to remediate the malware infection, restoring the system to good working condition
- Running a vulnerability scan that analyzes the system configuration to confirm that it no longer poses a threat to itself or the network
- Modifying the network configuration again at the end of these tasks to restore normal system access
All of these actions, which previously could require hours of effort from cybersecurity professionals, can happen quickly when automated through a SOAR platform.
Workflows triggered by SOAR playbooks also don’t need to be strictly sequential. The above workflow could be improved by adding conditional steps that occur based on the results of previous steps. For example, step 3 can be modified to perform different actions based on the results of the vulnerability scan. If the scan reveals that the system is fixed, the workflow can proceed to step 4 and automatically restore normal operations.
If, on the other hand, the scan reveals that the automated remediation failed, the system could remain on the quarantined VLAN and the SOAR platform could open a ticket in the organization’s IT service management platform to trigger a human investigation and response.
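The four-step malware workflow and its conditional branch can be expressed as a small playbook. The following is an added example, not code from the article or from any SOAR vendor: the connector functions (isolate_host, remediate_host, scan_host, restore_host, open_ticket) are hypothetical stand-ins for the network, EDR, vulnerability-scanner and ITSM integrations a real platform would call, and they act on a constructed in-memory environment so the playbook runs offline.

```python
"""Added example: a SOAR-style malware playbook with a conditional step.

All connectors below are hypothetical; a real SOAR platform would call the
corresponding vendor integrations instead of this fake environment.
"""
from dataclasses import dataclass, field


@dataclass
class FakeEnvironment:
    """Constructed stand-in for the infrastructure the playbook touches."""
    vlan: dict = field(default_factory=dict)                # host -> VLAN name
    infected: dict = field(default_factory=dict)            # host -> bool
    remediation_works: dict = field(default_factory=dict)   # host -> bool (simulates EDR success)
    tickets: list = field(default_factory=list)             # opened ITSM tickets
    audit: list = field(default_factory=list)               # ordered log of every action taken


# --- hypothetical connectors (assumed names, not any vendor's API) ---
def isolate_host(env, host):
    """Step 1: move the host to a quarantine VLAN (network connector)."""
    env.vlan[host] = "quarantine"
    env.audit.append(f"isolate {host}")


def remediate_host(env, host):
    """Step 2: ask the EDR platform to clean the infection."""
    if env.remediation_works.get(host, True):
        env.infected[host] = False
    env.audit.append(f"remediate {host}")


def scan_host(env, host):
    """Step 3: run a vulnerability scan and report whether the host is clean."""
    env.audit.append(f"scan {host}")
    return {"host": host, "clean": not env.infected.get(host, False)}


def restore_host(env, host):
    """Step 4: return the host to its normal VLAN."""
    env.vlan[host] = "corporate"
    env.audit.append(f"restore {host}")


def open_ticket(env, host, summary):
    """Escalation path: open an ITSM ticket for a human analyst."""
    ticket_id = f"INC-{len(env.tickets) + 1:04d}"
    env.tickets.append({"id": ticket_id, "host": host, "summary": summary})
    env.audit.append(f"ticket {ticket_id} for {host}")
    return ticket_id


def malware_playbook(env, alert):
    """Run the workflow for one EDR alert; branch on the scan result."""
    if alert.get("type") != "malware":
        return {"host": alert.get("host"), "outcome": "ignored", "ticket": None}
    host = alert["host"]
    isolate_host(env, host)
    remediate_host(env, host)
    result = scan_host(env, host)
    if result["clean"]:
        restore_host(env, host)
        return {"host": host, "outcome": "restored", "ticket": None}
    # Remediation failed: keep the host quarantined and hand off to a human.
    ticket = open_ticket(env, host, f"Automated remediation failed for {host}; host left in quarantine")
    return {"host": host, "outcome": "escalated", "ticket": ticket}


if __name__ == "__main__":
    # Constructed scenario: ws-01 remediates cleanly, ws-02 does not.
    env = FakeEnvironment(infected={"ws-01": True, "ws-02": True},
                          remediation_works={"ws-01": True, "ws-02": False})
    for host in ("ws-01", "ws-02"):
        print(malware_playbook(env, {"type": "malware", "host": host, "source": "edr"}))
    print(env.audit)
```

The audit list is the part worth keeping in a real implementation: every automated containment or restore action should be logged with enough detail that an analyst can reconstruct what the playbook did before they were paged.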
When Implementing Automation, Start Small
Once you have a SOAR platform in place, you can integrate it with many of your existing security tools to perform various routine tasks. It’s normally a good idea to start small and focus on efforts that have the highest return potential in terms of time savings and pose the lowest risk to the organization. Let’s look at three ways SOAR platforms can quickly add value to an organization.
• Automate malware incident response efforts. We have already discussed malware response as a great example of the effectiveness of SOAR platforms. Given the burden that responding to malware places on security teams, automating these responses should be a top priority for any SOAR implementation effort.
• Gather information for incident responders. Incident responders spend a lot of time gathering information when trying to triage and respond to cybersecurity events. SOAR platforms can automate much of this work by accessing other systems and sources of information to gather basic facts before escalating an event to a human analyst for investigation. For example, if the SOAR platform suspects that a system is connecting to a botnet, it can collect network traffic logs, threat intelligence data, user information, and other records to prepare a case that analysts can use when investigating the incident.
• Deal with phishing messages. Every organization is inundated with phishing messages, and most have a standardized workflow for when users report these messages to administrators. Cybersecurity analysts can immediately delete the message from other users’ inboxes, add the systems linked in the message to a domain name system blackhole, identify systems that have visited the link and run malware scans on them, block future messages from the same source, and perform other related actions. All of these tasks can be automated using SOAR technology.
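The phishing workflow above is a good illustration of the information-gathering use case as well: the playbook parses the reported message, derives the indicators, and then consults other data sources before anyone acts. The following is an added example, not code from the article or any SOAR product. The reported message, proxy log lines and mailbox contents are constructed sample data, and the DNS blackhole, mailbox purge and sender block are modelled as in-memory operations rather than calls to real infrastructure.

```python
"""Added example: an offline model of the phishing-response playbook.

Constructed inputs stand in for the mail platform, web proxy logs and DNS
blackhole a SOAR platform would integrate with; the indicator values
(example-phish.test, corp.test) are sample data, not real observations.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed user-reported message (raw RFC 822 text).
REPORTED_MESSAGE = """\
From: payroll-update@example-phish.test
To: alice@corp.test
Subject: Action required: confirm your direct deposit
Message-ID: <phish-001@example-phish.test>

Please confirm your account at http://payroll.example-phish.test/login
or via https://cdn.example-phish.test/verify?u=alice
"""

# Constructed proxy log lines: client_ip hostname url status
PROXY_LOG = [
    "10.0.1.15 ws-alice http://payroll.example-phish.test/login 200",
    "10.0.1.22 ws-bob https://cdn.example-phish.test/verify?u=bob 200",
    "10.0.1.30 ws-carol https://intranet.corp.test/home 200",
]

# Constructed mail store: mailbox -> message IDs it currently holds.
MAILBOXES = {
    "alice@corp.test": ["<phish-001@example-phish.test>", "<ok-1@corp.test>"],
    "bob@corp.test": ["<phish-001@example-phish.test>"],
    "carol@corp.test": ["<ok-2@corp.test>"],
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(body):
    """Return the distinct URLs found in the message body, sorted for stable output."""
    return sorted(set(URL_RE.findall(body)))


def domains_of(urls):
    """Reduce URLs to the hostnames that a DNS blackhole would sink."""
    return sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})


def parse_report(raw_message):
    """Pull the sender, message ID and embedded URLs out of the reported mail."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    return {"sender": msg["From"], "message_id": msg["Message-ID"], "urls": extract_urls(body)}


def hosts_that_visited(domains, log_lines):
    """Search proxy logs for internal hosts that reached any blackholed domain."""
    hits = set()
    for line in log_lines:
        _client_ip, host, url, _status = line.split()
        if urlparse(url).hostname in domains:
            hits.add(host)
    return sorted(hits)


def purge_message(message_id, mailboxes):
    """Remove the message from every mailbox; return the mailboxes it was purged from."""
    purged = []
    for mailbox, ids in mailboxes.items():
        if message_id in ids:
            ids.remove(message_id)
            purged.append(mailbox)
    return sorted(purged)


def phishing_playbook(raw_message, proxy_log, mailboxes):
    """Run the full workflow and return a case summary for the analyst."""
    report = parse_report(raw_message)
    domains = domains_of(report["urls"])
    return {
        "purged_from": purge_message(report["message_id"], mailboxes),
        "blackholed_domains": domains,       # would be pushed to the DNS blackhole
        "hosts_to_scan": hosts_that_visited(domains, proxy_log),
        "blocked_sender": report["sender"],  # would be added to the mail gateway block list
    }


if __name__ == "__main__":
    mailboxes = {k: list(v) for k, v in MAILBOXES.items()}
    print(phishing_playbook(REPORTED_MESSAGE, PROXY_LOG, mailboxes))
```

The returned summary is exactly the kind of pre-assembled case the article describes: by the time a human looks at the ticket, the message is gone from inboxes, the domains are sunk, and the list of hosts that need a scan is already known.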
These three use cases are just starting points based on the types of automation that will benefit most organizations. As teams deploy SOAR technology, they should think about the pain points they encounter and identify the organization-specific use cases that will bring the most value to their teams.