Automation, Orchestration and Response – Evolution of Incident Management

The cybersecurity world is constantly growing. It never stands still, there is always some kind of threat, hack or vulnerability happening, making it nigh on impossible to keep track. Cybersecurity is like a high-stakes game where the bad guys get endless ‘lives’ during an attack and yet a single mistake from the good guys can cause a breach.

Nowadays, everybody uses SIEM (Security Information and Event Management) technology to consolidate alerts from their detection products into a single list of priority actions. Yet until recently there were no technologies designed to organise the responses to these alerts. These response activities are the most tedious work within a SOC and employ a wide range of products ranging from an antivirus to Firewalls, IDS/IPS, sandboxes, and forensic tools.

But the good news is that we now have SOAR.

SOAR (Security Orchestration, Automation and Response) solutions truly represent an effort to act as a consultant, guiding response activities across many products. Orchestration and automation vendors accomplish this by building connectors against each security product’s APIs. Take Phantom, now acquired by Splunk, for example. The SOAR vendor boasts third-party apps for “over 670+ APIs across more than 135 security technologies”.

SOAR takes control of six key functions in the Security Operations Centre (SOC) to help you work smarter, respond faster, and strengthen your defences:

  1. Automation: Automation enables you to work smarter by executing actions across your security infrastructure in seconds, versus hours or more if performed manually.
  2. Orchestration: A SOAR flexible app model supports hundreds of apps and thousands of APIs, enabling you to connect and coordinate complex workflows across your team and tools.
  3. Collaboration: SOAR helps you increase situational awareness and drive efficient communications across your team.
  4. Case Management: Events can be aggregated and escalated to Cases under SOAR making them easy to track.
  5. Event Management: With Event Management, you can rapidly triage events in an automated, semi-automated, or manual fashion.
  6. Dashboards and Reporting: Dashboards combine all the critical information needed to understand the current state of your security operations and Reports provide executive level and detailed technical reporting for any event or case.

Let’s take a look at some of these functions in more detail to see how they can streamline the SOC and deliver advanced security control.

 

Orchestration

Orchestration is the ability to coordinate informed decision making and formalise and automate responsive actions based on measurement of the risk posture and the state of an environment. It is the way that disparate security systems are connected to deliver greater visibility and enable responses to be automated. It coordinates the immense volumes of alert data into a manageable workflow.

 

Automation

Automation allows multiple tasks (commonly called “playbooks”) to execute numerous tasks on either partial or full elements of a security process. The security operations teams can build out relatively sophisticated processes with automation to improve accuracy and time to action. For example, a SIEM could check if an IP address has been seen or block an IP address on a firewall or intrusion detection and prevention system (IDPS), or a URL on a secure web gateway. It can then create a ticket in your ticketing system or connect to Windows Active Directory, and lock or reset the password for a user’s account.

 

Incident management and collaboration

Incident management and collaboration comprises several activities, i.e.

  • Alert processing and triage
  • Journaling and evidentiary support
  • Case management and workflow
  • Analytics and incident investigation support
  • Management of threat intelligence

SOAR tools are designed to facilitate all of the above activities, making threat identification, investigation, escalation and management quicker and more efficient.

 

Dashboards and reporting

SOAR tools are expected to generate reports and dashboards for at least three classes of persona: analyst, SOC director and chief information security officer (CISO). As well as providing security intelligence, these dashboards and reports can also be used to develop analyst skills within the SOC.

Rishi Bhargava, CEO of incident response platform provider Demisto, describes his company’s product as a collaboration platform for “enhanced learning among analysts.” The vision is to replicate what your most skilled practitioners do and walk junior analysts through these effective playbooks. Some even take it a step further than humans working together by incorporating machine learning into the mix. Bhargava adds that Demisto’s machine learning “enables analysts to escalate their knowledge levels.”

With the use of analytics, orchestration, and automation technologies as well as SOC services that perform much of the triaging of alerts before they reach the analyst’s screen, the Tier 1 analyst can become more of an actual analyst (Tier 2), “Instead of a looking after sea of alerts, they can spend time being thoughtful about things they are looking at and make better decisions and apply more context.”

 

The role of the people

Regardless of which automation system businesses choose, it is important to remember that automation is not some miracle solution where implementing it in the business guarantees full protection; human involvement remains paramount. So, automation should never be a replacement for your IT security teams but instead a complement to help make the workload easier. The two can then work in tandem to keep your business safe.

With an automated system in place, the IT security team can be left to manually ensure that everything is up to date with the latest drivers and patches. This saves a lot of precious time and energy for the team. Introducing automation also allows IT managers to customise the search criteria for the automated agents allowing for more accurate cybersecurity tailored for the specific needs of the business. Whether this is set to target the most recurring issues or to remediate specific issues brought in by new systems, it will allow IT teams to cover any holes automation has left behind.

Written by Vinaya Sheshadri, Principal Security Consultant at RiverSafe