SOAR or not to SOAR?
Security Orchestration, Automation and Response (SOAR) platforms allow organizations to collect data about security threats from multiple sources and automate the appropriate response to repetitive tasks. As an analyst you juggle and pivot several times a day between multiple tools and devices to evaluate a huge amount of information and deal with a flood of repetitive tasks such as alerts, tickets, email, threat intelligence data, etc. The end goal is to centralize everything in one location and improve analysis using captured, institutionalized knowledge.
If you are already using a SOAR tool, what were the main reasons to buy it, and did it improve your ability to standardize response procedures in a digital workflow format and standardize best practices?
If you are not using SOAR but are considering implementing it, what are the main qualities you are looking for in such a tool?
-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
Comments
This makes everyone, not just the system, better prepared for an incident.
When you work across multiple customers you will be able to deploy common scenarios, detections and playbooks. So there are definitely benefits of scale. But the real gold is probably when you go “personal” - define, detect and respond to scenarios in an appropriate manner for each customer.
Anonymous
Feb 16th 2020
Anonymous
Feb 16th 2020
One of the valuable components we've seen is that we can automate responses using scripts and do it from inside the ticket. There's no question of what the analyst did and how they did it because it's documented. And if there were errors in the script, we should see that. It greatly simplifies IOC blocks because as long as there are proper integrations for all of your tools (sometimes they haven't been built yet), you can run a script for BlockIP ip=1.2.3.4 and have that script block in every security appliance in your environment. You can also use their playbooks to lead new analysts along the correct path of analysis/response. For some specific incident types, you may be able to auto-respond, which reduces the amount of analyst work involved. But these scenarios need to be heavily tested out.
Can you script? Then you can build it. The flexibility is nice as long as you understand there will be some amount of maintenance for your custom scripts. In 5 years I bet most of the use cases will be fleshed out, but for now if they don't have it out of the box you can write it yourself and that's truly powerful.
With SOAR being immature there are definitely pain points worth pointing out. I can't tell you how many SOAR vendors I spoke with that tried to sell me on how integrations make everything wonderful. For Threat Intelligence, every vendor has their own purpose-built UI for their data. Your SOAR doesn't have that. The way the SOAR displays the data is lowest common denominator and it's fairly feature-poor for analysis. And in my experience you can't do a lot of UI customization to show the extra data you care about. I would love to have a link to my threat intel provider's platform for that IOC so if I need to dig in it's just one click away, but I haven't seen anyone do that yet and my vendor hasn't taken my advice. Also, as a ticketing system the SOARs we've looked at are pretty immature or painful to use. I have heard of more than one shop using JIRA for ticketing and their SOAR for response.
After using a SOAR for a year and a half, my overall feeling is that at present they take a lot of work and they're still immature. But this is definitely where we're going in the future. You should be asking whether you have the manpower to make it work for you now or if you'd rather wait until the water is warmer in a few years.
Anonymous
Feb 19th 2020
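The commenter above describes running a single BlockIP action from inside the ticket and having it enforced on every integrated appliance, with the result documented; the diary body describes the same idea of centralizing response knowledge in one place. The following Python sketch is an added example, not code from the diary or from any commenter's SOAR, of what that action looks like when written with the safeguards a practitioner would want: the target is validated before anything is touched (no automated block of private, loopback or allowlisted ranges), the action fans out over a list of connectors, a missing or failing integration is recorded as a failure rather than silently skipped, and every step is appended to the ticket. All connector classes, tool names, the allowlist and the sample IPs are constructed stand-ins and do not correspond to any vendor's API.

```python
"""Skeleton of a SOAR-style "BlockIP" action: one command fanned out to
every integration that can enforce it, with each outcome written back
to the ticket. The connectors below are constructed stand-ins, not any
vendor's API (assumption: real connectors expose a comparable block()).
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Protocol


@dataclass
class ActionResult:
    integration: str
    ok: bool
    detail: str


class Blocker(Protocol):
    """Shape every connector is assumed to expose (hypothetical interface)."""
    name: str

    def block(self, ip: str) -> str: ...


class Firewall:
    """Constructed stand-in for a perimeter firewall connector."""
    name = "edge-firewall"

    def __init__(self) -> None:
        self.denylist: set = set()

    def block(self, ip: str) -> str:
        if ip in self.denylist:
            return "already blocked"  # idempotent: re-running the playbook is safe
        self.denylist.add(ip)
        return "deny rule added"


class Edr:
    """Constructed stand-in for an EDR connector that blocks at the host."""
    name = "edr"

    def __init__(self) -> None:
        self.indicators: list = []

    def block(self, ip: str) -> str:
        self.indicators.append({"type": "ipv4", "value": ip, "action": "block"})
        return "indicator pushed"


class Proxy:
    """Constructed stand-in for a tool whose block integration is not built yet."""
    name = "web-proxy"

    def block(self, ip: str) -> str:
        raise NotImplementedError("no block capability in this integration")


def validate_target(ip_str: str, allowlist: List[str]) -> str:
    """Refuse targets that an automated block should never touch."""
    try:
        ip = ipaddress.ip_address(ip_str.strip())
    except ValueError:
        raise ValueError(f"not an IP address: {ip_str!r}")
    for net in allowlist:  # own infrastructure first, so the reason is explicit
        if ip in ipaddress.ip_network(net):
            raise ValueError(f"{ip} is in allowlist {net}; refusing to block")
    if not ip.is_global:  # private, loopback, link-local, reserved ranges
        raise ValueError(f"{ip} is not a global address; refusing to block")
    return str(ip)


def block_ip(ip_str: str, integrations: List[Blocker], allowlist: List[str],
             ticket: List[dict]) -> List[ActionResult]:
    """Run BlockIP across every integration; log each outcome to the ticket."""
    ip = validate_target(ip_str, allowlist)
    results: List[ActionResult] = []
    for tool in integrations:
        try:
            detail = tool.block(ip)
            ok = True
        except Exception as exc:  # a failed or missing integration must stay visible
            detail = f"FAILED: {exc}"
            ok = False
        results.append(ActionResult(tool.name, ok, detail))
        ticket.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "action": "BlockIP", "target": ip,
            "integration": tool.name, "ok": ok, "detail": detail,
        })
    return results


if __name__ == "__main__":
    ticket: List[dict] = []
    fw, edr = Firewall(), Edr()
    # "1.2.3.4" and the allowlist range are constructed sample values.
    for r in block_ip("1.2.3.4", [fw, edr, Proxy()], ["203.0.113.0/24"], ticket):
        print(r)
```

The validation step is deliberately strict: the comment above notes that auto-response scenarios "need to be heavily tested out", and the cheapest failure to prevent is the playbook firewalling your own infrastructure or a loopback address because an IOC feed contained it. The per-integration try/except is what keeps the "not built yet" integrations honest: the ticket shows the proxy was not blocked instead of the analyst assuming it was.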
answer is SOAR )
Anonymous
Feb 24th 2020
Anonymous
Mar 1st 2020
Anonymous
Mar 2nd 2020