The great thing about SOAR is that, if deployed correctly, it gives your organization the platform required to implement an intelligence-driven security strategy.
You can think of SOAR and how it’s been defined and implemented (so far) as operating very much like an enabler, or a hub for decision making. It provides a centralized location that accepts numerous inputs which drive specific outputs. If you do not have a system that uses existing internal and external intelligence on threats and your operations as it orchestrates as part of all of its processes, you have an automation machine which can support various “if this, then that” type scenarios, but it’s not necessarily improving efficiencies or efficacy after those experienced after it initial implementation. With the addition of an engine that interprets and creates intelligence, the SOAR platform becomes smarter which makes the organization faster and stronger.
Intelligence Empowers Smarter Operations: Start a Feedback Loop between Intel & Ops
Intelligence does not exist for its own sake, intelligence, including threat intelligence, specifically exists to inform decisions for security operations, tactics, and strategy. This relationship is not a one-way street. Intelligence and operations as functions of the security team should be cyclical and symbiotic. Intelligence informs decisions for operations resulting in actions being taken based on those decisions. Those actions (such as cleanups, further investigations, or other mitigations) will beget data and information in the form of artifacts such as lists of targeted or affected assets, identified malware, network-based IOC’s, newly observed attack patterns, etc. These artifacts can be refined into intelligence that can thus inform decisions for future operations.
While some organizations do not have a formally defined intelligence function on their team, the concept of using what you know about the threat-space to inform your operations exists in all organizations. Regardless of whether an explicitly named threat intelligence analyst employee is on staff, the relationship between intelligence and operations is fundamental and present in all security teams. Threat intelligence may be the catalyst for taking an action or starting a process and informing how the process and decision making are done throughout. As threat intelligence drives your orchestrated actions, the result of those actions can be used to create or enhance existing threat intelligence. Thus, a feedback loop is created — threat intelligence drives orchestration, orchestration enhances threat intelligence.
But, implementing an intelligence-driven defense isn’t without its challenges. Fragmentation of information, people, processes, and technologies is a significant hurdle. Our objective has always been to help security teams get the most value out of that intelligence by enabling cross-team coordination and workflows. While the industry analysts are still defining the architectural concept of SOAR, we see a need for a platform to bring it altogether to automate, orchestrate, and break down fragmentation for seamless coordination. A centralized platform that enables the refinement of relevant data from cases, response engagements, threat investigations, shared communities, and external vendors into intelligence suitable for decision making by any analyst, and also leverage that newly created intelligence to inform decisions across the security team.
To that end, we have created a checklist for a complete SOAR platform. Look for a solution that provides the following:
Management and Sharing of Intelligence
- The ability to heavily leverage a REST API and represent data in a way that can be shared among multiple teams and tools
- Relationships with Information Sharing and Analysis Centers (ISACs) to aid in collaboration with your respective industry.
- Secure flexibility around who can see what information, for example using the TLP protocol
- STIX/TAXII support
- Integrations with multiple OSINT and paid intelligence providers
- Role-based access control
- Team-based notifications and tasking
- Commenting and markdown support
- Escalation management
- Integrations with communication tools like Slack
Document & Artifact Storage
- Document indexing, for example using ElasticSearch
- Extensible storage to meet growing needs
- The ability to link documents and artifacts to relevant intelligence or other information
Investigative Case Management
Cybersecurity investigations are complex with huge amounts of digital evidence. Look for features that reduce complexity, foster collaboration, and speed up investigatory timelines. Specific capabilities a SOAR solution should include are:
- Reconstructed timelines of actions taken and decisions made to provide up-to-date progress reports and to support post-incident reviews
- Ability to assign tasks to specific team members or groups of users to allow collaboration and management
- Ensure consistency and repeatability of investigations through the use of customizable workflow templates
- Reduction in false positives and dwell time by integrating threat intelligence directly in case reports
- Quickly link cases and investigations to historical or other ongoing cases
Automated Phishing Handling
Eliminate the burden of manually analyzing and remediating the growing volume of phishing emails with feature capabilities that support the following:
- The automated collection of potentially malicious emails from end users
- Automated analysis of email with available threat intelligence
- Integrations with an email system, sandbox, and ticketing system to provide a process for finding all emails with suspicious links or attachments to enable quarantining any email that was sent to other users while waiting for decision of deleting or allowing access
Leverage the feedback loop to enable faster, more accurate actions as you anticipate and thwart a threat actor’s next move. Focus on solutions that:
- Reduce false positives and determine level of risk and prioritization based on historical data
- Help you derive meaningful threat intelligence from operational data
Robust Integration Capabilities
Scale integrations across security tools and processes with solutions that offer:
- Flexible playbooks to support integration workflows
- REST API to allow flexibility in integration development
- Mature, bi-directional SIEM integrations to help reduce false positives
- Playbook apps can be built without the need for custom development or code
Automation and Orchestration
- No limits on executions
- Ability to prioritize mission-critical playbooks
- Additional servers can be rolled out to meet demand for resiliency and performance
- Performance can be easily monitored from a central location
Collective Analytics Layer
- “Ground truth” telemetry from other analysts around the globe is provided anonymously and automatically
There’s no such thing as a one-size-fits-all dashboard, so ensure that the solution allows you to:
- Create multiple, custom dashboards tailored to different teams
- Query the data using a variety of parameters to ensure the right information is bubbled up
- Use your own, custom metrics to measure the key performance indicators you care about
- Flexible data model that supports bespoke indicators
- Admins can create their own attributes to ensure the data they care about is properly modelled and memorialized
- Associations can be formed between different objects, for example between threat actors and their capabilities
For more information on SOAR Platforms, see our e-book, SOAR Platforms: Everything you need to know about Security Orchestration, Automation, and Response, here.