SAO, TIP, SIRP: Better Together
When industry analyst firm Gartner, Inc. coined the term SOAR (Security Orchestration, Automation, and Response), it was because they recognized the benefits innately achieved when the capabilities of three previously very separate platforms are fused together: security orchestration and automation (SOA), security incident response (SIR) and threat intelligence platform (TIP) capabilities.
This is more than simply smashing automation, threat intelligence, and case management into a single security tool (although some solutions may try this by bolting on solutions via integrations that don’t address the full use cases). The capabilities brought forth from each of these three solutions are more than an individual feature. Combining them introduces the ability to truly blend your security processes, teams, and tools together on a foundation of relevant data to ensure all parties involved are getting the most benefits possible from one another.
With SOAR, there is a Job (or 4) to do
When you pull apart SOAR and look at the benefits of the individual platforms that comprise it, you start to see a trend emerge. All three classes of software are focusing on providing the same four benefits (which ThreatConnect has spoken of before) to their users in some form or fashion:
- Build a single source of truth
- Increase accuracy and efficiency
- Improve collaboration of team and technology
- Strengthen business-security goal alignment
To truly understand the benefits of a Security Orchestration, Automation and Response platform, it helps to first come to appreciate the value each provides individually. This appreciation allows you to clearly see how a more centralized platform weaves together your entire security team, tools, processes, and relevant data.
Let’s take a closer look at each of these benefits and outline how each individual platform helps provide them to users. As we move along, please keep this thought in the back of your head: a true SOAR solution will do all of these things for a team. It’s not picking and choosing, or thinking that one isn’t serving a purpose on its own, it’s the combination of all three that are providing users with a truly comprehensive security platform that’s going to change the way security works, meets the goals and objectives of reducing risk, and keeps the organization secure.
Build a Single Source of Truth
If we really wanted to oversimplify this, we’d say these platforms provide you the following: TIPs provide a single source of truth for threat intelligence, SAO for automated processes and decision points, and SIRP for incident or case related workflows and information. Across the board, this means much more than just a single spot to put ‘stuff’. What this means is that you have a dedicated place where you can go to access information, threat intelligence, processes, workflows, case data, etc., and have it provided to you in a format that’s consistent, predictable, and actionable.
There’s power in knowing that whenever you go looking for something, it’ll be there. Having all of your threat intelligence, response plans, and processes in one place, though, gives the entire team a common reference point that enables collaboration, ensures consistency, and reduces the impact of turnover (and more!).
Increase Accuracy and Efficiency
When discussing threat intelligence, this includes both external sources of that intel, as well as internal. External sources would include items like premium, paid feeds from vendors in the space or OSINT (open-source intelligence) from publicly available sources. Adding threat intelligence management and analysis capabilities into the mix ensures that both human and machine actions are driven by the highest fidelity data, reducing waste, and increasing focus on the most relevant threats. The additional management and analysis capabilities are critical here. According to Gartner, Inc., “Threat intelligence is often included as a standard feature of security products. In this case, “standard feature” may mean any one of the following:
- The product leverages threat intelligence provided by the vendor automatically.
- The product can import threat intelligence from third-party sources.
- The product supports some combination of both capabilities
Unfortunately, such security products usually provide very little information given about the TI and how to use it effectively. In the worst-case scenario, this lack of guidance leads to more alert noise and false positives.”
This is where the value of having TIP functionality as a piece of SOAR shines. Providing context to indicators and using them to tell an ever-evolving story about a specific threat is what allows for the increased accuracy and understanding relevancy of a threat to your organization. There’s a couple ways to do this. An example is giving users the ability to apply tactics and techniques found in the MITRE ATT&CK Framework to threat activity, capabilities, or tools so they have a clear way to categorize threat data and understand potential detection and mitigation strategies. They can also use this classification method to group threats and identify patterns that may exist in adversary behavior.
With efficiency, you take those items that are enabling an increase in accuracy, and add automation and orchestration to them. Now, you have context from the threat intelligence and speed and scale from the automaton and orchestration on your side.
When you automate mundane tasks, your team members can spend time on items that require the cognitive processing that a human mind can provide. A lot of those mundane tasks are what’s causing job dissatisfaction for security staff and leading to burnout.
Although sometimes marketed as such, automation and orchestration capabilities alone don’t make for a SOAR platform. Gartner, Inc. states that outright in their SOAR Market Guide Report, “Orchestration and automation are starting to be localized in point security technologies, usually in the form of predefined, automated workflows. This is not the same as a full-featured SOAR solution.”
Let’s move into the response aspect of things. Increasing accuracy and efficiency during incident response results in a reduced time to respond, contain, and remediate. This is huge for organizations of all sizes, and is oftentimes a driver for the purchase of an incident response platform. As far as the criteria individuals have for what an incident response platform is, or SIRP as it’s called in the SOAR recipe, it seems to vary. For some, it’s a ticketing system, for others, it’s a case management system that allows for incident management. It really depends on what the objectives of the user are. No matter what the traditional tool you’ve had in place is, when combined with the analysis power of a TIP and the automation engine provided by SAO, you’re now able to increase accuracy and efficiency by (trackable and reportable) leaps and bounds.
Improve Collaboration of Team and Technology
This is one of the quickest-realized benefits of bringing your previously disparate security platforms under one roof.
The continuous sharing of information across your team and technology allows for all parties involved to be provided with the information they need to do their jobs better. Working out of a central location keeps everyone informed and up to date on what needs to be done. Multiple ways of supporting integrations lets your team work collaboratively with the tools they’re currently using while allowing for change without major disruption.
One barrier to collaboration is silos caused by different teams working in different tools. SOAR platforms help teams surmount this barrier by giving everyone a common framework to work in. When examining something like an incident, SOAR gives everyone the same view and the same language, so analysts can ask and respond to questions that might otherwise be memorialized in multiple pieces of software.
Having a common language also makes it easier for your tools to collaborate. Rather than needing to create custom integration points for multiple systems, everything can be done with the SOAR as a common reference point. This means that things like data mappings only need to be done once for each tool, rather than needing to create custom mappings for every tool.
Strengthen Business-Security Goal Alignment
This is a big one, and can prove to be a real challenge. Aligning your team to a common, shared vision that maps back to business priorities helps ensure that security is defending against the right threats and helps demonstrate the value of security to the rest of the business. While the specifics vary organization to organization, aligning the security goals to the goals of the business at the top is typically reducing risk to the organization to an agreed upon level as efficiently as possible. SOARs can help do the job of aligning the security team to organizational goals by helping measure external risks with threat intelligence and exposure to the capabilities of relevant threats, as well as measuring the efficacy and efficiency of both the team and your technology over time. This is accomplished through things like defined intelligence requirements, metrics that matter to you, demonstrable ROI, and dashboards that drive action.
If we go back to the idea of pulling apart the components of SOAR and looking at them individually, each piece provides users the opportunity to leverage the data held in each to drive towards strengthening the alignment between the business team and the security team.
Gartner, Inc. recommends the following on how to use threat intelligence tactically vs. strategically:
- Collect TI requirements based on the threats faced and technology use cases. Tactical use cases deliver TI to your security controls, while strategic use cases leverage TI to educate and inform stakeholders.
- Curate threat intelligence before delivering it to stakeholders and security controls, by applying scores, expirations and enrichments.
- Deliver tactical threat intelligence to your existing security controls by using API- or TAXII-based integrations. Deliver strategic threat intelligence to stakeholders within your organization by creating regular reporting.
- Assess the effectiveness of the threat intelligence by tracking metrics and describing the impact of TI. Use information about a threat in combination with observables attributed to that threat to demonstrate losses prevented.
Realizing the SOAR Vision with ThreatConnect
With our TIP heritage in mind, there are big opportunities to take the work that you’re doing with threat intelligence management, analysis, and application, and use that to drive conversations and reports that map to desired business outcomes. Our customer success team has worked closely over the years with our customers on initiatives to ensure that departments are aligned and the business side of the house understands the value of threat intelligence when properly applied. The big revelation a lot of people have is that it might not differ all that much from what you’re currently doing on the tactical side when it comes to applying threat intelligence to your processes to gain insight and drive decisions.
Until our recent release, ThreatConnect 6.0, we were lighter on SIRP capabilities in the ThreatConnect Platform. When mapping out our approach on how we’d strengthen those capabilities in ThreatConnect for incident responders, we made sure we really understood the goals of users so as to not miss the mark. ThreatConnect 6.0 introduced a new capability called Workflow to the ThreatConnect Platform. Before our product team began designing the feature, they completed extensive surveys and interviews on what sorts of objectives are top of mind for users. At the conclusion of that exercise, they walked away with the following documented ways that this feature should help security teams:
Reduce the time it takes to…
- collect artifacts from endpoints, network traffic, and event logs
- identify whether critical systems were affected
- assess impact (what was affected) and scope (how badly?)
- uncover relevant threat intelligence
- correlate cases to historic data and patterns
Reduce the number of…
- false positives and wild goose chases
Reduce the risk of…
- missing critical steps and relevant artifacts
Maximize the amount of…
- threat intelligence obtained from day-to-day operations
When the objectives are laid out like this together, you start to see the importance of the overlap in platforms and how connecting capabilities of TIP, SAO, and SIRP enable a faster and smarter security team. Users wanted more than a ticketing system or a typical case management solution. They want interconnected security processes that enable a seamless flow of information from one team or team member to the next – a continuous feedback loop for all team members.
This is how ThreatConnect views Security Orchestration, Automation, and Response. Note, though, that even for those organizations using the features found in the ThreatConnect Platform in a TIP capacity, understanding the relationship that exists between intelligence and operations (which includes response) helps cement the importance of having a constant feedback loop present to pass information to and from each other to achieve the four benefits discussed in this article.
Over the past year and a half it’s been interesting to see this market mature and progress. Vendors in the space are each approaching SOAR from a little bit of a different lens depending on whether they have a heritage in the SIRP, TIP, or SAO space. Stay tuned to see what’s next for ThreatConnect – we have exciting things planned.