SOAR Use Case: Automating Threat Hunting in AWS CloudTrail Logs
While insider threats may not be as common as other attacks like phishing or malware, depending on the access an insider holds they can be extremely damaging. And while a traditional SOAR can automate aspects of the incident response process for responding to and containing an insider threat, it is typically heavily dependent on third-party tools or manual investigations by security analysts to detect the insider threat in the first place. This leads to slow detection and response times and additional operating overhead for security operations teams.
Devo SOAR can use machine learning to baseline behavior associated with user, host and network activities, enabling you to create playbooks that automatically hunt for abnormal actions indicating a potential insider threat. For example, a server hosting critical financial data may have a finite number of regular users, so Devo SOAR will identify any new user and check a baseline to see whether other members of their OU have commonly accessed that data. Even if the user has valid permissions, additional investigations can be performed automatically to check for activities tied to insider threats or potentially compromised accounts. This includes investigating where they have sent outbound emails, whether they have downloaded unusually large amounts of data, or whether they have performed other suspicious activity such as creating new admin accounts. When a possible insider threat is detected, the user account in question can be disabled automatically or with one-click authorization, and the appropriate personnel can be notified to take further action.
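The playbook logic above, reduced to its detection core, as an added example; this is not Devo SOAR code and makes no claim about how its baselining is implemented. It builds a baseline of which users access which S3 bucket from CloudTrail-style events (the `eventName`, `userIdentity.userName`, `requestParameters.bucketName` and `additionalEventData.bytesTransferredOut` fields follow CloudTrail's shape; the events themselves are constructed), flags a user who is new to a bucket, checks whether OU peers already have a history with it, totals downloaded bytes, notes IAM privilege-creation calls, and turns the findings into a per-user recommended action. The OU directory, the admin-event list and the download threshold are assumptions a real playbook would take from its own data sources.

```python
from collections import defaultdict

# IAM actions treated here as privilege creation (assumed list, not a product setting)
ADMIN_EVENTS = {"CreateUser", "AttachUserPolicy", "CreateAccessKey", "AddUserToGroup"}

# Assumed user -> OU mapping; a real playbook would pull this from the directory
DIRECTORY = {"alice": "finance", "bob": "finance", "dave": "finance", "carol": "engineering"}


def _user(event):
    return event["userIdentity"]["userName"]


def _bucket(event):
    return (event.get("requestParameters") or {}).get("bucketName")


def build_baseline(events):
    """Map each bucket to the set of users seen accessing it in the baseline window."""
    baseline = defaultdict(set)
    for e in events:
        bucket = _bucket(e)
        if bucket:
            baseline[bucket].add(_user(e))
    return baseline


def hunt(events, baseline, directory, large_download_bytes=500 * 1024 * 1024):
    """Run the hunt over a batch of new events and return a list of findings."""
    findings, seen, bytes_out = [], set(), defaultdict(int)
    for e in events:
        user, bucket, name = _user(e), _bucket(e), e["eventName"]
        # New user on a resource: report once per (user, bucket), with peer precedent
        if bucket and user not in baseline.get(bucket, set()) and (user, bucket) not in seen:
            seen.add((user, bucket))
            ou = directory.get(user)
            peers = {u for u, o in directory.items() if o == ou and u != user}
            findings.append({
                "user": user, "type": "new_user_on_resource", "resource": bucket,
                "peers_with_history": sorted(peers & baseline.get(bucket, set())),
            })
        # Accumulate outbound bytes from S3 data events for the volume check
        if name == "GetObject":
            extra = e.get("additionalEventData") or {}
            bytes_out[user] += int(extra.get("bytesTransferredOut", 0))
        # Privilege creation is reported regardless of resource history
        if name in ADMIN_EVENTS:
            findings.append({"user": user, "type": "privilege_creation", "event": name})
    for user, total in bytes_out.items():
        if total >= large_download_bytes:
            findings.append({"user": user, "type": "large_download", "bytes": total})
    return findings


def triage(findings):
    """Collapse findings into per-user signals; two or more signals recommend containment."""
    signals = defaultdict(set)
    for f in findings:
        if f["type"] == "new_user_on_resource":
            signals[f["user"]].add("new_access")
            if not f["peers_with_history"]:
                signals[f["user"]].add("no_peer_precedent")
        else:
            signals[f["user"]].add(f["type"])
    return {u: ("disable_and_notify" if len(s) >= 2 else "review") for u, s in signals.items()}


def _ev(user, name, bucket=None, bytes_out=None):
    """Build a constructed CloudTrail-shaped event for the sample data below."""
    e = {"eventName": name, "userIdentity": {"userName": user}}
    if bucket:
        e["requestParameters"] = {"bucketName": bucket}
    if bytes_out is not None:
        e["additionalEventData"] = {"bytesTransferredOut": bytes_out}
    return e


# Constructed baseline window: only alice and bob normally touch the finance bucket
BASELINE_EVENTS = [
    _ev("alice", "GetObject", "finance-reports", 20_000),
    _ev("bob", "ListObjects", "finance-reports"),
    _ev("alice", "GetObject", "finance-reports", 5_000),
]

# Constructed hunt window: dave is new but has OU peers with history; carol has none,
# pulls 600 MiB and then creates an IAM user
HUNT_EVENTS = [
    _ev("alice", "GetObject", "finance-reports", 10_000),
    _ev("dave", "GetObject", "finance-reports", 15_000),
    _ev("carol", "GetObject", "finance-reports", 400 * 1024 * 1024),
    _ev("carol", "GetObject", "finance-reports", 200 * 1024 * 1024),
    _ev("carol", "CreateUser"),
]

if __name__ == "__main__":
    found = hunt(HUNT_EVENTS, build_baseline(BASELINE_EVENTS), DIRECTORY)
    for f in found:
        print(f)
    print(triage(found))
```

Running it reports dave's access as "review" (his finance peers already use the bucket) and recommends "disable_and_notify" for carol, whose access has no peer precedent and coincides with a large download and a CreateUser call. The disable step itself is deliberately left to the orchestration layer, which is where one-click authorization and notification belong.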