How to automate security with SOAR
Cyber threats are increasing daily, making it exhausting for blue teams to keep up with attackers. Managing classic attack techniques and the zero days unleashed by attackers is an endless struggle. This problem led to the development of Security Orchestration, Automation, and Response (SOAR) solutions that automate and streamline tedious and repetitive tasks of the incident management life cycle. SOAR empowers security teams to respond quickly and resolve security alerts by integrating all responsive security tools like EDR and firewalls with the help of a predefined workflow.
Value of SOAR for An Organization
As cyber-attacks become more sophisticated, criminals can easily breach traditional security solutions like firewalls and antivirus. In the era of zero-day attacks, detection and response capabilities strengthen an organization’s security. The two most significant advantages of SOAR are:
- Within-minute response capabilities increase the speed and ease of transition from detection to the remediation phase of the Incident Management Life Cycle.
- Multiple security controls on a single dashboard allow one team to manage multiple resources and reduce operational security costs.
Summary of SOAR concepts
An effective SOAR solution has the following three capabilities, also known as the three pillars of SOAR.
Three Pillars of SOAR

| Pillar | Capability |
|---|---|
| Orchestration | Ability to integrate with a wide range of security tools and systems |
| Automation | Capability to automate repetitive and time-consuming security tasks |
| Response | Capability to streamline incident response processes, reduce manual effort, and minimize response time |
This article discusses the three pillars of SOAR in detail along with best practices that should be incorporated when implementing SOAR.
Orchestration
Orchestration is the automated coordination of interdependent security actions like investigation and response across complex infrastructure. It refers to the connection and integration of numerous internal and external security tools, such as:
- Firewalls
- Endpoint Detection and Response (EDR)
- Vulnerability scanners
- Active Directory (AD)
- Security Information and Event Management (SIEM) platforms
- External threat intelligence feeds
- Built-in or customized applications
- Application programming interfaces (APIs).
Benefits of orchestration
Orchestration plays an important role in the road map of a Next-Generation Security Operation Center. Benefits include:
- Reduces false positives by receiving more refined events from crucial controls like EDR.
- Increases analyst efficiency by surfacing only the relevant information from the noise of SIEM logs.
- Improves log quality by augmenting logs with additional threat intelligence data.
- Integrates with response controls like firewalls to improve mean time to respond (MTTR).
- Paves the way towards standardized investigation through predefined workflows and Key Risk Indicator (KRI) mapping.
Orchestration example
Suppose that a security analyst receives an alert indicating that a server has been compromised. The analyst initiates a SOAR playbook to investigate and remediate the issue. The playbook starts by automatically querying the endpoint detection and response (EDR) system to gather more information about the event. Based on the results of the EDR query, the playbook automatically takes action by:
- Isolating the compromised server from the network
- Triggering a malware scan
- Notifying appropriate personnel
The playbook also creates a ticket in your incident response system to track the investigation and remediation. Once the issue is resolved, the playbook automatically removes the server from isolation and closes the incident ticket.
Automation
Automation lies at the heart of a SOAR solution. After you collect and ingest alerts through orchestration, the next step is to analyze data and automate repeating actions in existing manual processes. You can standardize and automatically execute tasks previously performed by analysts, such as:
- Reputation checks of IPs on a threat intelligence platform
- Historical event checks on artifacts
- Email notifications
To achieve maximum automation, you must create workflows for every alert category.
Benefits and challenges of automation
Automation improves the overall efficiency of your Security Operations Center (SOC). However, incorrectly configured automation brings additional risks of its own: a workflow triggered by a false positive alarm can adversely affect the business of the organization. For example, an automated workflow isolates the production server of a web application from the network because of a ransomware false positive. This causes unnecessary service disruption because the production environment goes offline.
Automation example
Consider an organization experiencing a brute force attack in which an attacker tries to guess the password of a crucial business user or application. With SOAR, the crucial investigation steps can be automated, reducing the mean time to investigate (MTTI) the incident.
- The SIEM generates an alarm based on the implemented rule and pushes it to SOAR.
- The category of the alarm determines which workflow is triggered.
- If the source that triggered the alarm is a public IP, a reputation check is performed on a threat intelligence (TI) portal such as VirusTotal through an automated API call, and the result is mapped to the case.
- If the triggering IP is private, the type of the targeted user is checked through an automated API call to Active Directory, and the result is mapped to the case.
The activities listed above (highlighted in red in the flow diagram) take an experienced analyst at least 15 minutes when performed manually. When automated, the analyst can make a decision within a minute because SOAR has already mapped the data to the case.
Response
Once an incident has been identified and investigated in the orchestration and automation phases, the next step is to respond quickly to the incident to mitigate its effects. Classical cybersecurity response focuses on the detection of attack indicators. For instance, the SOC team traditionally responded to a malicious scanning attempt by asking the firewall administrator to block the source, who then took action through a separate firewall console. Multiple response parties and tools increased the Mean Time to Respond (MTTR), an essential KPI of the SOC.
Benefits of response
SOAR aims to optimize MTTR by integrating security response tools like firewalls, Active Directory, and EDR through APIs. Security analysts can pass the incident request directly from the SOAR console and immediately take action through the responsive control. Response in SOAR improves the MTTR of the SOC and mitigates the incident's effects quickly after detection.
Response example
Continuing the brute force workflow example above, the crucial response activities of the incident response cycle can also be automated, reducing the mean time to respond (MTTR) to the incident.
- If the investigation phase identifies the brute force alarm as a true positive, the responsive actions are executed by running the relevant playbooks.
- For a public attacking IP, an API call to the firewall is generated to block the IP.
- For a private IP, a call to AD is executed to disable the targeted user, followed by isolation of the host from the network and initiation of a scan.
If the response activities listed above (highlighted in green in the flow diagram) are performed manually, the response can take days: the analyst has to send an email request to the firewall administrator to blacklist the IP, and if it is midnight and the firewall administrator is not available, the MTTR keeps increasing.
Likewise, if host isolation is performed manually by physically accessing each machine and unplugging its Ethernet cable, the response can be delayed by weeks when endpoints are in remote locations or ransomware has impacted hundreds of systems in a short span.
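The brute force workflow from the automation and response examples above, written out as a playbook in Python. This is an added illustration, not code from the article or from any SOAR product: the TI reputation scores, AD user types, production host list, the 70-point block threshold and the RFC 1918 ranges used to tell private from public sources are all constructed assumptions, and the connector calls are recorded as action strings rather than sent to real APIs. It also adds the guard the "Benefits and challenges of automation" section argues for: isolating a production host requires analyst sign-off instead of running automatically.

```python
import ipaddress
from dataclasses import dataclass, field
# Constructed stand-ins for the TI portal and Active Directory connectors (assumptions).
TI_REPUTATION = {"203.0.113.7": 92}   # malicious score 0-100 returned by the TI lookup
AD_USERS = {"svc_billing": "service", "alice": "standard", "admin1": "privileged"}
PRODUCTION_HOSTS = {"web-prod-01"}    # isolating these hosts needs analyst sign-off
TI_BLOCK_THRESHOLD = 70               # assumed score at or above which a public IP is blocked
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Case:
    src_ip: str
    user: str
    host: str
    enrichment: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)

def enrich(case: Case) -> Case:  # automation phase: map TI or AD data onto the case
    if any(ipaddress.ip_address(case.src_ip) in net for net in INTERNAL_NETS):
        case.enrichment["source"] = "private"
        case.enrichment["user_type"] = AD_USERS.get(case.user, "unknown")
    else:
        case.enrichment["source"] = "public"
        case.enrichment["ti_score"] = TI_REPUTATION.get(case.src_ip, 0)
    return case

def decide(case: Case) -> str:
    # Public sources are judged on reputation; unclear private cases go to a human.
    if case.enrichment["source"] == "public":
        return "true_positive" if case.enrichment["ti_score"] >= TI_BLOCK_THRESHOLD else "false_positive"
    return "true_positive" if case.enrichment["user_type"] in ("privileged", "service") else "analyst_review"

def respond(case: Case) -> Case:  # response phase: queue firewall, AD and EDR API calls
    verdict = decide(case)
    if verdict != "true_positive":
        case.actions.append(f"ticket.update {verdict}")
        return case
    if case.enrichment["source"] == "public":
        case.actions.append(f"firewall.block_ip {case.src_ip}")
    else:
        case.actions.append(f"ad.disable_user {case.user}")
        if case.host in PRODUCTION_HOSTS:   # guard against the false-positive outage risk
            case.actions.append(f"approval.request isolate {case.host}")
        else:
            case.actions += [f"edr.isolate_host {case.host}", f"edr.scan_host {case.host}"]
    case.actions.append("ticket.update true_positive")
    return case

def run_playbook(src_ip: str, user: str, host: str) -> Case:
    return respond(enrich(Case(src_ip, user, host)))
```

The `actions` list on the returned case is the audit trail a SOAR console would show for the incident ticket; in a real deployment each string would be an API call to the corresponding control.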
Best Practices of Implementing SOAR
SOAR, without any doubt, is an essential pillar in the development of Next-Generation SOC. However, its implementation can be challenging. You should ensure the following prerequisites to achieve a real return on investment.
- Optimize ingestion of SIEM logs and noisy logs on the asset side by using routing rules or other log clipping features of SIEM.
- Configure rules and alarms only after proper testing and use case simulation to minimize false positives.
- Develop and maintain a use case framework for change management of rules and alarms.
- Define and map Key Risk Indicators (KRIs) against the use case framework to define the severity of triggered alarms.
- Map workflows and response guides with the KRIs for the timely auto-execution of relevant response actions.
Conclusion
The proper implementation of a SOAR solution can make the dream of a Next-Gen SOC a reality. Orchestration and automation improve your MTTR and make your analysts’ work easier. Automation and response capabilities also move you towards standardization and a process-oriented culture. A SOAR solution can bolster your detection and response capabilities and improve the overall CMMI level of your SOC.