On paper, the idea of SOAR (Security Orchestration, Automation and Response) sounds great. We read all the time about the challenges faced by Security Operations Centers (SOCs), whether in the press, on vendor web sites or in the introductory slides of a customer-facing sales presentation. Here are five examples of SOC challenges that are borne out by analyst surveys and industry reports.
By implementing SOAR, you can automate triage: score the threat level, sift out the false positives, and fire off an automated response that, for example, blocks that IP or malicious file hash, disables that user account, or deletes those phishing emails from impacted users' inboxes. So, in theory, with all these SOAR capabilities in place you are well on the way to eliminating the aforementioned challenges and creating a fully autonomous security operations center, right? Not so fast.
In an October 2022 Forbes article, Why The “Autonomous Security Operations Center” Is A Pipe Dream, the author states that the reason there are millions of private cybersecurity workers worldwide is ‘because machines cannot observe, interpret, and react to the infinite variations of human decisions quickly, completely, and accurately in the physical world . . . or the digital’.
So, even though cyber resilience capabilities are evolving with the introduction of frameworks such as MITRE ATT&CK® and MITRE D3FEND, and we are getting better at capturing the tactics, techniques and procedures (TTPs) used by threat actors and building orchestrated SOAR playbooks to mitigate those threats, the same threat actors are always looking for new ways to slip through the SOC's defenses. Yes, APTs do have signature TTPs, but detecting low-and-slow, stealthy attacks is easier said than done.
In its recent Global Incident Response Threat Report, VMware listed some examples of what SOCs need to be looking out for:
- Attacks on event integrity through the manipulation of timestamps
- Cloud-jacking and using cloud environments to breach the target's supply chain, e.g. the SolarWinds breach which, according to Microsoft, involved over 1,000 developers
- Exploiting business communication platforms such as Microsoft Teams, Slack and Google Chat
- Expanding networks of ransomware groups, some harbored by nation states
This level of sophistication, lateral thinking, and the ongoing emergence of new attack vectors, coupled with the hesitation within SOCs to fully automate processes that could potentially trigger a production outage, puts to bed any idea that we will have fully automated SOCs any time soon.
So, if the Fully Automated SOC Is a Myth, What Benefits Can SOAR Actually Provide to the Business?
With any automation and orchestration effort, whether in cybersecurity or IT ops, the recommended starting point is to identify the manual tasks that are executed every single day and create playbooks for the common, standardized and repeatable processes first. As Gartner analyst Jon Amato points out, ‘It is important to note automation serves no purpose unless it makes ‘something else’ better, faster, cheaper or otherwise measurably improved’.
In its 2022 Now Tech: SOAR report, Forrester points out that: ‘Despite the plethora of prebuilt playbooks available, security teams often implement a maximum of five to ten playbooks in total over the first several years of adoption. Process automation for complex, inconsistent workflows is challenging and cannot address every manual task security analysts perform …’
What Are Some Common Cyber Security Use Cases Ripe for Automation?
In its 2022 Market Guide for Security Orchestration, Automation and Response Solutions, Gartner states that ‘The most common use case mentioned by Gartner clients who are planning to implement, or who have already implemented a SOAR solution, is automating the triage of suspected phishing emails reported by end users’.
The phishing use case gives an insight into how many individual manual tasks are actually involved in handling this type of threat:
- Parse the email and its artefacts
- Send the attachment to a sandbox for further investigation
- Check the IPs and URLs against threat intelligence sources, e.g., CyberRes Galaxy, VirusTotal, etc.
- Raise a ticket to re-image the affected PCs if the attachment is found to be malicious
- Engage with the firewall/DNS team to block high-risk IPs, URLs, and domains
- Engage with the email admins to determine impacted users so that the suspect email can be deleted from their inboxes
- Summarize the incident in a report
This process requires a lot of analyst time and effort, especially once we include the time spent chasing down false positives.
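The steps above map almost one-to-one onto a playbook. The following script is an added example of what the automated version looks like; it is not ArcSight code and not taken from the original post. It parses a reported email, extracts the artefacts an analyst would otherwise copy out by hand (sender domain, URLs, external relay IPs, attachment hashes), checks them against a threat-intelligence set, reaches a verdict and queues the actions the orchestrator would hand to the firewall/DNS, email and desktop teams. The threat-intel sets, team names, domains, IPs and both sample emails are constructed stand-ins for real lookups against services such as VirusTotal or CyberRes Galaxy; nothing here calls a network service.

```python
"""Phishing-triage playbook, added example (not ArcSight code): parse the
reported email, extract artefacts, check them against threat intel, reach a
verdict and queue actions. Intel sets, team names and emails are constructed."""
import base64
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Constructed stand-ins for VirusTotal / CyberRes Galaxy lookups.
ATTACHMENT = b"MZ\x90\x00 constructed dropper, not a real binary"
KNOWN_BAD_DOMAINS = {"invoice-portal-secure.example"}
KNOWN_BAD_IPS = {"203.0.113.45"}
KNOWN_BAD_HASHES = {hashlib.sha256(ATTACHMENT).hexdigest()}
# False-positive filter; in production require a DMARC pass, not a bare From match.
TRUSTED_SENDER_DOMAINS = {"corp.example"}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def _external_ips(text):
    # IPv4 literals in text, minus internal relay hops and non-addresses.
    out = set()
    for cand in IP_RE.findall(text):
        try:
            if not any(ip_address(cand) in n for n in INTERNAL_NETS):
                out.add(cand)
        except ValueError:                          # e.g. 999.1.1.1
            pass
    return out

def triage(raw_eml):
    """Parse, enrich and decide; returns verdict, artefacts and queued actions."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    subject, msg_id = str(msg.get("Subject", "")), str(msg.get("Message-ID", ""))
    ips = {i for h in msg.get_all("Received", []) for i in _external_ips(str(h))}
    urls, attachments = set(), []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            attachments.append((part.get_filename() or "unnamed", hashlib.sha256(data).hexdigest()))
        elif part.get_content_type() == "text/plain":
            body = part.get_content()
            urls |= set(URL_RE.findall(body))
            ips |= _external_ips(body)
    domains = {urlparse(u).hostname.lower() for u in urls if urlparse(u).hostname}
    bad_domains = (domains | {sender_domain}) & KNOWN_BAD_DOMAINS
    bad_ips = ips & KNOWN_BAD_IPS
    bad_files = [f for f in attachments if f[1] in KNOWN_BAD_HASHES]
    if bad_domains or bad_ips or bad_files:
        verdict = "malicious"
    elif sender_domain in TRUSTED_SENDER_DOMAINS and not attachments:
        verdict = "benign"                              # close as false positive
    else:
        verdict = "suspicious"                          # sandbox, then analyst review
    actions = []                                        # (owner, action, target)
    if verdict == "malicious":
        actions += [("firewall_dns_team", "block_domain", d) for d in sorted(bad_domains)]
        actions += [("firewall_dns_team", "block_ip", i) for i in sorted(bad_ips)]
        actions.append(("email_admins", "purge_message", msg_id))
        if bad_files:                                   # recipient's PC is the affected PC
            actions.append(("desktop_support", "reimage_ticket", str(msg.get("To", ""))))
    elif verdict == "suspicious":
        actions += [("sandbox", "detonate", h) for _, h in attachments]
        actions.append(("analyst", "review_case", subject))
    else:
        actions.append(("analyst", "close_false_positive", subject))
    return {"verdict": verdict, "urls": sorted(urls), "ips": sorted(ips),
            "attachments": attachments, "actions": actions}

PHISH_EML = f"""\
From: "Accounts" <billing@invoice-portal-secure.example>
To: alice@corp.example
Subject: Overdue invoice
Message-ID: <20230301.1234@invoice-portal-secure.example>
Received: from mail.invoice-portal-secure.example ([203.0.113.45]) by mx.corp.example
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please settle this at https://invoice-portal-secure.example/pay today.
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

{base64.b64encode(ATTACHMENT).decode()}
--b1--
"""
BENIGN_EML = """\
From: IT Helpdesk <helpdesk@corp.example>
To: bob@corp.example
Subject: Password policy reminder
Content-Type: text/plain; charset="us-ascii"

Reminder: rotate your password at https://intranet.corp.example/password.
"""
```

Running `triage(PHISH_EML)` returns a malicious verdict with block, purge and re-image actions queued for the respective teams; `triage(BENIGN_EML)` closes the case as a false positive without any human involvement, which is where most of the analyst time in this use case is actually saved. The actions are returned rather than executed so that the blocking and account-disabling steps can stay behind an approval gate, which is the point made later on granular access.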
Other use cases include:
- Infected endpoints flagged by an EDR tool
- Compromised credentials
- Failed user logins
- Command-and-control activity
- Intellectual property theft flagged by DLP or behavioral analytics
- Ransomware and/or cryptojacking activity
Addressing these threats manually requires a high head-count, creates analyst fatigue due to the sheer number of tasks involved, and extends the exposure time.
By automating or semi-automating triage, enrichment and response, SOAR, although not a silver bullet for everything, can provide real business benefits.
What Should You Look For in a SOAR Solution?
- Since orchestration is the integration of internal and external tools via application programming interfaces (APIs), it is important that a SOAR solution comes with a wide range of integrations out of the box.
- It should also offer extensive case management: assigning cases to particular analysts or analyst teams (e.g., based on time zones or shifts); granular access control, e.g., restricting the ability to block IPs or disable user accounts to certain analysts; and decision trees with time-outs, e.g., if the L1 analyst has not responded in time, escalate to an L2 analyst.
- Alert consolidation: the ability to detect and combine related or similar alerts into the same case.
- Dashboards and reporting, so that a SecOps manager can monitor the overall performance and KPIs of the SOC and provide reports to the CISO, CIO, compliance officers, board members, etc.
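As an added example of the alert-consolidation capability listed above (this is illustrative code, not ArcSight's implementation), the following Python folds raw alerts into cases. An alert joins an open case when it shares an entity (host, user or source IP) with that case and arrives within a time window of the case's most recent alert; an alert that links two open cases merges them, so an EDR hit, a C2 beacon, a DLP alert and a burst of failed logins, the kinds of use cases listed earlier, end up in one case instead of four. The field names (`host`, `user`, `src_ip`, `rule`, `severity`) are assumed normalized SIEM fields, and the sample alerts are constructed.

```python
"""Alert consolidation for case management. Added example, not ArcSight code.
Field names and the sample alerts below are constructed."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
ENTITY_FIELDS = ("host", "user", "src_ip")      # assumed normalized SIEM fields
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def _entities(alert):
    """Set of (field, value) pairs that make an alert relatable to others."""
    return {(f, alert[f]) for f in ENTITY_FIELDS if alert.get(f)}


def consolidate(alerts, window=WINDOW):
    """Fold alerts into cases; cases are returned in order of their first alert."""
    cases = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        ents = _entities(a)
        hits = [c for c in cases
                if c["entities"] & ents and a["ts"] - c["last_seen"] <= window]
        if not hits:
            cases.append({"title": a["rule"], "alerts": [a], "entities": set(ents),
                          "severity": a["severity"], "last_seen": a["ts"]})
            continue
        case, *bridged = hits
        for other in bridged:                   # this alert links several open cases
            case["alerts"] += other["alerts"]
            case["entities"] |= other["entities"]
            case["severity"] = max(case["severity"], other["severity"], key=SEVERITY_RANK.get)
            cases = [c for c in cases if c is not other]
        case["alerts"].append(a)
        case["entities"] |= ents
        case["severity"] = max(case["severity"], a["severity"], key=SEVERITY_RANK.get)
        case["last_seen"] = a["ts"]             # window slides with the latest alert
    return cases


def _ts(hhmm):
    return datetime.fromisoformat(f"2023-03-01T{hhmm}:00")


SAMPLE_ALERTS = [  # constructed
    {"id": "a1", "ts": _ts("10:00"), "rule": "EDR: malware detected", "severity": "high",
     "host": "HOST-7", "user": "alice", "src_ip": "10.1.2.7"},
    {"id": "a2", "ts": _ts("10:05"), "rule": "FW: C2 beacon", "severity": "critical",
     "host": "HOST-7", "src_ip": "10.1.2.7"},
    {"id": "a3", "ts": _ts("10:10"), "rule": "DLP: bulk upload", "severity": "medium",
     "host": "HOST-3", "user": "carol"},
    {"id": "a4", "ts": _ts("10:15"), "rule": "Auth: new logon", "severity": "low",
     "host": "HOST-7", "user": "carol"},           # bridges a1/a2 with a3
    {"id": "a5", "ts": _ts("10:20"), "rule": "Auth: failed logins", "severity": "low",
     "user": "alice", "src_ip": "10.9.9.9"},
    {"id": "a6", "ts": _ts("12:00"), "rule": "EDR: malware detected", "severity": "high",
     "host": "HOST-7", "user": "alice"},           # outside the window: new case
]

if __name__ == "__main__":
    for c in consolidate(SAMPLE_ALERTS):
        print(c["title"], c["severity"], [x["id"] for x in c["alerts"]])
```

On the sample input the six alerts collapse into two cases: one critical case carrying a1 to a5, and a separate case for a6, which recurs on the same host but outside the 30-minute window. The window slides with the latest alert in a case, which keeps a slow-burning incident together but also means a long-running low-and-slow campaign needs a separate, longer-horizon correlation rule.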
ArcSight SOAR and ArcSight SOAR SaaS
ArcSight SOAR on-premises has been available to our customers since 2020 as a result of the Atar Labs acquisition, and I am excited to share that we now also offer ArcSight SOAR as a SaaS subscription.
Both offerings provide over 120 integrations with third-party tools, as well as case management, alert consolidation, granular access control, dashboards and reporting.
ArcSight SOAR is included with ESM, Recon on-premises and ArcSight Intelligence. SOAR SaaS is included in the ArcSight SIEM-as-a-Service base SKU, which means that SOAR is also available to ArcSight Logger customers who transition to Recon on-premises or to ArcSight SaaS Log Management and Compliance.
Business Benefit Proof Points
The National Bank of Georgia has implemented ArcSight SOAR, and Nino Simonishvili, Head of Cyber Security, discusses the business benefits in this financial-services case study:
‘The ArcSight SOAR capabilities are one of the most important features when we think about Micro Focus CyberRes. We estimate that SOAR will give us the equivalent of an additional headcount. Considering how hard it is in Georgia to recruit quality cyber security staff, this is a major benefit for us’ says Nino Simonishvili, Head of Cyber Security, National Bank of Georgia, in the case study.
In another financial-services case study, from Odeabank, Emrecan Batar, Information Security Senior Specialist at Odeabank, remarked that:
‘Rather than writing multiple playbooks for each type of potential security threat, we use a single set of branching logic in ArcSight SOAR to help us close 33% of cases without any human involvement’.
In a Gartner Peer Insights review of ArcSight, a satisfied customer wrote:
‘We were delighted to get an update from the ArcSight Team that they have acquired a full-fledged SOAR company and most importantly they are sharing this license free of cost for all existing customers’.
For More Information on ArcSight SOAR Please Visit Our Website:
Other ArcSight SOAR resources
- ArcSight SIEM-as-a-Service
- White Paper: SOAR
- White Paper: A Business Case for ArcSight SOAR
- White Paper: SOAR for SOC Analyst and Security Engineers
- Video: ArcSight Demos | Part 18: Native SOAR Solution
- Video: Using Threat Intelligence with ArcSight SOAR | CyberRes SME Submission
- Video: Responding to a Case with an ArcSight SOAR Playbook | CyberRes SME Submission
- Video: SOARing your SecOps Efficiently | ArcSight SOAR DEMO