Role of SOAR and TIP in Cyber Fusion


Posted on: May 05, 2021

Just as solving complex crimes in the real world requires coordination between different authorities, addressing advanced cyber threats also requires a holistic approach. This has given birth to the cyber fusion model for security operations wherein different functions such as threat intelligence, incident response, vulnerability management, threat hunting, and others are integrated under one platform.

Among the different integral elements that make up a cyber fusion center, two of the most important ones are a cyber fusion-enabled Threat Intelligence Platform (TIP) and a Security Orchestration, Automation, and Response (SOAR) platform. Let us understand the part played by these platforms and how they fit into the larger picture of a cyber fusion center.

What is a Threat Intelligence Platform (TIP)?

A threat intelligence platform (TIP) is a technology solution that collects, processes, enriches, and organizes threat intelligence data from multiple sources and formats. Threat intelligence platforms provide security teams with information on known malware and other threats, powering efficient and accurate threat identification, investigation, and response.

The Upside of Intelligence-driven Cybersecurity

A cyber fusion center derives multiple benefits from the deployment of a threat intelligence platform including:

  • Structured and Unstructured Information: Since a cyber fusion center integrates different security functions, collating information from the diverse teams and the technologies they use also becomes part of the process. A threat intelligence platform plays a key part in this by collecting threat data from a variety of internal and external sources in both structured and unstructured formats, including threat intel feeds, emails, research reports, blogs, intel packages, and more. It can also collect information from existing security tools and applications such as firewalls, antivirus, SIEM systems, EDRs, IDS/IPS, secure email gateways, and more.
  • Prioritization of Relevant Threats: Beyond just collecting threat information from varied sources, a threat intelligence platform enables security teams to use this data to filter out the irrelevant or noisy information and then rank the remaining threat information based on contextual parameters like severity, location, assets affected, and much more.
  • Intel Correlation and Enrichment: A threat indicator analyzed in isolation tells security teams little about its relevance or severity. In the context of a cyber fusion center, the threat intelligence platform enables analysts to correlate all the relevant information and enrich it with other parameters based on historical incidents, contextual factors, and more, drawn from various trusted databases, and to perform other advanced functions such as deduplication and automated analysis.
  • Intelligence Sharing: The integration of different security functions through cyber fusion further benefits from the sharing of threat intelligence collected through a threat intelligence platform. The collected intelligence can not only be shared with internal teams, but also external partners, industry peers, information sharing communities, government agencies, and so on. Thus, every team can leverage the appropriate type of intelligence they need to act on their security priorities.
  • Intel-based Actioning: The connected security stack in a cyber fusion center helps security teams leverage the threat intelligence from the threat intelligence platform to drive various security processes and workflows. By using threat intelligence, security teams can identify the most frequently exploited vulnerabilities, threat groups targeting their industry, prominent attack tactics and techniques, emerging threats, and much more. This enables more precise and effective mitigation actions and improves efficiency. Furthermore, based on algorithms such as IOC scoring, a threat intelligence platform can automatically block malicious indicators on the firewalls deployed in an organization.
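
As an added example (not code from the original post or from any vendor's platform), the following Python sketch walks the steps above on constructed data: it parses a structured feed and an analyst e-mail, deduplicates indicators on their normalized value, merges sources and tags, enriches each indicator with internal asset context, scores it, and emits only the subset that would be pushed to a firewall. The feed layout, the scoring weights, the asset map and the 75-point threshold are all assumptions of this example, and none of the indicators are real.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample inputs; none of these are real threat indicators.
# A structured feed, modelled loosely on the JSON records a TIP ingests.
STRUCTURED_FEED = json.dumps([
    {"type": "ipv4", "value": "203.0.113.45", "source": "feed-a", "confidence": 80, "tags": ["c2"]},
    {"type": "domain", "value": "Bad-Example.test", "source": "feed-a", "confidence": 60, "tags": ["phishing"]},
    {"type": "ipv4", "value": "203.0.113.45", "source": "feed-b", "confidence": 70, "tags": ["scanner"]},
])

# An unstructured source: the body of an analyst e-mail (constructed).
UNSTRUCTURED_EMAIL = """
Heads up team, we saw beaconing to 203.0.113.45 and 198.51.100.7 overnight,
plus a lure hosted at bad-example.test. No sample hash was recovered.
"""

# Internal context used for enrichment (constructed): which of our assets talked to the indicator.
ASSET_CONTEXT = {"203.0.113.45": "payment-gateway", "198.51.100.7": "test-lab"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# The last label must start with a letter so dotted IPs are not mistaken for domains.
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z][a-z0-9-]*)+\b", re.IGNORECASE)

Record = Tuple[str, str, str, int, Set[str]]  # (type, value, source, confidence, tags)

@dataclass
class Indicator:
    ioc_type: str
    value: str
    sources: Set[str] = field(default_factory=set)
    confidences: List[int] = field(default_factory=list)
    tags: Set[str] = field(default_factory=set)
    asset: Optional[str] = None
    score: int = 0

def normalize(ioc_type: str, value: str) -> str:
    # Domains are case-insensitive, so lower-case them before deduplication.
    return value.lower() if ioc_type == "domain" else value

def parse_structured(raw_json: str) -> Iterable[Record]:
    for rec in json.loads(raw_json):
        yield rec["type"], rec["value"], rec["source"], rec["confidence"], set(rec.get("tags", []))

def parse_unstructured(text: str, source: str = "analyst-email") -> Iterable[Record]:
    # Indicators scraped from free text carry a low default confidence (assumption: 40).
    for ip in IPV4_RE.findall(text):
        yield "ipv4", ip, source, 40, set()
    for dom in DOMAIN_RE.findall(text):
        yield "domain", dom, source, 40, set()

def ingest(records: Iterable[Record]) -> Dict[Tuple[str, str], Indicator]:
    # Deduplicate on (type, normalized value) and merge sources, confidences and tags.
    store: Dict[Tuple[str, str], Indicator] = {}
    for ioc_type, value, source, confidence, tags in records:
        key = (ioc_type, normalize(ioc_type, value))
        ind = store.setdefault(key, Indicator(ioc_type, key[1]))
        ind.sources.add(source)
        ind.confidences.append(confidence)
        ind.tags |= tags
    return store

def enrich_and_score(store: Dict[Tuple[str, str], Indicator]) -> Dict[Tuple[str, str], Indicator]:
    # Scoring rule (an assumption of this example): best source confidence, plus a bonus for
    # independent corroboration, for C2 tagging, and for touching a production asset.
    for ind in store.values():
        ind.asset = ASSET_CONTEXT.get(ind.value)
        corroboration = 10 * (len(ind.sources) - 1)
        context = 15 if "c2" in ind.tags else 0
        asset_bonus = 20 if ind.asset and ind.asset != "test-lab" else 0
        ind.score = min(100, max(ind.confidences) + corroboration + context + asset_bonus)
    return store

def block_list(store: Dict[Tuple[str, str], Indicator], threshold: int = 75) -> List[str]:
    # Only indicators at or above the threshold are pushed to enforcement points such as a firewall.
    return sorted(ind.value for ind in store.values() if ind.score >= threshold)

def run_pipeline() -> Dict[Tuple[str, str], Indicator]:
    records = list(parse_structured(STRUCTURED_FEED)) + list(parse_unstructured(UNSTRUCTURED_EMAIL))
    return enrich_and_score(ingest(records))

if __name__ == "__main__":
    result = run_pipeline()
    for ind in sorted(result.values(), key=lambda i: -i.score):
        print(f"{ind.ioc_type:6} {ind.value:20} score={ind.score:3} sources={sorted(ind.sources)} asset={ind.asset}")
    print("block:", block_list(result))
```

Run as-is, the C2 address seen by three sources and tied to a production asset reaches the cap of 100 and is the only entry on the block list; the lure domain (two sources, no production context) scores 70 and stays below the threshold, and the address seen only in the e-mail and tied to a lab host scores 40. That gap between "collected" and "actioned" is the prioritization step the bullets describe: corroboration and internal context, not raw feed volume, decide what reaches enforcement.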

What is SOAR?

SOAR stands for Security Orchestration, Automation & Response. A SOAR tool transforms incident response and security operations management with the power of security automation and orchestration. It enables the creation of automated workflows for all kinds of security actions, thereby making security teams more productive.

Significance of SOAR in security operations

  • Automated Incident Response: A SOAR platform, as part of the cyber fusion center, plays an integral role by allowing security teams not just to respond to reported incidents but also to squash threats at an early stage using threat intelligence inputs from the threat intelligence platform. It leverages automation playbooks for end-to-end incident investigation, analysis, and response.
  • Machine-to-Machine Orchestration: Since the security stack consists of numerous tools which are not designed to communicate with each other, the SOAR platform acts as the glue to bind them together to orchestrate and automate different security actions. This helps achieve the true goal of cyber fusion wherein different elements of security operations are integrated.
  • Human-to-Machine Orchestration: At each stage of the attack cycle, different types of actions are needed to stop the threat actors. A SOAR tool streamlines the workflows for security teams by providing them with the right information in the right context so as to orchestrate and automate the appropriate responsive actions across their security infrastructure. In a cyber fusion center, this capability helps people in different security roles to leverage the information and actioning capabilities of the entire stack.
  • Standardized Security Processes: The key to effectively combating frequently occurring threats is to develop and implement the necessary processes for detection, response, and management. Through its automation and orchestration capabilities, a SOAR platform can enable this while learning from past incidents and current threat intelligence. The knowledge base of response actions can be codified in the form of automated workflows that can be tweaked over time to defend against evolving threats. This helps in streamlining the operations of the cyber fusion center.
  • Connecting the Dots: A SOAR platform acts as the central nervous system of the cyber fusion center of an organization. This helps security teams connect the dots between disparate security events to analyze the broader picture of the threat environment and the tactics and techniques used by threat actors.
  • Collaboration between Security Teams: A SOAR platform not only connects different tools but also brings different security teams under the same roof to provide a holistic threat response. It improves the collaboration across different roles in line with the objectives of cyber fusion.
  • Threat Intelligence Automation: To fully leverage threat intelligence in their security operations, organizations can use the automation capabilities of a SOAR platform to put threat intelligence into action by orchestrating the necessary actions across the security tools deployed in cloud and on-premises environments.
  • Incident Investigation: By using the TIP for intel enrichment and connecting the dots for incident correlation using SOAR, security teams can collect the different pieces of information that can help them get to the root cause of an incident rapidly. Since time is of the essence in incident response, a SOAR platform improves the overall efficiency of the cyber fusion center.
  • Incident Cost Metrics: In order to efficiently allocate resources to counter different threats, security managers need the right metrics to understand the gaps and bottlenecks in their processes. By integrating different functions, a SOAR platform gives them the bird’s eye view of all the operations to prioritize the incidents that imply the highest cost to the organization.
  • Orchestrating Cloud and On-premise Tools: Today, organizations cannot rely on the conventional model of network perimeter security. Since the modern technology infrastructure involves on-premises, cloud, and hybrid systems, the SOAR platform plays the crucial role of providing visibility and the ability to respond to threats that span different environments. Thus, it extends the reach of the cyber fusion center to all assets, including servers, applications, workstations, endpoints, connected devices, and more.
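
As an added example (not code from the original post or from any SOAR vendor), here is a minimal playbook in Python showing the points above working together: the alert is enriched from a TIP lookup, a low-risk containment action (a firewall block) runs machine-to-machine, a disruptive one (isolating the workstation) is queued behind a human approval callback, a ticket is opened, and every step is recorded so the incident has an audit trail. The `Connectors` class, the `TIP_LOOKUP` table, the alert layout and the severity thresholds are all assumptions of this example; each connector method stands in for a vendor API call.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed TIP lookup results, standing in for a query to the threat intelligence
# platform; the 0-100 score scale is an assumption of this example.
TIP_LOOKUP: Dict[str, dict] = {
    "203.0.113.45": {"score": 95, "tags": ["c2"]},
    "198.51.100.7": {"score": 20, "tags": []},
}

# A constructed alert, shaped like one a SIEM would forward to the SOAR platform.
SAMPLE_ALERT = {"id": "ALERT-0001", "host": "ws-finance-07", "user": "jdoe", "dest_ip": "203.0.113.45"}

@dataclass
class Incident:
    alert: dict
    severity: str = "unknown"
    actions: List[str] = field(default_factory=list)           # audit trail of every step taken
    pending_approval: List[str] = field(default_factory=list)  # disruptive actions awaiting an analyst

class Connectors:
    """Hypothetical tool connectors; each method stands in for a vendor API call."""

    def __init__(self) -> None:
        self.firewall_blocks: List[str] = []
        self.isolated_hosts: List[str] = []
        self.tickets: List[str] = []

    def firewall_block(self, ip: str) -> str:
        self.firewall_blocks.append(ip)
        return f"firewall:block:{ip}"

    def edr_isolate(self, host: str) -> str:
        self.isolated_hosts.append(host)
        return f"edr:isolate:{host}"

    def ticket_open(self, summary: str) -> str:
        self.tickets.append(summary)
        return f"ticket:{len(self.tickets)}:{summary}"

# Playbook steps are plain functions so the standardized process can be re-ordered or
# extended as the threat landscape changes.
def step_enrich(inc: Incident, tools: Connectors) -> None:
    intel = TIP_LOOKUP.get(inc.alert["dest_ip"], {"score": 0, "tags": []})
    inc.alert["intel"] = intel
    score = intel["score"]
    inc.severity = "high" if score >= 75 else "medium" if score >= 40 else "low"
    inc.actions.append(f"enrich:{inc.alert['dest_ip']}:score={score}")

def step_contain(inc: Incident, tools: Connectors) -> None:
    if inc.severity != "high":
        inc.actions.append("contain:skipped")
        return
    # Machine-to-machine: a reversible, low-risk block runs without a human in the loop.
    inc.actions.append(tools.firewall_block(inc.alert["dest_ip"]))
    # Human-to-machine: isolating a workstation is disruptive, so it is queued for approval.
    inc.pending_approval.append(f"edr:isolate:{inc.alert['host']}")

def step_ticket(inc: Incident, tools: Connectors) -> None:
    inc.actions.append(tools.ticket_open(f"{inc.alert['id']} {inc.severity} {inc.alert['dest_ip']}"))

PLAYBOOK: List[Callable[[Incident, Connectors], None]] = [step_enrich, step_contain, step_ticket]

def run_playbook(alert: dict, tools: Connectors,
                 approve: Optional[Callable[[str], bool]] = None) -> Incident:
    inc = Incident(alert=dict(alert))  # copy so the caller's alert is not mutated
    for step in PLAYBOOK:
        step(inc, tools)
    # Approval gate: the analyst callback decides whether each queued action runs.
    for action in list(inc.pending_approval):
        if approve is not None and approve(action):
            inc.actions.append(tools.edr_isolate(action.rsplit(":", 1)[1]))
            inc.pending_approval.remove(action)
    return inc

if __name__ == "__main__":
    tools = Connectors()
    inc = run_playbook(SAMPLE_ALERT, tools, approve=lambda a: True)
    print(inc.severity, inc.actions, inc.pending_approval)
```

Without an `approve` callback the firewall block still lands but the isolation stays in `pending_approval`, which is the behaviour the human-to-machine bullet calls for: automation takes the cheap, reversible step immediately and leaves the costly one to a person with context. The `actions` list doubles as the per-incident record from which the cost and bottleneck metrics mentioned above can be derived.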

Conclusion

A cyber fusion center aims to assemble the powers of all different security functions under one roof to form the dream team that can fight off all threats. To make it happen, a SOAR platform forms the backbone of threat response and management processes and a threat intelligence platform provides the threat information that guides the strategy and actions that need to be taken against critical threats. Thus, these are two inevitable organs of the cyber fusion body.
