View More guides on Security Orchestration Automation and Response
SOAR Use Cases
Posted on: October 08, 2020
Security Orchestration, Automation, and Response (SOAR) technology streamlines security workflows, helping security teams improve their productivity and efficiency. The technology can be used to automate about 80-90% of a security team’s manual tasks and address a wide range of use cases.
SOAR use cases can vary depending on several factors, such as the internal environment of organizations, the industries they cater to, the security processes and workflows in place, the problems their security team is trying to solve for, and the regulatory compliance that needs to be ensured. Following are some of the real-world SOAR use cases:
Automated Phishing Investigation and Remediation
Organizations are experiencing high volumes of potential phishing emails being reported. It’s good that these emails are being reported, but it also means that security teams need to investigate them all. Investigating phishing emails is tedious work and involves parsing of every indicator to determine if it is legitimate or not. A SOAR platform can automate this task with a playbook that automatically parses out indicators and verifies if they are truly malicious and a phishing attempt. The playbook can also enrich the indicators and perform further analysis to perform triage and determine what, if any, response actions are needed. Automated responses can check false positives, block sender’s email addresses, block malicious indicators, add indicators to a SIEM watchlist, delete emails from other mailboxes, and keep a threat quarantined for further investigation, to name a few.
Threat Intelligence Lifecycle Automation
The threat intelligence lifecycle becomes burdensome when security teams have to manually ingest indicators, format the data, and go through several sources to enrich them. In the current security scenario, hundreds and thousands of indicators of compromise (IOCs) are collected on a daily basis, and enriching them manually is not viable for any productive and result oriented security team. With automation, threat intelligence ingestion, enrichment, and analysis can be performed quickly and consistently. SOAR platforms automatically ingest and normalize IOCs from multiple sources and enrich them. Data can be enriched from several enrichment databases such as VirusTotal, Hybrid Analysis Whois, and NVD among others. Subsequently, a SOAR platform can score the intel and help formulate the following course of response action for an incident.
Threat Hunting with SOAR
Threat hunting features amongst the critical SOAR use cases. It includes processes such as identifying malicious malware, domains, and other IOCs. Automating these processes using SOAR can free up security teams to quickly tackle other critical threats. SOAR lowers the barrier to threat hunting and helps them identify and prioritize threats before they impact an organization’s network.
Incident Response with SOAR
Incident response is one of the most common SOAR use cases. SOAR helps in automating the entire incident response lifecycle, including ingestion, analysis,detection, triage, investigation,threat hunting, and containment of incidents. First, a SOAR platform ingests security events data from internal as well as external sources. In the next step, it enriches the data, analyzes it, and looks for new threats using detection playbooks. SOAR automatically triages all the alerts, eliminates the false positives, and lets security teams automate incident response playbooks. As a result, automated responses can more quickly be triggered such as blocking an IP address on a IDS system or firewall, terminating user accounts, and isolating compromised endpoints from a network. Furthermore, security teams can proactively investigate threats using automated threat hunting playbooks, and measure and optimize their mean-time-to-detect (MTTD) and mean-time-to-respond (MTTR) by remediating security alerts within minutes.
SOAR solutions help in ensuring that security teams stay updated on all current vulnerabilities and take proper risk mitigation measures. After being notified of a potential threat from a vulnerability management tool, a SOAR solution correlates the data with information gathered from other security tools, enabling security teams to immediately respond to vulnerabilities. The SOAR platform queries the vulnerability management tool for further diagnosis and based on the insights, it can calculate the risk and priority level of the vulnerability.
Automation enables smarter and faster malware analysis providing some of the exciting SOAR use cases for security teams. SOAR platforms come with capabilities to ingest data from threat intelligence feeds, SIEMs, email inboxes, and malware analysis tools, and extract files. These files are uploaded to the malware analysis tool, where further analysis and research can be performed. If the files are malicious, the SOAR platform updates appropriate watchlists and takes necessary action such as opening tickets, quarantining impacted endpoints, and accommodating data from threat feeds of third-parties.
Ransomware Alert Response
Ransomware attacks can be contained in their early stages with the help of SOAR-driven response processes. Ransomware alert response has gained prominence as one of the important SOAR use cases wherein a ransomware alert is received from a SIEM tool, following which an incident is automatically created and investigated. The SOAR platform can then gather the host and user information and coordinate it with previous investigations, connecting the dots between different threat aspects. On completing the initial triage, a SOAR platform can initiate containment actions to determine the aftermath and extent of the ransomware attack, followed by response and remediation.
Denial-of-Service (DoS) Alert Mitigation
From detection to blocking of the malicious indicators, automation helps in effectively breaking the chain of Denial-of-Service (DoS) attacks by standardizing the response process. In this SOAR use case, automation can perform tasks such as ingestion of threat alerts, triaging and analysis, and response actions to DoS alerts. The DoS alert playbook can be triggered after receiving a threat alert and an incident can be automatically created in the SOAR platform. The playbook can then take automated action such as performing an antivirus scan, ISP intimation, and sending notifications to app owners and end-users.
Web Defacement Response
Security teams can utilize SOAR platforms to automatically detect and respond to web defacement attacks. Upon receiving an alert about website defacement from a third-party website monitoring service provider, an incident can be automatically created in a SOAR platform. In this SOAR use case, enrichment of the targeted web application is automated to collect the server and its owner’s details. Following the incident enrichment process, response and remediation actions can be taken with the help of a SOAR platform including triggering an antivirus scan, security compliance check, log analysis and investigation, or forensic imaging through an ITSM ticket.
Remote to Local Exploit Response
Remote to local exploits can have undesirable repercussions for organizations as they allow attackers to run malicious codes by abusing security vulnerabilities. Such exploits can be utilized for business disruptions, data theft, and spying. The dwell detection time for manual response processes and the MTTR in such attacks are high. SOAR platforms can reduce the overall dwell detection time and MTTR by synchronizing the incident reporting, enrichment, analysis, and containment processes. A playbook for this SOAR use case can check to see whether the triggered alert was blocked or not and take the appropriate action if further quarantine or blocking are required.
SOAR for Cyber Fusion
Cyber fusion combines threat intelligence sharing, end-to-end automation, and threat response together for faster, smarter, and more efficient security.. By actioning incidents with automated workflows and enabling cyber fusion-driven collaboration between different people, processes, and technologies, security teams seamlessly can leverage SOAR to manage incident triage efforts to prevent malicious attacks. Automation allows them to deduce insights from threat campaigns, identify the course of action of potential adversaries, and create threat patterns by correlating isolated threats and incidents.
Using a SOAR platform, security teams can share threat alerts from internal sources such as a TIP, SIEM, ITSM, and others, as well as external sources such as RSS feeds, regulatory bodies, and CVE/NVD databases. These human-readable alerts can be shared with custom notifications to inform analysts about early warnings related to malware or any vulnerabilities. In addition to the information about vulnerabilities and malware, SOAR platforms aggregate custom threat intel feeds to equip employees, peers, customers, vendors, and other stakeholders with actionable threat alerts.
SOAR for Managed Security Service Providers (MSSPs)
MSSPs can deploy orchestration layers with SOAR platforms, either in their own or clients’ environment, to deliver several soar use cases including automated alert triaging at machine speed, eliminating manual efforts and reducing the overall costs. SOAR offers advanced levels of incident investigation, triaging, and workflow management capabilities for MSSPs. With automation, MSSPs can manage post-detection and triaging, followed by data enhancement, intel enrichment, and incident correlation processes. Moreover, MSSPs can leverage various metrics within SOAR platforms to evaluate incident costs across their client base. They can use SOAR to take direct actions in security tools such as Firewall, EDR, IDS/IPS, and others deployed in their clients’ environment to proactively thwart malicious threats.
Managing security tools deployed on cloud or on-premise environments is complicated for security teams. Modern SOAR platforms have the capabilities to deliver SOAR use cases that include running across multiple different environments including cloud and on-premise. SOAR platforms that offer multi-environment orchestration provide the scalability and flexibility needed to connect all the security processes across an organization. Once an action is triggered in a SOAR platform, applications within a playbook synchronize in real-time to protect an organization’s global network assets. This capability allows security teams to manage and monitor all their environments from a single SOAR platform. Cross-environment orchestration allows playbooks to be customized to adapt to unique threats or environments. Thus, time-intensive processes are completed in seconds and all the actions are measured and recorded in a SOAR platform for future reporting and reference.
Security teams can aggregate, enrich, and distribute alerts from internal security tools as well as external sources for further analysis and actioning of incidents. The internally deployed sources include security alerts, SIEMs, TIPs, ITSMs, incident response platforms, and others, whereas the external sources are news blogs, RSS feeds, threat intelligence providers, regulatory advisories, and so on. In short, the machine data is used to kick-off further machine actions and is automated from end-to-end.
Human to Machine Orchestration features among critical SOAR use cases as it enables security teams to fully automate alert ingestion and disseminate threat alerts from both internal and external human-readable sources into machine-readable security updates.
SOAR platforms allow security teams to aggregate, enrich, and share machine-developed security alerts with employees, customers, vendors, and other key stakeholders for real-time situational awareness, actioning, and decision-making.