Top Security Orchestration, Automation and Response (SOAR) Use Cases

Posted on: October 08, 2020

Security Orchestration, Automation, and Response (SOAR) technology streamlines security workflows, helping security teams improve their productivity and efficiency. It automates the majority of manual tasks and supports a wide range of use cases through no-code and low-code security automation.

Use Cases of Security Orchestration Automation and Response (SOAR) Platforms

SOAR use cases vary with several factors: the internal environment of the organization, the industry it serves, the security processes and workflows already in place, the problems its security team is trying to solve, and the regulatory compliance it must maintain.

Automated Phishing Investigation and Remediation

Organizations receive high volumes of user-reported potential phishing emails. It is good that these emails are reported, but it also means the security team has to investigate every one of them. Investigating a phishing email is tedious work: every indicator in it has to be parsed and checked to determine whether it is legitimate. The best SOAR solutions automate this task with a playbook that parses out the indicators and verifies whether they are truly malicious and part of a phishing attempt. SOAR playbooks can also enrich the indicators and perform further analysis to triage the report and determine what response actions, if any, are needed. Automated phishing responses can rule out false positives, block the sender's email address, block malicious indicators, add indicators to a SIEM watchlist, delete the email from other mailboxes, and keep the threat quarantined for further investigation, to name a few.
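The playbook flow described above, written as an added example (not code from the original page or from any SOAR product): it parses the sender, URLs and attachment hash out of a constructed reported email, enriches them against a constructed intel table standing in for the threat-intelligence lookups, and returns the response actions the playbook would run. All indicator values and verdicts are made up for the example.

```python
import hashlib
import re

# Constructed sample of a user-reported phishing email (not from the page).
REPORTED_EMAIL = """From: billing@example-invoices.test
Subject: Overdue invoice
Please review hxxp://pay-now.example-invoices.test/invoice before Friday.
Our policy is at https://intranet.corp.example/portal for reference.
"""
# Constructed bytes standing in for an attachment the playbook extracted.
ATTACHMENT = b"constructed-sample-attachment-not-a-real-binary"
ATTACHMENT_SHA256 = hashlib.sha256(ATTACHMENT).hexdigest()

# Constructed stand-in for enrichment results; a real playbook would query
# threat-intel services here. Verdicts are invented for the example.
INTEL = {
    "example-invoices.test": "malicious",
    "pay-now.example-invoices.test": "malicious",
    "intranet.corp.example": "benign",
    ATTACHMENT_SHA256: "malicious",
}

def parse_indicators(raw_email, attachment=b""):
    """Extract sender, domains and attachment hash; refang hxxp:// URLs."""
    sender = re.search(r"^From:\s*(\S+)", raw_email, re.M).group(1)
    urls = re.findall(r"\bhxxps?://\S+|\bhttps?://\S+", raw_email)
    urls = [u.replace("hxxp", "http", 1) for u in urls]
    domains = {re.sub(r"^https?://([^/]+).*", r"\1", u) for u in urls}
    domains.add(sender.split("@")[1])          # sender's domain is an indicator too
    hashes = {hashlib.sha256(attachment).hexdigest()} if attachment else set()
    return {"sender": sender, "domains": domains, "hashes": hashes}

def triage(indicators, intel=INTEL):
    """Enrich every indicator and decide which response actions to run."""
    verdicts = {i: intel.get(i, "unknown")
                for i in indicators["domains"] | indicators["hashes"]}
    bad = sorted(i for i, v in verdicts.items() if v == "malicious")
    if not bad:                                 # nothing malicious: false positive
        return {"verdict": "false_positive", "actions": ["close_incident"], "malicious": []}
    actions = ["block_sender:" + indicators["sender"]]
    actions += ["block_indicator:" + i for i in bad]
    actions += ["siem_watchlist_add:" + i for i in bad]
    actions += ["purge_from_all_mailboxes", "quarantine_original_for_investigation"]
    return {"verdict": "phishing", "actions": actions, "malicious": bad}
```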

Threat Intelligence Lifecycle Automation

The threat intelligence lifecycle becomes burdensome when security teams have to manually ingest indicators, format the data, and consult several sources to enrich them. Hundreds or thousands of indicators of compromise (IOCs) are collected every day, and enriching them by hand is not viable for any productive, result-oriented security team. With automation, threat intel ingestion, enrichment, and analysis can be performed quickly and consistently. SOAR (Security Orchestration, Automation and Response) platforms automatically ingest and normalize IOCs from multiple sources and enrich them. Data can be enriched from several enrichment services such as VirusTotal, Hybrid Analysis, Whois, and NVD, among others. A SOAR tool can then score the intel and help determine the appropriate response actions for an incident.
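The ingest, normalize, enrich and score steps above as an added example (not code from the original page or from any SOAR product). Two constructed feeds in different formats are merged into one de-duplicated record set, enriched from a constructed table that stands in for services such as VirusTotal, and scored into a recommended handling. Feed contents, detection counts and scoring weights are all assumptions made up for the example.

```python
import csv
import io
import json
import re

# Constructed feed samples in two formats (not real feeds).
CSV_FEED = "indicator,type\n198.51.100[.]23,ip\nEvil-Domain.test,domain\n"
JSON_FEED = json.dumps([
    {"value": "198.51.100.23", "kind": "ipv4"},
    {"value": "hxxp://evil-domain.test/login", "kind": "url"},
    {"value": "DEADBEEF" * 8, "kind": "sha256"},          # constructed hash
])
# Constructed enrichment results keyed by normalized indicator; numbers invented.
ENRICHMENT = {
    "198.51.100.23": {"detections": 12, "age_days": 3},
    "evil-domain.test": {"detections": 4, "age_days": 10},
    "http://evil-domain.test/login": {"detections": 7, "age_days": 2},
    "deadbeef" * 8: {"detections": 30, "age_days": 40},
}

def normalize(raw):
    """Lowercase, trim and refang the common [.] and hxxp defanging styles."""
    return raw.strip().lower().replace("[.]", ".").replace("hxxp", "http")

def classify(value):
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", value):
        return "ipv4"
    if re.fullmatch(r"[0-9a-f]{64}", value):
        return "sha256"
    return "url" if value.startswith("http") else "domain"

def ingest(csv_text, json_text):
    """Merge both feeds into one record per normalized indicator."""
    rows = [(r["indicator"], "csv_feed") for r in csv.DictReader(io.StringIO(csv_text))]
    rows += [(r["value"], "json_feed") for r in json.loads(json_text)]
    records = {}
    for raw, source in rows:
        value = normalize(raw)
        rec = records.setdefault(value, {"type": classify(value), "sources": set()})
        rec["sources"].add(source)               # same IOC from two feeds is one record
    return records

def score(value, rec, enrichment=ENRICHMENT):
    """0-100: detections dominate, corroboration and freshness add to it."""
    e = enrichment.get(value, {})
    s = min(e.get("detections", 0), 20) * 3      # at most 60 points from detections
    s += 15 * (len(rec["sources"]) - 1)          # seen in more than one feed
    s += 10 if e.get("age_days", 999) <= 7 else 0
    return min(s, 100)

def prioritize(records):
    ranked = []
    for value, rec in records.items():
        s = score(value, rec)
        action = "block" if s >= 60 else "watchlist" if s >= 30 else "monitor"
        ranked.append((value, s, action))
    return sorted(ranked, key=lambda r: (-r[1], r[0]))
```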

Threat Hunting with SOAR

Threat hunting is among the critical Security Orchestration, Automation and Response (SOAR) use cases. It includes processes such as identifying malware, malicious domains, and other IOCs. Automating these processes with SOAR frees security teams to tackle other critical threats more quickly. SOAR lowers the barrier to threat hunting and helps security teams identify and prioritize threats before they impact the organization's network.

Incident Response with SOAR

Incident response is one of the most common SOAR use cases. The best SOAR platforms help automate the entire incident response lifecycle, including ingestion, analysis, detection, triage, investigation, threat hunting, and containment of incidents. First, the SOAR platform ingests security event data from internal as well as external sources. Next, it enriches and analyzes the data and looks for new threats using detection playbooks. SOAR automatically triages all the alerts, eliminates the false positives, and lets security teams automate their incident response playbooks. As a result, automated responses such as blocking an IP address on an IDS or firewall, terminating user accounts, and isolating compromised endpoints from the network can be triggered more quickly. Furthermore, security teams can proactively investigate threats using automated threat hunting playbooks, and measure and optimize their mean time to detect (MTTD) and mean time to respond (MTTR) by remediating security alerts within minutes.

Vulnerability Management

Security Orchestration Automation and Response solutions help ensure that security teams stay up to date on all current vulnerabilities and take proper risk mitigation measures. After being notified of a potential threat by a vulnerability management tool, a SOAR solution correlates the data with information gathered from other security tools, enabling the security team to respond to the vulnerability immediately. The SOAR platform queries the vulnerability management tool for further diagnosis and, based on those insights, calculates the risk and priority level of the vulnerability.
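The correlation and priority calculation described above as an added example (not code from the original page or from any vendor's product): scanner findings are joined with constructed asset-inventory data and a constructed list of actively exploited CVEs, and a risk score and priority are derived for each finding. The CVE identifiers are placeholders, and the weights and thresholds are assumptions chosen for the example.

```python
# Constructed scanner findings; the CVE ids are placeholders, not real advisories.
SCAN_FINDINGS = [
    {"host": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "db-01", "cve": "CVE-0000-0002", "cvss": 7.5},
    {"host": "dev-03", "cve": "CVE-0000-0001", "cvss": 9.8},
]
# Constructed data from the other tools a SOAR platform correlates against:
# an asset inventory (criticality, exposure) and a threat-intel list of
# CVEs observed being exploited.
ASSET_INVENTORY = {
    "web-01": {"criticality": "high", "internet_facing": True},
    "db-01": {"criticality": "high", "internet_facing": False},
    "dev-03": {"criticality": "low", "internet_facing": False},
}
EXPLOITED_CVES = {"CVE-0000-0001"}
CRITICALITY_WEIGHT = {"low": 0.3, "medium": 0.7, "high": 1.0}   # assumed weights
SLA_DAYS = {"P1": 2, "P2": 7, "P3": 30, "P4": 90}                # assumed SLAs

def risk_score(finding, inventory=ASSET_INVENTORY, exploited=EXPLOITED_CVES):
    """Scale CVSS (0-10) to 0-100, then adjust for asset context and exploitation."""
    asset = inventory.get(finding["host"], {"criticality": "medium", "internet_facing": False})
    score = finding["cvss"] * 10 * CRITICALITY_WEIGHT[asset["criticality"]]
    if asset["internet_facing"]:
        score *= 1.25                       # reachable from the internet
    if finding["cve"] in exploited:
        score *= 1.5                        # exploitation already observed in the wild
    return round(min(score, 100.0), 1)

def priority(score):
    if score >= 90:
        return "P1"
    if score >= 60:
        return "P2"
    return "P3" if score >= 30 else "P4"

def prioritize(findings):
    """Return (host, cve, score, priority, sla_days) sorted by descending risk."""
    ranked = []
    for f in findings:
        s = risk_score(f)
        p = priority(s)
        ranked.append((f["host"], f["cve"], s, p, SLA_DAYS[p]))
    return sorted(ranked, key=lambda r: (-r[2], r[0]))
```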

Malware Analysis

Automation enables smarter and faster malware analysis, providing one of the more compelling Security Orchestration, Automation, and Response (SOAR) use cases for security teams. Security orchestration platforms can ingest data from threat intelligence feeds, SIEMs, email inboxes, and malware analysis tools, and extract the files involved. These files are uploaded to the malware analysis tool, where further analysis and research can be performed. If the files are malicious, the security orchestration platform updates the appropriate watchlists and takes the necessary actions, such as opening tickets, quarantining impacted endpoints, and incorporating data from third-party threat feeds.

Ransomware Alert Response

Ransomware attacks can be contained in their early stages with the help of Security Orchestration, Automation, and Response (SOAR)-driven response processes. Ransomware alert response has gained prominence as one of the important SOAR use cases: a ransomware alert is received from a SIEM tool, after which an incident is automatically created and investigated. The SOAR platform can then gather the host and user information and correlate it with previous investigations, connecting the dots between different aspects of the threat. On completing the initial triage, the SOAR platform can initiate containment actions, assess the extent and impact of the ransomware attack, and proceed to response and remediation.

Denial-of-Service (DoS) Alert Mitigation

From detection to the blocking of malicious indicators, automation helps break the chain of Denial-of-Service (DoS) attacks by standardizing the response process. In this SOAR use case, automation can perform tasks such as ingesting threat alerts, triaging and analyzing them, and taking response actions on DoS alerts. The DoS alert playbook can be triggered on receipt of a threat alert, and an incident can be created automatically in the security automation and orchestration platform. The playbook can then take automated actions such as running an antivirus scan, notifying the ISP, and sending notifications to application owners and end users.

Web Defacement Response

Security teams can utilize Security Orchestration, Automation, and Response (SOAR) platforms to automatically detect and respond to web defacement attacks. Upon receiving an alert about website defacement from a third-party website monitoring service provider, an incident can be automatically created in a security automation platform. In this security automation use case, enrichment of the targeted web application is automated to collect the server and its owner’s details. Following the incident enrichment process, response and remediation actions can be taken with the help of a Security Orchestration platform including triggering an antivirus scan, security compliance check, log analysis and investigation, or forensic imaging through an ITSM ticket.

Remote to Local Exploit Response

Remote to local exploits can have serious repercussions for organizations, as they allow attackers to run malicious code by abusing security vulnerabilities. Such exploits can be used for business disruption, data theft, and espionage. With manual response processes, both the dwell time before detection and the MTTR for such attacks are high. Security orchestration platforms can reduce the overall dwell time and MTTR by synchronizing the incident reporting, enrichment, analysis, and containment processes. A playbook for this security automation use case can check whether the activity that triggered the alert was already blocked and take the appropriate action if further quarantine or blocking is required.

SOAR for Cyber Fusion

Cyber fusion combines threat intelligence sharing, end-to-end automation, and threat response for faster, smarter, and more efficient security. By actioning incidents with automated workflows and enabling cyber fusion-driven collaboration between different people, processes, and technologies, security teams can seamlessly leverage security automation to manage incident triage and prevent malicious attacks. Automation allows them to draw insights from threat campaigns, identify the likely course of action of potential adversaries, and create threat patterns by correlating isolated threats and incidents.

Alert Aggregation

Using top SOAR platforms, security teams can share threat alerts from internal sources such as a threat intelligence platform (TIP), SIEM, ITSM, and others, as well as external sources such as RSS feeds, regulatory bodies, and CVE/NVD databases. These human-readable alerts can be shared with custom notifications to inform analysts about early warnings related to malware or any vulnerabilities. In addition to the information about vulnerabilities and malware, SOAR platforms aggregate custom threat intel feeds to equip employees, peers, customers, vendors, and other stakeholders with actionable threat alerts.

SOAR for Managed Security Service Providers (MSSPs)

MSSPs can deploy orchestration layers with SOAR (Security Orchestration Automation and Response) platforms, either in their own or in their clients' environments, to deliver several security orchestration and automation use cases, including automated alert triage at machine speed, which eliminates manual effort and reduces overall costs. Top SOAR solutions offer advanced incident investigation, triage, and workflow management capabilities for MSSPs. With automation, MSSPs can manage post-detection triage, followed by data enhancement, intel enrichment, and incident correlation. Moreover, MSSPs can use the metrics within security automation platforms to evaluate incident costs across their client base. They can also use security automation to take direct action in security tools such as firewalls, EDR, IDS/IPS, and others deployed in their clients' environments to proactively thwart malicious threats.

Cross-Environment Orchestration

Managing security tools deployed across cloud and on-premises environments is complicated for security teams. Modern security orchestration platforms can deliver SOAR use cases that run across multiple environments, cloud and on-premises included. Security Orchestration, Automation, and Response (SOAR) platforms that offer multi-environment orchestration provide the scalability and flexibility needed to connect all the security processes across an organization. Once an action is triggered in a security orchestration and automation platform, the applications within a playbook synchronize in real time to protect the organization's global network assets. This capability allows security teams to manage and monitor all their environments from a single Security Orchestration Automation and Response (SOAR) platform. Cross-environment orchestration also allows playbooks to be customized to unique threats or environments. Thus, time-intensive processes are completed in seconds, and every action is measured and recorded in the SOAR platform for future reporting and reference.

Machine-to-Machine Orchestration

Security teams can aggregate, enrich, and distribute alerts from internal security tools as well as external sources for further analysis and actioning of incidents. The internally deployed sources include security alerts, SIEMs, TIPs, ITSMs, incident response platforms, and others, whereas the external sources are news blogs, RSS feeds, threat intelligence providers, regulatory advisories, and so on. In short, the machine data is used to kick off further machine actions and is automated from end to end.

Human-to-Machine Orchestration

Human to Machine Orchestration features among critical Security Orchestration Automation and Response (SOAR) use cases as it enables security teams to fully automate alert ingestion and disseminate threat alerts from both internal and external human-readable sources into machine-readable security updates.

Machine-to-Human Orchestration

Security Orchestration, Automation, and Response (SOAR) platforms allow security teams to aggregate, enrich, and share machine-generated security alerts with employees, customers, vendors, and other key stakeholders for real-time situational awareness, actioning, and decision-making.
