Security Orchestration, Automation and Response (SOAR) in Cyber Fusion

Security Orchestration Automation and Response
Cyber Fusion

Posted on: March 04, 2021

According to Gartner, security orchestration, automation, and response (SOAR) is a technology composed of security orchestration and automation (SOA), incident response, and threat intelligence platforms (TIPs). Due to its flexibility and adaptability, SOAR can fit into any organization’s security operations. It aims to streamline the incident response involving multiple security processes and teams to remediate threats. To deliver SOAR capabilities, organizations are setting up cyber fusion centers. By offering a proactive and unified approach, cyber fusion brings together multiple teams through sharing of threat intelligence, SOAR implementation, and inter-team collaboration. Moreover, it facilitates the amalgamation of contextualized tactical, technical, strategic, and operational threat intelligence for quick threat forecast, detection, analysis, and response.

To define SOAR, it is important to understand that the concepts of SOAR and cyber fusion are intertwined, and sometimes interchangeably used in the cybersecurity domain. However, one attains its full meaning only through the other's existence. In essence, cyber fusion is a broader concept of which SOAR is an integral part.

SOAR - An Integral Element of Cyber Fusion

By bringing together people, processes, and technologies in one place, cyber fusion enables security teams to automate and orchestrate security workflows. Organizations catering to the cybersecurity landscape are building virtual cyber fusion centers (vCFCs) that deliver true SOAR integration capabilities, allowing security teams to identify the loopholes, define the solutions, and automate threat response. Irrespective of where the teams are located, a vCFC combines all the security functions meant for threat detection, management, and response in an integrated and collaborative manner. This cyber fusion-driven collaboration empowers security teams to leverage SOAR, allowing them to handle incident case management and triage efforts and proactively prevent malicious attacks.

To eliminate the silos present in response operations, security teams are adopting SOAR cyber security solutions with a cyber fusion-based approach. This allows them to work together through a common platform, build shared goals, and help each other with threat intelligence sharing for a comprehensive response.

SOAR Use Cases in Cyber Fusion

Alert Aggregation

Using a SOAR platform powered by cyber fusion, security teams can aggregate and share human-readable alerts from both internal and external sources. The internal sources include SIEMs, threat intelligence platforms (TIP), incident response platforms, internal advisories among others while the external sources include commercial threat feed providers, information sharing communities, dark web, OSINT, regulatory bodies, etc. These alerts can be shared with analysts as early warning notifications related to any security threat including a vulnerability or malware or evolving attack vectors.

Threat Intelligence Lifecycle Automation

Manually ingesting indicators, normalizing the data, and examining several sources before enriching them is a laborious and time-consuming task. Every day, security teams collect hundreds and thousands of indicators of compromise (IOCs), and manually enriching them is a difficult task. With the capabilities of SOAR, threat intelligence ingestion, enrichment, and analysis can be easily and quickly performed. IOCs can be automatically ingested, normalized, and enriched from multiple trusted threat databases. They can be correlated to discover hidden threat patterns. Subsequently, security teams can perform automated confidence scoring, actioning, and sharing of intelligence and determine further actions to be taken. SOAR also empowers security teams to automate the actioning of the high confidence actionable threat intelligence directly in the deployed security architecture involving tools like firewall, IDS/IPS, UEBA, etc.

Threat Hunting

Threat hunting involves processes such as identifying malicious domains, malware, and other IOCs. By leveraging cyber fusion’s SOAR capabilities, threat hunting can be fully automated, enabling security teams to shift their focus on other critical threats. These capabilities eliminate the barrier to threat hunting and enable security teams to identify and prioritize threats before they compromise an organization’s network.

Incident Response

The entire incident response lifecycle starting from alert ingestion, analysis, triage, investigation, and incident containment can be automated with SOAR capabilities of cyber fusion. At first, the security alert data is ingested from internal and external sources followed by data enrichment and analysis. All the alerts are automatically triaged and false positives are eliminated. Subsequently, automated responses are quickly triggered. This allows security teams to investigate threats by leveraging automated threat hunting playbooks and reduce the overall mean-time-to-detect (MTTD) and mean-time-to-respond (MTTR) to mere seconds.

Threat Response

With a combination of cyber fusion and advanced orchestration and automation capabilities, threat response can be automated, enabling organizations to stay ahead of sophisticated threats impacting them in real-time. The SOAR capabilities of an automated threat response platform allow security teams to move beyond mere incident management and proactively respond to all kinds of threats including malware, vulnerabilities, and threat actors. Moreover, cyber fusion centers leverage their pre-built extensive libraries of advanced playbooks to automate response to complex and diverse threats.

Case and Triage Management

The SOAR features of a cyber fusion center give a new dimension to case management. Security teams can manage several related incidents and threats on a single platform by leveraging sophisticated case and triage management capabilities to thwart complex attacks while reducing false alarms, noise, and overall MTTR. Moreover, SOAR capabilities reduce analyst fatigue with streamlined post-detection and incident triage systems steered by data enhancement, intel enrichment, and advanced correlation.

Connect the Dots

Cyber fusion-powered SOAR platforms provide the ability to connect the dots between incidents, vulnerabilities, malware, assets, and threat actors, enabling teams to gather contextual intelligence on sophisticated threat campaigns, discover attackers’ trajectories, and determine latent threat patterns. Furthermore, the SOAR solutions combine threat intelligence fusion with workflow building, custom playbooks, and built-in libraries of playbooks to manage threats at a micro-level.

Vulnerability Management

Another critical use case of SOAR—vulnerability management. With SOAR cyber security solutions powered by cyber fusion, security teams can be aware of current vulnerabilities and take relevant risk mitigation measures. After a vulnerability management tool alerts of a potential threat, the SOAR capabilities of cyber fusion centers enrich the data with information accumulated from disparate security tools and external threat databases like VirusTotal, Hybrid Analysis, and others. This allows security teams to quickly and effectively respond to vulnerabilities. Driven by cyber fusion, the SOAR solution can query the vulnerability management tool for advanced diagnosis and determine the risk level of the vulnerability based on the insights.

Cross-Environment Orchestration

Security tools can either be deployed on cloud or on-premise environments. However, automating workflows across the tools deployed in different environments without raising the cyber risk level becomes a complex task for security teams. An advanced SOAR platform with cyber fusion capabilities can facilitate complex orchestration across different environments including on-premise and cloud without having the security team expose their firewall to external traffic. Cyber fusion facilitates multi-environment orchestration that provides the flexibility and scalability required to connect all the security processes across an organization. This SOAR capability allows security teams to monitor and manage all their environments on a single platform.

Machine-to-Human-to-Machine Orchestration (M2H2M)

By using a SOAR platform integrated with cyber fusion technology, organizations can collect, enrich, and share machine-generated security alerts with security teams. This helps them in receiving real-time situational awareness, making informed decisions, and taking the necessary actions.

From internal as well as external human-readable sources, security teams can fully automate alert ingestion and communicate threat alerts into machine-readable security updates. The internally deployed sources include SIEMs, security alerts, ITSMs, TIPs, incident response platforms, and others, whereas the external sources include RSS feeds, news blogs, regulatory advisories, and threat intelligence providers. Simply put, the machine data is leveraged to initiate further machine actions, which are end-to-end automated.

The Sum and Substance

Since the cyber fusion and SOAR concept became a reality, security vendors, large enterprises, and managed security service providers (MSSPs) have started embracing the technologies for various use cases, reaping several benefits. Moving beyond the traditional SOC model, cybersecurity organizations are setting up vCFCs encompassing capabilities of SOAR, threat intelligence ingestion, enrichment, aggregation, analysis, and advanced threat response focused on malware, vulnerabilities, incidents, and threat actors. Last but not least is the advanced orchestration and automation capabilities of a vCFC that allow organizations to improve security processes by making their existing resources work together. This makes security teams more proactive in defending threats by implementing dynamic defense strategies. By building a vCFC, organizations can address threats in real-time, respond faster to threats, optimize threat intelligence workflow, and prevent potential breaches.

One of the unique value propositions of a vCFC is its SOAR capabilities that help automate SOCs, enabling security teams to better prioritize and optimize alert remediation. SOAR is the pillar of a vCFC that reduces the burden of performing monotonous tasks on SOC analysts, releasing them for more productive jobs.