SOAR Giacomo Lanzi

SOAR: coordination for cyber security

SOAR (Security Orchestration, Automation and Response) technology helps coordinate, execute and automate activities between people and tools, enabling companies to respond quickly to cyber security attacks. The aim is to improve their overall security position. SOAR tools use playbooks (strategies and procedures) to automate and coordinate workflows which may include security tools and manual tasks.

How does SOAR help in the security field?

1. Combining security orchestration, intelligent automation, incident management and interactive investigations in a single solution.
2. Facilitating team collaboration and enabling security analysts to take automated actions on tools across their security stack.
3. Providing teams with a single centralized console to manage and coordinate all aspects of their company’s security.
4. Optimizing case management, increasing efficiency by opening and closing tickets to investigate and resolve incidents.

Why do companies need a SOAR?

Modern companies regularly face many challenges and obstacles when it comes to fighting cyber threats.

A first challenge is represented by an ever increasing volume of complex security threats. Furthermore, the security tools involved very often struggle to talk to each other, which is in itself a nuisance.

Such a large amount of data and software can only mean a large number of security alerts. In fact, there is too much threat intelligence data to allow teams to manually classify, prioritize, investigate and target threats. Furthermore, the work of security officers involves very specific skills and with increasing demand it is increasingly difficult to find a sufficient number of security officers to carry out the work.

System implementation

SOAR helps companies address and overcome these challenges by enabling them to:

Unify existing security systems and centralize data collection to achieve full visibility.
Automate repetitive manual activities and manage all aspects of the accident life cycle.
Define incident analysis and response procedures, as well as leverage security playbooks to prioritize, standardize and scale response processes in a consistent, transparent and documented way.
Quickly and accurately identify and assign the severity levels of incidents to safety alarms and support the reduction of alarms.
Identify and better manage potential vulnerabilities in a proactive and reactive way.
Direct each security incident to the analyst best suited to respond, while providing features that support easy collaboration and monitoring between teams and their members.

Practical applications

Below I wanted to list some practical examples of how a SOAR comes into action in certain situations.

Alarm management

Enrichment and Phishing Response: Activating a Playbook. Automation and execution of repeatable activities such as triage and involvement of interested users. Apply an extraction and control of indicators to identify false positives, then request activation of the SOC for a standardized response at scale.

Endpoint Malware Infection: Extracting threat feed data from endpoint tools and enriching that data. Cross-reference between recovered files and hashes with a SIEM solution, notify analysts, clean up endpoints, and update the tools database.

Failed User Login: After a predefined number of failed user login attempts, evaluating whether a failed login is genuine or malicious, a SOAR can activate in various ways. First of all by putting into practice a playbook, involving users and then analyzing their answers, then also the expiring passwords and finally closing the process.

Threat hunting

Indicators of Compromise (IOC): Take and extract indicators from files, track indicators through intelligence tools and update databases.

Malware Analysis: Verify data from multiple sources, extract and delete malicious files. A report is then generated and checked for malice.

Cloud Incident Response: This is done through the use of data from cloud-focused threat detection and event logging tools. The data is then unified between the cloud and on-premises security infrastructures, correlated thanks to a SIEM. The indicators are then extracted and enriched, to then check for the presence of malice. A final step of human control to the analysts who review their information update the database and close the case.

The benefits of a SOAR

Basically, a SOAR implements working methods and protocols of action in the system for fighting against cyber threats of a company. This significantly improves operational efficiency and accelerates incident detection as well as response times, which are effectively standardized.

A SOAR increases analysts’ productivity and allows them to focus on improving security instead of performing manual tasks.

By exploiting and coordinating the existing security technology investments in a company, it is possible to make a real difference.

Useful links:

SOC as a Service

 

Next Generation SIEM: where are we?

Penetration Test

Vulnerability Assessment

 

Share


RSS

More Articles…

Categories …

Tags

RSS darkreading

RSS Full Disclosure

  • CyberDanube Security Research 20241219-0 | Authenticated Remote Code Execution in Ewon Flexy 205 December 22, 2024
    Posted by Thomas Weber | CyberDanube via Fulldisclosure on Dec 21CyberDanube Security Research 20241219-0 ------------------------------------------------------------------------------- title| Authenticated Remote Code Execution product| Ewon Flexy 205 vulnerable version|
  • Stored XSS with Filter Bypass - blogenginev3.3.8 December 19, 2024
    Posted by Andrey Stoykov on Dec 18# Exploit Title: Stored XSS with Filter Bypass - blogenginev3.3.8 # Date: 12/2024 # Exploit Author: Andrey Stoykov # Version: 3.3.8 # Tested on: Ubuntu 22.04 # Blog: https://msecureltd.blogspot.com/2024/12/friday-fun-pentest-series-16-stored-xss.html Stored XSS Filter Bypass #1: Steps to Reproduce: 1. Login as admin and go to "Content" > "Posts" 2. On […]
  • [SYSS-2024-085]: Broadcom CA Client Automation - Improper Privilege Management (CWE-269) December 19, 2024
    Posted by Matthias Deeg via Fulldisclosure on Dec 18Advisory ID: SYSS-2024-085 Product: CA Client Automation (CA DSM) Manufacturer: Broadcom Affected Version(s): 14.5.0.15 Tested Version(s): 14.5.0.15 Vulnerability Type: Improper Privilege Management (CWE-269) Risk Level: High Solution Status: Fixed Manufacturer Notification: 2024-10-18 Solution Date: 2024-12-17 Public Disclosure:...
  • [KIS-2024-07] GFI Kerio Control <= 9.4.5 Multiple HTTP Response Splitting Vulnerabilities December 17, 2024
    Posted by Egidio Romano on Dec 16--------------------------------------------------------------------------- GFI Kerio Control
  • RansomLordNG - anti-ransomware exploit tool December 17, 2024
    Posted by malvuln on Dec 16This next generation version dumps process memory of the targeted Malware prior to termination The process memory dump file MalDump.dmp varies in size and can be 50 MB plus RansomLord now intercepts and terminates ransomware from 54 different threat groups Adding GPCode, DarkRace, Snocry, Hydra and Sage to the ever […]
  • APPLE-SA-12-11-2024-9 Safari 18.2 December 12, 2024
    Posted by Apple Product Security via Fulldisclosure on Dec 12APPLE-SA-12-11-2024-9 Safari 18.2 Safari 18.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/121846. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Safari Available for: macOS Ventura and macOS Sonoma Impact: On a […]
  • APPLE-SA-12-11-2024-8 visionOS 2.2 December 12, 2024
    Posted by Apple Product Security via Fulldisclosure on Dec 12APPLE-SA-12-11-2024-8 visionOS 2.2 visionOS 2.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/121845. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Crash Reporter Available for: Apple Vision Pro Impact: An app may […]
  • APPLE-SA-12-11-2024-7 tvOS 18.2 December 12, 2024
    Posted by Apple Product Security via Fulldisclosure on Dec 12APPLE-SA-12-11-2024-7 tvOS 18.2 tvOS 18.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/121844. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. AppleMobileFileIntegrity Available for: Apple TV HD and Apple TV 4K (all […]
  • APPLE-SA-12-11-2024-6 watchOS 11.2 December 12, 2024
    Posted by Apple Product Security via Fulldisclosure on Dec 12APPLE-SA-12-11-2024-6 watchOS 11.2 watchOS 11.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/121843. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. AppleMobileFileIntegrity Available for: Apple Watch Series 6 and later Impact: A […]
  • APPLE-SA-12-11-2024-5 macOS Ventura 13.7.2 December 12, 2024
    Posted by Apple Product Security via Fulldisclosure on Dec 12APPLE-SA-12-11-2024-5 macOS Ventura 13.7.2 macOS Ventura 13.7.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/121842. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Apple Software Restore Available for: macOS Ventura Impact: An […]

Customers

Newsletter

{subscription_form_1}