By Rishikesh Kamat, Vice President, Product Management · NTT Ltd
The threat landscape is dynamic and is changing fast. With cyber criminals more motivated than ever before by an ever-expanding digital footprint, cyber security is no longer about playing defense. To protect themselves, enterprises have to act decisively and be agile enough to take quick steps to prevent the next attack or data breach from happening. The key lesson from the Covid-19 pandemic was that speed of response is vital, together with an acknowledgement and understanding of the risks involved. In the digital age, agility is vital, as every enterprise has to be alert to prevent breaches from happening. If breaches do happen, enterprises have to be agile enough to react quickly, limit the damage and prevent further breaches.
This is, however, easier said than done. Traditional security approaches cannot react at the speed required in the world we live in today. From stealth attacks to modern ransomware to the exploitation of zero-day vulnerabilities, the scale and complexity of attacks are growing exponentially. To deal with changing security threats more effectively, automation of security operations is paramount.
The value of security automation
Enterprises today need solutions that can not only anticipate cyber threats in real time but also respond automatically in a quick and effective way. In this scenario, SOAR (Security Orchestration, Automation and Response), a group of technologies that enables organizations to quickly manage, analyze and respond to threats, is fast gaining prominence.
In simple words, SOAR is a combination of the automated processing of security information, the orchestration of the elements of a workflow (collecting data, adding context, approvals and other audit-based markers) and the associated response or action. This combination is important because each step helps improve the security posture. For example, automation and orchestration can only be effective if enterprises have the right level of threat intelligence data. Similarly, threat intelligence is only useful if threats are not only detected but also acted on immediately.
Let us try to understand this with the help of an example. Every day, thousands of phishing e-mails are sent to enterprises by hackers. A SOAR platform can ingest the related security alert data from security solutions such as a SIEM. While the SOAR platform investigates the malicious links, it collects the key information from the malicious email and cross-references that data against external threat intelligence. It can then scan all mailboxes and other endpoints to identify the malicious emails or compromised machines and delete all such emails. Simultaneously, the indicators of compromise are added to the blacklist, which can be used to stop future suspicious emails automatically. If the emails show no evidence of malicious indicators, the SOAR platform can be configured to work in tandem with other security and ITOps solutions to isolate such emails and then send them to an IT security team for further investigation and analysis.
A similar strategy can be adopted for protection against malware. SOAR platforms can ingest data from different threat intelligence sources and SIEM tools and map the attack vector across its different phases to determine whether the files are malicious. If the files are found to be malicious, the SOAR platform can automatically update the required watchlists, quarantine or isolate the infected endpoints and open the required tickets.
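The phishing workflow above (ingest the alert, enrich it against threat intelligence, then either purge and blacklist or isolate and escalate) as an added example; this is not NTT's or any SOAR product's code, and the alert, the threat-intel feed and the mail store are all constructed, with `blocklist` standing in for the article's blacklist.

```python
"""Added example: a minimal phishing playbook with the article's two branches."""
from dataclasses import dataclass, field

# Constructed threat-intel feed: known-malicious URLs and sender domains.
THREAT_INTEL = {
    "urls": {"http://example-login.test/reset"},
    "sender_domains": {"evil.test"},
}

@dataclass
class PhishingAlert:
    message_id: str
    sender: str
    urls: list
    recipients: list

@dataclass
class PlaybookResult:
    verdict: str                      # "malicious" or "suspicious"
    matched_iocs: list = field(default_factory=list)
    actions: list = field(default_factory=list)

def enrich(alert, intel=THREAT_INTEL):
    """Cross-reference the alert's URLs and sender domain with threat intel."""
    hits = [u for u in alert.urls if u in intel["urls"]]
    domain = alert.sender.split("@")[-1].lower()
    if domain in intel["sender_domains"]:
        hits.append(domain)
    return hits

def run_phishing_playbook(alert, mailboxes, blocklist, intel=THREAT_INTEL):
    """mailboxes: {user: set(message_id)} (constructed mail store).
    IoC match   -> delete the message from every mailbox, add IoCs to blocklist.
    No IoC match -> quarantine the message and open a ticket for analysts."""
    hits = enrich(alert, intel)
    result = PlaybookResult(verdict="malicious" if hits else "suspicious",
                            matched_iocs=hits)
    if hits:
        for user, msgs in mailboxes.items():
            if alert.message_id in msgs:
                msgs.discard(alert.message_id)
                result.actions.append(f"delete:{user}:{alert.message_id}")
        blocklist.update(hits)
        result.actions.append("blocklist_updated")
    else:
        result.actions.append(f"quarantine:{alert.message_id}")
        result.actions.append("ticket:analyst_review")
    return result
```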
Improving the security posture
SOAR can help automate the incident response cycle: ingesting alerts, analyzing them, investigating incidents, hunting threats and finally containing them through an automated response mechanism. It can also enforce process standardization and compliance through a defined and repeatable process. SOAR can further enable enterprises to automate repetitive manual tasks such as data collection and enrichment, and deliver countermeasures at machine speed by orchestrating other security solutions such as SIEM, IDS/IPS, EDR and firewalls.
Using playbooks to respond proactively
One of the most significant benefits of a SOAR platform is the ability to automate a workflow using a playbook. Enterprises can build custom playbooks for any incident type with an intuitive drag-and-drop workflow. For example, if numerous failed logins are detected on an end-user device, a playbook that tells the SOAR platform which key actions to take automatically will be extremely beneficial. The playbook can define that, in case of suspicious logins, the SOAR platform must automatically send an alert to the impacted user and confirm whether they have tried to log in. If the answer is in the affirmative, the platform can reset the password and send the user an email requesting that they update the new login password. If the user has not tried to log in, the SOAR platform can send them an email saying that someone has tried to log in to their account multiple times.
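The failed-login playbook described above as an added example, not NTT's or any SOAR product's code: the auth log lines are constructed, the trigger threshold of five failures per user and device is an assumption the article does not state, and the user's yes/no answer is passed in as a parameter in place of whatever channel the platform would use to ask.

```python
"""Added example: detect repeated failed logins and run the article's playbook."""
import re
from collections import Counter

# Constructed auth log, one event per line: "time user device result"
AUTH_LOG = """\
09:00:01 alice WS-17 FAIL
09:00:04 alice WS-17 FAIL
09:00:09 alice WS-17 FAIL
09:00:12 alice WS-17 FAIL
09:00:15 alice WS-17 FAIL
09:01:00 bob WS-22 FAIL
09:01:10 bob WS-22 OK
"""
LINE = re.compile(r"^\S+ (?P<user>\S+) (?P<device>\S+) (?P<result>FAIL|OK)$")
THRESHOLD = 5  # assumed: failed logins per (user, device) before the playbook fires

def failed_login_counts(log):
    """Count FAIL results per (user, device); malformed lines are ignored."""
    counts = Counter()
    for line in log.splitlines():
        m = LINE.match(line)
        if m and m["result"] == "FAIL":
            counts[(m["user"], m["device"])] += 1
    return counts

def triggered_devices(log, threshold=THRESHOLD):
    """(user, device) pairs whose failure count reached the threshold."""
    return [k for k, n in failed_login_counts(log).items() if n >= threshold]

def run_failed_login_playbook(user, device, user_confirms):
    """The article's branches: alert the user and ask whether it was them.
    Yes -> reset the password and email a request to set a new one.
    No  -> email the user that someone tried to log in repeatedly."""
    actions = [f"alert_user:{user}:confirm_login_attempts_on:{device}"]
    if user_confirms:
        actions += [f"reset_password:{user}", f"email:{user}:update_new_password"]
    else:
        actions.append(f"email:{user}:unauthorized_login_attempts_on:{device}")
    return actions

def respond_to_log(log, answers):
    """Run the playbook for every triggered device; answers: {user: bool}."""
    return {k: run_failed_login_playbook(k[0], k[1], answers.get(k[0], False))
            for k in triggered_devices(log)}
```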
Similarly, automated incident response playbooks can quickly block suspicious IP addresses, terminate user accounts or isolate particular devices or endpoints from the network. Customized playbooks can be created depending on the kinds of attack an organization typically faces.
In conclusion, responding to today's complex cyber threats requires enterprises to be constantly alert and vigilant, as one simple mistake by anyone can lead to a quick erosion of business trust. Without a high degree of automation, it is impossible for enterprises to combat emerging threats while maintaining a proactive security posture. In this context, SOAR is an efficient and comprehensive approach that enables enterprises to respond effectively in a consistent, standardized manner by significantly reducing the need for human intervention when responding to security threats.