These days, it seems like vulnerabilities or new attacks are constantly in the news, meaning security professionals are constantly responding to incidents. With so many assets to protect (devices, web apps, servers, etc.), it’s hard to prioritize what should be tackled first and then address issues in a timely manner.
Fortunately, security orchestration, automation and response (SOAR) can be a saving grace for many resource-strapped or highly targeted companies. In this post, you’ll learn:
- How orchestration and automation can be used to improve incident response plans
- The most prevalent orchestration and automation incident response use cases
- Tips for identifying when it is appropriate to apply orchestration and automation
How SOAR improves incident response capabilities
A security orchestration and automation solution offers incident response capabilities that enhance many areas of a security program. There are three benefits in particular to highlight:
1. Improved response uptime
What if having a clean backlog meant you could improve uptime to 100%? When configured properly, security orchestration and automation workflows can help prevent the cyclical pileup of new security events by automatically handling routine issues. In most cases, these events require a simple follow-up, such as a quick patch, routine password update, or the deprovisioning of a user, but they regularly take a backseat to other priorities. Security orchestration and automation tools enable you to dictate which tasks can be handled automatically, as opposed to letting them accumulate and putting your overall security posture at risk.
2. Reduced margin for error
User error is real, and if you’ve ever been in the trenches responding to alert after alert (most of which end up being false positives, anyway), you know what it’s like when alert fatigue sets in and details begin to slip through the cracks. With security orchestration and automation, most alerts can be handled automatically—and because machines excel at following monotonous, step-by-step routines, they’re arguably the better candidates for this.
For example, security orchestration and automation tools can regularly aggregate malicious domains and URLs from various threat feeds and add entries to a DNS sinkhole, redirecting malware callbacks and preventing devices from getting infected in the first place. And even if a device does get hit, automation can kick in to immediately detect and then quarantine the affected assets to prevent the threat from persisting. With processes like this in place, you can greatly reduce your risk while knowing that every step in the process is handled.
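The feed-to-sinkhole workflow described above, as an added illustration that is not part of the original post: it normalizes raw feed lines into hostnames, drops comments and IP literals (those belong in a firewall rule, not a DNS sinkhole), filters against an allowlist so a bad feed entry cannot sinkhole a business-critical domain, deduplicates across feeds, and emits BIND RPZ-style local-data records. The feed contents, the allowlist and the sinkhole address are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Constructed sample feeds (not real indicators), in the mixed formats
# threat-intel providers commonly publish: full URLs, bare hostnames, comments.
FEEDS: Dict[str, List[str]] = {
    "feed-a": [
        "http://bad.example/path/malware.exe",
        "https://evil.example:8443/c2",
        "# comment line",
    ],
    "feed-b": [
        "BAD.EXAMPLE",                          # same host as feed-a, different case
        "http://10.0.0.5/payload",              # raw IP: not a DNS sinkhole candidate
        "https://www.mail.example.com/login",   # hypothetical business domain
    ],
}

# Hypothetical allowlist of domains the organization must never sinkhole.
ALLOWLIST: Set[str] = {"mail.example.com", "example.com"}

def normalize_domain(raw: str) -> Optional[str]:
    """Turn one feed line into a lowercase hostname, or None if unusable."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    host = urlsplit(line).hostname if "://" in line else line.split("/")[0]
    if not host:
        return None
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)   # IP literals need a firewall rule instead
        return None
    except ValueError:
        return host

def is_allowlisted(host: str) -> bool:
    """True if the host or any parent domain is on the allowlist."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in ALLOWLIST for i in range(len(parts)))

def aggregate(feeds: Dict[str, List[str]]) -> Set[str]:
    """Deduplicated set of sinkhole candidates across all feeds."""
    return {h for lines in feeds.values() for raw in lines
            if (h := normalize_domain(raw)) and not is_allowlisted(h)}

def rpz_records(hosts: Set[str], sink_ip: str = "192.0.2.1") -> List[str]:
    """RPZ local-data records pointing each domain and its subdomains at the sinkhole."""
    out = []
    for h in sorted(hosts):
        out += [f"{h} A {sink_ip}", f"*.{h} A {sink_ip}"]
    return out
```

In a live playbook the feed lists would be fetched on a schedule and the record list written to the RPZ zone file followed by a zone reload, with the allowlist check being the step that keeps a poisoned feed from turning into a self-inflicted outage.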
3. Simplified remediation playbooks
Remediation playbooks are often quite complex and involve multiple tools that take time to integrate (often by manually copying and pasting inputs from one tool to another). With so many steps needed to keep compliance, logging, documentation, and communication streamlined and structured, there is a real risk of essential steps slipping through the cracks. By leveraging a security orchestration, automation and response (SOAR) solution, you can simply plug your tools into pre-designed workflows or processes and the machines handle the rest—no human intervention required unless designated.
Additionally, there’s usually no central hub from which to view workflow progress across tools. This forces security teams to jump from tool to tool to parse through the data and generate a response manually, a process we all know is error-prone—and quite frustrating. Speed and accuracy are gold when it comes to incident response, but if information and workflows are decentralized and uncoordinated, progress and security both suffer. Thankfully, this is another area in which security orchestration and automation shines. Orchestration takes a complex set of steps and automates their execution, ensuring no step slips and reporting the status of the workflow in real time.
Automation in action: Common incident response use cases
Automation use cases are limitless; here are some of the most common ones:
Phishing attacks are the biggest security threat to companies today. For some, it’s a constant bombardment (talk about alert fatigue). Once a phishing email is detected, the next step is to delete it from every inbox in which it appeared. There is almost no situation in which you wouldn’t want to delete a phishing email, but it’s also a mundane, routine response task that often gets overshadowed by bigger ones. Security orchestration and automation can take tasks like these and put them into motion behind the scenes while your team works on the rest of the investigation and response, ensuring the email is handled and speeding up the response time.
As mentioned earlier, security orchestration and automation can easily quarantine a device to block network egress and lateral movement to other devices. User permissions may also need to be changed in order to stop a compromised account from executing malicious code, stealing data, or bringing down the site or app. Orchestration and automation can deprovision user accounts the moment a trigger event is detected, such as an escalation of privileges to admin or a malware detection. It can also aid in endpoint remediation by automatically monitoring and killing processes, as well as tracking file permissions and changes. All of this can run in the background, handling key yet tedious tasks quickly and with far greater accuracy.
Within just 30 days of a vulnerability being discovered, the chances that it will be exploited rise sharply. Security orchestration and automation can assist in patching serious vulnerabilities as soon as a fix is released, ensuring that there is no lag and closing the window in which an adversary can sneak in. You can maintain human decision points where needed, customize workflows to dynamically assemble a set of patches, and alert the IT team that they’re ready for execution.
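A minimal playbook runner, added here as an illustration (not code from the post or from any SOAR product), for the orchestration idea in the "Simplified remediation playbooks" section and the patching workflow just described: automatic steps run in order and report status, while a step marked as a human decision point pauses the playbook until it is explicitly approved. The advisory, the host inventory and the step names are constructed sample values; the deployment and notification calls are stand-ins.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class Step:
    name: str
    action: Callable[[dict], dict]   # takes and returns the playbook context
    needs_approval: bool = False     # True marks a human decision point

@dataclass
class Playbook:
    steps: List[Step]
    log: List[str] = field(default_factory=list)   # real-time status trail
    paused_at: Optional[str] = None

    def run(self, ctx: dict, approvals: Dict[str, bool]) -> dict:
        """Run steps in order; pause before any decision point not yet approved."""
        for step in self.steps:
            if step.needs_approval and not approvals.get(step.name):
                self.paused_at = step.name
                self.log.append(f"{step.name}: waiting for approval")
                return ctx
            ctx = step.action(ctx)
            self.log.append(f"{step.name}: done")
        self.paused_at = None
        return ctx

def find_vulnerable(ctx: dict) -> dict:
    adv = ctx["advisory"]
    ctx["targets"] = [h for h, pkgs in ctx["inventory"].items()
                      if pkgs.get(adv["package"]) == adv["vulnerable"]]
    return ctx

def build_patch_set(ctx: dict) -> dict:
    adv = ctx["advisory"]
    ctx["patch_set"] = [(h, adv["package"], adv["fixed"]) for h in ctx["targets"]]
    return ctx

def notify_it(ctx: dict) -> dict:
    ctx["notified"] = bool(ctx["patch_set"])   # stand-in for a ticket or chat message
    return ctx

def apply_patches(ctx: dict) -> dict:
    for host, pkg, ver in ctx["patch_set"]:
        ctx["inventory"][host][pkg] = ver      # stand-in for the real deployment call
    ctx["applied"] = list(ctx["patch_set"])
    return ctx

def run_patch_playbook(advisory: dict, inventory: dict, approvals: Optional[dict] = None):
    """Constructed patching playbook: only the apply step needs a human sign-off."""
    pb = Playbook([Step("find_vulnerable", find_vulnerable),
                   Step("build_patch_set", build_patch_set),
                   Step("notify_it", notify_it),
                   Step("apply_patches", apply_patches, needs_approval=True)])
    ctx = pb.run({"advisory": advisory, "inventory": inventory}, approvals or {})
    return ctx, pb
```

A first run stops at `apply_patches` with the patch set built and IT notified; re-running with that step approved applies the patches and reports every step as done.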
You + SOAR = Incident response at scale
Automation is best used when it’s applied strategically to offload tedious, repetitive tasks and to enable your team to make better decisions and respond to the most important matters, faster. A complement to your existing team and workflows, it can help you improve your security posture and maximize your response operations.