Cybersecurity incidents occur on a daily basis at most large organizations. This steady stream of incidents poses a challenge for incident response professionals, who must sort through them and identify appropriate courses of action. This becomes even more challenging when the number and complexity of incidents exceed the technical, financial and staff resources available to incident response teams. In this unfortunate situation, stress levels rise and significant incidents may be overlooked.
Security orchestration, automation and response (SOAR) programs promise to bring some relief for overworked incident response teams. Automating incident response activities improves the efficiency and effectiveness of incident response efforts and increases the number of incidents that a team may handle.
Let's take a look at two key benefits of automating incident response through the application of SOAR.
Enriching incident response data
Incident response is generally a time-intensive activity, requiring the direct attention of skilled, experienced responders who can apply judgment to the situation. While this work will likely continue to require skilled human analysts, SOAR programs can automatically enrich the information provided to these analysts as they conduct their work. This approach allows automated workflows to supplement alerts from security information and event management (SIEM) systems with additional information, sparing analysts the tedious and time-consuming activity of retrieving information from multiple systems.
For example, many incident response efforts begin with an alert from an intrusion detection and prevention system. After receiving these alerts, analysts triage them and often consult other systems as they seek to determine whether the alert requires further investigation or intervention. SOAR systems can improve this work by gathering additional information automatically before the analyst reviews the alert. Examples include the following:
- Obtaining reputation, ownership/registration and geolocation information about network addresses and domain names involved in the alert.
- Consulting the SIEM for log information from the targeted system, identity and access management systems, firewalls, network devices and other information sources that may be relevant to the attack.
- Triggering vulnerability scans to identify security issues on the target system that may have been exploited during the attack.
An analyst reviewing an alert could certainly perform each of these actions, but SOAR systems remove those steps, allowing analysts to simply review the results, determine whether additional action is required and move on to the next alert.
Automating incident response efforts
SOAR activities may also extend beyond assisting a human analyst to actively respond to some security incidents. In the 24/7 world of cybersecurity, prompt response is crucial to containing the damage a security incident causes. SOAR approaches to incident response may automate some or all of the incident response playbook followed by analysts in the wake of common security events.
For example, if a system on the local network demonstrates symptoms of compromise, such as reaching out to a known malware command-and-control network, the SOAR system may trigger an automated playbook response. This response may include triggering a malware scan on the target system, removing it from production networks and placing it on a quarantine network for further investigation, and scanning network traffic logs for signs of lateral compromise of other networked systems. All of these steps can take place immediately upon detection without human intervention. This rapid action serves to limit the impact of the incident and restore normal operations as quickly as possible.
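The two halves described above, enrichment of an IDS alert and an automated containment playbook for a host beaconing to a known command-and-control address, as one worked example. This is added code, not from the article or any SOAR product; the reputation table, the SIEM log lines and the action names are constructed stand-ins, and the playbook deliberately falls back to an analyst queue when the SIEM does not corroborate the alert.

```python
"""Minimal SOAR-style playbook: enrich an alert, then decide on a response.
Added example, not the article's own code; the reputation table and SIEM log
lines below are constructed stand-ins, not a real feed or real telemetry."""
from dataclasses import dataclass, field

REPUTATION = {"203.0.113.9": "known-c2", "198.51.100.7": "benign"}
SIEM_LOGS = [  # constructed flow records as a SIEM query might return them
    "host=ws-17 dst=203.0.113.9 proto=tcp dport=443 bytes=52110",
    "host=ws-17 dst=203.0.113.9 proto=tcp dport=443 bytes=48900",
    "host=ws-22 dst=203.0.113.9 proto=tcp dport=443 bytes=900",
    "host=ws-22 dst=198.51.100.7 proto=tcp dport=443 bytes=1200",
]

@dataclass
class Alert:
    host: str
    dst_ip: str
    enrichment: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)

def enrich(alert: Alert) -> Alert:
    """Step 1: gather the context an analyst would otherwise look up by hand."""
    alert.enrichment["reputation"] = REPUTATION.get(alert.dst_ip, "unknown")
    # How many SIEM records show the alerting host talking to the destination.
    alert.enrichment["siem_hits"] = sum(
        1 for line in SIEM_LOGS
        if f"host={alert.host} " in line and f"dst={alert.dst_ip} " in line)
    # Other internal hosts reaching the same destination: lateral-spread check.
    alert.enrichment["other_hosts"] = sorted({
        line.split()[0].split("=")[1] for line in SIEM_LOGS
        if f"dst={alert.dst_ip} " in line and f"host={alert.host} " not in line})
    return alert

def decide(alert: Alert) -> Alert:
    """Step 2: contain automatically only when the destination is a known C2 and
    the SIEM corroborates the beacon; everything else goes to an analyst."""
    if (alert.enrichment["reputation"] == "known-c2"
            and alert.enrichment["siem_hits"] >= 1):
        alert.actions += ["trigger_malware_scan", "move_to_quarantine_vlan"]
        alert.actions += [f"open_investigation:{h}" for h in alert.enrichment["other_hosts"]]
    else:
        alert.actions.append("queue_for_analyst")
    return alert

def run_playbook(host: str, dst_ip: str) -> Alert:
    """Full pipeline for one IDS alert: enrich, then apply the playbook."""
    return decide(enrich(Alert(host, dst_ip)))
```

In a real deployment each action name would map to an API call against the EDR, switch or ticketing system; the uncorroborated case is kept for a human so that a single feed error cannot quarantine a healthy host.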
Incident response is a difficult and time-consuming task. Security orchestration, automation and response programs provide some relief from the burden of incident response by enriching the information provided to analysts and even automating incident response actions to contain damage and remediate compromises.