Embed Size (px)
Citation preview
10 Practical Uses of SOARLearn How to Streamline Threat Response and Automate Critical Use Cases with Security Orchestration, Automation, and Response
TABLE OF CONTENTS
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
The Benefits of Automating Your SOC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4
Identifying Key SOAR Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5
Automate Phishing Email Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
Streamline Threat Hunting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
Reduce Time to Qualify and Respond to Threats with
Automatic Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Qualify and Triage Threats with Contextualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Reduce Alarm Fatigue with Use Case Automation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Streamline Your Security Operations Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Document Processes and Gather Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Protect Business Interests Beyond Security with SmartResponse Automation . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Automation Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Contain a Threat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Explore Privilege Escalation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Manage Provisioning and Deprovisioning Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
What to Consider in a SOAR Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
About . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Introduction | 3
Automation is part of our everyday lives . Yet
where security is concerned, organizations are
holding back . Some 59 percent of organizations
said they use low levels or no automation of
key security and incident response (IR) tasks,
according to a recent SANS survey .1
Despite automation’s ability to simplify and
streamline workflows, there are number of
obstacles preventing organizations from
wider-scale adoption for their security oper-
ation centers (SOCs) . Cost is one common
obstacle — automation requires an upfront
investment that may be hard to swallow,
especially if you’re uncertain about the return
on investment . Another challenge? You may
not trust automated, managed processes . After
all, varying types of automation have different
levels of risk . What’s more, you might be unsure
how to use automation .
Despite these concerns, automation can make
a difference . Automation can free your analysts
from performing routine tasks, enabling them
to focus on events that require more attention .
Automation can also improve your mean time
to detect (MTTD) and mean time to respond
(MTTR) to threats and alert you to areas where
you need to improve .
To automate your SOC, you need the right tools
to help your organization respond faster to
threats and lower the risk of human error . You
need a security orchestration, automation, and
response (SOAR) solution that integrates with
your security information and event manage-
ment (SIEM) to help your team respond faster
to threats through a unified interface .
Introduction
1 2019 SANS Automation & Integration Survey, SANS, March 2019
4 | The Benefits of Automating Your SOC
Security automation involves having one or
more security operations-related tasks run on
their own, without human intervention . This
can be a mostly manual workflow with a single
automated step, or a long, complex chain of
automated, interconnected steps . Traditionally,
automation was considered an all-or-nothing
proposition, but automation is flexible . You can
implement automation solutions at various
points of an incident response process to free
analysts from handling repetitive tasks while
maintaining human control over how they
monitor and react to alerts .
Another benefit is that automation removes the
“wait time” — the time it takes for analysts to
perform an action that a SIEM could execute .
Automation also enables security teams to
focus on more complex activities .
The Benefits of Automating Your SOC
Automating a basic set of responses (e .g .,
disabling a user account or quarantining a host)
can eliminate hours or days a threat might
remain active in an environment, reducing
your time to qualify (TTQ) and respond to a
threat . Automation can also help you protect
your organization and strengthen its resilience
through processes that you can repeat .
So, where do you get started? How do you
assess your organization’s goals and comfort
levels for automation? A good first step is to
measure and baseline . Metrics are a key part
of your cybersecurity and security operations
program . Defining metrics such as MTTD and
MTTR helps you prove effectiveness and secure
future investment . By building consistent
measurements, you can review your SOC’s
essential functions and evaluate its perfor-
mance accurately .
Identifying Key SOAR Use Cases | 5
To automate your SOC, you need a
SOAR solution that integrates with
your SIEM . A SIEM with an integrated
SOAR solution helps teams respond
to threats faster because all the
information they need is in one place .
It also reduces the chance of human
error and the time analysts spend
moving between tools because they
can all work via a unified interface .
A SOAR solution can help your
security team respond to alerts more
quickly, enabling it to focus on the
most important tasks . SOAR also
helps streamline threat investigation
and mitigation by coordinating and
automating as many steps in the
response workflow as possible .
To help you understand how SOAR
can benefit your organization, we’ve
outlined some common use cases
LogRhythm addresses .
Identifying Key SOAR Use Cases
How LogRhythm Enables SOAR
LogRhythm NextGen SIEM Platform combines patented
machine-based analytics, user and entity behavior analytics (UEBA),
network detection and response (NDR), and SOAR in a single, unified
architecture, delivered from the cloud or as an on-prem solution.
LogRhythm RespondX is a security orchestration, automation, and
response (SOAR) solution that expedites investigative workflows, saving
you time and resources. Your team can focus on more complex challenges
and work to scale your overall security operation. RespondX includes:
• Case Management
• Case Playbooks
• Contextualization
• SmartResponse Automation
• Case Metrics & Reporting
SmartResponse Automation is a capability of the LogRhythm
NextGen SIEM Platform that notifies analysts when an anomalous event
occurs. As an embedded feature in LogRhythm RespondX, SmartResponse
enables automated actions.
Machine Data Intelligence Fabric makes data more
powerful by preparing a highly consistent and predictable dataset
for accurate analytics.
10 Practical Uses of SOAR
6 | Identifying Key SOAR Use Cases
Automate Phishing Email InvestigationWhen it comes to phishing, one out of every 99 emails is a
phishing attack .2 That equates to an average of 4 .8 emails
per employee in a five-day work week .3 As phishing attempts
continue to grow, you’re likely not adequately protected .
As with most phishing attempts, threat actors try to
gain financial information or steal a user’s credentials to
access sensitive or private corporate information . But with
LogRhythm’s built-in capabilities, you can automate a work-
flow around phishing attempts and save analysts precious
time to work on other tasks .
LogRhythm’s Phishing Intelligence Engine (PIE) is an
open-source PowerShell framework that works with the
LogRhythm’s NextGen SIEM Platform, which enables you
to automatically detect phishing attacks, validate active
threats, and automate the investigation and remediation
workflow to minimize exposure time .
2 1 in 99 Emails is a Phishing Attack, What Can Your Business Do?, Small Business Trends, July 12, 20193 IBID
When it comes to
phishing, one out of
every 99 emails is
a phishing attack .
That equates to an
average of 4 .8 emails
per employee in a
five-day work week .
10 Practical Uses of SOAR
Identifying Key SOAR Use Cases | 7
LogRhythm’s PIE determines the risk level of emails by analyzing subject
lines, sender addresses, recipients, message body, links, and attach-
ments — automatically responding to threats by quarantining suspicious
emails, blocking senders, and searching for clicks .
In addition to triggering alarms on known spammers and other malicious
events based on the data, PIE enables you to employ automated actions .
For example, PIE quarantines the same phishing email if multiple people
in the company received it . With PIE, you can also change credentials and
add blocks on senders — ensuring that a specific user can no longer phish
the organization .
Figure 1: PIE automatically handles the entire workflow to investigate and respond to a phishing attack,
freeing up analysts to perform other tasks
10 Practical Uses of SOAR
8 | Identifying Key SOAR Use Cases
PIE also lets users automatically create a new Case in a SOC queue and
automate analysis tasks . Once qualified, it will pull similar emails from O365
so users can’t click on them accidentally .
Figure 3: PIE data syncs with the LogRhythm NextGen SIEM Platform to create Case files to sort forensic details related to phishing attacks
Figure 2: PIE data syncs with the LogRhythm NextGen SIEM Platform to create Case files to sort forensic
details related to phishing attacks
10 Practical Uses of SOAR
Identifying Key SOAR Use Cases | 9
LogRhythm’s Threat Hunting Automation
(THA) app combines LogRhythm’s
SmartResponse™ Automation, Machine
Data Intelligence (MDI) Fabric, and PIE to
streamline and automate the threat hunting
process . The THA app is a series of func-
tions and scripts that automates passing
collected potential indicators (e .g ., hashes,
IPs, domains, hostnames, or URLs) from
a configured threat intelligence provider
to available web-based malware analysis
databases such as VirusTotal and Open
Threat Exchange .
The app also allows you to:
• Display the results on the screen to
offer additional information
• Create a Case and add the output of
the provider to the Case for tracking
• Add the alarm as evidence into the
Case to document your findings
• Automate the investigation reading
from Elasticsearch using and creating
alarms, if needed, to accelerate threat
detection and identification
With THA, you can use excludes or includes
filters for the output to specify your needs .
While cybercriminals need only minutes to
compromise systems, it can take weeks or
even months to detect a possible threat .
To reduce the time to detect and respond
to a cyberthreat, you need a solution that
automates your threat hunting capabilities .
Threat hunting involves manual and
machine-assisted methods of searching
through networks and large datasets of
information (e .g ., threat intelligence lists) to
find threats that evade existing defenses,
such as antivirus systems, intrusion detec-
tion systems, intrusion prevention systems,
and firewalls, among others .
To maximize threat hunting, your analysts
should use automation to accelerate these
hunts to make them easier and more
accurate . It’s important to note that threat
hunting requires specific analytic skills,
such as familiarity with your organization
and its internal processes, as well as the
ability to investigate possible incidents .
Streamline Threat Hunting
10 Practical Uses of SOAR
10 | Identifying Key SOAR Use Cases
Figure 4: With THA, you can add specific details and run the app from the Command Line
10 Practical Uses of SOAR
Identifying Key SOAR Use Cases | 11
Figure 6: The app adds the evidence found as notes on the provider’s request
Through powerful APIs, LogRhythm gives you complete control of the automation lifecycle . You can
integrate the LogRhythm solution seamlessly with your current process and improve your threat
hunting capabilities .
A configuration is available to automate Case
creation and alarm integration with Kafka . A
Case will be created if the provider specified
marked this as dangerous in the indicator
status . The parameter CreateAlarm will
integrate with Kafka, a distributed streaming
platform, which will raise an alarm whenever a
malicious indicator surfaces .
With THA, you can turn evidence into notes and
add it to the Case upon request .
Figure 5: The app will create a Case if the IOC is confirmed in the
provider request
10 Practical Uses of SOAR
12 | Identifying Key SOAR Use Cases
When a threat makes its way into your envi-
ronment, you need to act fast to minimize
damage . But you first need to know that the
threat exists . While a traditional SIEM platform
features a variety of built-in methods designed
to notify users of important events, your notifi-
cations may not be as effective as you want .
To reduce response time, you need to automate
common investigation and response actions .
This is where LogRhythm SmartResponse™
Automation, an embedded feature in
LogRhythm RespondX — our SOAR solu-
tion — helps . SmartResponse, a capability of the
LogRhythm NextGen SIEM Platform, enables
automated actions . SmartResponse includes
details to help you determine next steps (i .e .,
whether you need to act fast or if you can wait
to respond) . SmartResponse actions are flex-
ible — they can be automated, approval-based,
or run by ad-hoc execution .
Figure 7: Outbound internet relay chat (IRC) alarm fires
Reduce Time to Qualify and Respond to Threats with Automatic Notification
When an alarm triggers, SmartResponse
actions fire to alert the team to the situation
and get the right people involved . This category
of SmartResponse reduces your time to qualify
(TTQ) and time to respond (TTR) to a threat .
Your analysts don’t have to check their email
or spend time logging into a web console — they
receive immediate notifications when an
incident occurs and can take action .
For example, LogRhythm AI Engine, a
component of the LogRhythm NextGen SIEM
Platform, detects the presence of outbound
internet relay chat (IRC) on your network — a
chat protocol regularly found in instances of
malware . Upon detection, a SmartResponse
fires and notifies your team about the alarm
via your security team’s Slack channel or other
communication vehicle, such as SMS or Twilio .
10 Practical Uses of SOAR
Identifying Key SOAR Use Cases | 13
Figure 8: SmartResponse delivers automated notifications via Slack
Once you qualify a threat and determine
that it is malicious, you must prevent it from
spreading . For example, you might determine
that the IRC is destined for a malicious IP
address located in an abnormal geographic
region . You can configure a SmartResponse
action to fire upon your analysts’ approval
and block traffic to the entire network range
associated with the malicious IP by interacting
with a list of hosts or ranges configured on
your firewall .
Figure 9: Ad-hoc SmartResponse
Your analysts can also use SmartResponse and
LogRhythm integrations to rapidly contain and
remediate the threat by taking action to prevent
a security incident from incurring damage .
While analysts can perform these actions
manually, using automation via LogRhythm’s
SmartResponse actions will immediate notify
you of an event or threat, and in the most
effective channel . With SmartResponse, you
can remediate threats from the SIEM and
reduce login time to a click of a button to
expedite threat response .
10 Practical Uses of SOAR
14 | Identifying Key SOAR Use Cases
Qualify and Triage Threats with Contextualization While notifications are important, they are only as good their contextual
information . To effectively detect and remediate a threat, being aware of an
alarm is not enough . You need actionable information to triage and resolve
the event . Without it, your analysts will spend time and resources searching
for this information, adding more work to their already busy schedules .
That’s where LogRhythm contextual SmartResponse actions help .
Contextual information gives analysts background information around an
alarm to enrich the quality of an alert, enabling them to make informed
decisions regarding a response .
If analysts notice an unusual occurrence in the log data, they can use
additional contextualize actions to simplify and expedite the search for more
information . Additional contextualize actions are easy to write and imple-
ment, and enable analysts to gather basic contextual information they need
to make a decision and respond to the event .
Figure 10: LogRhythm contextualize action configuration works to gather basic information
10 Practical Uses of SOAR
Identifying Key SOAR Use Cases | 15
Figure 12: Host information from ARIN
For example, if analysts encounter Windows
Event ID 4624, they won’t know the origin of
that ID . Most analysts will use a search engine
and query the unknown ID to learn more . This
means analysts have to open a new window,
search for the information needed, and navi-
gate to the appropriate third-party website to
discover more .
Figure 11: Additional contextualize action on an IP address
Additional contextual actions are a feature
of your Web Console and operate similar to
Chrome search shortcuts . With LogRhythm’s
additional contextualize actions, you can
click on Windows Event ID 4624, and a new
browser will open so you can query more
information — allowing your SIEM to search for
you . This reduces the number of clicks to get
to your information and makes it easy to run
custom searches for information in log data .
While additional contextualize actions expedite
the process of querying for basic contextual
information, LogRhythm offers contextual
SmartResponse actions that can automate this
process and perform more complex searches .
10 Practical Uses of SOAR
16 | Identifying Key SOAR Use Cases
Figure 13: LogRhythm SmartResponse Automation can help you reduce alarm fatigue
Making sense of a barrage of alarms is likely
an ongoing struggle for your analysts . Your
analysts don’t have time to investigate and
triage alarms that may turn out to be meaning-
less . Luckily, Case Automation fills the gap .
Case Automation can help you reduce alarm
fatigue by automatically aggregating similar
alarms into a single Case and providing the
context you need to make decisions fast . The
LogRhythm NextGen SIEM Platform includes
scores of prebuilt SmartResponse Automation
that provide critical threat context, effective
Case grouping, and fast triage to help you
focus on incident response .
If an alarm fires overnight, your analysts
need the right information to take action
when they arrive at work . With LogRhythm’s
SmartResponse Automation, analysts can invest
time upfront to automatically gather crucial
details and set up certain actions to save time .
Analysts may see 50 alarms for the same
campaign, but for different users . But they
don’t want to waste time investigating all of
the alarms and creating 50 Cases . Instead,
analysts can aggregate the alarms with Case
Automation, which condenses multiple alarms
and attaches the alarms to a Case automati-
cally, minimizing alarm fatigue .
Reduce Alarm Fatigue with Use Case Automation
10 Practical Uses of SOAR
Identifying Key SOAR Use Cases | 17
With SmartResponse Automation, your analysts can easily group alarms that are
from the same campaign . They can also review information that was automatically
pulled in, such as email addresses, users impacted, and notes about the alarm .
Preapproved SmartResponse Automation can automatically generate a Case, add
relevant tags and details to the Case, assign a Tier 1 analyst, and associate the
Case with the appropriate playbook to handle response .
Figure 14: SmartResponse enables you to add additional details to your Case
If analysts need to collaborate with someone else, they can add colleagues
to assist with a Case . Those added will receive notifications that they have
been added to the Case .
Figure 15: SmartResponse Automation lets you add colleagues to assist in a Case
10 Practical Uses of SOAR
18 | Identifying Key SOAR Use Cases
When it comes to protecting your organization,
your speed to detect and respond to a threat
is crucial . Measuring the time to detect and
respond to a threat is nearly just as important .
To reach a lower MTTD and MTTR, it’s essential
to streamline your organization’s security oper-
ations workflow, regardless of your industry .
For example, a large bank might use a software
as a service (SaaS) email security solution to
scan its inbound email to detect email-borne
malware and phishing attacks, but it may lack
usable log messages of such alerts .
Relying solely on email to alert to potential
incidents could be problematic . First, an
analyst must monitor an additional interface .
Secondly, an email notification increases the
risk that your analysts might not respond
quickly enough, or even worse, miss important
security alerts .
Figure 16: Malware example email shows an SaaS alert
LogRhythm uses PowerShell scripts to turn the
email alerts into a text log and uses AI Engine
to automatically send the notification . The AI
Engine rule includes a SmartResponse action
that automatically creates a Case . Case details
are instantly populated, giving analysts imme-
diate critical details .
By eliminating an additional application that
needs to be monitored and automatically
piping the alarm information into LogRhythm,
LogRhythm can reduce your MTTD and MTTR
from hours to minutes .
Streamline Your Security Operations Workflow
10 Practical Uses of SOAR
Identifying Key SOAR Use Cases | 19
Document Processes and Gather MetricsResponding quickly to a potential threat is paramount, but you need the
right tools and information to take action . LogRhythm Case Playbooks give
your SOC the capability to codify standard operating procedures . With Case
Playbooks, your analysts not only can capture their own playbooks, but
they can modify existing ones and attach company policies and procedures .
When combined with Case Metrics, these features enable your SOC to react
more efficiently and decrease MTTD and MTTR .
For example, assume a SOC analyst wants to improve how to handle suspi-
cious user activity situations . The SOC already uses a SmartResponse to
automatically open a Case when a Suspicious User Activity Alarm rings .
A global administrator downloads and imports the suspicious user activity
playbook from the LogRhythm community . This playbook covers 11 basic
steps to investigate and remediate these types of incidents:
1. Determine if you are investigating
an incident or event
2. Determine if there are any
security classifications observed
with the suspicious user activity
3. Determine if the activity is
normal for the user account
4. Determine if the user is logging in
during normal business hours
5. Determine if the user is failing
authentication or access
6. Determine if the user is
authenticating from normal
locations for that user account
7. Determine if the user is using
any new applications or new
processes observed
8. Determine if the employee is
traveling for work
9. Determine if the employee is out
of the office (vacation or sick)
10. Disable the user account
11. Provide feedback and lessons
learned to reduce chances of
incident occurring again
10 Practical Uses of SOAR
20 | Identifying Key SOAR Use Cases
If your analysts receive an alarm about this
unusual activity, they would need context
to understand the problem, determine its
severity, and fix it . Your analysts would need
to know which webpage is generating the error
message, when it was last updated, and who
updated it . With LogRhythm SmartResponse
Automation, these details are available with
notifications, which analysts receive though
their preferred medium .
If an engineer received a website error alert
with the contextual information, he or she
could quickly determine the severity of the loss
of functionality — without having to manually
triage . The engineer could also use contextual
SmartResponse Automation to determine
which code check-in was used to update the
page, when the update occurred, and which
page or resource changed . For a fast resolu-
tion, the engineer could quickly revert the page
to its most recent version to restore business
functionality and work to troubleshoot the
update at another time .
An analyst on the team identifies that he or she
needs to add the additional step of checking
if the user is a “VIP” before disabling the
account . The analyst updates the playbook,
inserting this step between nine and 10 . The
new playbook is now available for future
handling of the suspicious user activity alarms .
With the playbook in place to address these
alarms, Case Metrics for MTTD and MTTR
are available to measure the efficiency of the
process and identify areas for improvement .
For example, let’s say the metrics highlight that
step seven is a bottleneck in the process . The
organization recently deployed Carbon Black
for endpoint protection . To improve MTTR, the
team deploys a Carbon Black SmartReponse
Automation to automatically extract the
process list from the user’s potentially
impacted systems .
Protect Business Interests Beyond Security with SmartResponse AutomationBeyond security, you can use automated
responses to protect other business interests,
such as your company website . If your
company made updates to its website and
the website became infected with a bug
and impacted functionality, the site would
generate error messages .
Automation Use Cases | 21
Automation plays a pivotal role in SOAR . You can empower incident
response teams with pre-packaged, customizable automation, reducing your
time to respond from days to minutes .
Automation Use Cases
Endpoint Quarantine: Disable the
port/device that’s known to have a
suspicious device .
Suspend Users: If you suspect
an account compromise, halt a
user’s account access — no matter
the device .
Collect Machine Data: In the
case of malware, SmartResponse
can gather forensic data from the
suspicious endpoint .
Suspend Network Access: If
data exfiltration occurs, your
incident response team can close
the connection by updating your
network infrastructure’s access
control list .
Kill Processes: If an analyst
detects an unknown or blacklisted
process on a critical device,
SmartResponse can kill it .
Key Uses for Automation LogRhythm SmartResponse Automation can help you solve some of the most common issues:
10 Practical Uses of SOAR
Following are some common use cases
involving automation that can greatly reduce
your response time to potential threats .
Contain a ThreatWhen your team identifies a threat, you need to
quickly contain it to prevent lateral movement
and the threat from escalating . If the threat
involves malware, automation can help you
instantly disable a user’s account . Automation
also enables you to monitor stop processes and
keep track of any unexpected file changes .
For example, automation enables you to use
integrations with Active Directory, Azure AD,
Okta, or another IAM platform to disable a
user account and reset credentials . It also lets
you use a NAC solution or directly act on the
host to quarantine the host or take it offline
to prevent a compromise from spreading . The
benefit of using automation with LogRhythm is
that analysts don’t need to be experienced with
a third-party product — they simply approve or
issue a SmartResponse action .
Explore Privilege Escalation If your team detects suspicious activity in the
form of privilege escalations, that’s typically
a red flag that a threat exists or an attacker
is in your network . You can use automation to
determine the validity of a user and confirm if
that user has privileged access .
22 | Automation Use Cases
This might look like firing an alarm whenever
you discover suspected privilege escalation .
You can use automation to present contextual
information such as details about the account
being modified, user group information, and
the user’s manager so the analyst can quickly
determine if this is legitimate activity . If it’s not
legitimate, you can implement an automated
workflow to disable the account and reset
credentials before the attacker accesses or
exfiltrates sensitive data .
Manage Provisioning and Deprovisioning UsersManaging the permissions of user accounts
remains a struggle for many organizations .
The problem? Security teams are already
busy handling other issues . Adding users with
different roles and privileges can be tedious
and time consuming . By adding automation
capabilities, your team can quickly add or
remove user accounts to keep systems and
data safe from threats .
With LogRhythm, you could easily build
onboarding and offboarding playbooks for
different roles . When a request comes in, you
can create a Case and assign the relevant
playbook . You can use SmartResponse
automation to create or disable accounts
in third-party resources, and use the
playbook to ensure employees are following
company procedures .
What to Consider in a SOAR Solution | 23
What to Consider in a SOAR Solution
• A Sophisticated Dashboard: Find a SOAR solution with a dashboard
that is sophisticated, yet easy to use .
• Central Evidence Repository: An effective SOAR solution accepts
evidence from a variety of sources that you can search and allows
analysts to easily share evidence with each other while preventing
information from being exposed to attackers .
• Customizable Workflows: A good SOAR solution should integrate
with existing infrastructure components, enabling teams to develop
custom workflows that capture the anomalies that are hidden within
the organization .
Choosing the right SOAR solution for your SOC can make the difference
between establishing a mature, well-run organization that makes measur-
able improvements in detection and response times and settling for modest
improvements that are inconsistent or wasteful .
Beyond making your security analyst’s job easier and automating workflows
to accelerate threat detection and investigation, SOAR also provides a
framework for metrics to help you evaluate the SOC and enable continuous
training and improvement . When exploring SOAR, an effective SOAR solu-
tion should contain the following criteria:
10 Practical Uses of SOAR
24 | What to Consider in a SOAR Solution
• Playbooks: Guided workflows within a SOAR solution play
a key role in enabling analysts to respond to and remediate
threats from a single platform increase efficiency and efficacy
when every second counts .
• Data Enrichment: SOAR capabilities should have extensive
capabilities for incorporating context-enriching data into an
investigation to facilitate decision making .
• Library of Automated Responses: An extensive library of
out-of-the-box automated responses to threats provides conti-
nuity across threat detection and response workflow without
the need for APIs or custom integration work .
• APIs and Integrations: A SIEM with SOAR capabilities must
be able to integrate with current and future technologies
inside and outside the IT environment . As such, a SOAR solu-
tion should provide APIs and a range of integrations across
multiple vendors and technologies .
• Ease of Use: A SOAR solution should be easy to operate
and manage, with one-click functionality for common
tasks like Case creation and threat intelligence lookup .
• Embedded SOAR Capabilities: A SIEM with integrated
SOAR enables a SOC to optimize the efficiency gains it real-
izes from SOAR .
CONCLUSIONIf your organization is still relying on manual
processes to detect incidents, your analysts
are likely struggling to address each and
every alarm . With the increasing volume of
threats and incidents coming your way, you
need a better solution . SOAR can help .
By properly outlining your processes on
paper, you can create playbooks to reflect
those processes and then decide which you
can automate . A SOAR solution can help
you remove analysts’ menial tasks, which
will keep them happier and more engaged .
It can also accelerate onboarding because it
doesn’t require analysts to be experts in all
of your organization’s technologies .
SOAR can also help you streamline your
security operations team’s ability to detect
and respond to threats faster, quantify key
performance indicators such as MTTD and
MTTR, and minimize damage from a poten-
tial incident . Once a procedure is defined,
you should have the ability to gather metrics
that show where you need to improve .
Preapproved playbooks can help you find
the areas where to improve organizational
deficiencies most effectively . If you choose
a SOAR solution well, automation can be a
valuable tool for your team to help it focus
on more important work, without getting
lost in manual, tedious tasks .
Curious about how LogRhythm can help you? Let one of our experts
show you. Schedule a demo today. www.logrhythm.com/demo
26 | About
About LogRhythm
LogRhythm is a world leader in NextGen SIEM, empowering thousands of
enterprises on six continents to successfully reduce cyber and operational
risk by rapidly detecting, responding to and neutralizing damaging
cyberthreats . The LogRhythm NextGen SIEM Platform combines advanced
security analytics; user and entity behavior analytics (UEBA); network
detection and response (NDR); and security orchestration, automation, and
response (SOAR) in a single end-to-end solution . LogRhythm’s technology
serves as the foundation for the world’s most modern enterprise security
operations centers (SOCs), helping customers measurably secure their
cloud, physical, and virtual infrastructures for both IT and OT environments .
Built for security professionals by security professionals, the LogRhythm
NextGen SIEM Platform has won countless customer and industry
accolades . For more information, visit logrhythm .com .
1 .866 .384 .0713 // info@logrhythm .com // 4780 Pearl East Circle, Boulder CO, 80301
