Practical use cases for SOAR
Learn how to streamline threat response and automate critical use cases with security orchestration, automation, and response
TABLE OF CONTENTS
Introduction (page 3)
The benefits of automating your SOC (page 4)
Identifying key SOAR use cases (page 5)
  Automate phishing email investigation (page 6)
  Streamline threat hunting (page 9)
  Reduce time to qualify and respond to threats with automatic notification (page 12)
  Qualify and triage threats with contextualisation (page 14)
  Reduce alarm fatigue with use case automation (page 16)
  Streamline your security operations workflow (page 18)
  Document processes and gather metrics (page 19)
  Protect business interests beyond security with SmartResponse Automation (page 20)
Automation use cases (page 21)
  Contain a threat (page 22)
  Explore privilege escalation (page 22)
  Manage provisioning and deprovisioning users (page 22)
What to consider in a SOAR solution (page 23)
Conclusion (page 25)
About (page 26)
Introduction
Automation is part of our everyday lives. Yet where security is concerned, organisations are holding back. Some 59 per cent of organisations said they use low levels or no automation of key security and incident response (IR) tasks, according to a recent SANS survey [1].

Despite automation’s ability to simplify and streamline workflows, there are a number of obstacles preventing organisations from wider-scale adoption for their security operation centres (SOCs). Cost is one common obstacle — automation requires an upfront investment that may be hard to swallow, especially if you’re uncertain about the return on investment. Another challenge? You may not trust automated, managed processes. After all, varying types of automation have different levels of risk. What’s more, you might be unsure how to use automation.

Despite these concerns, automation can make a difference. Automation can free your analysts from performing routine tasks, enabling them to focus on events that require more attention. Automation can also improve your mean time to detect (MTTD) and mean time to respond (MTTR) to threats and alert you to areas where you need to improve.

To automate your SOC, you need the right tools to help your organisation respond faster to threats and lower the risk of human error. You need a security orchestration, automation, and response (SOAR) solution that integrates with your security information and event management (SIEM) to help your team respond faster to threats through a unified interface.
[1] 2019 SANS Automation & Integration Survey, SANS, March 2019
The benefits of automating your SOC

Security automation involves having one or more security operations-related tasks run on their own, without human intervention. This can be a mostly manual workflow with a single automated step, or a long, complex chain of automated, interconnected steps. Traditionally, automation was considered an all-or-nothing proposition, but automation is flexible. You can implement automation solutions at various points of an incident response process to free analysts from handling repetitive tasks while maintaining human control over how they monitor and react to alerts.

Another benefit is that automation removes the “wait time” — the time it takes for analysts to perform an action that a SIEM could execute. Automation also enables security teams to focus on more complex activities.

Automating a basic set of responses (e.g. disabling a user account or quarantining a host) can eliminate hours or days a threat might remain active in an environment, reducing your time to qualify (TTQ) and respond to a threat. Automation can also help you protect your organisation and strengthen its resilience through processes that you can repeat.

So, where do you get started? How do you assess your organisation’s goals and comfort levels for automation? A good first step is to measure and baseline. Metrics are a key part of your cybersecurity and security operations program. Defining metrics such as MTTD and MTTR helps you prove effectiveness and secure future investment. By building consistent measurements, you can review your SOC’s essential functions and evaluate its performance accurately.
Identifying key SOAR use cases

To automate your SOC, you need a SOAR solution that integrates with your SIEM. A SIEM with an integrated SOAR solution helps teams respond to threats faster because all the information they need is in one place. It also reduces the chance of human error and the time analysts spend moving between tools because they can all work via a unified interface.

A SOAR solution can help your security team respond to alerts more quickly, enabling it to focus on the most important tasks. SOAR also helps streamline threat investigation and mitigation by coordinating and automating as many steps in the response workflow as possible.

To help you understand how SOAR can benefit your organisation, we’ve outlined some common use cases LogRhythm addresses.

How LogRhythm enables SOAR

LogRhythm NextGen SIEM Platform combines patented machine-based analytics, user and entity behaviour analytics (UEBA), network detection and response (NDR), and SOAR in a single, unified architecture, delivered from the cloud or as an on-prem solution.

LogRhythm RespondX is a security orchestration, automation, and response (SOAR) solution that expedites investigative workflows, saving you time and resources. Your team can focus on more complex challenges and work to scale your overall security operation. RespondX includes:
• Case Management
• Case Playbooks
• Contextualisation
• SmartResponse Automation
• Case Metrics & Reporting

SmartResponse Automation is a capability of the LogRhythm NextGen SIEM Platform that notifies analysts when an anomalous event occurs. As an embedded feature in LogRhythm RespondX, SmartResponse enables automated actions.

Machine Data Intelligence Fabric makes data more powerful by preparing a highly consistent and predictable dataset for accurate analytics.
10 practical uses of SOAR
Automate phishing email investigation

When it comes to phishing, one out of every 99 emails is a phishing attack [2]. That equates to an average of 4.8 emails per employee in a five-day work week [3]. As phishing attempts continue to grow, you’re likely not adequately protected.

As with most phishing attempts, threat actors try to gain financial information or steal a user’s credentials to access sensitive or private corporate information. But with LogRhythm’s built-in capabilities, you can automate a workflow around phishing attempts and save analysts precious time to work on other tasks.

LogRhythm’s Phishing Intelligence Engine (PIE) is an open-source PowerShell framework that works with the LogRhythm NextGen SIEM Platform, which enables you to automatically detect phishing attacks, validate active threats, and automate the investigation and remediation workflow to minimise exposure time.

[2] 1 in 99 Emails is a Phishing Attack, What Can Your Business Do?, Small Business Trends, July 12, 2019
[3] Ibid.
LogRhythm’s PIE determines the risk level of emails by analysing subject lines, sender addresses, recipients, message body, links, and attachments — automatically responding to threats by quarantining suspicious emails, blocking senders, and searching for clicks.

In addition to triggering alarms on known spammers and other malicious events based on the data, PIE enables you to employ automated actions. For example, PIE quarantines the same phishing email if multiple people in the company received it. With PIE, you can also change credentials and add blocks on senders — ensuring that a specific user can no longer phish the organisation.

Figure 1: PIE automatically handles the entire workflow to investigate and respond to a phishing attack, freeing up analysts to perform other tasks
PIE also lets users automatically create a new Case in a SOC queue and automate analysis tasks. Once qualified, it will pull similar emails from O365 so users can’t click on them accidentally.

Figure 2: PIE data syncs with the LogRhythm NextGen SIEM Platform to create Case files to sort forensic details related to phishing attacks

Figure 3: PIE data syncs with the LogRhythm NextGen SIEM Platform to create Case files to sort forensic details related to phishing attacks
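The triage logic described above (analyse sender, subject, body links and attachments; decide whether to quarantine, block the sender and search for clicks; then find copies of the same email in other mailboxes) as an added worked example. This is illustration code written for this page in Python rather than PIE’s PowerShell; it is not PIE or LogRhythm code, and the mailboxes, the look-alike domain examp1e-support.com, the scoring weights and the thresholds are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample data: three mailboxes, one lure delivered to two of them.
# examp1e-support.com is a made-up look-alike of the internal domain.
INTERNAL_DOMAIN = "example.com"
MAILBOXES = {
    "alice@example.com": [
        {"id": "m1", "from": "IT Helpdesk <helpdesk@examp1e-support.com>",
         "subject": "Action required: password expires today",
         "body": "Reset now: http://examp1e-support.com/reset?u=alice",
         "attachments": []},
        {"id": "m2", "from": "Bob <bob@example.com>",
         "subject": "Lunch?", "body": "Noon works for me.", "attachments": []},
    ],
    "carol@example.com": [
        {"id": "m3", "from": "IT Helpdesk <helpdesk@examp1e-support.com>",
         "subject": "ACTION REQUIRED: Password expires today",
         "body": "Reset now: http://examp1e-support.com/reset?u=carol",
         "attachments": ["invoice.pdf.exe"]},
    ],
}

RISKY_EXT = {"exe", "js", "scr", "hta", "vbs", "lnk"}          # constructed list
URGENCY = re.compile(r"action required|verify your|suspended|expires? today", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
IMPERSONATION = re.compile(r"helpdesk|it support|administrator|payroll", re.I)


@dataclass
class Verdict:
    risk: str                       # low / medium / high
    score: int
    reasons: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def sender_domain(from_header):
    """Domain of the address inside <...>, or of a bare address."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header
    return addr.rsplit("@", 1)[-1].strip().lower()


def triage_email(msg):
    """Score one message on the signals a phishing engine inspects and map the
    score to the automated actions a playbook would take (weights are constructed)."""
    score, reasons = 0, []
    dom = sender_domain(msg["from"])
    if dom != INTERNAL_DOMAIN and IMPERSONATION.search(msg["from"]):
        score += 3
        reasons.append(f"internal-looking display name from external domain {dom}")
    if URGENCY.search(msg["subject"]):
        score += 2
        reasons.append("urgency language in subject")
    for url in URL_RE.findall(msg["body"]):
        host = (urlparse(url).hostname or "").lower()
        if host != INTERNAL_DOMAIN and not host.endswith("." + INTERNAL_DOMAIN):
            score += 2
            reasons.append(f"link to external host {host}")
    for name in msg["attachments"]:
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXT:
            score += 4
            reasons.append(f"executable attachment {name}")
    risk = "high" if score >= 5 else "medium" if score >= 3 else "low"
    actions = {"high": ["quarantine", "block_sender", "search_clicks", "open_case"],
               "medium": ["open_case"], "low": []}[risk]
    return Verdict(risk, score, reasons, actions)


def campaign_key(msg):
    """Sender domain plus a case/whitespace-normalised subject identifies one campaign."""
    subject = re.sub(r"\s+", " ", msg["subject"]).strip().lower()
    return sender_domain(msg["from"]), subject


def find_similar(mailboxes, msg):
    """Find copies of msg in every other mailbox (the 'pull similar emails' step),
    so they can be quarantined before anyone clicks."""
    key = campaign_key(msg)
    return [(owner, m["id"]) for owner, msgs in mailboxes.items()
            for m in msgs if m["id"] != msg["id"] and campaign_key(m) == key]


if __name__ == "__main__":
    lure = MAILBOXES["alice@example.com"][0]
    print(triage_email(lure))
    print(find_similar(MAILBOXES, lure))
```

The similarity key deliberately ignores subject casing and spacing, since lures are frequently sent with trivial variations; a real deployment would also key on the message body hash or the embedded URL so that a campaign with rotating subjects is still grouped.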
Streamline threat hunting

While cybercriminals need only minutes to compromise systems, it can take weeks or even months to detect a possible threat. To reduce the time to detect and respond to a cyberthreat, you need a solution that automates your threat hunting capabilities.

Threat hunting involves manual and machine-assisted methods of searching through networks and large datasets of information (e.g. threat intelligence lists) to find threats that evade existing defences, such as antivirus systems, intrusion detection systems, intrusion prevention systems, and firewalls, among others.

To maximise threat hunting, your analysts should use automation to accelerate these hunts to make them easier and more accurate. It’s important to note that threat hunting requires specific analytic skills, such as familiarity with your organisation and its internal processes, as well as the ability to investigate possible incidents.

LogRhythm’s Threat Hunting Automation (THA) app combines LogRhythm’s SmartResponse™ Automation, Machine Data Intelligence (MDI) Fabric, and PIE to streamline and automate the threat hunting process. The THA app is a series of functions and scripts that automates passing collected potential indicators (e.g. hashes, IPs, domains, hostnames, or URLs) from a configured threat intelligence provider to available web-based malware analysis databases such as VirusTotal and Open Threat Exchange.

The app also allows you to:
• Display the results on the screen to offer additional information
• Create a Case and add the output of the provider to the Case for tracking
• Add the alarm as evidence into the Case to document your findings
• Automate the investigation by reading from Elasticsearch and creating alarms, if needed, to accelerate threat detection and identification

With THA, you can use exclude or include filters on the output to specify your needs.
Figure 4: With THA, you can add specific details and run the app from the Command Line
Through powerful APIs, LogRhythm gives you complete control of the automation lifecycle. You can integrate the LogRhythm solution seamlessly with your current process and improve your threat hunting capabilities.

A configuration is available to automate Case creation and alarm integration with Kafka. A Case will be created if the provider marked this as dangerous in the indicator status. The parameter CreateAlarm will integrate with Kafka, a distributed streaming platform, which will raise an alarm whenever a malicious indicator surfaces.

With THA, you can turn evidence into notes and add it to the Case upon request.

Figure 5: The app will create a Case if the IOC is confirmed in the provider request

Figure 6: The app adds the evidence found as notes on the provider’s request
Reduce time to qualify and respond to threats with automatic notification

When a threat makes its way into your environment, you need to act fast to minimise damage. But you first need to know that the threat exists. While a traditional SIEM platform features a variety of built-in methods designed to notify users of important events, your notifications may not be as effective as you want.

To reduce response time, you need to automate common investigation and response actions. This is where LogRhythm SmartResponse™ Automation, an embedded feature in LogRhythm RespondX — our SOAR solution — helps. SmartResponse, a capability of the LogRhythm NextGen SIEM Platform, enables automated actions. SmartResponse includes details to help you determine next steps (i.e. whether you need to act fast or if you can wait to respond). SmartResponse actions are flexible — they can be automated, approval-based, or run by ad-hoc execution.

When an alarm triggers, SmartResponse actions fire to alert the team to the situation and get the right people involved. This category of SmartResponse reduces your time to qualify (TTQ) and time to respond (TTR) to a threat. Your analysts don’t have to check their email or spend time logging into a web console — they receive immediate notifications when an incident occurs and can take action.

For example, LogRhythm AI Engine, a component of the LogRhythm NextGen SIEM Platform, detects the presence of outbound internet relay chat (IRC) on your network — a chat protocol regularly found in instances of malware. Upon detection, a SmartResponse fires and notifies your team about the alarm via your security team’s Slack channel or other communication vehicle, such as SMS or Twilio.

Figure 7: Outbound internet relay chat (IRC) alarm fires
Figure 8: SmartResponse delivers automated notifications via Slack
Once you qualify a threat and determine that it is malicious, you must prevent it from spreading. For example, you might determine that the IRC is destined for a malicious IP address located in an abnormal geographic region. You can configure a SmartResponse action to fire upon your analysts’ approval and block traffic to the entire network range associated with the malicious IP by interacting with a list of hosts or ranges configured on your firewall.

Figure 9: Ad-hoc SmartResponse

Your analysts can also use SmartResponse and LogRhythm integrations to rapidly contain and remediate the threat by taking action to prevent a security incident from incurring damage.

While analysts can perform these actions manually, using automation via LogRhythm’s SmartResponse actions will immediately notify you of an event or threat, and in the most effective channel. With SmartResponse, you can remediate threats from the SIEM and reduce login time to a click of a button to expedite threat response.
Qualify and triage threats with contextualisation

While notifications are important, they are only as good as their contextual information. To effectively detect and remediate a threat, being aware of an alarm is not enough. You need actionable information to triage and resolve the event. Without it, your analysts will spend time and resources searching for this information, adding more work to their already busy schedules.

That’s where LogRhythm contextual SmartResponse actions help. Contextual information gives analysts background information around an alarm to enrich the quality of an alert, enabling them to make informed decisions regarding a response.

If analysts notice an unusual occurrence in the log data, they can use additional contextualise actions to simplify and expedite the search for more information. Additional contextualise actions are easy to write and implement, and enable analysts to gather basic contextual information they need to make a decision and respond to the event.

Figure 10: LogRhythm contextualise action configuration works to gather basic information
For example, if analysts encounter Windows Event ID 4624, they won’t know the origin of that ID. Most analysts will use a search engine and query the unknown ID to learn more. This means analysts have to open a new window, search for the information needed, and navigate to the appropriate third-party website to discover more.

Additional contextual actions are a feature of your Web Console and operate similarly to Chrome search shortcuts. With LogRhythm’s additional contextualise actions, you can click on Windows Event ID 4624, and a new browser window will open so you can query more information — allowing your SIEM to search for you. This reduces the number of clicks to get to your information and makes it easy to run custom searches for information in log data. While additional contextualise actions expedite the process of querying for basic contextual information, LogRhythm offers contextual SmartResponse actions that can automate this process and perform more complex searches.

Figure 11: Additional contextualise action on an IP address

Figure 12: Host information from ARIN
Reduce alarm fatigue with use case automation

Making sense of a barrage of alarms is likely an ongoing struggle for your analysts. Your analysts don’t have time to investigate and triage alarms that may turn out to be meaningless. Luckily, Case Automation fills the gap.

Case Automation can help you reduce alarm fatigue by automatically aggregating similar alarms into a single Case and providing the context you need to make decisions fast. The LogRhythm NextGen SIEM Platform includes scores of prebuilt SmartResponse Automation that provide critical threat context, effective Case grouping, and fast triage to help you focus on incident response.

If an alarm fires overnight, your analysts need the right information to take action when they arrive at work. With LogRhythm’s SmartResponse Automation, analysts can invest time upfront to automatically gather crucial details and set up certain actions to save time.

Analysts may see 50 alarms for the same campaign, but for different users. But they don’t want to waste time investigating all of the alarms and creating 50 Cases. Instead, analysts can aggregate the alarms with Case Automation, which condenses multiple alarms and attaches the alarms to a Case automatically, minimising alarm fatigue.

Figure 13: LogRhythm SmartResponse Automation can help you reduce alarm fatigue
With SmartResponse Automation, your analysts can easily group alarms that are from the same campaign. They can also review information that was automatically pulled in, such as email addresses, users impacted, and notes about the alarm. Preapproved SmartResponse Automation can automatically generate a Case, add relevant tags and details to the Case, assign a Tier 1 analyst, and associate the Case with the appropriate playbook to handle response.

Figure 14: SmartResponse enables you to add additional details to your Case

If analysts need to collaborate with someone else, they can add colleagues to assist with a Case. Those added will receive notifications that they have been added to the Case.

Figure 15: SmartResponse Automation lets you add colleagues to assist in a Case
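The aggregation described in this section (50 alarms from one campaign folded into a single Case that records the users impacted, gets a Tier 1 assignee and is linked to a playbook) as an added worked example. This is illustration code written for this page, not LogRhythm Case Automation; the alarm feed, the rule names, the rule-to-playbook mapping, the 24-hour grouping window and the priority rule are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed alarm feed: 50 phishing alarms from one campaign, one per user,
# plus an unrelated outbound IRC alarm. Times and addresses are made up.
T0 = datetime(2024, 1, 15, 2, 0)
ALARMS = [
    {"id": i, "rule": "Phishing: credential lure",
     "sender": "helpdesk@examp1e-support.com",
     "subject": "Action required: password expires today",
     "user": f"user{i:02d}@example.com", "time": T0 + timedelta(minutes=i)}
    for i in range(50)
] + [
    {"id": 99, "rule": "Outbound IRC", "sender": None, "subject": None,
     "user": "host42", "time": T0 + timedelta(hours=1)},
]

PLAYBOOK_FOR_RULE = {           # constructed mapping: alarm rule -> playbook
    "Phishing: credential lure": "Phishing response",
    "Outbound IRC": "Malware C2 investigation",
}


def campaign_key(alarm):
    """Alarms that belong together: same rule plus same sender/subject (when present)."""
    subject = (alarm["subject"] or "").strip().lower()
    return (alarm["rule"], alarm["sender"] or "", subject)


def aggregate(alarms, window=timedelta(hours=24)):
    """Fold a stream of alarms into Cases.

    Alarms sharing a campaign key and arriving within `window` of the Case's
    last alarm join that Case; otherwise a new Case is opened. Cases are
    returned in order of their first alarm."""
    cases, open_cases = [], {}
    for a in sorted(alarms, key=lambda x: x["time"]):
        key = campaign_key(a)
        case = open_cases.get(key)
        if case is None or a["time"] - case["last_seen"] > window:
            case = {"rule": a["rule"], "key": key, "alarm_ids": [], "users": set(),
                    "first_seen": a["time"], "last_seen": a["time"],
                    "assignee": "tier1-queue",
                    "playbook": PLAYBOOK_FOR_RULE.get(a["rule"], "Generic triage")}
            cases.append(case)
            open_cases[key] = case
        case["alarm_ids"].append(a["id"])
        case["users"].add(a["user"])
        case["last_seen"] = a["time"]
    for c in cases:
        # Breadth of impact drives priority: a lure that reached many users
        # outranks a single alarm, which is the first thing an analyst needs to see.
        c["priority"] = "high" if len(c["users"]) >= 10 else "medium"
    return cases


if __name__ == "__main__":
    for c in aggregate(ALARMS):
        print(f"{c['rule']:28} alarms={len(c['alarm_ids']):3} users={len(c['users']):3} "
              f"priority={c['priority']} playbook={c['playbook']}")
```

The grouping window matters: set it too short and a slow campaign fragments into many Cases (the 51-Case result in the test below), set it too long and two separate campaigns from the same sender merge. Keying on sender and normalised subject rather than on rule name alone is what keeps two different lures from the same rule apart.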
Streamline your security operations workflow

When it comes to protecting your organisation, your speed to detect and respond to a threat is crucial. Measuring the time to detect and respond to a threat is nearly just as important. To reach a lower MTTD and MTTR, it’s essential to streamline your organisation’s security operations workflow, regardless of your industry.

For example, a large bank might use a software as a service (SaaS) email security solution to scan its inbound email to detect email-borne malware and phishing attacks, but it may lack usable log messages of such alerts. Relying solely on email to alert to potential incidents could be problematic. First, an analyst must monitor an additional interface. Secondly, an email notification increases the risk that your analysts might not respond quickly enough, or even worse, miss important security alerts.

Figure 16: Malware example email shows a SaaS alert

LogRhythm uses PowerShell scripts to turn the email alerts into a text log and uses AI Engine to automatically send the notification. The AI Engine rule includes a SmartResponse action that automatically creates a Case. Case details are instantly populated, giving analysts immediate critical details.

By eliminating an additional application that needs to be monitored and automatically piping the alarm information into LogRhythm, LogRhythm can reduce your MTTD and MTTR from hours to minutes.
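The step this section leaves implicit, turning a vendor’s alert email into a text log line a SIEM can ingest, as an added worked example. This is illustration code written for this page in Python rather than the PowerShell the page mentions, and it is not LogRhythm’s script; the alert email, the vendor name, the field names and the key=value output format are all constructed for the example.

```python
import email
import re
from datetime import datetime, timezone
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample of the kind of alert a SaaS mail-security service sends by
# email. The vendor, addresses, attachment name and verdict string are made up.
SAMPLE_ALERT = """\
From: alerts@mail-security.example.net
To: soc@example.com
Subject: [MailSec] Malware detected - quarantined
Date: Mon, 15 Jan 2024 09:14:02 +0000
Content-Type: text/plain; charset=utf-8

Alert type: Malware
Recipient: carol@example.com
Sender: billing@invoices-now.invalid
Attachment: invoice_0114.pdf.exe
Verdict: Trojan.GenericKD (quarantined)
Message-ID: <abc123@invoices-now.invalid>
"""

REQUIRED = ("alert_type", "recipient", "sender")        # fields a usable alert must carry
FIELD_RE = re.compile(r"^\s*([A-Za-z][\w -]*?)\s*:\s*(.+?)\s*$")


def parse_alert(raw):
    """Turn one alert email into a flat dict: a UTC timestamp, the subject, and
    every 'Key: value' line of the body with the key lower-cased and snake_cased."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg["Date"]:
        ts = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)
    else:
        ts = datetime.now(timezone.utc)
    rec = {"ts": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "subject": msg["Subject"] or ""}
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    for line in body.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key = re.sub(r"[^a-z0-9]+", "_", m.group(1).lower()).strip("_")
            rec[key] = m.group(2)
    return rec


def _q(value):
    """Quote a value for key="value" logging, escaping backslashes and quotes
    so a crafted subject line cannot inject extra fields."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_log_line(rec):
    """Render the parsed alert as one key=value line for the SIEM.

    An alert lacking the required fields still produces a line, flagged as a
    parse failure, so a format change at the vendor shows up as an event
    instead of silently dropping alerts."""
    missing = [k for k in REQUIRED if k not in rec]
    if missing:
        return (f"ts={rec['ts']} source=mailsec_saas event=alert_parse_failure "
                f"missing={','.join(missing)} subject={_q(rec.get('subject', ''))}")
    parts = [f"ts={rec['ts']}", "source=mailsec_saas", "event=email_alert"]
    parts += [f"{k}={_q(v)}" for k, v in rec.items() if k != "ts"]
    return " ".join(parts)


if __name__ == "__main__":
    print(to_log_line(parse_alert(SAMPLE_ALERT)))
```

Two choices here are the ones that matter operationally: timestamps are normalised to UTC from the email’s own Date header, so the SIEM measures detection time from when the vendor raised the alert rather than when the mailbox was polled, and values are quoted and escaped, so the sender-controlled subject line cannot smuggle a fake `verdict=` field into the log.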
Document processes and gather metrics

Responding quickly to a potential threat is paramount, but you need the right tools and information to take action. LogRhythm Case Playbooks give your SOC the capability to codify standard operating procedures. With Case Playbooks, your analysts not only can capture their own playbooks, but they can modify existing ones and attach company policies and procedures. When combined with Case Metrics, these features enable your SOC to react more efficiently and decrease MTTD and MTTR.

For example, assume a SOC analyst wants to improve how to handle suspicious user activity situations. The SOC already uses a SmartResponse to automatically open a Case when a Suspicious User Activity Alarm rings. A global administrator downloads and imports the suspicious user activity playbook from the LogRhythm community. This playbook covers 11 basic steps to investigate and remediate these types of incidents:

1. Determine if you are investigating an incident or event
2. Determine if there are any security classifications observed with the suspicious user activity
3. Determine if the activity is normal for the user account
4. Determine if the user is logging in during normal business hours
5. Determine if the user is failing authentication or access
6. Determine if the user is authenticating from normal locations for that user account
7. Determine if the user is using any new applications or new processes observed
8. Determine if the employee is traveling for work
9. Determine if the employee is out of the office (vacation or sick)
10. Disable the user account
11. Provide feedback and lessons learned to reduce chances of incident occurring again
An analyst on the team identifies that he or she needs to add the additional step of checking if the user is a “VIP” before disabling the account. The analyst updates the playbook, inserting this step between nine and 10. The new playbook is now available for future handling of the suspicious user activity alarms.

With the playbook in place to address these alarms, Case Metrics for MTTD and MTTR are available to measure the efficiency of the process and identify areas for improvement. For example, let’s say the metrics highlight that step seven is a bottleneck in the process. The organisation recently deployed Carbon Black for endpoint protection. To improve MTTR, the team deploys a Carbon Black SmartResponse Automation to automatically extract the process list from the user’s potentially impacted systems.

Protect business interests beyond security with SmartResponse Automation

Beyond security, you can use automated responses to protect other business interests, such as your company website. If your company made updates to its website and the website became infected with a bug and impacted functionality, the site would generate error messages.

If your analysts receive an alarm about this unusual activity, they would need context to understand the problem, determine its severity, and fix it. Your analysts would need to know which webpage is generating the error message, when it was last updated, and who updated it. With LogRhythm SmartResponse Automation, these details are available with notifications, which analysts receive through their preferred medium.

If an engineer received a website error alert with the contextual information, he or she could quickly determine the severity of the loss of functionality — without having to manually triage. The engineer could also use contextual SmartResponse Automation to determine which code check-in was used to update the page, when the update occurred, and which page or resource changed. For a fast resolution, the engineer could quickly revert the page to its most recent version to restore business functionality and work to troubleshoot the update at another time.
Automation use cases

Automation plays a pivotal role in SOAR. You can empower incident response teams with pre-packaged, customisable automation, reducing your time to respond from days to minutes.

Key uses for automation

LogRhythm SmartResponse Automation can help you solve some of the most common issues:
• Endpoint Quarantine: Disable the port/device that’s known to have a suspicious device.
• Suspend Users: If you suspect an account compromise, halt a user’s account access — no matter the device.
• Collect Machine Data: In the case of malware, SmartResponse can gather forensic data from the suspicious endpoint.
• Suspend Network Access: If data exfiltration occurs, your incident response team can close the connection by updating your network infrastructure’s access control list.
• Kill Processes: If an analyst detects an unknown or blacklisted process on a critical device, SmartResponse can kill it.

Following are some common use cases involving automation that can greatly reduce your response time to potential threats.
Contain a threat

When your team identifies a threat, you need to quickly contain it to prevent lateral movement and the threat from escalating. If the threat involves malware, automation can help you instantly disable a user’s account. Automation also enables you to monitor and stop processes and keep track of any unexpected file changes.

For example, automation enables you to use integrations with Active Directory, Azure AD, Okta, or another IAM platform to disable a user account and reset credentials. It also lets you use a NAC solution or directly act on the host to quarantine the host or take it offline to prevent a compromise from spreading. The benefit of using automation with LogRhythm is that analysts don’t need to be experienced with a third-party product — they simply approve or issue a SmartResponse action.
Explore privilege escalation

If your team detects suspicious activity in the form of privilege escalations, that’s typically a red flag that a threat exists or an attacker is in your network. You can use automation to determine the validity of a user and confirm if that user has privileged access.

This might look like firing an alarm whenever you discover suspected privilege escalation. You can use automation to present contextual information such as details about the account being modified, user group information, and the user’s manager so the analyst can quickly determine if this is legitimate activity. If it’s not legitimate, you can implement an automated workflow to disable the account and reset credentials before the attacker accesses or exfiltrates sensitive data.
Manage provisioning and deprovisioning users

Managing the permissions of user accounts remains a struggle for many organisations. The problem? Security teams are already busy handling other issues. Adding users with different roles and privileges can be tedious and time consuming. By adding automation capabilities, your team can quickly add or remove user accounts to keep systems and data safe from threats.

With LogRhythm, you could easily build onboarding and offboarding playbooks for different roles. When a request comes in, you can create a Case and assign the relevant playbook. You can use SmartResponse automation to create or disable accounts in third-party resources, and use the playbook to ensure employees are following company procedures.
What to consider in a SOAR solution

Choosing the right SOAR solution for your SOC can make the difference between establishing a mature, well-run organisation that makes measurable improvements in detection and response times and settling for modest improvements that are inconsistent or wasteful.

Beyond making your security analyst’s job easier and automating workflows to accelerate threat detection and investigation, SOAR also provides a framework for metrics to help you evaluate the SOC and enable continuous training and improvement. When exploring SOAR, an effective SOAR solution should meet the following criteria:

• A Sophisticated Dashboard: Find a SOAR solution with a dashboard that is sophisticated, yet easy to use.
• Central Evidence Repository: An effective SOAR solution accepts evidence from a variety of sources that you can search and allows analysts to easily share evidence with each other while preventing information from being exposed to attackers.
• Customisable Workflows: A good SOAR solution should integrate with existing infrastructure components, enabling teams to develop custom workflows that capture the anomalies that are hidden within the organisation.
• Playbooks: Guided workflows within a SOAR solution play a key role in enabling analysts to respond to and remediate threats from a single platform, increasing efficiency and efficacy when every second counts.
• Data Enrichment: SOAR capabilities should have extensive capabilities for incorporating context-enriching data into an investigation to facilitate decision making.
• Library of Automated Responses: An extensive library of out-of-the-box automated responses to threats provides continuity across the threat detection and response workflow without the need for APIs or custom integration work.
• APIs and Integrations: A SIEM with SOAR capabilities must be able to integrate with current and future technologies inside and outside the IT environment. As such, a SOAR solution should provide APIs and a range of integrations across multiple vendors and technologies.
• Ease of Use: A SOAR solution should be easy to operate and manage, with one-click functionality for common tasks like Case creation and threat intelligence lookup.
• Embedded SOAR Capabilities: A SIEM with integrated SOAR enables a SOC to optimise the efficiency gains it realises from SOAR.
Conclusion

If your organisation is still relying on manual processes to detect incidents, your analysts are likely struggling to address each and every alarm. With the increasing volume of threats and incidents coming your way, you need a better solution. SOAR can help.

By properly outlining your processes on paper, you can create playbooks to reflect those processes and then decide which you can automate. A SOAR solution can help you remove analysts’ menial tasks, which will keep them happier and more engaged. It can also accelerate onboarding because it doesn’t require analysts to be experts in all of your organisation’s technologies.

SOAR can also help you streamline your security operations team’s ability to detect and respond to threats faster, quantify key performance indicators such as MTTD and MTTR, and minimise damage from a potential incident. Once a procedure is defined, you should have the ability to gather metrics that show where you need to improve. Preapproved playbooks can help you find the areas where organisational deficiencies can be corrected most effectively. If you choose a SOAR solution well, automation can be a valuable tool for your team to help it focus on more important work, without getting lost in manual, tedious tasks.
Curious about how LogRhythm can help you? Let one of our experts
show you. Schedule a demo today. www.logrhythm.com/demo
About LogRhythm

LogRhythm is a world leader in NextGen SIEM, empowering thousands of enterprises on six continents to successfully reduce cyber and operational risk by rapidly detecting, responding to and neutralising damaging cyberthreats. The LogRhythm NextGen SIEM Platform combines advanced security analytics; user and entity behaviour analytics (UEBA); network detection and response (NDR); and security orchestration, automation, and response (SOAR) in a single end-to-end solution. LogRhythm’s technology serves as the foundation for the world’s most modern enterprise security operations centres (SOCs), helping customers measurably secure their cloud, physical, and virtual infrastructures for both IT and OT environments. Built for security professionals by security professionals, the LogRhythm NextGen SIEM Platform has won countless customer and industry accolades. For more information, visit logrhythm.com.
+44 (0)1628 918 330 // europe@logrhythm.com // Regional HQ, Clarion House, Norreys Drive, Maidenhead, SL6 4FL, United Kingdom