[BreachExchange] How to Go From No Incident Response Program to SOAR
Destry Winant
destry at riskbasedsecurity.com
Sun Aug 19 23:46:50 EDT 2018
https://www.securityweek.com/how-go-no-incident-response-program-soar
Getting Off the Ground With Security Orchestration, Automation, and Response
When interacting with companies that are considering purchasing a
security orchestration, automation, and response (SOAR) solution, I
often hear them express the concern that their current incident
response program is not mature enough for them to make the leap to
implementing a comprehensive platform, complete with automation and
orchestration. When there is little to no foundation in place, the
task of getting started seems overwhelming, especially if no one on
your team has experience with incident response or security
orchestration solutions.
While it’s true that you don’t want to just add automation to
inefficient processes and call it a day, it’s a mistake to get further
entrenched in the old ways of handling security incidents if those
ways are no longer good enough. If you know you want to improve your
security operations, but don’t know where to start, here are a few
steps that can help get you ready for a SOAR platform.
Take Stock of Your Current Operations
Two organizations might describe themselves as not having an incident
response program, but mean totally different things. With or without a
SOAR or incident response platform, every organization has some way of
managing security incidents, even if it involves a lot of
improvisation and ad hoc processes.
When preparing to implement a SOAR platform, take the time to talk to
the stakeholders in your organization to understand the current
processes and how effective (or ineffective) they are. This should
include an inventory of tools; for instance, what is your existing
infrastructure for IT and InfoSec? Do you have any tools for data
enrichment? Once you understand what tools you already have, you can
map them to an incident response lifecycle—such as the one outlined by
NIST 800-61r2—and identify where your gaps are.
Next, take a look at what incident response processes or playbooks
your organization is following. How does the SOC collaborate
internally, and with other teams such as IT and data privacy groups?
How do you maintain compliance with legal and regulatory obligations
during incident response? How does your team currently manage common
security incidents like phishing or malware?
If any metrics are available, review them for insight into what is
working well and where improvements can be made. For example, do you
know how long it takes to detect and respond to security alerts? What
activities are taking up too much of your security analysts’ time? If
there are no formal metrics available, ask security analysts and
managers for their assessments.
Figure Out What Features Are Most Important to You, and Which Platforms Offer Them
There are many different SOAR offerings on the market, so to narrow
the parameters of your choices, take some time to identify the
capabilities that are most important. What do you want to automate
initially? What problems are most pressing for your security team? Do
you have recurring incidents, data silos, or process bottlenecks?
Your analysts can help answer these questions.
Each platform will emphasize different aspects of security operations.
Broken down into general categories, these features might include:
● Alert management, which helps SOCs sort, evaluate, and close the
steady stream of security alerts that come in from SIEM and other
source systems.
● Triage, which helps analysts make decisions by gathering contextual
information from internal and external sources, such as threat
intelligence and previous incident records.
● Incident response, which encompasses playbooks, task management,
link analysis, and other features that support effective and
repeatable response workflows.
● Reporting and analytics, which includes the ability to automate or
schedule reporting, generate detailed SOC metrics, and tailor
dashboards to the different roles that use the system.
● Compliance and tracking, such as audit trails, chain of custody, and
templates for common compliance reports.
● Case management, which may include support for collaboration between
investigators and other teams, case folders for related incidents,
guided investigation workflows, and evidence management.
Try Sketching Out a Playbook
To get a detailed sense of how you will use a SOAR platform, sketch
out a playbook for one of your most important use cases. Then,
identify where you think automation and orchestration can be used to
enhance the steps. You can easily find online examples of playbooks
from vendors or industry bodies, which should give you a sense of what
steps to include. Evaluating your current processes and interviewing
your analysts, as I’ve recommended, will provide more valuable
information, including common or important use cases. Try starting
with a use case that you think will be typical in your security
environment, such as a phishing attempt, suspected data breach, or
malware infection.
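To make the "sketch a playbook, then mark where automation fits" exercise concrete, here is an added example (not from the article, SecurityWeek, or any SOAR vendor) that models a phishing-report playbook as an ordered list of steps, each flagged automated or manual. The automated steps parse the reported message, extract URL domains, and check them against an enrichment source; the runner stops at the first manual step so you can see exactly where an analyst still has to act. The reported email, the blocklist, and all domains are constructed sample values, and the step names and scoring rule are assumptions for illustration.

```python
"""Playbook sketch: which phishing-triage steps can be automated?

Added illustration, not code from the article. The reported message,
the blocklist and the domains are constructed samples (hypothetical).
"""
import email
import re
from dataclasses import dataclass, field
from email import policy
from typing import Callable, List, Optional

# Constructed sample: a user-reported message (all domains hypothetical).
REPORTED_EMAIL = """\
From: "IT Helpdesk" <helpdesk@mail-example.test>
To: alice@corp.example
Subject: Password expiry notice
Received: from relay.example.test (203.0.113.5)
Content-Type: text/plain

Your password expires today. Reset it at http://login-reset.example.test/auth
or https://corp.example/portal to avoid lockout.
"""

# Constructed stand-in for a threat-intelligence enrichment source.
KNOWN_BAD_DOMAINS = {"login-reset.example.test"}
INTERNAL_DOMAINS = {"corp.example"}

@dataclass
class Step:
    name: str
    automated: bool
    action: Optional[Callable[[dict], dict]] = None  # None means a manual step

@dataclass
class Playbook:
    name: str
    steps: List[Step] = field(default_factory=list)

    def run(self, case: dict) -> dict:
        """Execute automated steps in order; stop at the first manual step
        and record which step is waiting on an analyst."""
        case.setdefault("log", [])
        for step in self.steps:
            if not step.automated:
                case["log"].append(f"PAUSE: '{step.name}' requires an analyst")
                case["waiting_on"] = step.name
                return case
            case.update(step.action(case))
            case["log"].append(f"AUTO: {step.name} done")
        case["waiting_on"] = None
        return case

# Captures only the host part of each http(s) URL in the body.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s]*")

def parse_message(case: dict) -> dict:
    """Automated: pull sender, subject and linked domains from the raw email."""
    msg = email.message_from_string(case["raw"], policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return {"sender": str(msg["From"]), "subject": str(msg["Subject"]),
            "urls": URL_RE.findall(body)}

def enrich_indicators(case: dict) -> dict:
    """Automated: drop internal domains, then check the rest against intel."""
    external = [d for d in case["urls"] if d not in INTERNAL_DOMAINS]
    hits = [d for d in external if d in KNOWN_BAD_DOMAINS]
    return {"external_domains": external, "intel_hits": hits}

def score(case: dict) -> dict:
    """Automated: a simple, assumed severity rule for the initial triage."""
    if case["intel_hits"]:
        return {"severity": "high"}
    return {"severity": "medium" if case["external_domains"] else "low"}

PHISHING_PLAYBOOK = Playbook("phishing-report", [
    Step("Parse reported message", True, parse_message),
    Step("Enrich URLs against threat intel", True, enrich_indicators),
    Step("Assign initial severity", True, score),
    Step("Analyst confirms phishing and approves containment", False),
    Step("Block sender and external domains", True,
         lambda c: {"blocked": c["external_domains"]}),
])

def triage(raw_email: str) -> dict:
    """Run the playbook on one reported message and return the case record."""
    return PHISHING_PLAYBOOK.run({"raw": raw_email})

if __name__ == "__main__":
    result = triage(REPORTED_EMAIL)
    print("severity:", result["severity"], "| waiting on:", result["waiting_on"])
    for line in result["log"]:
        print(line)
```

Running it on the constructed sample completes the three enrichment steps automatically and pauses before containment, which is the point of the exercise: the parse, enrich and score steps are the ones worth automating first, while the approval gate stays with an analyst and the block step only runs once that gate is passed.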
If you have no formal incident response program, implementing a SOAR
solution, incident response platform, or any other major security tool
can be challenging. But after taking the steps I’ve described here,
you will have a better sense of where you are now, where you need to
go, and most importantly, how you can get there.