SOAR: Security Orchestration, Automation and Response

Securaa is a next-generation Security Orchestration, Automation and Response (SOAR) platform.

For readers who are new to this domain, here is a brief summary of what a Security Orchestration, Automation and Response (SOAR) platform does:

  1. Aggregation: A SOAR platform collects and aggregates alert data from many sources, such as SIEMs, shared mailboxes and syslog servers.
  2. Enrichment: Once an alert is collected, the platform enriches it using the entities it contains, such as usernames, IP addresses and domains.
  3. Orchestration: A SOAR platform also integrates disparate tools and platforms so they can work together under the direction approved by the SOC team. Individual activities can be manual or automated, depending on the platform and the process.
  4. Automation: The platform also executes actions on its own against the integrated systems, either through automatic playbooks that trigger when defined conditions are met or on demand when an analyst requests them.
  5. Response: Providing canned resolutions for known response activities, executed according to organization-approved workflows or Standard Operating Procedures.

Let’s understand those capabilities in detail:

1. Aggregation:

This is the simplest capability, and it lets the SOAR platform become the single pane of glass for the SOC. It consumes alerts from sources such as the SIEM, email (if you run a CIRT/CIRC mailbox) or directly from systems that are not integrated with the SIEM. Cloud-based systems are another source: they typically expose alerts through a REST API rather than through syslog or the simple alert formats a SIEM supports. A SOAR platform can also replace the existing case management tool, since it provides a more flexible, modern case management system aligned to today's dynamic environments.

2. Enrichment:

This means the SOAR system pulls additional data for every entity involved in an alert. For example, if the alert contains a user ID, the platform fetches context from the directory system, such as the user's full name, manager and location; for an external IP address it might be a reputation lookup against a native or external threat intelligence system.

You might wonder why enrichment is needed when most SIEMs already do it. You are correct, but most SIEMs still do not support enrichment as part of the case management process, and where they do, the enrichment attached to an alert tends to focus on lookups that are easy to perform, such as threat intelligence. The lookups are also not dynamic: you cannot configure most SIEMs to perform a second lookup against a commercial threat intelligence feed only when a HIGH severity alert is created. Most SIEMs either always perform the lookup, which makes it static, or at best allow additional manual lookups once the alert has been created. With a SOAR platform you can write a simple playbook that executes only when an alert of a given severity fires for an asset with a known business criticality. This makes enrichment dynamic in a SOAR platform compared to a SIEM, and it saves money on threat intelligence services that charge per API call.
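The conditional enrichment described above, written out as a small playbook. This is an added illustration, not Securaa's code or playbook format; the directory, threat intelligence feeds, asset inventory and alert text are all constructed in the block. Every alert gets the cheap native lookups; the metered commercial lookup runs only when the alert is HIGH severity and the asset is marked business-critical.

```python
"""Conditional enrichment playbook (illustrative; not Securaa's code).

Native lookups (directory, local TI cache) run for every alert. The metered
commercial TI lookup runs only when the playbook condition holds, so the
per-call spend is limited to alerts that matter. All data is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
USER_RE = re.compile(r"\buser=([A-Za-z0-9._-]+)")
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-ins for the directory, a free/native TI feed,
# a commercial (pay-per-call) TI feed and the asset inventory.
DIRECTORY = {
    "jdoe": {"name": "Jane Doe", "manager": "rsmith", "location": "Pune"},
    "rsmith": {"name": "Rob Smith", "manager": "ceo", "location": "London"},
}
NATIVE_TI = {"203.0.113.45": "suspicious"}
COMMERCIAL_TI = {"203.0.113.45": "C2 - ThreatActorX"}
ASSET_CRITICALITY = {"pay-db-01": "critical", "kiosk-07": "low"}


@dataclass
class Alert:
    severity: str                     # LOW / MEDIUM / HIGH, as set by the SIEM
    asset: str                        # hostname the alert fired on
    message: str                      # raw alert text from SIEM / mailbox / syslog
    enrichment: dict = field(default_factory=dict)
    commercial_calls: int = 0         # how many metered API calls this alert cost


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def extract_entities(message: str):
    """Pull user IDs and external IPv4 addresses out of free-text alert content."""
    users = set(USER_RE.findall(message))
    external_ips = set()
    for ip in IPV4_RE.findall(message):
        try:
            if not is_internal(ip):
                external_ips.add(ip)
        except ValueError:            # regex matched something like 999.1.1.1
            continue
    return users, external_ips


def needs_commercial_lookup(alert: Alert) -> bool:
    """Playbook condition: pay for the second lookup only on HIGH alerts
    against assets the business has tagged as critical."""
    return (alert.severity == "HIGH"
            and ASSET_CRITICALITY.get(alert.asset) == "critical")


def enrich(alert: Alert) -> Alert:
    users, external_ips = extract_entities(alert.message)
    for user in users:
        alert.enrichment[f"user:{user}"] = DIRECTORY.get(user, {"name": "unknown"})
    for ip in external_ips:
        verdict = {"native": NATIVE_TI.get(ip, "unknown")}
        if needs_commercial_lookup(alert):
            alert.commercial_calls += 1   # one metered API call
            verdict["commercial"] = COMMERCIAL_TI.get(ip, "no record")
        alert.enrichment[f"ip:{ip}"] = verdict
    return alert


if __name__ == "__main__":
    text = "Failed logon user=jdoe from 203.0.113.45 via 10.0.0.5"
    for a in (Alert("HIGH", "pay-db-01", text), Alert("HIGH", "kiosk-07", text)):
        enrich(a)
        print(a.asset, "commercial calls:", a.commercial_calls, a.enrichment)
```

Both alerts carry the same entities, but only the one on the critical asset triggers the commercial lookup; the kiosk alert still gets the directory and native TI context for free. The internal 10.0.0.5 address is recognised as internal and never sent to an external reputation service.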

3. Orchestration

This is one of the differentiators of a SOAR platform: it integrates with third-party systems to execute the changes the analyst's response requires. These integrations are API driven. For example, in one organization blocking an IP address on the firewall might require an approval, whereas in another it can be done without one. Another example is obtaining a manager's approval before resetting the password of a direct report whose account was locked after multiple failed login attempts. Once an organization's systems are integrated, the SOC team can create workflows/playbooks that carry out the desired actions manually or automatically. This is the most time-consuming phase for organizations that do not have predefined response workflows for the most common threat categories, for example what to do when a DDoS is detected.

4. Automation and Response:

Automation puts the system into autopilot mode: it keeps reading alerts from the various sources, matches them against rules/policies and executes workflows/playbooks when their conditions are met, responding to the alerts on its own. For example, when a new external IP address is reported to be in use by a known threat actor, automatically scan the historical successful-connection logs in the SIEM database for hosts that talked to it. This is a typical use of automation for threat hunting. A variant is to push the same IP address to the firewall and raise an alert if more than 10 systems are found connecting to this known bad address.
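The retro-hunt just described, as an added example (not Securaa's code): a new threat-actor IP arrives from the TI feed, the playbook sweeps historical connection logs for hosts that successfully connected to it, and escalates when more than 10 distinct systems are involved. The key=value log lines, the IOC address and the 10-host threshold are constructed here; a real deployment would query the SIEM instead of a list in memory.

```python
"""Retro-hunt playbook for a newly reported IOC IP (illustrative, not Securaa's).

Sweeps historical connection records for successful connections to the IOC,
collects the distinct source hosts with first/last seen, and escalates when
the host count exceeds a threshold. Logs and IOC are constructed.
"""

IOC_IP = "203.0.113.77"   # constructed "known threat actor" IP from the TI feed

# Constructed SIEM export, one key=value record per line. action=allow is a
# successful connection; deny lines were blocked and must not be counted.
SAMPLE_LOGS = [
    f"ts=2024-03-01T08:{i:02d}:00Z src=10.1.0.{10 + i} dst={IOC_IP} dport=443 action=allow"
    for i in range(1, 13)                                   # 12 distinct hosts
] + [
    f"ts=2024-03-01T09:00:00Z src=10.1.0.11 dst={IOC_IP} dport=443 action=allow",  # repeat host
    f"ts=2024-03-01T09:05:00Z src=10.1.0.99 dst={IOC_IP} dport=443 action=deny",   # blocked
    "ts=2024-03-01T09:10:00Z src=10.1.0.50 dst=198.51.100.5 dport=80 action=allow",
    "ts=2024-03-01T09:11:00Z src=10.1.0.51 dst=198.51.100.5 dport=80 action=allow",
    "malformed line with no fields",                                               # must be skipped
]

REQUIRED_FIELDS = {"ts", "src", "dst", "action"}


def parse_line(line: str):
    """Parse a key=value record; return None if a required field is missing."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields if REQUIRED_FIELDS <= fields.keys() else None


def retro_hunt(ioc_ip: str, logs) -> dict:
    """Distinct hosts that successfully connected to ioc_ip, with first/last seen.

    Timestamps are ISO-8601 UTC strings, so string comparison orders them.
    """
    hosts = set()
    first_seen = last_seen = None
    for line in logs:
        rec = parse_line(line)
        if rec is None or rec["dst"] != ioc_ip or rec["action"] != "allow":
            continue
        hosts.add(rec["src"])
        if first_seen is None or rec["ts"] < first_seen:
            first_seen = rec["ts"]
        if last_seen is None or rec["ts"] > last_seen:
            last_seen = rec["ts"]
    return {"ioc": ioc_ip, "hosts": sorted(hosts),
            "first_seen": first_seen, "last_seen": last_seen}


def should_escalate(finding: dict, threshold: int = 10) -> bool:
    """Playbook condition from the text: more than `threshold` systems talked to the IOC."""
    return len(finding["hosts"]) > threshold


if __name__ == "__main__":
    finding = retro_hunt(IOC_IP, SAMPLE_LOGS)
    print(f"{len(finding['hosts'])} hosts connected to {finding['ioc']} "
          f"between {finding['first_seen']} and {finding['last_seen']}")
    print("escalate:", should_escalate(finding))
```

Counting distinct source hosts rather than raw log lines matters: the repeated connection from 10.1.0.11 is one compromised system, not two, and the denied attempt from 10.1.0.99 is excluded because the firewall already stopped it. The first/last seen window is what an analyst needs to scope the follow-up hunt.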

Securaa provides all of these capabilities along with unique differentiators: a native TIP (Threat Intelligence Platform) and a vulnerability and asset management platform. Please contact us at rajesh@securaa.io.
