Top SOAR Use Cases
If you’re not familiar with SOARs, they’re one of the newer tools used by cyber security teams to consolidate all of your various alerts, automate common SOC tasks, improve incident response times, optimize data extraction, and reduce the amount of administrative work done by SOC analysts. The larger your organization, the more value and efficiencies they can provide to your already stretched cyber security team.
Here are some of the top ways SOARs can help your organization.
Automatic Intel Lookups and Alert Enrichment
Security analysts spend a significant portion of their day performing lookups in various applications. When a SIEM alert generates, they’ll likely perform a lookup in VirusTotal, detonate a suspicious file in a malware sandbox, get domain info from a Whois service, lookup the user in an identity management application, and more. While doing this for a single alert may only take 15 minutes, doing it several times per day can take up most of an analyst’s time. While collecting this data is required to perform an investigation, pulling it repetitively can become burdensome administrative work.
Most SOARs integrate with many of the popular intelligence services and can obtain the majority of data required before the analyst even opens the alert. Instead of spending twenty minutes running reports, analysts can jump right into the investigation, having the SIEM, firewall, Active Directory, and asset management reports right in front of them.
Case Management Application
Not only can SOARs collect most of the data required for an investigation, they can consolidate it into a single pane of glass. If you take a look at your analysts’ screens, you’ll likely see multiple monitors with several tabs open on each. And they’ll likely have to log into each of them several times per day due to session timeouts on each of them.
SOARs can consolidate all of the data they collect into a single ticket that analysts can work off of. SIEM and firewall reports, lookup results, and more can be attached directly to the ticket to be used in the investigation and retained as evidence. Most SOARs can also create alert metrics quickly, allowing organizations to produce lists of SIEM and other alerts along with their true and false positive rates, giving security teams insight into their high-value content.
One of the perennial challenges of security operations teams is determining which alerts to prioritize. Many vendors set priorities of their IPS signatures and SIEM rules, but these are often too general to be used effectively. Running something from the /tmp folder may be significant at one organization, but not at another.
SOARs can perform a lookup in most identity management applications, and then change the severity based on the user’s role, line of business, and other factors. A generic alert all of a sudden becomes useful when it’s the CEO, an executive, or privileged user triggering it. Login failures are likely happening right now at any large organization, but if it’s the CEO’s user account, that should take priority over any other brute force rule. Is a customer-facing bank branch staff member trying to RDP into other servers on the network? Since that’s not something a branch employee would (or should) do, it should take a higher priority over other alerts.
SOARs can integrate with common email services, including Exchange and Gmail. Before a user opens his or her email after a meeting, your SOAR could have already uploaded the URL or suspicious attachment in VirusTotal or Wildfire, and deleted the email before the user had a chance to click on the link or open the file flagged as malicious.
Email is also an excellent way to “talk” to a SOAR and perform ad-hoc requests. Many SOARs can be configured to monitor an email inbox, and PlayBooks can be setup to run based on certain text values found in selected emails. Want a bunch of IP addresses or domains looked up but don’t know how to search for them in the SIEM, or don’t have access to the SIEM? Not a problem. The SOAR can be configured to parse out IPs, domains, and other text from the email, look up the values in the SIEM, firewall, or other security application, and return the results as a CSV attachment in an email.
SOARs can also use email to perform surveys, collect data from users, and take action based on the responses. They can take a vulnerability management report, lookup the system owner in an asset management system, and then send an email to the owner asking if they are aware of the vulnerability and if it has been remediated. This may not seem like much, but depending on the size of your organization, this could significantly reduce the amount of notifications your SOC needs to send. Chasing thirty system owners around is much easier than one hundred. Chasing system owners around is also another example of administrative work that can be done by a SOAR instead of a security analyst.
SOARs of course need to be configured, maintained, and updated regularly. Automating a task performed a couple of times per year may not be a good automation investment, but reducing the amount of day-to-day administrative work performed by SOC analysts is a great investment and allows staff to focus more on analyzing threats to your organization.