Best Practices for Deploying Security Orchestration

Source: Securaa.io, https://www.securaa.io/best-practices-for-deploying-security-orchestration/

September 2, 2020 | Rajesh Krishna | Security Orchestration

Security Orchestration, Automation & Response (SOAR) platforms are becoming increasingly popular in enterprises. Gartner defines SOAR as follows:

"SOAR refers to technologies that enable organizations to collect inputs monitored by the security operations team. For example, alerts from the SIEM system and other security technologies — where incident analysis and triage can be performed by leveraging a combination of human and machine power — help define, prioritize and drive standardized incident response activities. SOAR tools allow an organization to define incident analysis and response procedures in a digital workflow format."

Read closely, this definition hints at how enterprises can deploy a SOAR platform. Here are the recommended best practices for deploying security orchestration:

1) Identify use cases for automation.
2) Prepare workflows for known threat categories.
3) Integrate the technologies involved in the use case.
4) Test, test again and go live.
5) Measure the improvement in MTTR for the target use case.

Let's look at the steps one by one.

1) Identify use cases for automation

The best way to identify such use cases is to talk to your analysts. Understand their pain points: what is boring for them, and which repetitive tasks do they feel are unproductive? You can prepare a document listing use cases for the various analysts by threat category, third-party tool, procedure, and so on, then target each automation use case one by one based on your requirements. Start small: begin with one use case or procedure and keep adding. For example, a reputation check using both open-source and commercial tools is a task every analyst has to perform, so it is a good place to start.

2) Prepare workflows

Most mature SOC environments have documented procedures for handling specific threats. For example, handling a phishing incident may involve ten different steps, a mix of manual and automated tasks spread across various tools and people. Start from such a procedure: it tells you which tools will be used for reputation checks, detonation of payloads, vulnerability checks, storing evidence, and so on.

If your organization doesn't have such procedures in place, it is time to get the team together and start creating them. Begin with the most common security issues your organization faces. Avoid use cases that span more than one or two departments, as they consume time and resources you may not be ready for in the initial phases of a SOAR deployment.

This workflow will eventually be used to create the playbook in the SOAR platform that automates the use case identified in step 1.

3) Integrate technologies

Based on the use case and its response workflow, you can integrate the various third-party tools. Which technologies are needed follows from your response procedure. Typical ones are:

– SIEM tool: the most common source of alerts.
– Threat intelligence tools: to check the reputation of external indicators.
– Vulnerability scanners: to check for vulnerabilities on the asset infrastructure.
– Enforcement technologies: anything used for remediation or enforcement, for example firewalls, antivirus and email security systems.
– Directory systems such as Microsoft AD: to look up user details.
– Ticketing systems: to track IT tickets.

Some of these may be optional for you, depending on your organization's IT infrastructure. A best practice specific to this step is to begin only with technologies that have no change impact on your infrastructure or do not need to go through a change committee: SIEM and threat intelligence first, followed by the other technologies. Read-only integrations such as SIEM queries and reputation lookups carry none of the risk of an automated enforcement action; a faulty playbook that blocks a domain or disables an account is an incident of its own.

4) Test, test again and go live

Once the playbook is implemented, you can configure the SOAR platform to fire it when a specific condition matches. For example, in Securaa you can write a rule that says: run the playbook "Threat intelligence Checks" when an incoming alert has "Malicious Domain" in the alert description.

Once alerts are being consumed by the SOAR platform, check that the playbook functions and that all of its actions execute automatically. Did it miss a step? Did any integration time out? Are your analysts happy with the automation? Test this a few times, and once you are satisfied with the results, put the playbook into production. You can then move on to the next use case.

5) Measure the improvement in MTTR for the target use case

Most SOAR platforms track the mean time to respond (MTTR) to an alert. Check whether MTTR has improved over a time range; Securaa, for example, provides an out-of-the-box chart that tracks MTTR over time. Re-check it as you add new use cases and workflows, and keep taking feedback from your analysts: they are the best gauge of whether the SOAR deployment is succeeding.

If you are looking for a comprehensive SOAR platform along with guidance, reach out to us.
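The five steps above describe one loop: a trigger rule selects a playbook, the playbook's actions run against the integrated tools, and the closed alerts feed an MTTR figure. The following is an added example, not Securaa's code and not its rule syntax, that shows that loop in plain Python. Everything in it is constructed for the demo: the two reputation "feeds" are in-memory dictionaries standing in for an open-source and a commercial threat intelligence tool, the alerts are made up, the playbook names reuse the "Threat intelligence Checks" example from step 4 plus a hypothetical "Phishing Triage", and the clock is fixed so the MTTR figure is deterministic. The part step 4 asks you to test ("did any integration time out?") is handled explicitly: each action runs under a per-step timeout, a hung sandbox step is recorded as "timeout", and that alert is left open for an analyst instead of being auto-closed.

```python
"""Minimal playbook runner for the five steps above (added example, not Securaa's code).
Feeds, alerts, playbook names and timings are constructed for the demo so it runs offline."""
from __future__ import annotations

import concurrent.futures
import statistics
import time
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable

# Constructed reputation feeds standing in for an open-source and a commercial TI tool.
OSINT_FEED = {"evil.example": "malicious", "cdn.example": "benign"}
COMMERCIAL_FEED = {"evil.example": "malicious"}

@dataclass
class Alert:
    alert_id: str
    description: str
    indicator: str                     # external indicator to enrich (a domain here)
    created_at: datetime               # when the SIEM raised the alert
    closed_at: datetime | None = None  # set only when every playbook step succeeded
    evidence: dict = field(default_factory=dict)

@dataclass
class Step:
    name: str
    action: Callable[[Alert], object]
    timeout_s: float = 5.0             # per-integration timeout ("did any integration time out?")

def select_playbook(alert: Alert, rules: list[tuple[Callable[[Alert], bool], str]]) -> str | None:
    """Trigger rule (step 4): the first rule whose condition matches names the playbook to run."""
    return next((name for cond, name in rules if cond(alert)), None)

def run_playbook(steps: list[Step], alert: Alert, clock: Callable[[], datetime]) -> dict[str, str]:
    """Run steps in order; a timed-out or failing integration is recorded, not silently skipped.
    The alert auto-closes only if every step succeeded; otherwise it stays open for an analyst."""
    report: dict[str, str] = {}
    pool = concurrent.futures.ThreadPoolExecutor(max_workers=len(steps))
    try:
        for step in steps:
            future = pool.submit(step.action, alert)
            try:
                alert.evidence[step.name] = future.result(timeout=step.timeout_s)
                report[step.name] = "ok"
            except concurrent.futures.TimeoutError:
                report[step.name] = "timeout"
            except Exception as exc:   # the integration answered with an error
                report[step.name] = f"error: {exc}"
    finally:
        pool.shutdown(wait=False)      # never block the runner on a hung integration thread
    if report and all(status == "ok" for status in report.values()):
        alert.closed_at = clock()
    return report

def mttr_seconds(alerts: list[Alert], start: datetime, end: datetime) -> float | None:
    """Step 5: mean time to respond for alerts raised in [start, end) that were closed."""
    durations = [(a.closed_at - a.created_at).total_seconds()
                 for a in alerts if a.closed_at and start <= a.created_at < end]
    return statistics.mean(durations) if durations else None

# Playbook actions for the reputation-check use case from step 1.
def osint_reputation(alert: Alert) -> str:
    return OSINT_FEED.get(alert.indicator, "unknown")
def commercial_reputation(alert: Alert) -> str:
    return COMMERCIAL_FEED.get(alert.indicator, "unknown")
def store_evidence(alert: Alert) -> dict:  # in production this would go to the case or ticket
    return {k: v for k, v in alert.evidence.items() if k.endswith("_reputation")}
def slow_sandbox_detonation(alert: Alert) -> str:
    time.sleep(0.5)                    # simulates an integration that does not answer in time
    return "detonated"

PLAYBOOKS = {
    "Threat intelligence Checks": [Step("osint_reputation", osint_reputation),
                                   Step("commercial_reputation", commercial_reputation),
                                   Step("store_evidence", store_evidence)],
    "Phishing Triage": [Step("osint_reputation", osint_reputation),
                        Step("sandbox_detonation", slow_sandbox_detonation, timeout_s=0.05)],
}
RULES = [(lambda a: "Malicious Domain" in a.description, "Threat intelligence Checks"),
         (lambda a: "Phishing" in a.description, "Phishing Triage")]

def handle(alert: Alert, clock: Callable[[], datetime]) -> dict[str, str] | None:
    """Route an incoming alert to its playbook; None means no rule matched and an analyst takes it."""
    name = select_playbook(alert, RULES)
    return run_playbook(PLAYBOOKS[name], alert, clock) if name else None

def demo() -> dict:
    """Three constructed alerts under a fixed clock (closed 90 s after creation) so MTTR is deterministic."""
    t0 = datetime(2020, 9, 2, 9, 0)
    clock = lambda: t0 + timedelta(seconds=90)
    good = Alert("A-1", "Malicious Domain contacted by host", "evil.example", t0)
    hung = Alert("A-2", "Phishing email reported by user", "cdn.example", t0)
    return {"good_report": handle(good, clock), "good_evidence": good.evidence["store_evidence"],
            "hung_report": handle(hung, clock), "hung_closed": hung.closed_at,
            "unmatched": handle(Alert("A-3", "Port scan from internal host", "10.0.0.5", t0), clock),
            "mttr": mttr_seconds([good, hung], t0, t0 + timedelta(days=1))}
```

Calling `demo()` runs the three scenarios: the "Malicious Domain" alert completes all three steps and is closed 90 seconds after creation, the phishing alert records the sandbox step as a timeout and stays open, and the port-scan alert matches no rule and is returned to the analyst queue. Because only fully successful runs are closed, a hung or broken integration cannot make the MTTR chart from step 5 look better than reality; the per-step report is the check step 4 asks for, produced on every run rather than by manual inspection.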
