Book Image

Security Orchestration, Automation, and Response for Security Analysts

By : Benjamin Kovacevic
Book Image

Security Orchestration, Automation, and Response for Security Analysts

By: Benjamin Kovacevic

Overview of this book

What your journey will look like With the help of this expert-led book, you’ll become well versed with SOAR, acquire new skills, and make your organization's security posture more robust. You’ll start with a refresher on the importance of understanding cyber security, diving into why traditional tools are no longer helpful and how SOAR can help. Next, you’ll learn how SOAR works and what its benefits are, including optimized threat intelligence, incident response, and utilizing threat hunting in investigations. You’ll also get to grips with advanced automated scenarios and explore useful tools such as Microsoft Sentinel, Splunk SOAR, and Google Chronicle SOAR. The final portion of this book will guide you through best practices and case studies that you can implement in real-world scenarios. By the end of this book, you will be able to successfully automate security tasks, overcome challenges, and stay ahead of threats.
Table of Contents (14 chapters)
Part 1: Intro to SOAR and Its Elements
Part 2: SOAR Tools and Automation Hands-On Examples

The current state of cybersecurity

The last few years have changed how businesses operate, and standard working will never be the same. Digital transformation and the COVID-19 pandemic have foundationally changed the way that we work. Modern tools for collaboration, such as Microsoft Teams, Slack, Zoom, and so on, make it possible for people to work from any location and still relate to their peers. When the COVID-19 pandemic started, everyone had to work from home. And something that started as a temporary solution has changed how people work permanently. However, it hasn’t just changed the way people are working. It has also changed how people connect and what network they use – it has changed cybersecurity. A traditional perimeter does not help anymore; people are expected to be outside their bubbles, and we must find new ways to protect them. The second thing to consider is that people don’t just use corporate devices to connect to corporate resources: they use personal devices as well.

Creating boundaries is becoming harder and harder, and organizations must find a new way to protect their resources. Traditional systems aren’t enough anymore. The first tools that people are turning to have been available for years in the market, such as Mobile Device Management/Mobile Application Management (MDM/MAM), Multi-Factor Authentication (MFA), Endpoint Detection and Response (EDR) platforms, Data Loss Prevention (DLP), and so on.

Introducing more security tools and hardening the working environment has a direct impact on productivity. Employees are expected to enroll devices to MDM, set up and pass MFA, avoid copying data to USBs, refrain from continuing their work on other devices, and avoid sharing any links with anyone. This significantly hampers the ability of employees to collaborate efficiently. Cybersecurity experts need to find a golden middle ground between productivity and security; often, this equates to sacrificing security under this pressure until a cybersecurity incident occurs.

To be able to detect security incidents as they happen, more advanced solutions are required: traditional ones such as Security Information and Event Management (SIEM), more modern ones such as Extended Detection and Response (XDR), and the Zero Trust methodology. SIEM allows us to collect logs from various solutions and correlate these events to detect threats more easily. However, on its own, it is ineffective. SIEM tools are only as good as the events they have as logs. We also need to have excellent Security Operations Center (SOC) analysts who can define detection rules, do cyber threat hunting, and react to security incidents in these SIEM solutions. This is why most new SIEM solutions add Artificial Intelligence (AI), Machine Learning (ML), User and Entity Behavior Analytics (UEBA), Threat Intelligence (TI), and so on, into the mix to help with detection – but what about the response? How do we acknowledge and resolve security incidents?

One of the more modern tools is XDR – this is not a single tool but a group of tools that work together to correlate cyber threat detections. In most cases, XDR will cover identities, emails, endpoints, servers, and cloud workloads. It will use AI and ML in the background to connect security incidents from these layers, which are often handled separately by different solutions, into a single incident that outlines the kill chain of an attack as it happens throughout an organization. While XDR is a must-have solution for most organizations, it still doesn’t cover the whole stack of security. You cannot ingest TI data, firewall logs, third-party solution detections, and so on. Typically, XDR will be connected to SIEM for correlation with other sources.

One thing we have seen with XDR is a change in the complexity of organizations’ cybersecurity. 10 years ago, organizations did not use the same vendor for different layers of protection. The idea was that if one failed, you would still have another vendor in line for protection – but how wrong was that?

First, our security experts had to learn to work with and manage multiple solutions and vendors. Multiple portals would therefore need to be logged in to daily. For big organizations, the number of security solutions and vendors used could exceed 40! And second, those solutions did not speak to each other. That means that they did not share intelligence; they did not correlate their shared data. Without SIEM collecting events from all devices, it was almost impossible to make connections between different security incidents. XDR changed this, as the idea behind it has been for solutions to speak with each other, share intelligence, and correlate events for better detection. Another significant benefit is that it is all in one portal, which is essential for security experts to focus on one unified product and not on five different ones.

Why is it essential to find new ways to protect organizations? Because bad actors are improving their game daily. Just in the last few years, we have had significant cyberattacks, including the Colonial Pipeline ransomware attack, the Maersk ransomware attack, the SolarWinds breach, and the Log4j vulnerability, plus many data breaches in which bad actors have stolen terabytes of personal data. These are only some of the attacks that have been top news worldwide. Even people who don’t know what a cyberattack is have started asking questions about what is happening. The reason for this is the significant impact of each attack. The Colonial Pipeline attack raised a lot of concern and panic among people in the United States. Because of this attack, a few states even reported shortages of fuel. Even though Colonial Pipeline paid the ransom (in total, around 5 million US dollars), restoring operations took them a few days. As a direct connection to the attack, fuel prices in most of the United States went up.

This is only one of the examples of how a cyberattack on critical infrastructure can impact an organization and a whole country. Let’s consider that most of the critical infrastructure in countries (electricity, water, fuel, gas, etc.) is controlled using computers. We can see why staying at least one step ahead of bad actors is crucial.

There are many different figures for the average cost of a cyberattack, and in most cases, the average cost is around $4 million. This cost is not only connected to paying a ransom but also returning to an operational state, plus the cost of losing customers. If we take a look at the Marriott hotel data breach, the total cost at the end could be in the billions, as we include the GDPR and user lawsuits. We can say that, on average, we have millions of reasons to think about cybersecurity at a time.

However, cyberattacks don’t just impact organizations; they are methods of modern warfare. We have had a few examples throughout history, but the latest one is probably the best example. As the Ukrainian-Russian war started, it didn’t start solely with typical military conflicts – guns, tanks, planes, and so on. Cyber warfare was a big part of it, and numerous attacks on Ukrainian infrastructure were reported.

Considering that we have more and more drones in the sky that are remotely managed, it shows us how serious it can be in the future if technological infrastructure is not protected.

While we can invest a lot of money into security equipment, we still have two significant issues at the top of the list regarding how a cyberattack starts. The first will be misconfiguration, and the second will be the user.

As mentioned, many organizations invest a lot in security equipment, but not in security experts or their personnel so that they can learn how to configure solutions correctly. Even a minor misconfiguration can affect the system in a manner that will leave a backdoor that a bad actor can use. Hiring security experts and continuous investment in cybersecurity personnel is more important than security solutions. Cybersecurity personnel must stay ahead of bad actors to protect critical infrastructure. While AI and ML play a significant role in cybersecurity, they will (maybe) never be able to replace security experts. Most sophisticated attacks are not initially detected by cybersecurity tools but rather by experts hunting for anomalies in raw system logs.

Users are probably the most considerable cybersecurity risk each organization faces. It is a common saying in cybersecurity that in each organization, there is at least one user who will click on every link. That is why phishing attacks are still the most common attacks on organizations. Every organization must invest in user education to reduce the risk of users clicking on a link in an obvious phishing email or downloading attachments from unknown sources. It is a long process to educate users and still, the risk will exist. As mentioned earlier, bad actors are smart and target users strategically – for example, when they know their focus will be at the lowest at the end of working hours.

On top of that, think about every conversation had with users – passwords. It is common for users to pick the same password for business and personal use and reuse it across all platforms. Some people use two different passwords, but rarely three or more. This directly impacts an organization’s security because many platforms don’t have advanced password protection – but that is not the only problem! Users incorporate personal information when creating these passwords (such as a place of birth or residence, names of pets or children, important dates, and so on) and then have all of that information publicly available on social media (pictures, About Me, favorite movies, quotes, and more). Because of all this, it is easy for bad actors to strategize their attacks. First, they have all the necessary info to create a dictionary for brute-force attacks on social media. Second, they can use a less secure platform to perform that attack and reuse the password on corporate logins. This is essentially why many organizations implement MFA.

The biggest challenge for modern SOCs is the high number of raw data and security incidents. This affects the time needed to acknowledge and respond to security incidents. The initial triage of an incident can take some time, even an hour, if a SOC is inefficient or there are not enough SOC analysts (which is more common). This can lead to detecting the cyberattack too late, and the attack can spread through the system.

Would it help if we could automate everyday tasks that our SOC analyst performed as part of the initial triage so that the SOC analyst took over once the initial triage had automatically been done? This is where SOAR comes into play!