Security Orchestration Automation and Response (SOAR) Technical Resolution
The background of SOAR's emergence
As confrontation in network security grows increasingly fierce, a security strategy that simply hopes to prevent and block attacks has failed; we must pay more attention to detection and response. Businesses and organizations need to build a new security system that integrates blocking, detection, response and prevention on the assumption that the network has already been compromised. It is in this context that, internationally, detection and response products have received great attention. Domestically, more attention has been focused on new detection products, especially in the field of unknown threat detection. With these products and technologies, users gain a shorter MTTD (mean time to detect) and can detect attacks and intrusions more quickly and accurately. However, most of these products and technologies have not helped users reduce MTTR (mean time to respond). In fact, for users, detecting problems faster is only the first step; how to respond to them quickly matters even more. To improve the efficiency of security response, we cannot consider only a single point (such as the endpoint or the network alone); we must also consider the overall security operation of the whole network and integrate the decentralized detection and response mechanisms. That is exactly what SOAR aims to solve.
Evolution and definition of SOAR
SOAR's full name is Security Orchestration, Automation and Response. The technology belongs to the field of security operations and focuses on (but is not limited to) security response issues. It was first proposed by Gartner in 2015, when Gartner defined SOAR as Security Operations, Analytics and Reporting. With the rapid development and evolution of security operations technology, in 2017 Gartner redefined SOAR as Security Orchestration, Automation and Response and saw it as a fusion of three technologies/tools: Security Orchestration and Automation, the Security Incident Response Platform (SIRP) and the Threat Intelligence Platform (TIP). Gartner believes that SOAR technology is still evolving rapidly and that its content may change in the future, but that its goal of focusing on security response around security operations will not change.

Gartner's latest descriptive definition of SOAR (from Gartner's report Hype Cycle for Threat-Facing Technologies, 2018) is as follows: SOAR is a collection of technologies that help organizations collect the information monitored by security operations teams, including alerts generated by various security systems, and perform incident analysis and alert triage. Then, guided by a standard workflow, a combination of human and machine steps helps security operations personnel define, prioritize and drive standardized incident response activities. SOAR tools enable enterprises and organizations to formalize the process of incident analysis and response.

At present, SOAR technology is in its adolescence: it is on the rising slope of the hype cycle and has not yet reached the peak of inflated expectations.
Analysis of SOAR's three core technologies
At present, SOAR's three core technical capabilities are security orchestration and automation, the security incident response platform, and the threat intelligence platform.

1) Security orchestration and automation: This is the core and foundational capability of SOAR.

Security orchestration and security automation are two different concepts. Security orchestration refers to combining the security capabilities of different systems, or of components within one system, through programmable interfaces (APIs) and human checkpoints, chained according to a defined logic to complete a particular security operation. For example, the in-depth detection and response process for a suspicious email a user has received can be broken down as follows: extract the sender, URL links, IP addresses and other information and query them against the threat intelligence system; submit the attachment to the sandbox system for analysis; and, based on the results returned by the intelligence system and the sandbox, decide whether to instruct the mail system to delete the message or attachment, whether to collect further information from the recipient's endpoint through EDR for analysis, and so on. This suspicious-email analysis process is an example of the mail system, threat intelligence system, sandbox system, EDR and other systems being organized together through a defined logic.

Here, automation refers specifically to an automated orchestration process, which is a special kind of orchestration. If every step of the orchestration process is carried out through the APIs of the related systems, the process can be fully automated. Alongside automated orchestration there are also manual orchestration and partially automated (mixed) orchestration. Whether automated or manual, an orchestration can be expressed as a playbook. The engine that underpins playbook execution is usually a workflow engine. To make it easier for administrators to maintain playbooks, SOAR also typically provides a visual playbook editor.

The playbook is intended for the orchestration administrator and focuses on the logic of the security operation itself, hiding the programming interfaces and the concrete command implementations that connect to the individual systems. SOAR typically delivers orchestration commands to the actual systems through an app and action mechanism. Implementing apps and actions is the job of orchestration command developers.

2) Security incident response platform: This is a key capability of SOAR, but it can also exist independently of SOAR.

Incident response platforms existed before SOAR; as the name says, they are platforms for responding to and handling incidents. With the advent of SOAR, however, the combination of security incident response with security orchestration and automation has greatly improved response capability. Typically, security incident response includes alert management, ticket management, case management, and more.

The core of alert management is not only collecting, displaying and responding to security alerts, but also alert triage and alert investigation. Only through alert triage and investigation can the quality of alerts be improved and their number reduced.

Ticket management suits the coordination of medium and large security operations teams, with process-driven alert handling and response, and ensures that the response process is recorded, measurable and assessable.

Case management is the core capability of modern security incident response management. Case management helps users handle, continuously analyze and respond to a set of related alerts, and continuously accumulate evidence for the case and indicators of the attacker's tactics, techniques and procedures (TTP). Multiple cases are worked in parallel, resulting in continuous tracking and handling of a range of security incidents.

3) Threat intelligence platform: This is an important function of SOAR, but it can also exist independently of SOAR.

The threat intelligence platform (TIP) is a segment defined by Gartner in 2014: it assists users in blocking, detecting and responding to attacks through the collection, correlation, classification, sharing and integration of multi-source threat intelligence, as well as integration with other systems. At present, threat intelligence mainly exists in the form of services rather than platforms; the standalone TIP market is small, and there are not many vendors, some of which exist independently;
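The suspicious-email orchestration and the app/action split described under point 1) above, as an added example that is not code from the original page or from any SOAR vendor. It models a minimal workflow engine: apps expose named actions that hide each system's API, the playbook chains them by logic, and one step is a human checkpoint, so the same playbook runs fully automated when an analyst approver is wired in and pauses ("awaiting_approval") when none is present, which is the mixed orchestration the text mentions. The threat intelligence and sandbox results are constructed sample data; the app names, the `Step` fields and the indicator values are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed sample intelligence and sandbox verdicts; a real deployment
# would call the vendor APIs behind the same action names.
TI_DB = {"203.0.113.9": "malicious", "http://example.invalid/pay": "malicious"}
SANDBOX_DB = {"invoice.docm": "malicious", "notes.txt": "benign"}


# --- App/action layer: one class per integrated system ------------------
class ThreatIntelApp:
    def lookup(self, indicator: str) -> str:
        return TI_DB.get(indicator, "unknown")


class SandboxApp:
    def detonate(self, filename: str) -> str:
        return SANDBOX_DB.get(filename, "unknown")


class MailApp:
    def __init__(self) -> None:
        self.deleted: List[str] = []

    def delete(self, msg_id: str) -> bool:
        self.deleted.append(msg_id)
        return True


class EdrApp:
    def collect(self, host: str) -> dict:
        # Constructed endpoint snapshot; a real EDR action would query the agent.
        return {"host": host, "recent_processes": ["winword.exe", "powershell.exe"]}


# --- Playbook layer: steps chained by logic, some gated by an analyst ----
@dataclass
class Step:
    name: str
    run: Callable[[dict], object]                    # acts on the shared run context
    condition: Callable[[dict], bool] = lambda ctx: True
    human_check: Optional[str] = None                # question for an analyst; None = automated


@dataclass
class RunResult:
    status: str                                      # "completed" or "awaiting_approval"
    executed: List[str] = field(default_factory=list)
    skipped: List[str] = field(default_factory=list)


class WorkflowEngine:
    """Runs a playbook; pauses at a human checkpoint when no approver is present."""

    def __init__(self, approver: Optional[Callable[[str, dict], bool]] = None) -> None:
        self.approver = approver

    def execute(self, steps: List[Step], ctx: dict) -> RunResult:
        result = RunResult("completed")
        for step in steps:
            if not step.condition(ctx):              # branch logic of the playbook
                result.skipped.append(step.name)
                continue
            if step.human_check is not None:
                if self.approver is None:            # mixed orchestration: wait for a human
                    result.status = "awaiting_approval"
                    return result
                if not self.approver(step.human_check, ctx):
                    result.skipped.append(step.name)
                    continue
            step.run(ctx)
            result.executed.append(step.name)
        return result


def suspicious_email_playbook(ti: ThreatIntelApp, sandbox: SandboxApp,
                              mail: MailApp, edr: EdrApp) -> List[Step]:
    def enrich(ctx):
        indicators = [ctx["sender_ip"], *ctx["urls"]]
        ctx["ti_hits"] = [i for i in indicators if ti.lookup(i) == "malicious"]

    def detonate(ctx):
        ctx["sandbox"] = {a: sandbox.detonate(a) for a in ctx["attachments"]}

    def assess(ctx):
        bad_file = "malicious" in ctx["sandbox"].values()
        ctx["verdict"] = "malicious" if ctx["ti_hits"] or bad_file else "benign"

    is_malicious = lambda ctx: ctx.get("verdict") == "malicious"
    return [
        Step("enrich_indicators", enrich),
        Step("detonate_attachments", detonate),
        Step("assess", assess),
        Step("delete_message", lambda ctx: mail.delete(ctx["msg_id"]),
             condition=is_malicious, human_check="Delete the message from the mailbox?"),
        Step("collect_endpoint_data",
             lambda ctx: ctx.update(edr=edr.collect(ctx["recipient_host"])),
             condition=is_malicious),
    ]


def run_example(approver=None, sender_ip="203.0.113.9",
                urls=("http://example.invalid/pay",), attachments=("invoice.docm",)):
    """Runs the playbook on a constructed message; returns (result, context, mail app)."""
    mail = MailApp()
    steps = suspicious_email_playbook(ThreatIntelApp(), SandboxApp(), mail, EdrApp())
    ctx = {"msg_id": "msg-1", "sender_ip": sender_ip, "urls": list(urls),
           "attachments": list(attachments), "recipient_host": "ws-17"}
    return WorkflowEngine(approver).execute(steps, ctx), ctx, mail


if __name__ == "__main__":
    res, ctx, mail = run_example(approver=lambda question, c: True)
    print(res.status, res.executed, ctx["verdict"], mail.deleted)
```

With an approver that always answers yes, the run completes and the mail and EDR actions fire; with no approver, the three enrichment steps run automatically and the run stops at the delete checkpoint; a benign message never reaches the checkpoint at all, so it completes without any human involvement.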
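The alert triage and case management described under point 2) above, as an added example that is not code from the original page or from any vendor. It deduplicates a constructed alert feed (triage that cuts alert volume while keeping the hit count as evidence), then groups the surviving alerts into cases by shared indicators (host or IP) with a union-find, so that each case accumulates its indicators, its TTP identifiers and its highest severity. The alert fields, the indicator types and the MITRE-style TTP labels are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed alerts from several detection sources; "ttp" is an assumed
# technique label attached by the detector.
ALERTS = [
    {"id": "a1", "src": "ids", "severity": 3, "host": "ws-17", "ip": "203.0.113.9", "ttp": "T1566"},
    {"id": "a2", "src": "ids", "severity": 3, "host": "ws-17", "ip": "203.0.113.9", "ttp": "T1566"},
    {"id": "a3", "src": "edr", "severity": 5, "host": "ws-17", "ip": None, "ttp": "T1059"},
    {"id": "a4", "src": "proxy", "severity": 2, "host": "ws-40", "ip": "203.0.113.9", "ttp": "T1071"},
    {"id": "a5", "src": "av", "severity": 1, "host": "srv-2", "ip": None, "ttp": "T1204"},
]

Indicator = Tuple[str, str]  # ("host", "ws-17") or ("ip", "203.0.113.9")


def indicators_of(alert: dict) -> List[Indicator]:
    return [(k, alert[k]) for k in ("host", "ip") if alert.get(k)]


def triage(alerts: List[dict]) -> List[dict]:
    """Collapse repeated alerts (same source, indicators and TTP) into one with a hit count."""
    seen: Dict[tuple, dict] = {}
    for a in alerts:
        key = (a["src"], a["host"], a["ip"], a["ttp"])
        if key in seen:
            seen[key]["hits"] += 1                   # keep the repetition as evidence
        else:
            seen[key] = {**a, "hits": 1}
    return list(seen.values())


@dataclass
class Case:
    case_id: str
    alert_ids: List[str] = field(default_factory=list)
    indicators: Set[Indicator] = field(default_factory=set)
    ttps: Set[str] = field(default_factory=set)
    severity: int = 0
    hits: int = 0


def build_cases(alerts: List[dict]) -> List[Case]:
    """Group alerts that share any indicator into one case (union-find over indicators)."""
    parent: Dict[tuple, tuple] = {}

    def find(x: tuple) -> tuple:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]            # path halving
            x = parent[x]
        return x

    def union(a: tuple, b: tuple) -> None:
        parent[find(a)] = find(b)

    for a in alerts:
        inds = indicators_of(a)
        union(("alert", a["id"]), inds[0])
        for ind in inds[1:]:
            union(inds[0], ind)

    groups: Dict[tuple, List[dict]] = {}
    for a in alerts:
        groups.setdefault(find(("alert", a["id"])), []).append(a)

    cases: List[Case] = []
    for n, members in enumerate(groups.values(), start=1):
        c = Case(case_id=f"case-{n}")
        for a in members:
            c.alert_ids.append(a["id"])
            c.indicators.update(indicators_of(a))
            c.ttps.add(a["ttp"])
            c.severity = max(c.severity, a["severity"])
            c.hits += a.get("hits", 1)
        cases.append(c)
    # Analyst queue: most severe case first.
    cases.sort(key=lambda c: (-c.severity, c.case_id))
    return cases


def case_for(cases: List[Case], alert_id: str) -> Optional[Case]:
    return next((c for c in cases if alert_id in c.alert_ids), None)


if __name__ == "__main__":
    for c in build_cases(triage(ALERTS)):
        print(c.case_id, c.severity, c.alert_ids, sorted(c.ttps), c.hits)
```

On the constructed feed, the two identical IDS alerts collapse into one with two hits; that alert, the EDR alert on the same host and the proxy alert from another host to the same IP land in one case carrying three TTPs at severity 5, while the isolated antivirus alert forms its own low-severity case.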
From the above analysis we can see that SOAR, as an integrated response platform for security operations, plays a strong supporting role. Gartner believes that the modern Security Operations Center (SOC) will include at least a modern SIEM, that is, a SIEM that integrates UEBA, and SOAR. In other words, SOAR will serve as the support platform for security operations and response in the modern SOC. Gartner estimates that by 2021, 70% of SOCs will include SOAR capabilities, whether as a SOAR product embedded in a SIEM or as a stand-alone SOAR platform. By implementing SOAR in the SOC, you not only improve the SOC's ability to respond to security incidents, especially through orchestration and automation, but also improve the effectiveness of the SOC as a whole, including the speed of security incident investigation and analysis (including MTTD), the ability to integrate decentralized security systems, and the productivity of individual security operations personnel.
SOAR technology in practice
The value and role of SOAR have become quite obvious. At present there are a number of specialist SOAR vendors worldwide, and many international SIEM vendors have also launched (or acquired) SOAR products and features. The typical international specialist SOAR vendors are basically start-up companies, including CyberSponse, DFLabs, Resolve Systems, Respond Software, Siemplify, Swimlane and others. Major security vendors, especially SIEM vendors, have acquired SOAR companies and integrated them, such as IBM's SOAR acquisition and its integration with QRadar, Splunk's acquisition of Phantom, Rapid7's acquisition of Resilient, and Microsoft's acquisition of Hexadite. FireEye acquired Invotas, Palo Alto Networks acquired Demisto, and SIEM leaders such as LogRhythm, Exabeam and Securonix introduced integrated versions of lightweight security response orchestration and automation components.

Domestically, by contrast, there are no specialist SOAR vendors, and no security management platform vendor has officially released SOAR products or features. The reason is that SOAR capability cannot be acquired overnight; it requires a deep accumulation of security operations and maintenance technology.

It is in this context that the Shenghuaan entrepreneurial technology team, with its accumulated domestic security management and operations technology and practical experience, took note of SOAR technology four years ago and, after a long period of research and nearly a year of dedicated research and development, released Cybersky-SOAR in late July 2019. Shenghuaan's Cybersky-SOAR mainly includes five functions: alert management, case management, ticket management, security orchestration and automation, and threat intelligence application.