Security Orchestration, Automation & Response (SOAR) platforms are becoming increasingly popular in enterprises. Gartner defines SOAR as follows:

“SOAR refers to technologies that enable organizations to collect inputs monitored by the security operations team. For example, alerts from the SIEM system and other security technologies — where incident analysis and triage can be performed by leveraging a combination of human and machine power — help define, prioritize and drive standardized incident response activities. SOAR tools allow an organization to define incident analysis and response procedures in a digital workflow format”

Read closely, this definition hints at how SOAR platforms can be deployed by enterprises. Here are the recommended best practices for deploying security orchestration:

1) Identify use cases for automation.
2) Prepare workflows for known threat categories.
3) Integrate the technologies involved in the use case.
4) Test, test again and go live.
5) Measure improvement in MTTR for the target use case.

Let's look at each step in turn.

1) Identify use cases for automation

The best way to identify such use cases is by talking to your analysts. Understand their pain points: what is tedious for them, and which repetitive tasks they feel are unproductive.

You can prepare a document listing use cases for the various analysts by threat category, third-party tool, procedure, etc. Then you can target each automation use case one by one based on your requirements. Start small: begin with one use case or procedure and keep adding to it. For example, a reputation check using both open-source and commercial tools is a common task that every analyst has to do. You can start with that.

2) Prepare Workflows

Most mature SOC environments have documented procedures for handling specific threats. For example, handling a phishing incident could involve 10 different steps, mixing manual and automated tasks across various tools and people. You can start with that. You will know the tools that will be used for reputation checks, detonation of payloads, checking vulnerabilities, storing evidence, etc.

If your organization doesn’t have such procedures in place, then it’s time to get the team together and start creating them. You can start with the most common cyber security issues that your organization faces. Avoid use cases that go beyond one or two departments, as they might consume time and resources that you may not be ready for in the initial phases of SOAR deployment.

This workflow will eventually be used to create playbooks in the SOAR platform that automate the use cases identified in step 1.

3) Integrate Technologies

Based on the use case identified and its response workflow, you can integrate various third-party tools. The technologies will be dictated by your response procedure/workflow. Typical technologies involved are:

  • SIEM tool: The most common source of alerts
  • Threat intelligence tools: To check the reputation of various external indicators
  • Vulnerability scanners: To check vulnerabilities on the asset infrastructure
  • Enforcement technologies: Any technology that is used for remediation or enforcement. For example, firewalls, antivirus, email security systems, etc.
  • Directory systems like Microsoft AD: For checking user details, etc.
  • Ticketing systems: For tracking IT-related tickets

Some of these technologies could be optional for you based on your organization’s IT infrastructure.
A best practice specific to this step is to begin only with technologies that have no change impact on your infrastructure or don’t need to go through a change committee. For example, SIEM and threat intelligence first, followed by the other technologies.

4) Test, Re-Test and Implement

Once the playbook is implemented, you can configure the SOAR platform to fire the playbook when a specific condition matches. For example, in Securaa you can write a rule that says: run playbook “Threat Intelligence Checks” when an incoming alert has “Malicious Domain” in the alert description.

Once the alerts are consumed by the SOAR platform, check that the playbook is functioning and that all the playbook actions are executed automatically. Did it miss a step? Did any integration time out? Are your analysts happy with the automation?

Test this a few times and, once you are satisfied with the results, implement the playbook. You can now move on to the next use case.

5) Measure improvement in MTTR for the target use case

Most SOAR platforms track Mean Time to Respond (MTTR) for an alert. You can see whether the MTTR has improved over a time range. For example, Securaa provides an out-of-the-box chart that tracks MTTR over a period of time. This should be checked as you add new use cases along with their workflows. Also, take feedback from your analysts. They are the best source of success for your SOAR deployment.
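Steps 4 and 5 describe three pieces of the same loop: a trigger rule that maps an alert to a playbook, a test run that shows whether any step was missed or an integration timed out, and MTTR measured over a time range before and after automation. The Python below is an added example that models those three pieces; it is not Securaa’s code or API, and the names (Alert, Rule, Playbook, run_playbook, mttr_hours), the case-insensitive substring rule semantics, and the sample alerts and integration actions are all constructed for illustration.

```python
"""Toy model of SOAR playbook triggering, test runs and MTTR measurement.
Added example: every name here is hypothetical, not the API of Securaa or
any other SOAR product. No real integration is called."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Alert:
    alert_id: str
    description: str
    created_at: datetime
    closed_at: Optional[datetime] = None  # set when the alert is resolved


@dataclass
class Rule:
    """Trigger rule: fire `playbook` when `phrase` appears in the alert description."""
    phrase: str
    playbook: str


# An action stands in for one integration call; returns (result, seconds taken).
Action = Callable[[Alert], Tuple[str, float]]


@dataclass
class Playbook:
    name: str
    steps: List[Tuple[str, Action]]  # ordered (step name, action) pairs
    step_timeout_s: float = 30.0     # time budget per integration call (assumed)


def select_playbook(alert: Alert, rules: List[Rule]) -> Optional[str]:
    """First matching rule wins; the match is a case-insensitive substring test,
    i.e. 'run playbook X when the description contains "Malicious Domain"'."""
    text = alert.description.lower()
    for rule in rules:
        if rule.phrase.lower() in text:
            return rule.playbook
    return None


def run_playbook(pb: Playbook, alert: Alert) -> Dict[str, object]:
    """Execute every step in order and record which completed, timed out or
    raised, so a test run answers 'did it miss a step, did an integration time out'."""
    report: Dict[str, object] = {"playbook": pb.name, "alert": alert.alert_id,
                                 "completed": [], "timed_out": [], "failed": []}
    for name, action in pb.steps:
        try:
            result, elapsed = action(alert)
        except Exception as exc:  # integration error: record it, keep going
            report["failed"].append((name, repr(exc)))
            continue
        if elapsed > pb.step_timeout_s:
            report["timed_out"].append(name)
        else:
            report["completed"].append((name, result))
    report["all_steps_ok"] = (not report["timed_out"] and not report["failed"]
                              and len(report["completed"]) == len(pb.steps))
    return report


def mttr_hours(alerts: List[Alert], start: datetime, end: datetime) -> Optional[float]:
    """Mean time to respond, in hours, over alerts created in [start, end) that
    have been closed. Open alerts are excluded rather than counted as zero."""
    durations = [(a.closed_at - a.created_at).total_seconds() / 3600
                 for a in alerts
                 if a.closed_at is not None and start <= a.created_at < end]
    if not durations:
        return None
    return sum(durations) / len(durations)


# --- constructed sample actions and alerts (no real tool, no real data) ---
def ti_reputation(alert: Alert) -> Tuple[str, float]:
    return ("domain flagged by 3 TI feeds", 2.0)       # fast lookup


def sandbox_detonation(alert: Alert) -> Tuple[str, float]:
    return ("no verdict yet", 45.0)                    # slower than the 30 s budget


def create_ticket(alert: Alert) -> Tuple[str, float]:
    return ("ticket INC-0001 created", 1.0)            # placeholder ticket id


PLAYBOOK = Playbook("Threat Intelligence Checks",
                    [("reputation", ti_reputation),
                     ("detonate", sandbox_detonation),
                     ("ticket", create_ticket)])
RULES = [Rule("Malicious Domain", "Threat Intelligence Checks")]

T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_ALERTS = [
    Alert("A1", "Malicious Domain contacted by host WS-12", T0, T0 + timedelta(hours=4)),
    Alert("A2", "Malicious Domain in proxy log", T0 + timedelta(days=1), T0 + timedelta(days=1, hours=2)),
    Alert("A3", "Malicious Domain beacon", T0 + timedelta(days=8), T0 + timedelta(days=8, minutes=30)),
    Alert("A4", "Malicious Domain lookup", T0 + timedelta(days=9)),   # still open
    Alert("A5", "Suspicious login from new location", T0 + timedelta(days=9)),  # no rule matches
]


def demo():
    """Test run on the first alert, then MTTR for the week before and after go-live."""
    report = run_playbook(PLAYBOOK, SAMPLE_ALERTS[0])
    before = mttr_hours(SAMPLE_ALERTS, T0, T0 + timedelta(days=7))
    after = mttr_hours(SAMPLE_ALERTS, T0 + timedelta(days=7), T0 + timedelta(days=14))
    return report, before, after


if __name__ == "__main__":
    print(demo())
```

The test report deliberately keeps running after a timed-out step instead of aborting, so one run tells you every integration that needs attention; the MTTR function leaves open alerts out of the average rather than flattering the number with zeros.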

If you are looking for a comprehensive SOAR platform along with guidance then reach out to us.