Summary
Enterprises are striving to keep up with the current threat landscape with too many manual
processes, while struggling with a lack of resources, skills and budgets. Security and risk
management leaders should determine which SOAR tools improve security operations
efficiency, quality and efficacy.
Overview
Key Findings
Security operations teams struggle to keep up with the deluge of security alerts from an
increasing arsenal of threat detection technologies.
Security operations still primarily rely on manually created and maintained, document-
based procedures for operations, which leads to issues such as longer analyst
onboarding times, stale procedures, tribal knowledge and inconsistencies in executing
operational functions.
The challenges from an increasingly hostile threat landscape, combined with a lack of
people, expertise and budget are driving organizations toward security orchestration,
automation and response (SOAR) technologies.
Threat intelligence management capabilities are starting to merge with orchestration,
automation and response tools to provide a single operational tool for security
operation teams.
Recommendations
IT security and risk management leaders responsible for security monitoring and operations
should:
Assess how SOAR tools can improve the efficacy, efficiency and consistency of their
security operations by using orchestration and automation of threat intelligence
management, security event monitoring and incident response processes.
Focus on automating tasks and orchestrating incident response, starting with procedures
that are easy to implement and where machine-based automation will measurably reduce
incident investigation cycle times.
Use external threat intelligence as a key way to improve the efficacy of security
technologies and processes within the security operations program.
Strategic Planning Assumption
By year-end 2020, 15% of organizations with a security team larger than five people will
leverage SOAR tools for orchestration and automation reasons, up from less than 1% today.
Analysis
Security and risk management leaders responsible for security monitoring and operations face
an increasingly challenging world. Attackers are improving their ability to bypass traditional
blocking and prevention security technologies, and end users continue to fall victim to attackers
through social engineering methods, while still failing to carry out basic security practices well.
While mean time to detect threats may be trending down across industries, [1] it still takes far
too long. Once a threat is detected, responding to and remediating it remains a challenge for
most organizations. Additionally, many security teams have overinvested in a plethora of
tools. As a result, they suffer from alert fatigue and the complexity of multiple consoles,
and face difficulty recruiting and retaining security operations analysts with the skills and
expertise needed to use all those tools effectively. This all plays out against the backdrop of
a growing attack surface that is no longer restricted to on-premises IT environments.
The attack surface today encompasses multiple forms of cloud (SaaS, IaaS and PaaS) and mobile
environments, and even extends to third-party organizations that are suppliers to upstream
organizations. Finally, effective security monitoring requires not only tools and well-
documented incident response processes and procedures, but also the ability to execute them
with consistency and precision, and the capability to refine and update responses as best
practices emerge. Many organizations have few, if any, of these procedures documented. Where
procedures do exist, they are often monolithic and inflexible, and teams continue to rely on
ad hoc responses, repeated over and over again.
Since Gartner's first analysis of the SOAR space (which was initially defined by Gartner as
"security operations, analytics and reporting"), the vendor and technology landscape has
evolved. In 2017, many technologies claim the ability to orchestrate incident response, but
present some limitations in capabilities that could deliver real overall benefits for the efficacy of
an operations team. Examples of these shortcomings include a limited ability to show the big
picture of organizations' state of security or the lack of connectivity to the organization's
ecosystem of tools. Security orchestration and automation have become closely aligned with
security incident response (SIR) and general operations processes. Security information and
event management (SIEM) vendors have incorporated automated response capabilities to
varying degrees. Automated response is also appearing as a feature in other security
technologies. The lack of centralized capabilities in the above solutions leaves security
teams responsible for manually collecting and stitching together all this information, and
for working from manual playbooks for the tasks related to each type of incident.
Figure 1 shows a continuous set of activities that a SOC team can perform by using SOAR
technology. The figure reflects the use of the CARTA strategy for continuous monitoring and
visibility.
Figure 1. SOAR Overview
Definition
Gartner defines security orchestration, automation and response, or SOAR, as technologies that
enable organizations to collect security threat data and alerts from different sources, so that
incident analysis and triage can be performed using a combination of human and machine
effort to help define, prioritize and drive standardized incident response activities according to
a standard workflow. SOAR tools allow an organization to define incident analysis and response
procedures (also known as plays in a security operations playbook) in a digital workflow format,
such that a range of machine-driven activities can be automated.
Key capabilities of SOAR tools include the following.

Bidirectional integration: Integration actions can be described at a high level as "push" or
"pull." "Push" integration means telling a tool/device to do something. "Pull" means connecting
to a tool/device and requesting information it might have. Gartner recommends that end users
press their tool vendors to support a full range of both push- and pull-type capabilities via a
well-documented and supported API, simple scripts or a programming language.

Feature-rich integration: Flexible API customization to facilitate the use of all features
supported by a security vendor's product. Some security tools offer many functions via API.
Just because your tool is supported does not mean that all of its functions are controllable
via the security tool's APIs. Additionally, if a security tool exposes many functions via API,
it does not follow that the SOAR tool can handle them all. For example, the firewall might only
support adding an Internet Protocol (IP) address for blocking, and not a URL. A SOAR tool might
not support asking a firewall whether it has seen a particular IP/URL/file hash.

Abstraction layer: Key to the value of SOAR tools is the availability of an abstraction layer
so the analyst does not need to be an expert in the specific APIs, scripts or programming
languages of individual tools. Rather, they can work with logic and abstractions while the
SOAR tool translates those into tool-specific API calls.

Process guidance: The ability to guide analysts through standardized steps, instructions and
decision-making workflows.

Workflow with multilevel automation: Flexible workflow formalization along with a set of
predefined actions, as well as enforcement, status tracking and auditing capabilities. The
ability to automate workflows, with the flexibility to inject human responses into the
workflow.

Playbooks: The ability to code playbooks, either in a standard language such as Python or
through a UI that helps define playbooks.

User interface for investigation: Provides an investigation timeline/screen to collect and
store artifacts of the investigation for current and future analysis. Helps SOC analysts
continue the investigation/response across work shifts by keeping the historical information
and notes of each incident.

Collaboration and granular role-based access control and management: Exchange of information
between teams, organization units and tiers.

Capturing a knowledge base from security analysts: Build an internal knowledge base for
incident resolution. Leading products also provide a library of playbooks and processes for
popular use cases, as well as access to a community of contributors.

Incident investigation: Correlate incidents, including artifacts, to cross-match activity, and
either view or link related incidents. The information should then be surfaced proactively to
analysts. Use forensics to perform a detailed analysis of activity that occurred before and
after a security breach.

SOC director-level reporting: Report on the efficiency and behavior of the SOC using metrics
such as the number of analysts, the number of incidents per analyst, and the mean and median
time spent in each phase of incident response (for example, the triage phase).
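The following is an added illustration of how these capabilities fit together; it is not code from the report or from any vendor listed in it. It implements a minimal playbook engine in Python: tool connectors that expose "pull" (query) and "push" (act) actions behind an abstraction layer, a phishing-triage playbook written as ordinary code, an audit trail of every action, and a workflow step that pauses for a human decision when threat-intelligence context is too weak to act automatically. It also shows the feature-rich-integration caveat from the text: the firewall connector can block an IP address but exposes no URL-blocking action, so the playbook records a manual task instead of silently skipping containment. All tool back-ends, connector names (siem, ti, firewall, mail) and alert data are constructed stand-ins.

```python
"""Minimal SOAR-style playbook engine (added example, not product code).

Connectors wrap each tool behind named pull/push actions; the Orchestrator
routes playbook steps to them and records every step for auditing; the
playbook itself is plain Python with one human decision point.
All tool back-ends and alert data below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class Connector:
    """Abstraction layer over one tool: the playbook asks for an action by
    name and never touches the tool's native API."""
    name: str
    pull: Dict[str, Callable]   # query actions: return data held by the tool
    push: Dict[str, Callable]   # change actions: tell the tool to do something

    def supports(self, kind: str, action: str) -> bool:
        return action in (self.pull if kind == "pull" else self.push)


class Orchestrator:
    """Routes playbook steps to connectors and records each one for auditing."""

    def __init__(self):
        self.tools: Dict[str, Connector] = {}
        self.audit = []   # (kind, tool, action, outcome) tuples, in execution order

    def register(self, c: Connector):
        self.tools[c.name] = c

    def pull(self, tool, action, **kw):
        return self._run("pull", tool, action, **kw)

    def push(self, tool, action, **kw):
        return self._run("push", tool, action, **kw)

    def _run(self, kind, tool, action, **kw):
        c = self.tools[tool]
        if not c.supports(kind, action):
            # A tool can be "integrated" yet not expose this function via its
            # API (the firewall-blocks-IPs-but-not-URLs case from the text).
            self.audit.append((kind, tool, action, "unsupported"))
            raise NotImplementedError(f"{tool} has no {kind} action {action!r}")
        result = getattr(c, kind)[action](**kw)
        self.audit.append((kind, tool, action, "ok"))
        return result


# Constructed sample data standing in for a SIEM, a threat-intel feed, a
# firewall blocklist and a mail-gateway quarantine (assumed, not real tools).
SIEM_ALERTS = {
    "A-1": {"ip": "198.51.100.7", "url": "http://198.51.100.7/inv", "recipients": ["u1", "u2"]},
    "A-2": {"ip": "203.0.113.9", "url": "http://203.0.113.9/login", "recipients": ["u3"]},
}
TI_FEED = {"198.51.100.7": {"score": 90, "tags": ["phishing"]}}   # 203.0.113.9 is unknown
FIREWALL_BLOCKLIST = set()
MAIL_QUARANTINE = []


def build_orchestrator() -> Orchestrator:
    o = Orchestrator()
    o.register(Connector("siem", pull={"get_alert": lambda alert_id: SIEM_ALERTS[alert_id]}, push={}))
    o.register(Connector("ti", pull={"lookup_ip": lambda ip: TI_FEED.get(ip, {"score": 0, "tags": []})}, push={}))
    # Deliberately no "block_url" push action: only IP blocking is exposed.
    o.register(Connector("firewall", pull={}, push={"block_ip": lambda ip: FIREWALL_BLOCKLIST.add(ip) or True}))
    o.register(Connector("mail", pull={}, push={"quarantine": lambda recipients: MAIL_QUARANTINE.extend(recipients) or len(recipients)}))
    return o


def phishing_playbook(o: Orchestrator, alert_id: str, approve: Callable, auto_threshold: int = 80) -> dict:
    """Triage one phishing alert. `approve(alert, intel)` is the human decision
    point, consulted only when threat-intel context is too weak to justify
    fully automated containment. Returns a summary of what was done."""
    alert = o.pull("siem", "get_alert", alert_id=alert_id)      # pull: enrich from SIEM
    intel = o.pull("ti", "lookup_ip", ip=alert["ip"])            # pull: external context
    if intel["score"] >= auto_threshold:
        decision = "auto"
    else:
        decision = "approved" if approve(alert, intel) else "rejected"
    actions = []
    if decision != "rejected":
        o.push("firewall", "block_ip", ip=alert["ip"])           # push: contain at the perimeter
        actions.append("block_ip")
        try:
            o.push("firewall", "block_url", url=alert["url"])
            actions.append("block_url")
        except NotImplementedError:
            actions.append("block_url:manual")                  # hand the gap to an analyst
        n = o.push("mail", "quarantine", recipients=alert["recipients"])
        actions.append(f"quarantine:{n}")
    return {"alert": alert_id, "score": intel["score"], "decision": decision, "actions": actions}


if __name__ == "__main__":
    orch = build_orchestrator()
    print(phishing_playbook(orch, "A-1", approve=lambda a, i: False))   # auto-contained
    print(phishing_playbook(orch, "A-2", approve=lambda a, i: True))    # human-approved
    for entry in orch.audit:
        print(entry)
```

Alert A-1 matches a high-confidence indicator and is contained without asking anyone; A-2 has no intelligence context, so the playbook defers to the `approve` callback, which in a real deployment would be a ticket or chat prompt that holds the workflow until an analyst answers. The audit list is what a status-tracking and reporting layer would consume, including the "unsupported" entry that proves the URL block never happened.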
Risks
Key risks for implementing SOAR include:
Market direction: In the longer term, adjacent technologies that are much larger and
also focus on security operations (such as SIEM or other threat-focused
vendors/segments) are likely to add SOAR-like capabilities. This will be sped up by
acquisitions of SOAR tool vendors (for example, IBM acquiring Resilient Systems;
Microsoft acquiring Hexadite; FireEye acquiring Invotas; ServiceNow acquiring
BrightPoint Security).
Limited integration value: Clients will not be able to leverage a SOAR tool if they lack a
minimum set of security solutions in place to provide enough information to make decisions
or to automate security tasks. For example, SIEM is often a key piece of technology for the
use of SOAR tools because of its complementary nature. Today, SOAR is most viable for Type A
and Type B organizations. [2]
Budget: Clients that are budget-constrained need to juggle conflicting needs of
stretched budgets for all of IT, let alone security. They will likely not be early consumers
of these technologies and instead will look to invest in more foundational security
measures.
Recommendations
IT security leaders should consider SOAR tools in their security operations to meet the following
goals.
Improve Security Operations Efficiency and Efficacy
SOAR tools offer a way to move through a task, from steps A to Z. For example, if a process
takes an hour or two to perform, having a way to reduce that to 15 minutes offers a significant
improvement in productivity. This is beneficial because:
Performing the task faster equals better time to resolution. The longer an issue is left
unaddressed, the worse it can become, leaving the organization in a potentially risky
situation for longer periods of time. Ransomware, for example, is a threat that can get
exponentially worse with time.
Staff shortages are a critical issue for many organizations. The ability to handle
processes more efficiently means that security analysts can spend less time with each
incident and will thus be able to handle more incidents, allowing response to more
incidents despite fewer resources being available.
Automation and orchestration allow your tools to work together to solve issues, versus
operating in isolation with no context, which requires a lot of manual work to perform
required tasks.
Product Selection
Security and risk management leaders should favor SOAR solutions that:
Allow orchestration of a rich set of different security (and nonsecurity) technologies,
with a focus on the specific solutions that are already deployed or about to be deployed
in an organization.
Promote an easy integration of tools not included in the out-of-the-box integration list.
Offer the capability to easily code an organization's existing playbooks that the tool can
then automate, either via an intuitive UI and/or via a simple script.
Optimize the collaboration of analysts in the SOC; for example, with a chat or IM
framework that makes analysts' communication more efficient, or with the ability to
work together on complex cases.
Have a pricing cost that is aligned with the needs of the organization and that is
predictable. Avoid pricing structures based on the volume of data managed by the tool,
or based on the number of playbooks that are run per month, as these metrics carry an
automatic penalty for more frequent use of the solution.
Offer flexibility in the deployment and hosting of the solution, either in the cloud, on-
premises or a hybrid of these, to accommodate organizations' security policies and
privacy considerations, or organizations' cloud-first initiatives.
Better Prioritize the Focus of Security Operations
Prioritization is perennially a key problem. Favor SOAR tools that can help select the top 10
things to be doing today if you have 100 you can potentially do. Efficiency will not fix poor
prioritization. SOAR tools can help with this by using external context, like threat intelligence, to
help drive processes that have more context so that better decisions can be made in security
operations. The goal is working smarter, not harder.
Don't "Boil the Ocean" — Focus on Critical Security Processes and Use Tools Such as SOAR to
Evolve From There
Security teams are regularly tasked with fixing all things, all the time, 24/7, everywhere, but
with the same budget and staffing as last year. This is clearly untenable, yet it is a persistent
observation from client inquiries with security operations teams. For security operations,
we recommend focusing on executing well on key incident response processes, such as
malware outbreak, data exfiltration and phishing. Focus on handling these types of
situations very well, and then use this well-executed base to expand into other areas.
Representative Vendors
Anomali
Ayehu
CyberSponse
Demisto
DFLabs
EclecticIQ
IBM (Resilient Systems)
Microsoft (Hexadite)
Phantom
Resolve Systems
ServiceNow Security Operations
Siemplify
Swimlane
Syncurity
ThreatConnect
ThreatQuotient