DigitalWorld: Edition11 SOAR Technical Control Solutioning

This newsletter covers the various aspects of SOAR technical control solutioning: SOAR functionality, SOAR architecture and solution components, supported protocols and methods, SOAR data sources, SOAR deployment considerations, the SOAR workflow for a security event, SIEM versus SOAR, key regulatory considerations, and references.


Content

SOAR Definition and Functionality

SOAR Architecture

SOAR Supported Protocol & Format/Methods

SOAR Solution – Key Component

SOAR Solution Placement in the Enterprise Network

SOAR DATA Sources

SOAR Workflow - for a Security Event

SIEM Versus SOAR Functionality

SOAR Key Regulatory Consideration

Reference


SOAR Definition

Security Orchestration, Automation, and Response (SOAR): SOAR is a software solution that integrates with various security tools to gather data, automate security workflows and repetitive tasks, and streamline incident and threat response workflows.

SOAR functionality can be described in terms of detection, triage, prioritization and response to a security event or incident. For repetitive tasks, it can respond in an automated fashion using predefined playbooks.

Figure: SOAR - Phases of a Security Event

SOAR Architecture

SOAR generally follows a layered software architecture. This layered approach breaks down SOAR's functionalities into distinct modules that work together. Here's a simplified view:

  • Data Layer: Stores SOAR's internal data and integrates data from external security tools.
  • Integration Layer: Enables communication and data exchange between SOAR and various security tools.
  • Business Logic Layer (Workflow Engine): The core of SOAR, responsible for workflow management, decision making, and automation based on playbooks.
  • Presentation Layer: Provides a user interface for security analysts to interact with SOAR.

This layered architecture facilitates communication, workflow execution, and user interaction, all crucial aspects of SOAR's security orchestration and automation capabilities.

SOAR Supported Protocol & Methods

Security Orchestration, Automation, and Response (SOAR) solutions support a variety of protocols and methods for integrating with other systems. Here are some common ones:

  1. Syslog: Description: Syslog is a widely used protocol for sending system log messages to a central server. Purpose: SOAR platforms can ingest security events and logs via Syslog from various devices and applications. Benefits: It allows centralized collection, analysis, and correlation of security-related data.
  2. Database Connections: Usage: SOAR platforms can connect to databases (e.g., SQL databases) to retrieve and process security-related information. Example: Querying a threat intelligence database for indicators of compromise (IOCs) or historical incident data.
  3. RESTful APIs (Application Programming Interfaces): Integration: Used by SOAR systems for communication with external systems. They allow SOAR to send requests and receive responses in a structured format, enabling data exchange and triggering actions on other platforms. Benefits: APIs allow seamless communication between SOAR and other security tools, enabling automation and orchestration.
  4. STOMP: This messaging protocol is used for real-time communication between SOAR and other security tools. It allows for bi-directional messaging, enabling SOAR to subscribe to events from other platforms and react accordingly. For example, SOAR might use STOMP to receive security alerts from a SIEM and then automate an incident response workflow.
  5. OpenWire: This is another messaging protocol similar to STOMP, sometimes used by SOAR for communication, particularly with IBM Security products.
  6. Simple Network Management Protocol (SNMP): Used for communication with network devices to retrieve configuration information or trigger actions.
  7. Email and Online Forms: Ingestion: SOAR platforms can process security-related emails and forms submitted by analysts or end-users. Workflow Automation: For example, creating incidents from email alerts or handling user-reported incidents.
  8. CEF (Common Event Format): Usage: SOAR solutions often support CEF, a standardized format for security events. Benefits: CEF simplifies data normalization and ensures consistent event representation across different tools.
  9. OpenIOC and STIX/TAXII: Usage: These standards are used for sharing threat intelligence and indicators of compromise (IOCs). Integration: SOAR platforms can consume OpenIOC and STIX/TAXII feeds to enhance threat detection and response.

The specific protocol used depends on the integration between SOAR and the external system. REST APIs are generally the most versatile option, while STOMP and OpenWire are better suited for real-time communication and event streaming. For configuring SOAR to connect with other tools, you'll typically need to provide details like the API URL, port number, and authentication credentials for the chosen protocol.

SOAR Solution – Key Component

Components:

  • Workflow Engine: The core component of SOAR. It defines the sequence of actions to be taken in response to different security incidents. Security analysts design workflows (often called playbooks) that detail the steps for investigating and containing various types of threats. The workflow engine executes these playbooks based on triggers from security alerts or other events. Workflows can include tasks like:
      • Enriching alerts with additional context from other sources.
      • Isolating compromised systems.
      • Deploying anti-malware software.
      • Resetting user passwords.
      • Notifying security analysts.
  • Integration Connectors: Establish communication channels between SOAR and other security tools. These connectors translate data formats and protocols to enable seamless information exchange. Common examples of security tools SOAR integrates with include SIEM (Security Information and Event Management), firewalls, endpoint detection and response (EDR) tools, and threat intelligence feeds.
  • Playbooks: Pre-defined workflows for specific security incidents. Playbooks detail the steps to be taken for each incident type, ensuring a consistent and efficient response.
  • Case Management: Tracks and manages the lifecycle of security incidents. This includes recording incident details, investigation progress, and resolution steps.
  • Reporting Engine: Generates reports on security incidents, providing insights into trends, attack types, and overall security posture.

Additional Considerations:

  • Machine Learning (ML): Some SOAR solutions leverage machine learning to automate tasks like threat identification and incident prioritization.
  • Artificial Intelligence (AI): Advanced SOAR platforms might utilize AI to conduct more complex investigations and recommend response actions.

By working together, these protocols and components enable SOAR to automate repetitive and time-consuming security incident response (SIR) tasks. This allows security analysts to focus on more strategic activities like threat hunting and investigation.

SOAR Solution Placement in the Enterprise Network

Here are the key considerations for on-premise SOAR (Security Orchestration, Automation, and Response) solution placement within an enterprise network:

Security and Access Control:

  • Top Priority: SOAR deals with sensitive security data as it interacts with various security tools and automates response actions. On-premise placement allows for more granular control over access and security compared to cloud-based solutions.
  • Integration: The SOAR solution should be able to integrate with and ingest data from a wide variety of assets, systems and platforms. This includes security information and event management (SIEM) systems, threat intelligence platforms (TIPs), and other security tools.
  • Network Segmentation: Implement network segmentation to isolate the SOAR solution within a dedicated secure zone. This isolation helps contain potential security breaches and minimizes the attack surface should the SOAR system itself become compromised.

Network Performance and Integration:

  • Minimizing Latency: On-premise SOAR can ensure efficient communication with other security tools (SIEM, firewalls, EDR) residing on the same network. This minimizes latency and latency variations that can impact response times.
  • Integration Considerations: The specific network placement might depend on the SOAR's integration methods. If SOAR communicates primarily through REST APIs, placing it closer to the application layer where these APIs reside can optimize communication efficiency.

Usability and Manageability:

  • Security Analyst Access: Security analysts in the SOC are the primary users of SOAR. On-premise placement within the SOC or a readily accessible security zone allows for efficient monitoring, management, and use of the platform.
  • Centralized Security Management: Keeping SOAR on-premise fosters a centralized approach to security management within your organization's network. Security teams can maintain a holistic view of security incidents and leverage SOAR for coordinated response activities.

Additional Considerations:

  • IT Expertise: On-premise deployment requires your IT team to have the expertise to manage, maintain, and update the SOAR solution hardware and software infrastructure.
  • Scalability: Consider future growth and potential needs for increased processing power or data storage. Ensure your on-premise infrastructure can accommodate future scaling requirements for the SOAR solution.
  • Disaster Recovery: Develop a disaster recovery plan to ensure the availability and functionality of your on-premise SOAR solution in case of hardware failures or other disruptions.

On-premise vs Cloud-based SOAR:

While on-premise SOAR offers greater control and security, it also requires more IT management overhead. Cloud-based SOAR solutions can be easier to deploy and maintain but might have limitations on data security and customization. Carefully evaluate your organization's specific needs and security posture when choosing between on-premise and cloud-based deployment options.

In summary:

  • On-premise SOAR placement prioritizes security, efficient communication within your network, and ease of use for security analysts within the SOC.
  • It requires careful consideration of network segmentation, IT expertise for management, scalability planning, and disaster recovery strategies.
  • Weigh the benefits of on-premise control against the potential advantages of a cloud-based deployment model when making your final decision.

SOAR DATA Sources

SOAR platforms can ingest data from a wide range of security tools and sources to build a comprehensive picture of potential security incidents. Here are some of the common data sources for SOAR:

  • Security Information and Event Management (SIEM) Systems: SIEM systems aggregate logs and events from various security tools, providing a centralized view of security activity. SOAR can leverage this consolidated data for analysis and identification of security incidents.
  • Endpoint Detection and Response (EDR) Solutions: EDR tools monitor endpoints (like laptops and servers) for suspicious activity. They provide SOAR with real-time data on potential threats like malware infections or unauthorized access attempts.
  • Network Security Devices: Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) generate alerts on suspicious network traffic. SOAR can ingest these alerts to identify potential network attacks or breaches.
  • Cloud Security Tools: Cloud providers offer security tools that monitor and report on security events within their cloud environments. SOAR can integrate with these tools for better visibility into cloud security posture.
  • Threat Intelligence Feeds: Threat intelligence feeds provide up-to-date information on known threats, indicators of compromise (IOCs), and attacker tactics, techniques, and procedures (TTPs). SOAR can leverage this threat intelligence to enrich security events and improve threat detection accuracy.
  • Identity and Access Management (IAM) Systems: IAM systems track user access and activities. SOAR can integrate with IAM to identify suspicious user behavior or unauthorized access attempts.
  • Security Mail Gateways and Email Security Solutions: These tools monitor email traffic for phishing attempts, malware attachments, and spam. SOAR can analyze data from these sources to identify potential email-borne threats.

By collecting data from these diverse sources, SOAR platforms can correlate events, identify potential threats, and orchestrate an effective security response.

Figure: SOAR - Example Security Data Sources

SOAR Workflow - for a Security Event

Here's a step-by-step breakdown of what happens in a SOAR platform when it receives a security event:

1. Ingestion and Parsing:

  1. The SOAR platform receives the security event data from various security tools (firewalls, SIEM, EDR).
  2. This data can be in different formats (logs, alerts). SOAR parses and normalizes the data into a format it can understand.

2. Enrichment and Correlation:

  1. SOAR may enrich the event data by looking up additional information about the involved IP addresses, URLs, or file hashes against threat intelligence feeds.
  2. It can also correlate the event with other events happening around the same time to identify potential connections and build a broader incident picture.

3. Threat Analysis and Prioritization:

  1. SOAR analyzes the enriched event data using pre-defined rules and threat intelligence.
  2. This helps it determine the severity and potential risk associated with the event.
  3. Based on this analysis, SOAR prioritizes the event, flagging high-risk events for immediate attention.

4. Workflow Selection and Automation:

  1. Depending on the type and severity of the event, SOAR selects the appropriate pre-defined workflow (playbook) to handle the situation.
  2. These playbooks outline a series of automated actions. SOAR can then initiate these actions, such as isolating the infected device, blocking malicious IP addresses, quarantining suspicious files, and sending notifications to security analysts.

5. Human Intervention and Decision Making:

  1. While SOAR automates tasks, it doesn't replace human security analysts.
  2. Analysts review the event details, approve or adjust automated actions, and potentially initiate further investigation based on the situation's complexity.

6. Reporting and Feedback Loop:

  1. SOAR keeps track of the entire incident response process, including automated actions and analyst interventions.
  2. This data is used to generate reports that provide insights into security incidents and overall security posture.
  3. Security analysts can then review these reports and provide feedback to improve SOAR workflows and playbooks for future incidents.
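As an added example (not code from this newsletter or from any SOAR product), the small pipeline below walks a constructed CEF alert (the CEF format listed under supported formats) through steps 1 to 6 above: parse and normalize, enrich against an embedded threat-intel set, score and prioritize, select a playbook, hold anything beyond a notification for analyst approval, and record an audit trail for reporting. The threat-intel values, playbook table, scoring weights and sample alerts are all constructed assumptions.

```python
import re

# Constructed threat-intel lookup standing in for a TIP / STIX feed (not real IOCs).
THREAT_INTEL = {"ip": {"203.0.113.45"}, "hash": {"0123456789abcdef0123456789abcdef"}}
# Constructed playbook table: normalized event category -> playbook name.
PLAYBOOKS = {"malware": "isolate_host", "brute_force": "reset_password"}
DEFAULT_PLAYBOOK = "notify_analyst"
# Playbooks that may run without a human gate; anything else waits for analyst approval.
AUTO_APPROVED = {"notify_analyst"}
IOC_WEIGHT = 3       # constructed scoring: each matched IOC adds 3 to the CEF severity (0-10)
HIGH_THRESHOLD = 8   # constructed: a score at or above this is flagged for immediate attention

# CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
CEF_HEADER = re.compile(
    r"CEF:(\d+)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(\d+)\|(.*)$")
# Extension: space-separated key=value pairs whose values may themselves contain spaces.
CEF_EXT = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_cef(line):
    """Step 1: parse one CEF line into header fields plus the extension key=value pairs.
    Escaped delimiters (backslash-pipe, backslash-equals) are not handled, to stay short."""
    m = CEF_HEADER.match(line.strip())
    if not m:
        raise ValueError("not a CEF line: %r" % line)
    _ver, vendor, product, _pver, sig_id, name, severity, ext = m.groups()
    event = {"vendor": vendor, "product": product, "signature": sig_id,
             "name": name, "severity": int(severity)}
    event.update(CEF_EXT.findall(ext))  # e.g. src, suser, fileHash, cat
    return event

def enrich(event):
    """Step 2: match the source IP and file hash against the threat-intel set."""
    hits = []
    if event.get("src") in THREAT_INTEL["ip"]:
        hits.append("src:" + event["src"])
    if event.get("fileHash") in THREAT_INTEL["hash"]:
        hits.append("fileHash:" + event["fileHash"])
    return hits

def handle_event(line):
    """Run steps 1-6 on one event; returns the normalized record and its audit trail."""
    audit = []
    event = parse_cef(line)
    audit.append(("ingest", "%s sig=%s" % (event["product"], event["signature"])))
    iocs = enrich(event)
    audit.append(("enrich", "%d IOC match(es)" % len(iocs)))
    score = event["severity"] + IOC_WEIGHT * len(iocs)            # step 3: prioritize
    priority = "high" if score >= HIGH_THRESHOLD else "normal"
    audit.append(("prioritize", "score=%d priority=%s" % (score, priority)))
    playbook = PLAYBOOKS.get(event.get("cat"), DEFAULT_PLAYBOOK)  # step 4: select playbook
    status = "executed" if playbook in AUTO_APPROVED else "pending_analyst_approval"  # step 5
    audit.append(("playbook", "%s -> %s" % (playbook, status)))   # step 6: audit record
    return {"event": event, "iocs": iocs, "score": score, "priority": priority,
            "playbook": playbook, "status": status, "audit": audit}
```

The returned `audit` list is what a reporting engine would persist; a real playbook engine would execute the selected playbook only once `status` leaves `pending_analyst_approval`.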

Figure: SOAR and Ticketing System

This is a simplified view, and the specific steps may vary depending on the SOAR platform and its configuration.

SIEM Versus SOAR Functionality

SIEM and SOAR are not directly security controls themselves, but rather software categories that implement security controls. Here's a breakdown of each:

SOAR (Security Orchestration, Automation and Response)

  • SOAR complements SIEM by automating security incident response (SIR) tasks.
  • It integrates with SIEM and other security tools to receive security alerts.
  • SOAR can automate tasks like:
      • Enriching alerts with additional context from other sources.
      • Prioritizing alerts based on severity.
      • Executing pre-defined workflows to investigate and contain security incidents.
      • Generating reports on security incidents.

How they work together:

  • SIEM acts as the security intelligence layer, collecting data and identifying potential threats.
  • SOAR acts as the automation layer, streamlining the response to those threats.

Security Controls with SIEM/SOAR:

  • SIEM and SOAR support the implementation of various security controls outlined in frameworks like NIST SP 800-53. Here are some examples:
      • SIEM: Contributes to "Detection of Security Events" by analyzing logs and identifying anomalies.
      • SOAR: Supports "Incident Response" by automating tasks and workflows to contain threats.
      • Both: Can be used for "Access Control" by monitoring user activity and identifying suspicious access attempts.

Figure: SIEM Versus SOAR

Figure: SIEM Versus SOAR Difference

In essence, SIEM and SOAR are powerful tools that security teams can leverage to strengthen their overall security posture by improving threat detection, response efficiency, and overall visibility into security events.

SOAR Key Regulatory Consideration

Here are the key regulatory considerations for a SOAR solution:

Data Privacy and Security:

  • Data Governance: SOAR solutions ingest and process security data from various sources. It's crucial to ensure your SOAR platform adheres to relevant data privacy regulations like GDPR (EU), CCPA (California), or others depending on your location. This involves:
      • Data Access Controls: Implementing strong access controls to restrict access to sensitive data based on user roles and needs.
      • Data Encryption: Encrypting data at rest and in transit to safeguard sensitive information from unauthorized access.
      • Data Retention Policies: Establishing clear policies for how long data is retained within SOAR and when it should be securely disposed of.
  • Auditability and Traceability: Regulatory requirements often mandate demonstrating the origin, movement, and changes made to data throughout the incident response process. SOAR should provide clear audit trails that track:
      • User activity within the SOAR platform.
      • Actions taken during incident response based on playbooks.
      • Modifications made to data throughout the process.
    This helps ensure data integrity and accountability for actions taken.

Reporting and Auditing:

  • SOAR can be a valuable tool for generating reports that demonstrate compliance with regulations. Look for a SOAR solution that offers:
      • Compliance Reports: The ability to generate reports that align with specific regulatory requirements.
      • Audit Trail Functionality: Maintain a clear audit trail that tracks user activity, security incidents, and actions taken within the SOAR system.

Reference

https://insights.sei.cmu.edu/blog/benefits-and-challenges-of-soar-platforms/

https://medium.com/@cloud_tips/soar-security-orchestration-automation-and-response-definition-best-practices-and-tools-8a20dd590bd5
