Clockwork Blue: Automating Security Defenses with SOAR and AI

It’s impractical to operate security operations alone, using manual human processes. Finding opportunities to automate SecOps is an underlying foundation of Zero Trust and an essential architecture component for enterprise-scale SOCs. Let’s discuss what SOAR is, its common uses, and the future of SOAR with AI.

What is SOAR?

SOAR is the acronym for Security, Orchestration, Automation, and Response. Simply put, SOAR is a collection of automation methods focused on security-related workflows.

Since the early days of computers, IT administrators have been trying to automate processes. (Give a Unix administrator a shell prompt, and they’ll attempt to automate their entire life with scripts.)

Image 1: Doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas. https://xkcd.com/1319/

Image 1: The definition of automation.https://xkcd.com/1319/

SOAR solutions typically support the processing of data flows in and out of third-party APIs, which allows for the enrichment of the incoming data through customized logic flows. An example of this is an SIEM security incident being sent to a SOAR process, which matches IP addresses in the incident with threat intelligence information and then appends the new information to the incident in the SIEM.

Playbooks

A playbook defines ‘the gameplan’ for a SOAR logical process flow. Playbooks have a start and a finish, just like a typical computer program. They don’t necessarily require any actual coding – playbooks are usually developed in a user interface using visual objects that are connected together to create a ‘logic app’.

Figure 2: SOAR ‘Logic App’ Playbook example. Courtesy Microsoft

The playbook’s data flows are often planned out on paper before building it out in the SOAR tool.

Figure 3: SOAR data flow example for Palo Alto’s XSOAR solution

Common Uses of SOAR

SOAR’s main objective is to automate many of the important steps required for investigating a security incident presented by your SIEM. SOC operators may find it challenging to remember every step to perform, so SOAR can help with the more technical or boring steps to ensure consistency in the investigative process.

Some common examples of SOAR automation are:

SIEM Incident Actions

• Disable a user account
• Isolate a host
• Applying additional ‘metadata’ to an incident, such as Threat Intelligence details and user account details.
• Escalate (or de-escalate) an incident from a medium to high severity based on the results of the SOAR operation.

Background Task Automations

Here are some examples of using SOAR to perform “housekeeping tasks.”

• Download and update local Threat Intelligence tables and remove expired TI entries.
• Perform threat hunts – investigate all users involved in recent SIEM incidents and create a ‘suspicious users/hosts’ lookup table based on the results of the threat hunts. Use this list for additional SIEM correlations and reports.

The Future of SOAR and AI

SOAR can be very powerful for automating security workflows; however, using it effectively can involve a significant learning curve and development cycle. The recent AI explosion has provided SOAR new capabilities that may reduce that development process. This improvement comes at a monetary cost, but as AI evolves, that should change.

Summary

SOAR is a new spin on the old concept of automation, but it’s focused on security operations. The rise of AI is bringing exciting improvements to SOAR that will drop the development cycle and open opportunities for new security threat detection capabilities.

References

• Microsoft Sentinel SOAR Solutions
• Palo Alto XSOAR
• AI and SOAR: Microsoft Copilot for Security

About This Blog Series

Follow the full series here: Building Defenses with Modern Security Solutions

This series discusses a list of key cybersecurity defense topics. The full collection of posts and labs can be used as an educational tool for implementing cybersecurity defenses.

Labs

For quick walkthrough labs on the topics in this blog series, check out the story of “ZPM Incorporated” and their steps to implementing all the solutions discussed here.

Compliance

All topics mentioned in this series have been mapped to several compliance controls here.

David Broggy, Trustwave’s Senior Solutions Architect, Implementation Services, was selected last year for Microsoft's Most Valuable Professional (MVP) Award.