Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Clockwork Blue: Automating Security Defenses with SOAR and AI

It’s impractical to operate security operations alone, using manual human processes. Finding opportunities to automate SecOps is an underlying foundation of Zero Trust and an essential architecture component for enterprise-scale SOCs. Let’s discuss what SOAR is, its common uses, and the future of SOAR with AI.

 

What is SOAR?

SOAR is the acronym for Security, Orchestration, Automation, and Response. Simply put, SOAR is a collection of automation methods focused on security-related workflows.

Since the early days of computers, IT administrators have been trying to automate processes. (Give a Unix administrator a shell prompt, and they’ll attempt to automate their entire life with scripts.)

Image 1 The definition of automation
Image 1: The definition of automation. https://xkcd.com/1319/

SOAR solutions typically support the processing of data flows in and out of third-party APIs, which allows for the enrichment of the incoming data through customized logic flows. An example of this is an SIEM security incident being sent to a SOAR process, which matches IP addresses in the incident with threat intelligence information and then appends the new information to the incident in the SIEM.

 

Playbooks

A playbook defines ‘the gameplan’ for a SOAR logical process flow. Playbooks have a start and a finish, just like a typical computer program. They don’t necessarily require any actual coding – playbooks are usually developed in a user interface using visual objects that are connected together to create a ‘logic app’.

Figure 2 SOAR ‘Logic App’ Playbook example. Courtesy Microsoft
Figure 2: SOAR ‘Logic App’ Playbook example. Courtesy Microsoft

The playbook’s data flows are often planned out on paper before building it out in the SOAR tool.

Figure 3 SOAR data flow example for Palo Alto’s XSOAR solution
Figure 3: SOAR data flow example for Palo Alto’s XSOAR solution

 

Common Uses of SOAR

SOAR’s main objective is to automate many of the important steps required for investigating a security incident presented by your SIEM. SOC operators may find it challenging to remember every step to perform, so SOAR can help with the more technical or boring steps to ensure consistency in the investigative process.

Some common examples of SOAR automation are:

SIEM Incident Actions

  • Disable a user account
  • Isolate a host
  • Applying additional ‘metadata’ to an incident, such as Threat Intelligence details and user account details.
  • Escalate (or de-escalate) an incident from a medium to high severity based on the results of the SOAR operation.

 

Background Task Automations

Here are some examples of using SOAR to perform “housekeeping tasks.”

  • Download and update local Threat Intelligence tables and remove expired TI entries.
  • Perform threat hunts – investigate all users involved in recent SIEM incidents and create a ‘suspicious users/hosts’ lookup table based on the results of the threat hunts. Use this list for additional SIEM correlations and reports.

 

The Future of SOAR and AI

SOAR can be very powerful for automating security workflows; however, using it effectively can involve a significant learning curve and development cycle. The recent AI explosion has provided SOAR new capabilities that may reduce that development process. This improvement comes at a monetary cost, but as AI evolves, that should change.

 

Summary

SOAR is a new spin on the old concept of automation, but it’s focused on security operations. The rise of AI is bringing exciting improvements to SOAR that will drop the development cycle and open opportunities for new security threat detection capabilities.

References

 

About This Blog Series

Follow the full series here: Building Defenses with Modern Security Solutions

This series discusses a list of key cybersecurity defense topics. The full collection of posts and labs can be used as an educational tool for implementing cybersecurity defenses.

 

Labs

For quick walkthrough labs on the topics in this blog series, check out the story of “ZPM Incorporated” and their steps to implementing all the solutions discussed here.

 

Compliance

All topics mentioned in this series have been mapped to several compliance controls here.

About the Author

David Broggy is Senior Solutions Architect, Implementation Services at Trustwave with over 21 years of experience. He holds multiple security certifications and won Microsoft's Most Valuable Professional (MVP) Award for Azure Security. Follow David on LinkedIn.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo