Clockwork Blue: Automating Security Defenses with SOAR and AI
It’s impractical to operate security operations alone, using manual human processes. Finding opportunities to automate SecOps is an underlying foundation of Zero Trust and an essential architecture component for enterprise-scale SOCs. Let’s discuss what SOAR is, its common uses, and the future of SOAR with AI.
What is SOAR?
SOAR is the acronym for Security, Orchestration, Automation, and Response. Simply put, SOAR is a collection of automation methods focused on security-related workflows.
Since the early days of computers, IT administrators have been trying to automate processes. (Give a Unix administrator a shell prompt, and they’ll attempt to automate their entire life with scripts.)
Image 1: The definition of automation. https://xkcd.com/1319/
SOAR solutions typically support the processing of data flows in and out of third-party APIs, which allows for the enrichment of the incoming data through customized logic flows. An example of this is an SIEM security incident being sent to a SOAR process, which matches IP addresses in the incident with threat intelligence information and then appends the new information to the incident in the SIEM.
Playbooks
A playbook defines ‘the gameplan’ for a SOAR logical process flow. Playbooks have a start and a finish, just like a typical computer program. They don’t necessarily require any actual coding – playbooks are usually developed in a user interface using visual objects that are connected together to create a ‘logic app’.
Figure 2: SOAR ‘Logic App’ Playbook example. Courtesy Microsoft
The playbook’s data flows are often planned out on paper before building it out in the SOAR tool.
Figure 3: SOAR data flow example for Palo Alto’s XSOAR solution
Common Uses of SOAR
SOAR’s main objective is to automate many of the important steps required for investigating a security incident presented by your SIEM. SOC operators may find it challenging to remember every step to perform, so SOAR can help with the more technical or boring steps to ensure consistency in the investigative process.
Some common examples of SOAR automation are:
SIEM Incident Actions
- Disable a user account
- Isolate a host
- Applying additional ‘metadata’ to an incident, such as Threat Intelligence details and user account details.
- Escalate (or de-escalate) an incident from a medium to high severity based on the results of the SOAR operation.
Background Task Automations
Here are some examples of using SOAR to perform “housekeeping tasks.”
- Download and update local Threat Intelligence tables and remove expired TI entries.
- Perform threat hunts – investigate all users involved in recent SIEM incidents and create a ‘suspicious users/hosts’ lookup table based on the results of the threat hunts. Use this list for additional SIEM correlations and reports.
The Future of SOAR and AI
SOAR can be very powerful for automating security workflows; however, using it effectively can involve a significant learning curve and development cycle. The recent AI explosion has provided SOAR new capabilities that may reduce that development process. This improvement comes at a monetary cost, but as AI evolves, that should change.
Summary
SOAR is a new spin on the old concept of automation, but it’s focused on security operations. The rise of AI is bringing exciting improvements to SOAR that will drop the development cycle and open opportunities for new security threat detection capabilities.
References
About This Blog Series
Follow the full series here: Building Defenses with Modern Security Solutions
This series discusses a list of key cybersecurity defense topics. The full collection of posts and labs can be used as an educational tool for implementing cybersecurity defenses.
Labs
For quick walkthrough labs on the topics in this blog series, check out the story of “ZPM Incorporated” and their steps to implementing all the solutions discussed here.
Compliance
All topics mentioned in this series have been mapped to several compliance controls here.