Giacomo Lanzi
SOAR: coordination for cyber security
SOAR (Security Orchestration, Automation and Response) technology helps coordinate, execute and automate activities between people and tools, enabling companies to respond quickly to cyber security attacks. The aim is to improve their overall security position. SOAR tools use playbooks (strategies and procedures) to automate and coordinate workflows which may include security tools and manual tasks.
How does SOAR help in the security field?
1. Combining security orchestration, intelligent automation, incident management and interactive investigations in a single solution.
2. Facilitating team collaboration and enabling security analysts to take automated actions on tools across their security stack.
3. Providing teams with a single centralized console to manage and coordinate all aspects of their company’s security.
4. Optimizing case management, increasing efficiency by opening and closing tickets to investigate and resolve incidents.
Why do companies need a SOAR?
Modern companies regularly face many challenges and obstacles when it comes to fighting cyber threats.
A first challenge is represented by an ever increasing volume of complex security threats. Furthermore, the security tools involved very often struggle to talk to each other, which is in itself a nuisance.
Such a large amount of data and software can only mean a large number of security alerts. In fact, there is too much threat intelligence data to allow teams to manually classify, prioritize, investigate and target threats. Furthermore, the work of security officers involves very specific skills and with increasing demand it is increasingly difficult to find a sufficient number of security officers to carry out the work.
System implementation
SOAR helps companies address and overcome these challenges by enabling them to:
– Unify existing security systems and centralize data collection to achieve full visibility.
– Automate repetitive manual activities and manage all aspects of the accident life cycle.
– Define incident analysis and response procedures, as well as leverage security playbooks to prioritize, standardize and scale response processes in a consistent, transparent and documented way.
– Quickly and accurately identify and assign the severity levels of incidents to safety alarms and support the reduction of alarms.
– Identify and better manage potential vulnerabilities in a proactive and reactive way.
– Direct each security incident to the analyst best suited to respond, while providing features that support easy collaboration and monitoring between teams and their members.
Practical applications
Below I wanted to list some practical examples of how a SOAR comes into action in certain situations.
Alarm management
Enrichment and Phishing Response: Activating a Playbook. Automation and execution of repeatable activities such as triage and involvement of interested users. Apply an extraction and control of indicators to identify false positives, then request activation of the SOC for a standardized response at scale.
Endpoint Malware Infection: Extracting threat feed data from endpoint tools and enriching that data. Cross-reference between recovered files and hashes with a SIEM solution, notify analysts, clean up endpoints, and update the tools database.
Failed User Login: After a predefined number of failed user login attempts, evaluating whether a failed login is genuine or malicious, a SOAR can activate in various ways. First of all by putting into practice a playbook, involving users and then analyzing their answers, then also the expiring passwords and finally closing the process.
Threat hunting
Indicators of Compromise (IOC): Take and extract indicators from files, track indicators through intelligence tools and update databases.
Malware Analysis: Verify data from multiple sources, extract and delete malicious files. A report is then generated and checked for malice.
Cloud Incident Response: This is done through the use of data from cloud-focused threat detection and event logging tools. The data is then unified between the cloud and on-premises security infrastructures, correlated thanks to a SIEM. The indicators are then extracted and enriched, to then check for the presence of malice. A final step of human control to the analysts who review their information update the database and close the case.
The benefits of a SOAR
Basically, a SOAR implements working methods and protocols of action in the system for fighting against cyber threats of a company. This significantly improves operational efficiency and accelerates incident detection as well as response times, which are effectively standardized.
A SOAR increases analysts’ productivity and allows them to focus on improving security instead of performing manual tasks.
By exploiting and coordinating the existing security technology investments in a company, it is possible to make a real difference.
Useful links:
Next Generation SIEM: where are we?
Share
RSS
More Articles…
- Examples of phishing: the latest campaigns mentioned by the CSIRT
- Event Overload? Our SOCaaS can help!
- Business email compromise (BEC) schemes
- XDR as an approach to security
- What is threat intelligence?
- Data Loss Prevention: definition and uses
- Prevent shoulder surfing and theft of corporate credentials
- HTTP / 3, everything you need to know about the latest version protocol
Categories …
- Backup as a Service (2)
- Acronis Cloud Backup (11)
- Veeam Cloud Connect (4)
- Cloud Conference (3)
- Cloud CRM (1)
- Cloud Server/VPS (20)
- Conferenza Cloud (4)
- ICT Monitoring (4)
- Log Management (2)
- News (17)
- ownCloud (4)
- Privacy (6)
- Secure Online Desktop (14)
- Security (10)
- Ethical Phishing (6)
- SOCaaS (17)
- Vulnerabilities (83)
- Web Hosting (15)
Tags
Dark Reading:
- Latest Security News From RSAC 2021 May 17, 2021Check out Dark Reading's updated, exclusive coverage of the news and security themes that are dominating RSA Conference 2021.
- DarkSide Ransomware Variant Targets Disk Partitions May 17, 2021A newly discovered DarkSide ransomware variant can detect and compromise partitioned hard drives, researchers report.
- 47% of Criminals Buying Exploits Target Microsoft Products May 17, 2021Researchers examine English- and Russian-language underground exploits to track how exploits are advertised and sold.
- DDoS Attacks Up 31% in Q1 2021: Report May 17, 2021If pace continues, DDoS attack activity could surpass last year's 10-million attack threshold.
- Rapid7 Is the Latest Victim of a Software Supply Chain Breach May 17, 2021Security vendor says attackers accessed some of its source code using a previously compromised Bash Uploader script from Codecov.
- RSAC 2021: What Will SolarWinds' CEO Reveal? May 17, 2021In a keynote conversation with Forrester analyst Laura Koetzle, Sudhakar Ramakrishna will get candid about the historic breach.
- Agility Broke AppSec. Now It's Going to Fix It. May 17, 2021Outnumbered 100 to 1 by developers, AppSec needs a new model of agility to catch up and protect everything that needs to be secured.
- Name That Toon: Road Trip May 17, 2021Feeling creative? Submit your caption in the comments, and our panel of experts will reward the winner with a $25 Amazon gift card.
- Rapid7 Source Code Accessed in Supply Chain Attack May 14, 2021An investigation of the Codecov attack revealed intruders accessed Rapid7 source code repositories containing internal credentials and alert-related data.
- How Faster COVID-19 Research Is Being Made Possible by Secure Silicon May 14, 2021When Intel and Leidos set up a "trusted execution environment" to enable a widespread group of researchers to securely share and confidentially compute real-world data, it was no small achievement.
Full Disclosure
- Backdoor.Win32.Delf.zho / Authentication Bypass RCE May 14, 2021Posted by malvuln on May 13Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/6b9f5a0512af3ab33c26eaa4bdf94f1f.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Delf.zho Vulnerability: Authentication Bypass RCE Description: The malware listens on TCP port 21 and TCP ports 14920 to 14923. Third-party attackers who can reach the system can logon using any username/password […]
- [CFP]: 2nd Joint Workshop on CPS&IoT Security and Privacy (CPSIoTSec 2021) May 14, 2021Posted by Call For Papers CPSIOTSEC21 on May 13--------------------------------------------------------------------------------------------------------------- C a l l F o r P a p e r s 2nd Joint Workshop on CPS&IoT Security and Privacy (CPSIoTSec 2021) Seoul, South Korea, November 15 (Monday), 2021 URL: https://cpsiotsec.github.io co-located with the ACM Conference on Computer and Communications Security (ACM CCS 2021)...
- Trovent Security Advisory 2103-02 / Multiple XSS vulnerabilities in ERPNext 13.0.0/12.18.0 May 11, 2021Posted by Stefan Pietsch on May 11# Trovent Security Advisory 2103-02 # ##################################### Multiple XSS vulnerabilities in ERPNext 13.0.0/12.18.0 ###################################################### Overview ######## Advisory ID: TRSA-2103-02 Advisory version: 1.0 Advisory status: Public Advisory URL: https://trovent.io/security-advisory-2103-02 Affected product: ERPNext Tested versions: 12.18.0 and 13.0.0 beta Vendor: Frappé Technologies...
- Trovent Security Advisory 2103-01 / Authenticated SQL injection in ERPNext 13.0.0/12.18.0 May 11, 2021Posted by Stefan Pietsch on May 11# Trovent Security Advisory 2103-01 # ##################################### Authenticated SQL injection in ERPNext 13.0.0/12.18.0 ##################################################### Overview ######## Advisory ID: TRSA-2103-01 Advisory version: 1.0 Advisory status: Public Advisory URL: https://trovent.io/security-advisory-2103-01 Affected product: ERPNext Tested versions: 12.18.0 and 13.0.0 beta Vendor: Frappé Technologies https://frappe.io...
- CVE-2021-32051 Hexagon G!nius Auskunftsportal before 5.0.0.0 allows SQL injection via the GiPWorkflow/Service/DownloadPublicFile id parameter. May 11, 2021Posted by Marcel Keiffenheim on May 11
- Backdoor.Win32.Antilam.13.a / Unauthenticated Remote Command Execution May 11, 2021Posted by malvuln on May 11Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/1ef711b34cc278449f1997e4ed06334a.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Antilam.13.a Vulnerability: Unauthenticated Remote Command Execution Description: The malware drops an executable named "scandisk.exe" that listens on TCP ports 47891 and 29559. Third party attackers who can reach infected...
- Backdoor.Win32.MotivFTP.12 / Authentication Bypass RCE May 11, 2021Posted by malvuln on May 11Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/88785a093b8fa00893214dd220ac255d.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.MotivFTP.12 Vulnerability: Authentication Bypass RCE Description: The malware listens on TCP port 21. Third-party attackers who can reach the system can logon using any username/password combination. Attackers may then upload...
- Re: Three vulnerabilities found in MikroTik's RouterOS May 11, 2021Posted by Gynvael Coldwind on May 11Got it! Thank you for the explanation!
- Four vulnerabilities found in MikroTik's RouterOS May 11, 2021Posted by Q C on May 11Advisory: four vulnerabilities found in MikroTik's RouterOS Details ======= Product: MikroTik's RouterOS Vendor URL: https://mikrotik.com/ Vendor Status: only CVE-2020-20227 is fixed CVE: CVE-2020-20220, CVE-2020-20227, CVE-2020-20245, CVE-2020-20246 Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team Product Description ================== RouterOS is the operating system used on the MikroTik's devices, such as […]
- Re: Three vulnerabilities found in MikroTik's RouterOS May 11, 2021Posted by Q C on May 11Hi, In Mikrotik RouterOs, each user is assigned to a user group, which denotes the rights of this user. A group policy is a combination of individual policy items, and provides a convenient way to assign different permissions and access rights to different user classes. (Reference: https://help.mikrotik.com/docs/display/ROS/User) Some common […]
Customers
Twitter FEED
Recent activity
-
SecureOnlineDesktop
Tempo di lettura: 4 minIntroduzioneAlla luce del crescente numero di attacchi ransomware in cui i cryptolocker inte… https://t.co/ubv6OcMrVW
-
SecureOnlineDesktop
Estimated reading time: 5 minutes Cyber Threat Hunting is a proactive security search across networks, endpoin… https://t.co/afEZYKrnAK
-
SecureOnlineDesktop
Estimated reading time: 5 minutes A Zero-Day attack (also known as 0-day) exploits a software vulnerability unkno… https://t.co/tdRF7a7zOa
-
SecureOnlineDesktop
Tempo di lettura: 4 minAttraverso il servizio di cloud storage ownCloud puoi collaborare con i tuoi colleghi ai con… https://t.co/gLk003kzxV
-
SecureOnlineDesktop
A common definition of data exfiltration is the theft, removal, or unauthorized movement of any data from a device.… https://t.co/cuUyQtUoah
Newsletter
Products and Solutions
Partners
Cloud Models
News
- Examples of phishing: the latest campaigns mentioned by the CSIRT May 10, 2021
- Event Overload? Our SOCaaS can help! May 3, 2021
- Business email compromise (BEC) schemes April 28, 2021
- XDR as an approach to security April 26, 2021
- What is threat intelligence? April 21, 2021
Google Reviews
About
Copyright © 2011 Secure Online Desktop s.r.l. All Rights Reserved.
VAT: 07485920966 “Cloud Computing services - Software cloud - Cloud server - VPS” Terms of ServicePrivacy Policy
ISO Certifications