Giacomo Lanzi
SOAR: coordination for cyber security
SOAR (Security Orchestration, Automation and Response) technology helps coordinate, execute and automate activities between people and tools, enabling companies to respond quickly to cyber security attacks. The aim is to improve their overall security position. SOAR tools use playbooks (strategies and procedures) to automate and coordinate workflows which may include security tools and manual tasks.
How does SOAR help in the security field?
1. Combining security orchestration, intelligent automation, incident management and interactive investigations in a single solution.
2. Facilitating team collaboration and enabling security analysts to take automated actions on tools across their security stack.
3. Providing teams with a single centralized console to manage and coordinate all aspects of their company’s security.
4. Optimizing case management, increasing efficiency by opening and closing tickets to investigate and resolve incidents.
Why do companies need a SOAR?
Modern companies regularly face many challenges and obstacles when it comes to fighting cyber threats.
A first challenge is represented by an ever increasing volume of complex security threats. Furthermore, the security tools involved very often struggle to talk to each other, which is in itself a nuisance.
Such a large amount of data and software can only mean a large number of security alerts. In fact, there is too much threat intelligence data to allow teams to manually classify, prioritize, investigate and target threats. Furthermore, the work of security officers involves very specific skills and with increasing demand it is increasingly difficult to find a sufficient number of security officers to carry out the work.
System implementation
SOAR helps companies address and overcome these challenges by enabling them to:
– Unify existing security systems and centralize data collection to achieve full visibility.
– Automate repetitive manual activities and manage all aspects of the accident life cycle.
– Define incident analysis and response procedures, as well as leverage security playbooks to prioritize, standardize and scale response processes in a consistent, transparent and documented way.
– Quickly and accurately identify and assign the severity levels of incidents to safety alarms and support the reduction of alarms.
– Identify and better manage potential vulnerabilities in a proactive and reactive way.
– Direct each security incident to the analyst best suited to respond, while providing features that support easy collaboration and monitoring between teams and their members.
Practical applications
Below I wanted to list some practical examples of how a SOAR comes into action in certain situations.
Alarm management
Enrichment and Phishing Response: Activating a Playbook. Automation and execution of repeatable activities such as triage and involvement of interested users. Apply an extraction and control of indicators to identify false positives, then request activation of the SOC for a standardized response at scale.
Endpoint Malware Infection: Extracting threat feed data from endpoint tools and enriching that data. Cross-reference between recovered files and hashes with a SIEM solution, notify analysts, clean up endpoints, and update the tools database.
Failed User Login: After a predefined number of failed user login attempts, evaluating whether a failed login is genuine or malicious, a SOAR can activate in various ways. First of all by putting into practice a playbook, involving users and then analyzing their answers, then also the expiring passwords and finally closing the process.
Threat hunting
Indicators of Compromise (IOC): Take and extract indicators from files, track indicators through intelligence tools and update databases.
Malware Analysis: Verify data from multiple sources, extract and delete malicious files. A report is then generated and checked for malice.
Cloud Incident Response: This is done through the use of data from cloud-focused threat detection and event logging tools. The data is then unified between the cloud and on-premises security infrastructures, correlated thanks to a SIEM. The indicators are then extracted and enriched, to then check for the presence of malice. A final step of human control to the analysts who review their information update the database and close the case.
The benefits of a SOAR
Basically, a SOAR implements working methods and protocols of action in the system for fighting against cyber threats of a company. This significantly improves operational efficiency and accelerates incident detection as well as response times, which are effectively standardized.
A SOAR increases analysts’ productivity and allows them to focus on improving security instead of performing manual tasks.
By exploiting and coordinating the existing security technology investments in a company, it is possible to make a real difference.
Useful links:
Next Generation SIEM: where are we?
Share
RSS
More Articles…
- The threat of DDoS ransomware
- Procedural Security Analysis – Thank you for contacting us!
- Zombie phishing: beware of emails, it could be zombies
- Social engineering: how hackers scam their victims
- What is phishing? Understanding and identifying social engineering attacks
- Avoid Ransomware: That’s why it’s best not to take any risks
- Double extortion ransomware: What they are and how to defend yourself
- Zero-Day attack: what they are and how to defend yourself with SOCaaS
Categories …
- Backup as a Service (2)
- Acronis Cloud Backup (10)
- Veeam Cloud Connect (4)
- Cloud Conference (3)
- Cloud CRM (1)
- Cloud Server/VPS (20)
- Conferenza Cloud (4)
- ICT Monitoring (4)
- Log Management (2)
- News (17)
- ownCloud (4)
- Privacy (6)
- Secure Online Desktop (14)
- Security (6)
- Ethical Phishing (2)
- SOCaaS (11)
- Vulnerabilities (83)
- Web Hosting (13)
Tags
Dark Reading:
- Securing Super Bowl LV February 26, 2021A peek at open XDR technology, and defense that held up better than the Kansas City Chiefs.
- Attackers Turn Struggling Software Projects Into Trojan Horses February 26, 2021While access to compromised systems has become an increasingly common service, some cybercriminals are going straight to the source: buying code bases and then updating the application with malicious code.
- After a Year of Quantum Advances, the Time to Protect Is Now February 26, 2021Innovations in quantum computing mean enterprise and manufacturing organizations need to start planning now to defend against new types of cybersecurity threats.
- Inside Strata's Plans to Solve the Cloud Identity Puzzle February 25, 2021Strata Identity was founded to change businesses' approach to identity management as multicloud environments become the norm.
- Microsoft Releases Free Tool for Hunting SolarWinds Malware February 25, 2021Meanwhile, researchers at SecurityScorecard say the "fileless" malware loader in the attack - Teardrop - actually dates back to 2017.
- North Korea's Lazarus Group Expands to Stealing Defense Secrets February 25, 2021Several gigabytes of sensitive data stolen from one restricted network, with organizations in more than 12 countries impacted, Kaspersky says.
- Ransomware, Phishing Will Remain Primary Risks in 2021 February 25, 2021Attackers have doubled down on ransomware and phishing -- with some tweaks -- while deepfakes and disinformation will become more major threats in the future, according to a trio of threat reports.
- Thousands of VMware Servers Exposed to Critical RCE Bug February 25, 2021Security experts report scanning activity targeting vulnerable vCenter servers after a researcher published proof-of-concept code.
- 5 Key Steps Schools Can Take to Defend Against Cyber Threats February 25, 2021Educational institutions have become prime targets, but there are things they can do to stay safer.
- How to Avoid Falling Victim to a SolarWinds-Style Attack February 25, 2021A multilayered, zero-trust security posture provides a better chance of fending off sophisticated supply chain attackers before it's too late.
Full Disclosure
- Trojan-Proxy.Win32.Delf.ai / Remote SEH Buffer Overflow February 26, 2021Posted by malvuln on Feb 26Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/1dd6eb39a388f4c8a3eaf248d86aaabc.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Trojan-Proxy.Win32.Delf.ai Vulnerability: Remote SEH Buffer Overflow Description: The malware listens on TCP port 1089. Attackers who can reach the infected system can send a specially crafted HTTP TRACE request to trigger […]
- Trojan.Win32.Hotkeychick.am / Insecure Permissions February 26, 2021Posted by malvuln on Feb 26Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/5ea9840970e78188f73eb1763363eeac.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Trojan.Win32.Hotkeychick.am Vulnerability: Insecure Permissions Description: The trojan creates an insecure dir named "Korektor_MPiPS-01" under c:\ drive, granting change (C) permissions to the authenticated user group. Standard users...
- Backdoor.Win32.Azbreg.amw / Insecure Permissions February 26, 2021Posted by malvuln on Feb 26Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/5eb58198721d4ded363e41e243e685cc.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Azbreg.amw Vulnerability: Insecure Permissions Description: The backdoor creates an insecure hidden dir named "MSDCSC" granting change (C) permissions to the authenticated user group. Standard users can rename the malware...
- Trojan-Spy.Win32.SpyEyes.elr / Insecure Permissions February 26, 2021Posted by malvuln on Feb 26Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/025d07f4610605031e501e6745d663aa.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Trojan-Spy.Win32.SpyEyes.elr Vulnerability: Insecure Permissions Description: The malware creates an insecure hidden dir named "40404504504" under c:\ drive, granting change (C) permissions to the authenticated user group. Standard users...
- Trojan-Dropper.Win32.Daws.etlm / Remote Unauthenticated System Reboot February 26, 2021Posted by malvuln on Feb 26Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/a0479e18283ed46e8908767dd0b40f8f.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Trojan-Dropper.Win32.Daws.etlm Vulnerability: Remote Unauthenticated System Reboot Description: Daws.etlm drops an executable named "MSWDM.EXE" under Windows dir and listens on UDP port 139. Unauthenticated third-party attackers can send...
- Trojan.Win32.Gofot.htx / Local File Buffer Overflow February 26, 2021Posted by malvuln on Feb 26Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/ae062bfe4abd59ac1b9be693fbc45f60.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Trojan.Win32.Gofot.htx Vulnerability: Local File Buffer Overflow Description: HackerJLY PE Parser tool V1.0.1.8 doesnt properly check the files it loads which triggers a local buffer overflow. Analyzing the crash we can see […]
- Backdoor.Win32.Wollf.h / Missing Authentication February 26, 2021Posted by malvuln on Feb 26Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/4932471df98b0e94db076f2b1c0339bd.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Wollf.h Vulnerability: Missing Authentication Description: Wollf backdoor creates a service named "wrm" and listens on TCP port 7614, there is no authentication allowing anyone to take over the infected system. Type: […]
- Backdoor.Win32.Delf.adag / Weak Hardcoded Credentials February 26, 2021Posted by malvuln on Feb 26Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/0e997ab441cd8c35010dd8db98aae2c2.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Delf.adag Vulnerability: Weak Hardcoded Credentials Description: The backdoor runs an FTP server listening on TCP port 21 and uses weak hardcoded credentials which can be easily found using strings util. Credentials […]
- Backdoor.Win32.Agent.xw / Remote Null Ptr Dereference - Denial of Service February 26, 2021Posted by malvuln on Feb 26Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/ed4242ad0274d3b311d8722f10b3abea.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Agent.xw (Null httpd 0.5.1) Vulnerability: Remote Null Ptr Dereference - Denial of Service Description: Sending an empty HTTP GET request triggers a null pointer dereference and access violation leading to a […]
- Backdoor.Win32.Agent.xs / Insecure Permissions February 26, 2021Posted by malvuln on Feb 26Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/6c51a5ba17ffd317ad08541e20131ef3.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Agent.xs Vulnerability: Insecure Permissions Description: The malware creates a hidden but insecure dir named "Recycler" under c:\ drive and grants change (C) permissions to the authenticated user group. It also drops […]
Customers
Twitter FEED
Recent activity
-
SecureOnlineDesktop
Cyber threat intelligence identify dangers before they cause damage Find threats before they become a problem… https://t.co/eoT3Mfmi7g
-
SecureOnlineDesktop
Analisi di Sicurezza Procedurale Verifica che le operazioni in azienda rispettino gli standard imposti per il trat… https://t.co/HYs4UsX3mP
-
SecureOnlineDesktop
VPN Aziendali connessioni protette sempre e dovunque Gran parte del lavoro ormai passa per la rete,la sicurezza dev… https://t.co/ZreMXSsS17
-
SecureOnlineDesktop
Ultimamente ci sono stati casi critici di ransomware degni di nota. L’Universita' Tor Vergata ha subito un attacco… https://t.co/oHVilx0VXx
-
SecureOnlineDesktop
There have been critical cases of ransomware of note lately. Tor Vergata University suffered an attack that knocked… https://t.co/FQYuyKdAv6
Newsletter
Products and Solutions
Partners
Cloud Models
News
- The threat of DDoS ransomware February 24, 2021
- Procedural Security Analysis – Thank you for contacting us! February 20, 2021
- Zombie phishing: beware of emails, it could be zombies February 15, 2021
- Social engineering: how hackers scam their victims February 10, 2021
- What is phishing? Understanding and identifying social engineering attacks February 8, 2021
Google Reviews
About
Copyright © 2011 Secure Online Desktop s.r.l. All Rights Reserved.
VAT: 07485920966 “Cloud Computing services - Software cloud - Cloud server - VPS” Terms of ServicePrivacy Policy
ISO Certifications