Estimated reading time: 6 minutes
The growing impact of cyber threats, on private or corporate operating systems, leads more and more users to use third-party applications to protect work information. Fortunately, the implementation of new technologies improves this condition. Among the most interesting solutions, aimed at protecting corporate systems, is the SOAR technology with its benefits. What are the potential and the advantages that a company can derive from this system?
SOAR: what is it?
Before analyzing the concrete benefits that SOAR technology can guarantee, it is essential to understand what it is and what it means.
With SOAR, acronym for Security Orchestration, Automation and Response , we identify a tool capable of supporting IT security staff. SOAR model technologies allow for a triple approach : vulnerability and risk management, incident response and ultimately the automation of security operations . In their English terminology respectively: Threat and Vulnerability Management, Incident Response and Security Operations Automation .
The functioning of the SOAR-systems
Through the use of artificial intelligence and machine learning algorithms, a system with SOAR implementation is capable of correlating three sectors usually distant from each other. Specifically, a SOAR technology combines: SAO, TIP and SIRP . Respectively Security Orchestration and Automation , Threat Intelligence platform and Security Incident Response Platform .
These platforms are designed to store data and information on the behavior of viruses, hacker attacks, malware and other potential cyber threats. Companies using a SOAR system are much safer, as they can benefit from a multipurpose system, which not only aims to cure the threat, but also its potential emergence .
Difference between orchestration and automation
SOAR technology combines both automation and orchestration systems for cybersecurity, but what’s the difference? When using a system based on orchestration activities, you have an approach in which different security tools and systems are connected to optimize processes .
In the case of a system aimed at automation, we refer to the ability to automate the operations of corporate environments. Automation is based on activities, while orchestration is based on processes. By exploiting SOAR technology, it is possible to obtain the orchestration of processes for the execution of automated activities .
The benefits of SOAR
In order to have a more concrete idea of the applications of a SOAR technology and the consequent benefits, it is essential to examine its advantages in detail.
Incorporate automation and orchestration features
Using features related to machine learning and artificial intelligence, a SOAR system significantly increases corporate cybersecurity. The processes and activities examined by the automation and orchestration systems ensure the company is responsive to cyber threats without generating post-attack tickets. An example is the implementation of SIEM and UEBA in the security orchestration.
Usually a traditional system generates an alert, then the IT technicians provide for the manual resolution of the problem. With an automated system, is the software itself that detects, solves, and archives the problem. This benefit should not be underestimated if there are no IT technicians within the company context.
Centralization of threats
A standard computer system hardly has a centralized view of threats. This condition forces the system itself to intervene in a marked way after it has been compromised. Unfortunately, canonical systems have different levels of security, where everyone intervenes in specific alert conditions.
Larger companies divide the detection of threats according to the reference area, be this NOC, IT or DevOPS, this greatly limits the cybersecurity of the system.
Thanks to its automation and orchestration capabilities, SOAR technology combines the entire threat centralization phase, ensuring maximum protection even in different contexts.
One of the most significant benefits of using SOAR technology is time savings. When you suffer a cyber attack, be it minor or major, it requires the intervention of IT technicians. In the time lapse between the alert sent by the company and the resolution of the problem, the work activity must stop.
Thanks to a dedicated software, with SOAR implementation, it is possible to optimize the intervention times and in many cases eliminate them completely.
Getting a playbook in as much detail as possible is essential to understanding the attacks. A SOAR system, in a completely intuitive way, allows you to chain several playbooks to face complex actions.
For example, in the event that there is an alert combined with a specific tracking system, capable of isolating the traffic of a specific suspicious IP address; the SOAR software at that time will analyze the information useful to identify the IP addresses and evaluate if there are compromised accounts.
Optimal integration with the infrastructure
One benefit that has made SOAR technology particularly useful is its integration capability. SOAR software can integrate seamlessly into any corporate infrastructure , collecting information and providing IT security in an automated way, even on non-modern systems.
Minimizing interactions with the company system, for solving IT problems, allows the company to optimize working times. All the time lost for solving the technical problem can be recovered and used for other more useful work activities .
Even less skilled IT operations teams can use hardware and software without fear of threats. One of the most relevant issues in business contexts is the inefficiency of IT technicians to recognize cyber threats.
The presence of phishing in e-mail or the exchange of files between one area and another leads in many cases to cyber attacks. With a SOAR system, you can minimize these issues by helping IT assistants to focus only on their work.
An advantage not to be overlooked is the cost of continuous interventions for the resolution of cyber attacks. IT technicians who have to intervene after an alert produced by the system have a cost, the latter being significant if prolonged over time. SOAR technology from this point of view protects companies that do not want to spend more money on periodic interventions.
Secure Online Desktop: smart and fast solution
The potential of a SOAR system is evident, but it is important to rely on a quality service to obtain the maximum yield. We at SOD have been committed to providing IT security solutions for years .
The SOCaaS service with dedicated SOAR allows you to implement in your company software capable of automating and orchestrating in the way activities and work processes as best as possible.
This condition is particularly useful for companies that need to protect their corporate IT infrastructure. The ease of use and the enormous benefits make SOAR technology indispensable for those who want to reduce the costs of IT interventions and at the same time improve IT security.
If you have any questions about how our services can be useful for your business, do not hesitate to contact us, we will be happy to answer.
SOAR (Security Orchestration, Automation and Response) technology helps coordinate, execute and automate activities between people and tools, enabling companies to respond quickly to cyber security attacks. The aim is to improve their overall security position. SOAR tools use playbooks (strategies and procedures) to automate and coordinate workflows which may include security tools and manual tasks.
How does SOAR help in the security field?
1. Combining security orchestration, intelligent automation, incident management and interactive investigations in a single solution.
2. Facilitating team collaboration and enabling security analysts to take automated actions on tools across their security stack.
3. Providing teams with a single centralized console to manage and coordinate all aspects of their company’s security.
4. Optimizing case management, increasing efficiency by opening and closing tickets to investigate and resolve incidents.
Why do companies need a SOAR?
Modern companies regularly face many challenges and obstacles when it comes to fighting cyber threats.
A first challenge is represented by an ever increasing volume of complex security threats. Furthermore, the security tools involved very often struggle to talk to each other, which is in itself a nuisance.
Such a large amount of data and software can only mean a large number of security alerts. In fact, there is too much threat intelligence data to allow teams to manually classify, prioritize, investigate and target threats. Furthermore, the work of security officers involves very specific skills and with increasing demand it is increasingly difficult to find a sufficient number of security officers to carry out the work.
SOAR helps companies address and overcome these challenges by enabling them to:
– Unify existing security systems and centralize data collection to achieve full visibility.
– Automate repetitive manual activities and manage all aspects of the accident life cycle.
– Define incident analysis and response procedures, as well as leverage security playbooks to prioritize, standardize and scale response processes in a consistent, transparent and documented way.
– Quickly and accurately identify and assign the severity levels of incidents to safety alarms and support the reduction of alarms.
– Identify and better manage potential vulnerabilities in a proactive and reactive way.
– Direct each security incident to the analyst best suited to respond, while providing features that support easy collaboration and monitoring between teams and their members.
Below I wanted to list some practical examples of how a SOAR comes into action in certain situations.
Enrichment and Phishing Response: Activating a Playbook. Automation and execution of repeatable activities such as triage and involvement of interested users. Apply an extraction and control of indicators to identify false positives, then request activation of the SOC for a standardized response at scale.
Endpoint Malware Infection: Extracting threat feed data from endpoint tools and enriching that data. Cross-reference between recovered files and hashes with a SIEM solution, notify analysts, clean up endpoints, and update the tools database.
Failed User Login: After a predefined number of failed user login attempts, evaluating whether a failed login is genuine or malicious, a SOAR can activate in various ways. First of all by putting into practice a playbook, involving users and then analyzing their answers, then also the expiring passwords and finally closing the process.
Indicators of Compromise (IOC): Take and extract indicators from files, track indicators through intelligence tools and update databases.
Malware Analysis: Verify data from multiple sources, extract and delete malicious files. A report is then generated and checked for malice.
Cloud Incident Response: This is done through the use of data from cloud-focused threat detection and event logging tools. The data is then unified between the cloud and on-premises security infrastructures, correlated thanks to a SIEM. The indicators are then extracted and enriched, to then check for the presence of malice. A final step of human control to the analysts who review their information update the database and close the case.
The benefits of a SOAR
Basically, a SOAR implements working methods and protocols of action in the system for fighting against cyber threats of a company. This significantly improves operational efficiency and accelerates incident detection as well as response times, which are effectively standardized.
A SOAR increases analysts’ productivity and allows them to focus on improving security instead of performing manual tasks.
By exploiting and coordinating the existing security technology investments in a company, it is possible to make a real difference.
Tempo di lettura: 5 min
Un numero crescente di aziende fa leva sul SOAR per migliorare l’efficacia delle proprie operazioni di sicurezza informatica. In questo articolo, spieghiamo come avvantaggiarsi del valore del SOAR potrebbe essere cruciale per migliorare la sicurezza della vostra organizzazione.
Che cos’e’ il SOAR?
Coniato dalla societa’ di ricerca Gartner, Security Orchestration, Automation and Response (SOAR) e’ un termine usato per descrivere la convergenza di tre mercati tecnologici distinti:
1. L’orchestrazione e l’automazione della sicurezza.
2. Le piattaforme di risposta agli incidenti di sicurezza.
3. Le piattaforme di intelligence delle minacce.
Le tecnologie SOAR consentono alle organizzazioni di raccogliere e aggregare grandi quantita’ di dati e allarmi di sicurezza provenienti da una vasta gamma di fonti. Di conseguenza l’analisi umana e meccanica e’ migliorata, cosi’ come la standardizzazione e l’automazione del rilevamento e del ripristino delle minacce.
E’ stimato che entro la fine del 2020, il 15% delle organizzazioni con un team di sicurezza fara’ leva sulle tecnologie SOAR. Nel 2018 erano l’1%.
In che modo SOAR sta aiutando le aziende a superare le sfide della sicurezza?
La veloce evoluzione tecnologica sta portando in campo sfide complicate per il settore IT. Le minacce sono in continua evoluzione, il personale qualificato e’ in costante carenza e le proprieta’ IT da gestire sono in continuo aumento. Di conseguenza, il concetto di SOAR sta aiutando le aziende di tutte le dimensioni a migliorare la loro capacita’ di rilevare e rispondere rapidamente agli attacchi. Vediamo come, nella pratica, SOAR può migliorare la sicurezza aziendale.
1. Fornire intelligence di migliore qualita’
Affrontare le piu’ recenti e sofisticate minacce alla sicurezza informatica richiede una conoscenza approfondita delle tattiche, delle tecniche e delle procedure (TTP) degli aggressori, cosi’ come la capacita’ di identificare gli indicatori di compromesso (CIO).
SOAR aggrega e convalida i dati provenienti da un’ampia gamma di fonti. Nello specifico, queste sono piattaforme di informazioni sulle minacce, tecnologie di sicurezza, sistemi di rilevamento delle intrusioni e le tecnologie SIEM e UEBA. Cosi’, attraverso i dati raccolti e convalidati, il SOAR aiuta i SOC a diventare piu’ orientati all’intelligence.
L’effetto di cio’ e’ che il personale di sicurezza e’ in grado di contestualizzare gli incidenti, prendere decisioni piu’ informate e accelerare il rilevamento degli incidenti così come la risposta alle minacce.
2. Migliorare l’efficienza e l’efficacia delle operazioni
La necessita’ di gestire cosi’ tante tecnologie di sicurezza disparate puo’ mettere a dura prova il personale addetto alla sicurezza. I sistemi hanno bisogno di un monitoraggio costante per garantire prestazioni efficienti. Inoltre, le migliaia di allarmi giornalieri che generano possono anche portare ad un affaticamento pericoloso. Il costante passaggio da un sistema all’altro non fa che peggiorare la situazione, costando alle squadre tempo e fatica, oltre ad aumentare il rischio di errori.
Le soluzioni SOAR aiutano i SOC ad automatizzare e semi-automatizzare alcuni dei compiti quotidiani delle operazioni di sicurezza.
Presentando intelligence e controlli attraverso un unico pannello e utilizzando intelligenza artificiale e apprendimento automatico, gli strumenti SOAR riducono significativamente la necessita’ per i team SOC di eseguire il ‘cambio di contesto’.
Inolte, possono contribuire a garantire che i processi siano gestiti in modo piu’ efficiente. Questo migliora la produttivita’ e la capacita’ delle organizzazioni di affrontare un maggior numero di incidenti senza la necessita’ di assumere personale aggiuntivo. Un obiettivo chiave dell’approccio SOAR e’ quello di aiutare il personale di sicurezza a lavorare in modo piu’ intelligente e non piu’ duramente.
3. Migliorare la risposta agli incidenti
Per ridurre al minimo il rischio di violazioni e limitare i vasti danni che possono causare, una risposta rapida e’ di vitale importanza. SOAR aiuta l’organizzazione a ridurre il tempo medio di rilevamento (MTTD) e il tempo medio di risposta (MTTR). E’ possibile qualificare gli allarmi di sicurezza e porvi rimedio in pochi minuti, anziche’ in giorni, settimane o mesi.
SOAR, quindi, consente alle squadre di sicurezza di automatizzare le procedure di risposta agli incidenti. Le risposte automatizzate possono includere il blocco di un indirizzo IP su un firewall, la sospensione di account utenti o la messa in quarantena degli endpoint infetti di una rete.
4. Semplificare la reportistica
In molti centri operativi di cyber security, gli operatori in prima linea passano molto tempo nella gestione dei casi, redazione e creazione di rapporti e nella documentazione delle procedure di risposta agli incidenti. Invece, aggregando le informazioni provenienti da un’ampia gamma di fonti e presentandole tramite dashboard visive e personalizzate, SOAR puo’ aiutare le organizzazioni a ridurre il lavoro collaterale, migliorando al contempo la comunicazione interna.
Inoltre, grazie all’automazione dei compiti delle procedure, SOAR aiuta a codificare la conoscenza sulle minacce.
In ultima analisi, svolgere i compiti piu’ velocemente significa avere piu’ tempo per la risoluzione e mitigazione delle minacce. Piu’ a lungo queste non vengono affrontate, maggiori sono le possibilita’ di danni e malfunzionamenti.
Mentre sia le informazioni sulla sicurezza che la gestione degli eventi (SIEM) e SOAR accumulano dati rilevanti da piu’ fonti, i servizi SOAR si integrano con una piu’ ampia gamma di applicazioni interne ed esterne.
Al momento, molte aziende utilizzano i servizi SOAR per potenziale il software SIEM interno. In futuro, si prevede che, man mano che i fornitori SIEM cominceranno ad aggiungere le funzionalita’ SOAR ai loro servizi, il mercato di queste due linee di prodotti si fondera’.
SOD applica la tecnologia SIEM Next Generation e UEBA per la gestione dei cyber threats e dei processi SOAR. Questo garantisce prevenzione e tempestivita’ di ottimo livello. Se vuoi saperne di piu’, visita la nostra pagina del servizio SOCaaS e contattaci per maggiori informazioni.
SIEM has existed for quite some time, but it is not yet well understood. Also, the fact that technology has evolved significantly in recent years doesn’t help shed some light. Today we see where we are, trying to understand the Next Generation SIEM and the managed systems offered as services that make use of the latest generation SIEM (SOCaaS, for example). Let’s see what all this means for companies.
Being a fundamental part of the SOCaaS offered by SOD, it seems appropriate to explain in detail what a Next Generation SIEM is and what its functions are.
A brief history of SIEM
Before examining what a Next Generation SIEM is, it is right to briefly review the history of this technology and its beginning.
The term Security Information and Event Management (SIEM) was coined in 2005 by Mark Nicolett and Amrit T. Williams of Gartner. The word is the merger of Security Event Management (SEM) and Security Information Management (SIM).
Its original definition given by the creators of the term is: a technology that supports the detection of threats and the response to security incidents, through the collection in real time and historical analysis of events from a wide variety of sources of contextual data.
SIEM was born out of the need to address the huge number of alarms issued by intrusion prevention systems (IPS) and intrusion detection systems (IDS) that were overwhelming IT departments. By helping organizations aggregate events and better analyze those within the network, SIEM has helped organizations improve threat detection. It has also led organizations to take a more proactive approach to security. Preventive security technologies are no longer sufficient on their own.
The difficulties of SIEMs in the early years
Eager to improve their cybersecurity situation, many enterprise-wide organizations have rapidly adopted SIEM technology. Over the years, however, inherited problems have emerged from the past:
1. The datasets were inflexible, so some SIEMs were unable to process the required data, which meant their effectiveness was limited
2. They were difficult to maintain and manage, which added complexity and drained staff resources
3. SIEMs produced a high number of false positives, creating even more work for the security teams
4. With the advancement of technology, SIEMs have struggled to keep up with the evolution of threats and therefore the IT risk for companies has grown
The Next Generation SIEM arrives
Many advanced threats are now polymorphic rather than static. That is, they are able to constantly modify their behavior to evade detection. As such, Next Generation SIEM systems must not only process more data, but also become much more capable of recognizing new patterns within them.
Given the difficulties and limitations of inherited SIEM systems, many thought they would disappear over time. But this did not happen, SIEM still remains a key technology used by companies. However, technology has had to evolve.
While SIEM once relied on only a handful of data sources, the “Next Generation” of SIEM systems was developed to process a greater volume and variety of data, as well as correlating it in a timely fashion.
Gartner reported that the SIEM market is continuously growing. One reason for this growth is that Next Gen SIEM systems are now used by midsize organizations, not just large enterprises.
What are the capabilities of Next Gen SIEM?
Next Gen SIEMs, sometimes referred to as analytical SIEMs or SIEM 3.0, have brought new capabilities to organizations and their security teams.
– Allow faster integration into a corporate infrastructure through an open architecture to cover cloud, on-premise and BYOD resources
– Include real-time visualization tools to understand the most important and high-risk activities
– Use scenario and behavior analysis to “photograph” well understood scenarios and highlight significant changes in behavior
– Integrate and use Threat Intelligence information from customized, open source and commercial sources
– Provide a flexible framework that allows for the implementation of a tailored workflow for key organizational use cases
– Measure status against regulatory frameworks (e.g. PCI DSS) for prioritization and risk management
Security Orchestration, Automation and Response
Security Orchestration, Automation and Response (SOAR) is a growing security area that Next Gen SIEM vendors are exploiting to contribute and take advantage of the latest features. In its essence, SOAR has two fundamental aspects:
1. It allows to bring more data to a Next Gen SIEM for analysis
SOAR is helping SIEM technology to become smarter and big data oriented, thus enabling security teams to make faster and better informed decisions. Broader intelligence means more reliable threat identification and fewer false positives.
2. Help automate incident response
Another important way SOAR is influencing the evolution of SIEM Next Gen is to help standardize incident analysis and response procedures. The goal is to partially or completely automate response activities in order to reduce the potential harm and inconvenience that breaches can cause. Such response activities could include blocking compromised user accounts and blocking IP addresses on a firewall.
By automating routine actions, SOAR helps security teams become more efficient and frees them up time to focus on threat hunting and patch management.
User Behavior Analysis (UEBA)
Another important feature of Next Generation SIEMs is the use of User and Entity Behavior Analytics (UEBA). UEBA does not track security events or monitor devices, but instead focuses on monitoring and analyzing the behavior of an organization’s users.
UEBA can be extremely useful in helping organizations identify compromised accounts, as well as insider threats. It works using advanced machine learning and behavioral profiling techniques to identify anomalous activity such as account compromise and abuse of privileges. By not using rules-based monitoring, the UEBA is more effective in detecting anomalies over time.
The challenges for a modern SIEM
Despite unquestionable advances in detecting complex cyber threats, SIEM Next Gens can still, if not used and maintained properly, generate a large number of alerts. For organizations without IT resources and dedicated security personnel, researching these alerts to distinguish true network security problems from false positives can be extremely complex and time-consuming.
Even when real threats are identified, knowing how to respond to them can be just as challenging.
Getting the most out of SIEM to help address growing security challenges will also depend on better trained personnel who can use the systems more effectively and validate alarms. For organizations that lack in-house knowledge or skills, it therefore makes sense to work with an external vendor who can cover or augment security capabilities.
A full SOCaaS service, including Next Generation SIEM and UEBA for threat hunting, is the ideal choice. Not only does it save time in terms of validating and checking alarms, but also in economic terms, not having to face installation costs and staff training.
If you are interested in learning more, do not hesitate to contact us, we will answer your questions.
Estimated reading time: 6 minutes L'impatto crescente delle minacce informatiche, su sistemi operativi privati op… https://t.co/FimxTS4o9G
Estimated reading time: 6 minutes The growing impact of cyber threats, on private or corporate operating systems… https://t.co/y6G6RYA9n1
Tempo di lettura stimato: 6 minuti Today we are talking about the CTI update of our services. Data security is… https://t.co/YAZkn7iFqa
Estimated reading time: 6 minutes Il tema della sicurezza delle informazioni è di grande attualità in questo peri… https://t.co/tfve5Kzr09
Estimated reading time: 6 minutes The issue of information security is very topical in this historical period ch… https://t.co/TP8gvdRcrF