Friday, February 19, 2021

What is SOAR

SOAR

Security Orchestration, Automation and Response (SOAR) platforms are designed to respond to cyber-attacks automatically.

Integration is the Key

How well a SOAR works depends on its integrations. It can be integrated with security devices and systems such as a SIEM (Security Information and Event Management), firewalls, IDS, IPS, EMS and threat intelligence platforms to detect and respond to threats automatically. It may be designed to accept input from scripting languages, APIs, databases, syslog, email, online forms, etc. It runs playbooks built in advance by security architects and engineers to detect incidents and automate the response. A SOAR addresses challenges that a SIEM alone cannot.

Functional brief:

  • The SOAR solution may support flexible methods for implementing process workflows.
  • It may be able to automatically extract attachments from emails and store them with the related incidents.
  • The solution may include, and support the creation of, multiple playbooks for incidents such as ransomware attacks, data leakage, malware attacks, DoS and DDoS attacks, phishing attacks, etc.
  • It should support creation of incidents via API, web URL, SIEM, ticketing system, etc.
  • It should be capable of creating and closing incidents automatically or manually, and of executing automated workflows.
  • It can provide a simulation environment to test playbooks without relying on access to the real environment.
  • There should be one integrated GUI dashboard showing all notifications on a single screen.
  • It should support basic case management, including tracking of cases, recording of actions taken on incidents and reporting on metrics.
  • It can help with asset management, document and report management, task management, etc.
  • It may automatically document the entire incident workflow, both manual and automated steps, with the timestamp of every action taken in an incident.
  • It may produce reports by tracking indicators and samples, such as IP addresses, URLs, malware samples, threat samples, vulnerability databases, etc.
  • It will provide an automated incident SLA breach report based on severity, type of incident, creation time, closure time, response time, etc.
  • It should be integrated with threat intelligence feeds to correlate events, with the aim of discovering attack patterns, potential vulnerabilities and other ongoing risks to the organization.
  • The SOAR should support different forms of threat hunting, actively looking for attacks and patterns that may not have been detected through automated methods.
  • The SOAR should allow scripts (Python, Java, JS or any other language) to be embedded in playbook steps so that playbooks can be designed for advanced and complex use cases.
  • It allows security analysts to investigate incidents, group alerts, and monitor and report on them.
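As an added illustration of the playbook, timestamped documentation and SLA-reporting points above (example code written for this post, not from any SOAR vendor or the author): a minimal Python playbook that enriches a phishing alert against a constructed threat-intel table, records every action with a timestamp, and produces one SLA breach row per incident. The indicator, SLA minutes and incident times are all assumed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed threat-intel feed standing in for a TIP integration (assumed entry, documentation-range IP).
THREAT_INTEL = {"198.51.100.23": "known phishing sender"}
# Assumed first-response SLA per severity, in minutes.
SLA_MINUTES = {"high": 30, "medium": 240, "low": 1440}

@dataclass
class Incident:
    source_ip: str
    kind: str
    created: datetime
    severity: str = "medium"
    actions: list = field(default_factory=list)  # timestamped audit trail of every step
    closed: "datetime | None" = None

    def log(self, when: datetime, text: str) -> None:
        self.actions.append((when, text))

def phishing_playbook(inc: Incident, now: datetime) -> Incident:
    """Enrich -> decide -> act, documenting each step with a timestamp."""
    intel = THREAT_INTEL.get(inc.source_ip)
    inc.log(now, f"threat-intel lookup {inc.source_ip}: {intel or 'no match'}")
    if intel:
        inc.severity = "high"
        inc.log(now, "block_sender: added to mail gateway deny list (simulated)")
        inc.log(now, "notify_analyst: escalated to tier 2 for manual review")
    else:
        inc.severity = "low"
        inc.log(now, "auto_close: no indicators matched")
        inc.closed = now
    return inc

def sla_report(incidents, now: datetime):
    """One row per incident: (source_ip, severity, first_response_minutes, breached)."""
    rows = []
    for inc in incidents:
        first = inc.actions[0][0] if inc.actions else now  # untouched incident is still waiting
        minutes = (first - inc.created).total_seconds() / 60
        rows.append((inc.source_ip, inc.severity, minutes, minutes > SLA_MINUTES[inc.severity]))
    return rows

def run_demo():
    """Constructed scenario: two phishing alerts from a SIEM, first handled 45 minutes later."""
    t0 = datetime(2021, 2, 19, 9, 0)
    alerts = [Incident("198.51.100.23", "phishing", t0), Incident("192.0.2.7", "phishing", t0)]
    handled = [phishing_playbook(a, t0 + timedelta(minutes=45)) for a in alerts]
    return handled, sla_report(handled, t0 + timedelta(hours=1))
```

Calling run_demo() returns the handled incidents (each carrying its action trail) and the SLA rows; the matched sender breaches its 30-minute high-severity SLA while the unmatched one is auto-closed within its window.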

Companies providing SOAR solution

Below are the vendors who provide SOAR solutions as an OEM and as a service on a modular basis:

  • CyberBIT
  • Demisto
  • IBM SOAR
  • Splunk
  • Rapid7
  • Palo Alto
  • SWIMLANE
  • FortiSOAR
  • FIREEYE
  • Exabeam
  • RSA
  • SIRP
  • LogRhythm

This covers only the basics of a SOAR solution.

-DR
