Security orchestration

Security orchestration, automation and response (SOAR) is a group of cybersecurity technologies that allow organizations to respond to some incidents automatically. A SOAR platform collects the inputs monitored by the security operations team, such as alerts from the SIEM system, a threat intelligence platform (TIP) and other security tools, and helps define, prioritize and drive standardized incident response activities. [1] [2] [3]

Organizations use SOAR platforms to improve the efficiency of physical and digital security operations. [4] SOAR enables administrators to handle security alerts without manual intervention at every step. When a monitoring tool detects a security event, SOAR can, depending on the nature of the event, raise an alert to the administrator or take another predefined action. [2]

Components

"Orchestration" connects the different security tools and systems of the information system. It integrates custom-built applications with built-in security tools so that they all work with each other, and it connects diverse endpoints, firewalls and behaviour analysis tools. [5]

"Automation" takes the large amount of information generated through orchestration and analyzes it, including through machine learning processes. SOAR handles many of the manual tasks of log analysis and can also handle ticket requests, vulnerability checks and auditing processes. [5]

"Incident response" allows security teams to react when a potential threat is indicated. This component also handles post-incident activities, such as threat intelligence sharing, in an automated way. [5]

Playbooks and runbooks

SOAR allows security administrators to define potential incidents and the response to them by means of playbooks and runbooks. [2]

A playbook is a document that describes how to verify a cybersecurity incident and how the incident should be handled. The purpose of the playbook is to document what the runbook should do. A playbook can also serve as a manual fallback if the SOAR platform fails. [2]

A runbook implements the playbook in an automated tool, so that the tool performs the predefined actions to mitigate the threat. [2]
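The following is an added example, not code from any SOAR product or from the sources cited on this page. It shows the three components above and the playbook/runbook split in one small script: a normalizer that maps two tool-specific alert shapes (a constructed SIEM alert and a constructed EDR alert) onto one schema (orchestration), an enrichment step against a constructed threat-intel table standing in for a TIP lookup (automation), and a runbook executor that walks a playbook written as data and runs its actions in order (incident response). The action functions, field names and the `require_approval` gate are assumptions for illustration; the gate exists because isolating a host is disruptive and a runbook should park such steps for a human decision rather than run them unattended.

```python
from typing import Any

# Constructed threat-intel data standing in for a TIP lookup (assumption, not a real feed).
KNOWN_BAD_SHA256 = {"deadbeef" * 8: "Test.Malware.Sample"}

# Playbook: the documented decision logic, written as data so the runbook can execute
# it and an analyst can still follow it by hand if the platform is down.
PLAYBOOK = {
    "name": "Malware detected on endpoint",
    "trigger": {"alert_type": "malware"},
    "steps": [
        {"action": "enrich_hash"},
        {"action": "open_ticket"},
        # Disruptive step: only when enrichment says malicious, and only with approval.
        {"action": "isolate_host", "when": {"verdict": "malicious"}, "require_approval": True},
    ],
}


def normalize(raw: dict[str, Any]) -> dict[str, Any]:
    """Orchestration: map each tool's alert fields onto one common schema."""
    if raw["source"] == "siem":
        return {"alert_type": raw["category"], "host": raw["host"], "sha256": raw["sha256"].lower()}
    if raw["source"] == "edr":
        return {"alert_type": raw["threat_class"], "host": raw["device_name"],
                "sha256": raw["file_hash"].lower()}
    raise ValueError(f"unknown alert source: {raw['source']!r}")


# Actions: stubs that return an audit line instead of calling real EDR/ticketing APIs.
def enrich_hash(alert: dict[str, Any]) -> str:
    alert["verdict"] = "malicious" if alert["sha256"] in KNOWN_BAD_SHA256 else "unknown"
    return f"enrich_hash: {alert['sha256'][:12]}... -> {alert['verdict']}"


def open_ticket(alert: dict[str, Any]) -> str:
    return f"open_ticket: host={alert['host']} verdict={alert.get('verdict', 'n/a')}"


def isolate_host(alert: dict[str, Any]) -> str:
    return f"isolate_host: {alert['host']} quarantined"


ACTIONS = {"enrich_hash": enrich_hash, "open_ticket": open_ticket, "isolate_host": isolate_host}


def matches(alert: dict[str, Any], conditions: dict[str, Any]) -> bool:
    """True when every condition key equals the alert's value for that key."""
    return all(alert.get(k) == v for k, v in conditions.items())


def run_runbook(raw_alert: dict[str, Any], playbook: dict[str, Any] = PLAYBOOK,
                approvals: frozenset = frozenset()) -> dict[str, Any]:
    """Runbook: execute the playbook's steps in order, gating approval-required steps."""
    alert = normalize(raw_alert)
    result = {"alert": alert, "executed": [], "pending_approval": [], "audit": []}
    if not matches(alert, playbook["trigger"]):
        return result  # playbook does not apply to this alert
    for step in playbook["steps"]:
        name = step["action"]
        if not matches(alert, step.get("when", {})):
            continue  # condition not met (e.g. verdict unknown): skip the step
        if step.get("require_approval") and name not in approvals:
            result["pending_approval"].append(name)  # park it for a human decision
            continue
        result["audit"].append(ACTIONS[name](alert))
        result["executed"].append(name)
    return result


# Constructed sample alerts in two tool-specific shapes (not real product output).
SIEM_ALERT = {"source": "siem", "category": "malware", "host": "ws-0142",
              "sha256": "DEADBEEF" * 8}
EDR_ALERT = {"source": "edr", "threat_class": "malware", "device_name": "ws-0277",
             "file_hash": "0" * 64}

if __name__ == "__main__":
    for raw in (SIEM_ALERT, EDR_ALERT):
        print(run_runbook(raw, approvals=frozenset({"isolate_host"}))["audit"])
```

Run without approvals, the SIEM alert is enriched and ticketed while `isolate_host` lands in `pending_approval`; with the approval granted it is executed; the EDR alert's unknown hash means the isolation condition is never met, so the host is not quarantined and nothing waits for approval. The `audit` list is the record a reviewer would want after the fact, which is why every action returns one rather than acting silently.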

References

  1. "Definition of Security Orchestration, Automation and Response (SOAR) - Gartner Information Technology Glossary". Gartner. Retrieved 2023-04-28.
  2. Mike Chapple, James Michael Stewart, Darril Gibson (2021). (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (Sybex ed.). pp. 845–846. ISBN 978-1-119-78623-8.
  3. "Security Orchestration, Automation and Response (SOAR) Platforms, Solutions and Use Cases". D3 Security. Retrieved 2023-06-21.
  4. "What is SOAR (Security Orchestration, Automation and Response)? | Definition from TechTarget". Security. Retrieved 2023-04-28.
  5. "The Important Role of SOAR in Cybersecurity". Security Intelligence. Retrieved 2023-04-28.