Security orchestration

Security orchestration, automation and response (SOAR) is a group of cybersecurity technologies that allow organizations to respond to some incidents automatically. It collects the inputs that the security operations team monitors, such as alerts from the SIEM, the threat intelligence platform (TIP) and other security technologies, and helps define, prioritize and drive standardized incident response activities. [1] [2] [3]

Organizations use SOAR platforms to improve the efficiency of physical and digital security operations. [4] SOAR enables administrators to handle security alerts without manual intervention. When a network tool detects a security event, SOAR can, depending on the event's nature, raise an alert to the administrator or take some other action. [2]

Components

"Orchestration" connects the different security tools and systems of the information system. It integrates custom-built applications with built-in security tools so that they all work with each other. It also connects diverse endpoints, firewalls and behavior analysis tools. [5]

"Automation" takes the huge amount of information generated through orchestration and analyzes it through machine learning processes. SOAR handles many of the manual tasks of log analysis and can also handle ticket requests, vulnerability checks and auditing processes. [5]

"Incident response" allows security teams to react when a potential threat is indicated. This component also handles post-incident activities such as threat intelligence sharing in an automated way. [5]

Playbooks and runbooks

SOAR allows security administrators to define the potential incidents and the response, thanks to playbooks and runbooks. [2]

A playbook is a document that describes how to verify a cybersecurity incident and how it should be responded to. The purpose of the playbook is to document what the runbook should do. A playbook can also serve as a manual fallback if the SOAR platform fails. [2]

A runbook implements the playbook data into an automated tool so that it performs predefined actions to mitigate the threat. [2]
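The following is an added illustration of the components and the playbook/runbook relationship described above; it is not code from the article or from any SOAR product. A small declarative playbook (match conditions, verification checks, priority, action) is executed by a runbook function that first enriches each alert through a stand-in threat-intelligence lookup (the orchestration step), then applies the checks (automation) and either performs the predefined action or hands the alert to an analyst (response). Every step is written to an audit trail so that the automated decision can be reviewed. The alerts, the threat-intelligence table and all field names are constructed for the example.

```python
"""Minimal SOAR-style runbook engine (added example, not from any real product)."""
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed table standing in for a threat intelligence platform (TIP) lookup.
TIP_BAD_IPS = {"203.0.113.45": "known-c2", "198.51.100.7": "scanner"}

# Constructed playbook: how to recognise an incident, how to verify it,
# how urgent it is and which predefined action the runbook may take.
PLAYBOOK = [
    {"name": "malware-on-endpoint", "match": {"source": "edr", "category": "malware"},
     "verify": ["hash_present"], "priority": "high", "action": "isolate_host"},
    {"name": "beacon-to-known-c2", "match": {"source": "firewall", "category": "outbound"},
     "verify": ["dest_in_tip"], "priority": "high", "action": "block_ip"},
    {"name": "failed-logins", "match": {"source": "siem", "category": "auth"},
     "verify": ["count_ge_10"], "priority": "medium", "action": "notify_admin"},
]

# Verification checks referenced by name from the playbook.
VERIFIERS = {
    "hash_present": lambda a: bool(a.get("sha256")),
    "dest_in_tip": lambda a: a.get("tip_tag") is not None,
    "count_ge_10": lambda a: a.get("count", 0) >= 10,
}


@dataclass
class Result:
    alert_id: str
    playbook: Optional[str]   # which playbook entry matched, if any
    priority: str
    action: str               # automated action taken, or manual_review
    audit: list = field(default_factory=list)


def enrich(alert: dict) -> dict:
    """Orchestration step: attach the TIP verdict for the destination address."""
    return {**alert, "tip_tag": TIP_BAD_IPS.get(alert.get("dest_ip"))}


def run_playbook(alert: dict) -> Result:
    """Runbook: match the alert to a playbook entry, verify it, then act or escalate."""
    alert = enrich(alert)
    audit = [f"enriched: tip_tag={alert['tip_tag']}"]
    for entry in PLAYBOOK:
        if not all(alert.get(k) == v for k, v in entry["match"].items()):
            continue
        checks = {c: VERIFIERS[c](alert) for c in entry["verify"]}
        audit.append(f"matched {entry['name']}: {checks}")
        if all(checks.values()):
            audit.append(f"executing predefined action {entry['action']}")
            return Result(alert["id"], entry["name"], entry["priority"], entry["action"], audit)
        # Matched but not verified: never act automatically, hand to an analyst.
        audit.append("verification failed -> manual_review")
        return Result(alert["id"], entry["name"], "low", "manual_review", audit)
    audit.append("no playbook matched -> manual_review")
    return Result(alert["id"], None, "low", "manual_review", audit)


# Constructed alerts in a SIEM-like shape.
SAMPLE_ALERTS = [
    {"id": "a1", "source": "edr", "category": "malware", "host": "ws-17", "sha256": "ab" * 32},
    {"id": "a2", "source": "firewall", "category": "outbound", "host": "ws-03", "dest_ip": "203.0.113.45"},
    {"id": "a3", "source": "firewall", "category": "outbound", "host": "ws-05", "dest_ip": "192.0.2.10"},
    {"id": "a4", "source": "siem", "category": "auth", "user": "jdoe", "count": 14},
    {"id": "a5", "source": "ids", "category": "scan", "host": "ws-09"},
]


def triage(alerts):
    """Run every alert through the runbook and return the decisions in order."""
    return [run_playbook(a) for a in alerts]


if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS):
        print(json.dumps(r.__dict__, indent=2))
```

The fallback branch is the part worth copying: an alert that matches a playbook but fails its verification is never acted on automatically, it is routed to a person, which keeps a stale threat-intelligence entry or a mis-tagged alert from triggering a host isolation or a firewall block on its own.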

References

  1. "Definition of Security Orchestration, Automation and Response (SOAR) - Gartner Information Technology Glossary". Gartner. Retrieved 2023-04-28.
  2. Mike Chapple, James Michael Stewart, Darril Gibson (2021). (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (Sybex ed.). pp. 845–846. ISBN 978-1-119-78623-8.
  3. "Security Orchestration, Automation and Response (SOAR) Platforms, Solutions and Use Cases". D3 Security. Retrieved 2023-06-21.
  4. "What is SOAR (Security Orchestration, Automation and Response)? | Definition from TechTarget". Security. Retrieved 2023-04-28.
  5. "The Important Role of SOAR in Cybersecurity". Security Intelligence. Retrieved 2023-04-28.