Monday, June 3, 2019

Security Automation and Orchestration (SOAR)

  • Security Automation and Orchestration (SOAR)
SOC 3D is the first Security Automation and Orchestration (SOAR) platform combining automation, orchestration, and big-data powered investigation into a single and comprehensive incident response platform that triples SOC efficiency, provides unprecedented visibility and reduces time-to-respond by 90%.
https://www.cyberbit.com/solutions/security-operations-automation-orchestration/

  • The Evolution of SOAR Platforms
The “single pane of glass”—the term for a single unified console that has all the information an analyst needs—is something of a holy grail in the security operations world. Unfortunately, vendors often exaggerate their ability to deliver this type of interface. However, the evolution of SOAR platforms is bringing them very close to realizing the vision of a centralized dashboard.
https://www.securityweek.com/evolution-soar-platforms


  • How to build an incident response playbook

An incident response playbook is defined as a set of rules, describing at least one action to be executed with input data and triggered by one or more events. It is a critical component of cybersecurity—especially in relation to security orchestration, automation and response (SOAR).
Here are the steps the IACD recommends following to construct an incident response playbook:

    1. Identify the initiating condition.
    2. List all possible actions that could occur in response to the initiating condition.
    3. Categorize all possible actions as “required” (must occur to mitigate the threat) or “optional” (considered more of a best practice).
    4. Build the playbook process order using only the “required” elements determined in step 3.
    5. Determine if steps from the “optional” category can be grouped by activity or function (e.g., monitoring, enriching, responding, verifying, or mitigating).
    6. Modify the process created in step 4 to indicate where any optional processes would occur.
    7. Insert the categorized optional actions into the options box below the process steps box.
    8. Identify the end state or another initiating condition to another playbook.
    9. List the regulatory laws and requirements that the playbook satisfies.
https://swimlane.com/blog/incident-response-playbook/
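The nine IACD steps above, carried through as an added Python model (my example, not code from IACD or Swimlane): actions are tagged required or optional and by function, the core process order is derived from the required ones, optional actions are grouped into the “options box”, and a run only executes optional steps where they are enabled. The malware playbook, the action names and the hard-coded “known bad” hash are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set
@dataclass
class Action:
    name: str
    required: bool               # step 3: required to mitigate, or an optional best practice
    function: str                # step 5: monitoring, enriching, responding, verifying, ...
    run: Callable[[dict], dict]

@dataclass
class Playbook:
    initiating_condition: str    # step 1
    actions: List[Action]        # step 2, kept in process order
    end_state: str               # step 8: end state, or the initiating condition of another playbook

    def process_order(self) -> List[str]:
        # step 4: the core process is built from required actions only
        return [a.name for a in self.actions if a.required]

    def optional_by_function(self) -> Dict[str, List[str]]:
        # step 5: optional actions grouped by activity/function (the "options box")
        groups: Dict[str, List[str]] = {}
        for a in self.actions:
            if not a.required:
                groups.setdefault(a.function, []).append(a.name)
        return groups

    def execute(self, event: dict, enabled: Set[str] = frozenset()) -> dict:
        # step 6: required steps always run; optional ones only where they are enabled
        state = dict(event)
        for a in self.actions:
            if a.required or a.name in enabled:
                state = a.run(state)
        state["end_state"] = self.end_state
        return state

def enrich_hash(s: dict) -> dict:
    # Constructed reputation check: one hard-coded "known bad" hash, not a real indicator
    return {**s, "verdict": "malicious" if s["sha256"] == "deadbeef" * 8 else "unknown"}

MALWARE_PLAYBOOK = Playbook(
    initiating_condition="endpoint AV alert carrying a file hash",
    actions=[
        Action("enrich_hash", True, "enriching", enrich_hash),
        Action("isolate_host", True, "responding", lambda s: {**s, "isolated": s["verdict"] == "malicious"}),
        Action("notify_chat", False, "responding", lambda s: {**s, "notified": True}),
        Action("verify_isolation", False, "verifying", lambda s: {**s, "verified": s["isolated"]}),
    ],
    end_state="host contained; hand off to the malware investigation playbook",
)
```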
Incident Response Playbook Example
Intelligently Automate Incident Response 

  • Automated Website Unblock Requests


Another good example of an automation-worthy process is website unblock requests. Many organizations use a web proxy to block unwanted and/or malicious web traffic. Sometimes these proxies block sites necessary for employees to do their job, so the employees have to specifically request access to the blocked sites. Normally, this process involves a security analyst doing some research on the requested site to determine if it is OK for the employee to visit. Why not automate that process for greater efficiency? When given the blocked URL, either in a defined Common Event Format (CEF) field or through parsing and extracting the URL from an existing ticket in your current IT service management platform (e.g. ServiceNow, JIRA, BMC Remedy, etc.), perform some automated lookups on the URL to see if it’s “known bad” from the reputation services you use, get a screenshot of the URL and/or detonate it in a sandbox.
https://www.splunk.com/blog/2017/11/02/playbooks-going-beyond-incident-response-use-cases.html
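The unblock-request flow described above as an added Python example (mine, not Splunk's): the URL is parsed out of free-text ticket content, checked against reputation lists, and the playbook either auto-approves, auto-denies, or escalates to an analyst with the screenshot and sandbox steps queued. The allow/block lists and ticket texts are constructed stand-ins for the reputation services and ITSM platform a SOC would actually query.

```python
import re
from urllib.parse import urlsplit

# Constructed reputation lists standing in for the reputation services a SOC would query.
KNOWN_BAD_DOMAINS = {"bad.example"}
KNOWN_GOOD_DOMAINS = {"docs.example"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def extract_urls(ticket_text: str) -> list:
    """Pull candidate URLs out of a free-text ticket description (ServiceNow/JIRA style)."""
    # Strip trailing punctuation that belongs to the sentence, not the URL
    return [u.rstrip(".,;:)") for u in URL_RE.findall(ticket_text)]

def reputation(url: str) -> str:
    """Look the URL's host up in the (constructed) reputation lists; subdomains inherit."""
    host = (urlsplit(url).hostname or "").lower()
    def listed(domains):
        return any(host == d or host.endswith("." + d) for d in domains)
    if listed(KNOWN_BAD_DOMAINS):
        return "known_bad"
    if listed(KNOWN_GOOD_DOMAINS):
        return "known_good"
    return "unknown"

def triage_unblock_request(ticket_text: str) -> dict:
    """Playbook decision for an unblock ticket: deny (known bad), approve (known good),
    or escalate to an analyst with the gathered context (unknown, or no single URL)."""
    urls = extract_urls(ticket_text)
    if len(urls) != 1:
        return {"decision": "escalate", "reason": f"expected one URL, found {len(urls)}", "urls": urls}
    url = urls[0]
    verdict = reputation(url)
    if verdict == "known_bad":
        return {"decision": "deny", "url": url, "reason": "host on blocklist"}
    if verdict == "known_good":
        return {"decision": "approve", "url": url, "reason": "host on allowlist"}
    # No reputation data: queue the screenshot and sandbox detonation for the analyst's review
    return {"decision": "escalate", "url": url, "reason": "no reputation data",
            "next_steps": ["screenshot", "sandbox_detonation"]}
```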
  • Phishing remains the most common attack vector behind successful breaches. However, investigating phishing emails involves time-consuming, manual tasks such as investigating and detonating attachments, checking URLs, or following up on suspicious requests for sensitive information. Orchestration and automation solutions can execute tasks like these behind the scenes while your team works on the rest of your investigation and response, ensuring the situation is handled effectively and efficiently while accelerating response time. Outside of the investigations, you can also build workflows to automate remediation steps for when a phishing email is identified.


Scan attachments and URLs
Use plugins for safe browsing, sandboxes, and more to contain and investigate suspicious attachments and check suspicious URLs.
Workflows to identify threats
Leverage workflows to analyze email URLs and file attachments using multiple intelligence sources. Add steps to output reports detailing each indicator identified.
Designate decision points
After the routine scans and investigations have occurred, configure workflows to trigger a decision point on how best to proceed. Examples include marking as verified phish, automatically posting a message alerting others in your organization to the phishing threat via Slack, and other actions.


Provisioning new accounts
Different employees require different access levels to various tools and systems within your organization. Easily orchestrate tools such as Okta or Active Directory together, and kick off automation regarding designated user accounts.

Deprovisioning departing employees
No matter the reason why an employee is leaving, it’s a security best practice to remove access to their account as quickly as possible. When an employee leaves, security and IT teams can immediately deactivate the account via a single automated workflow.
Shutting the [access] doors

User accounts are commonly exploited in phishing attacks. In the event of an incident, automatically deprovision affected user accounts, remove user access from key systems, and revoke permissions as needed until the threat is contained.

Identify malicious activity
When dealing with malware, it’s important to know the signs to look for and how to stop malware in a timely manner to reduce the spread of infection. Automate processes to identify indicators like misspelled process names or abnormal log activity.
Investigate the threat
When malware is detected, leverage workflows to analyze it using plugins from today’s leading malware analysis solutions and common sandbox tools, such as Cuckoo. You’ll be able to investigate malicious files in a safe space, before they get into your network.
Containment and removal
All malware will require some type of containment/removal action. Leverage automation to identify the affected users and assets, leaving decision points for security practitioners to remove the necessary user accounts, isolate the malware, or disconnect machines from the network.

Alert Enrichment
Leave the heavy-lifting to the machines
Reduce the noise

ChatOps: Distributed Alerting
Teams are always striving to reduce the time between security alert generation and resolution to a theoretical null. First popularized by the security team at Slack, a Distributed Alerting strategy avoids alert fatigue and staffing issues in the SOC by immediately pushing each alert to the Slack instance of the person who generated it. Augmented with multi-factor authentication (MFA), analysts spend less time dealing with multiple alerts and more time triaging true positives due to a better signal-to-noise ratio.
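Distributed alerting as an added Python example (my illustration, not Slack's or Rapid7's code): an alert is routed to the chat handle of the user who caused it, and only an MFA-backed “yes” closes it; a “no”, a “yes” without MFA, an unreachable user, or silence past the SLA lands the alert with the SOC. The directory of actors to chat handles and the SLA value are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed identity directory mapping alert actors to chat handles (not real data).
CHAT_DIRECTORY = {"jdoe": "@jane.doe", "asmith": "@alex.smith"}
RESPONSE_SLA_MINUTES = 15   # how long to wait for the user before the SOC takes over

@dataclass
class Alert:
    id: str
    actor: str      # the user whose activity generated the alert
    summary: str

def compose_prompt(alert: Alert) -> Optional[str]:
    """Message delivered to the actor's own chat; None if the actor has no chat identity."""
    handle = CHAT_DIRECTORY.get(alert.actor)
    if handle is None:
        return None
    return (f"{handle}: alert {alert.id}: {alert.summary}. "
            "Was this you? Reply yes/no and approve the MFA prompt you receive.")

def route_alert(alert: Alert, reply: Optional[str], mfa_ok: bool, minutes_elapsed: int) -> str:
    """Where the alert goes next:
    'closed'  - the user confirmed the activity and the confirmation was MFA-backed
    'pending' - still waiting for the user, within the SLA
    'soc'     - denied, unverified, unreachable, or SLA expired: an analyst triages it"""
    if alert.actor not in CHAT_DIRECTORY:
        return "soc"
    if reply is None:
        return "soc" if minutes_elapsed > RESPONSE_SLA_MINUTES else "pending"
    if reply.strip().lower() == "yes" and mfa_ok:
        return "closed"
    # "no", or a "yes" without MFA: a compromised account could answer "yes" too
    return "soc"
```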


Streamline business operations
Trigger actions to push comments to solutions like JIRA or Slack. With your security ecosystem set up to deliver alerts, incident notifications, and other data via your existing tools, security operations become more streamlined, collaborative, and efficient.
Two-way flow of information
Automation can deliver alerts that come in from your security tools straight into your chat applications and delegate tasks back to other connected tools, making communication and case management bi-directional.

Threat Hunting
Being proactive in this area can enable your analysts to better uncover and defend against complex advanced persistent threats (APTs)—the attacks that are almost guaranteed to succeed and that, with a massive dwell time, allow attackers to wreak widespread havoc.
The more data sets you are able to analyze, the more thorough your proactive search for compromise will be. With orchestration, you can easily add additional tools to your data set without adding substantial time to your hunt cycle.
Automate repeatable tasks
By automating the ongoing tasks associated with threat hunting, such as recurring scans, your team will have more time to do what they do best.
Notify and respond faster
Create and kick off designated response workflows based on the type of threat you’ve discovered. 

Monitor advisory lists
Coordinating vendor vulnerability response used to be a manual process requiring multiple stakeholders. With an automation solution, you can build workflows to automatically monitor advisory lists via RSS feed plugins, and set up decisions and action points as needed.
Notify stakeholders
When a vulnerability needs to be addressed, automatically trigger the creation of service tickets via integrations with leading solutions like JIRA and ServiceNow.

https://www.rapid7.com/info/security-orchestration-and-automation-playbook/
Sample workflow diagrams (captions only): Phishing Investigations; Provisioning Users; Deprovisioning Users; Alert Enrichment; ChatOps: Distributed Workflow; Threat Hunting; Patching and Remediation.

Patching and Remediation
The BigFix solution comprises several application products that provide consolidated security and operations management, simplified and streamlined endpoint management, while increasing accuracy and productivity.
Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager

Verify remediation – Do you think your host has been patched against a specific vulnerability? Fire an exploit and find out!
Automate mundane, manual functions to free up IT and security teams to address critical issues. By leveraging ServiceWatch, IT operations management software from ServiceNow, teams can trigger automatic patching, configuration changes to security infrastructure, or other standard workflows to contain and fix security incidents and vulnerabilities. Automatic post-incident reports are created, crucial for auditing purposes.

  • the Splunk Phantom platform creates a complete picture of an incident, moving through Orient and Decide with crafted playbo
https://web.tufin.com/hubfs/partners/Splunk-TAP-partner-brief.pdf

  • What is ChatOps? Conversations, put to work

ChatOps is a collaboration model that connects people, tools, process, and automation into a transparent workflow. This flow connects the work needed, the work happening, and the work done in a persistent location staffed by the people, bots, and related tools. The transparency tightens the feedback loop, improves information sharing, and enhances team collaboration. Not to mention team culture and cross-training.
They also replaced repetitive tasks with automation, and replaced annual change control meetings with DevOps’ continuous collaboration.
And they pulled it all together into a central tool like Hipchat. That’s ChatOps in a nutshell.

These rooms are replacing email threads and meetings and are starting to evolve into new chat-based workflows.
As the members of a chat room perform their work, pull, share, or display information, others start to learn how to accomplish the same task. They develop a shared vision and establish a perspective on how their work impacts or informs others.

Technical teams have begun automating common tasks with advanced bots, while non-technical teams have started to deploy chat-based apps. Workloads are increasingly being done inside of chat and information is being brought into chat for collaboration via integration.

https://www.atlassian.com/blog/software-teams/what-is-chatops-adoption-guide?_ga=2.254598990.775318353.1497538188-1315074878.1497538188
ChatOps in Project Management
How ChatOps Can Help You DevOps Better
  • ServiceNow versus Splunk/Phantom for automation
Phantom is an on-prem, Python-based platform and ServiceNow is SaaS, providing rich JS APIs.
Phantom's architecture is based on containers made of one or more artifacts, which are composite objects that can be automated on. SN is all about tables and client and server JS scripts, which can be run in many places: on form load or submit, field change, before stored in database, after stored in database, and a few more.
https://medium.com/@IrekRomaniuk/servicenow-versus-splunk-phantom-for-automation-ad7bfe4e8cfa
SSH command workflow in ServiceNow
Playbook running ssh command on remote host in Phantom
  • What is SIEM? What is SOAR? How are they different?

What is SIEM?

Firewalls, network appliances and intrusion detection systems generate an immense amount of event-related data—more data than security teams can reasonably expect to interpret. A SIEM makes sense of all of this data by collecting and aggregating and then identifying, categorizing and analyzing incidents and events. This is often done using machine learning, specialized analytics software and dedicated sensors.
A SIEM solution examines log data for patterns that could indicate a cyberattack, then correlates event information between devices to identify potentially anomalous activity and finally, issues alerts accordingly.

So why isn’t a SIEM solution effective on its own?
It usually needs regular tuning to continually understand and differentiate between anomalous and normal activity. The need for regular tuning leads to security analysts and engineers wasting precious time on making the tool work for them instead of triaging the constant influx of data.

What is SOAR?
Like SIEM, SOAR is designed to help security teams manage and respond to endless alarms at machine speeds.
SOAR takes things a step further by combining comprehensive data gathering, case management, standardization, workflow and analytics to provide organizations the ability to implement sophisticated defense-in-depth capabilities.

SOAR solutions include multiple playbooks in response to specific threats: Each step in a playbook can be fully automated or set up for one-click execution directly from within the platform—like Swimlane—including interaction with third-party products for comprehensive integration.

Using SIEM and SOAR for improved SecOps

https://swimlane.com/blog/siem-soar/

What is SOAR? SOAR connects all of the other tools in your security stack together into defined workflows, which can be run automatically. In other words, SOAR lets you increase your team's efficiency by automating repetitive manual processes.

https://training.fortinet.com/pluginfile.php/1625390/mod_scorm/content/1/story_content/external_files/NSE%202%20SOAR%20Script_EN.pdf