Igor Semenchov, Security Vision
The Cyberattack Monitoring and Response Centre, or SOC for short, is a complex symbiosis of three main elements: technology, people and well-coordinated processes. The technology element involves a wide range of different classes of solutions that protect the company's infrastructure from cyber threats, but the heart of the SOC is the SIEM system. SIEM collects, normalises and stores information security events from heterogeneous sources and infrastructure systems and analyses them against a set of rules. Among the large number of events received by the SIEM system, suspected IS incidents are identified.
The specialists of the SOC monitoring and analytics lines then work with the identified incidents. They investigate the detected IS incidents and draw up a list of protective actions to prevent the spread of the incident and eliminate the threats. In addition to monitoring line specialists, investigations often involve the specialists responsible for the object or infrastructure asset in whose area of responsibility the incident occurred. Incident investigations may involve information system administrators, IS and IT department specialists, and the information security incident response team.
During an IS incident investigation, a SOC analyst may connect in parallel to the information security tools associated with the incident, such as antivirus, NGFW, sandboxes and other security software. The purpose of these connections is to review rules, policies, configuration settings and other information that helps build a more complete picture of the incident. In addition to information protection tools, the analyst seeks information from various services: analytics services, a suspicious file analysis platform, a cyber threat intelligence management platform (Threat Intelligence), a proactive threat hunting platform (Threat Hunting), as well as threat databases and knowledge bases.
Working with IS incidents in the SIEM system console is not always convenient: it does not support investigation, escalation or requests for additional information, and there is no way to route the incident to the responsible specialist for resolution. When investigating a complex, non-typical incident, it is a huge advantage for the analyst to consolidate the consoles of different protection tools into a single workspace that supports the incident investigation process and manages the incident lifecycle.
To remove the difficulties and inconveniences of working with a SIEM system, and to simplify and structure the incident investigation process, there is a separate class of solutions called SOAR.
What SOAR is. Functionality and value
SOAR (Security Orchestration, Automation and Response) is a class of solutions designed to orchestrate, coordinate and centrally manage the SIEM as well as other security systems. SOAR enriches the data of IS incidents received from the SIEM system or other sources, processes the IS incidents and automates the response mechanism, i.e. offers ready-made incident response instructions.
Now let's look at what a SOAR platform is, what its functionality is and how SOAR complements the SIEM system:
1. A specialised ticketing system, a 'Service Desk' solution for IS incident handling. It allows an internal knowledge base to be built and records to be kept of identified IS incidents and suspected incidents.
2. Automation of the incident response and management process: a dynamic response playbook is formed for an IS incident depending on the size of the threat and the vector of attack development, which reduces the analyst's decision-making time when investigating an incident and prevents the attack from spreading in the infrastructure.
3. The platform reduces the number of consoles an analyst uses when investigating an incident. There is no need to open multiple security-tool consoles in parallel; all necessary response and investigation activities are performed in SOAR.
4. The ability to divide functional rights on the platform between employees of different roles, for example Analysts L1-L3, Auditor and Team Leader, as well as to create custom roles based on the adopted organisational structure, each with the necessary set of functional capabilities and tasks.
5. Automatic enrichment of vulnerabilities identified in the infrastructure with additional information obtained from various threat databases, e.g. CVE and the FSTEC DBU.
6. Ability to execute scripts via CMD, bash, Shell, Java, JavaScript, PowerShell, Python and other interpreters to request additional information from a data source or to respond to an attack remotely, such as collecting a memory dump, stopping a specific system process or other actions.
7. Ability to interact with OpenAI services, e.g. the ChatGPT chatbot, to solve non-typical analytical tasks.
8. Ability to combine sets of incidents into a single attack according to specified rules and attributes, as well as to present the kill chain graphically with all available interrelationships and dependent entities.
9. SOAR has additional modules, such as Infrastructure Asset Control, Threat Intelligence, Vulnerability Management, the SGRC module and others, which increase security and bring the IS management process to a new level of maturity.
10. An inventory engine helps to collect up-to-date information about hosts in the infrastructure, including detecting Shadow IT, and provides the ability to keep track of assets, software and their versions.
11. Ability to map the network onto a world map by country, region or city, which helps in assessing the spread of a threat and its impact on the infrastructure.
12. Ability to build and customise dashboards for visual presentation of IS incident statistics. Dashboards of different orientation can be built: operational, strategic and analytical, for SOC line specialists as well as for a manager or CISO, with different levels of detail.
13. Automatic and manual generation of reports of different content and detail for the required time interval.
14. Ability to notify responsible specialists by email, in existing service desk systems, in Telegram, or to integrate with any corporate messenger capable of interacting with the SOAR platform via API. In addition to sending alerts, the SOAR platform is able to collect responses and combine messages from different users in mail, Telegram and other messengers, attaching them to the relevant incident cards and thus forming a historical chain of incident handling.
15. Integrations with the NCSCI and FinCERT allow the platform to receive information bulletins, inform the regulator about identified incidents and conduct two-way communication.
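As an added illustration (not code from the article or from the Security Vision platform), the following Python sketch shows the mechanics behind items 2 and 8 above: constructed SIEM alerts are combined into attack cards by a shared IoC, enriched from a constructed threat-intelligence lookup, and given a dynamic playbook and SOC line depending on the attack vector and its spread across hosts. All alert values, feed entries, step names, severity levels and role mappings are assumptions.

```python
from collections import defaultdict

# Constructed sample input (not from the article): normalised SIEM alerts
# that a SOAR platform would receive as suspected IS incidents.
ALERTS = [
    {"id": "A1", "type": "malware", "host": "ws-17", "ioc": "bad.example"},
    {"id": "A2", "type": "c2_beacon", "host": "ws-17", "ioc": "bad.example"},
    {"id": "A3", "type": "brute_force", "host": "vpn-gw", "ioc": "203.0.113.9"},
    {"id": "A4", "type": "malware", "host": "ws-02", "ioc": "bad.example"},
]
# Constructed threat-intelligence lookup used for enrichment (assumed values).
TI_FEED = {"bad.example": "known C2 domain", "203.0.113.9": "mass scanner"}

# Base severity per attack vector (assumed); the playbook escalates further on spread.
VECTOR_SEVERITY = {"c2_beacon": 3, "malware": 2, "brute_force": 1}

# Response steps per severity level and the SOC line that owns them (assumed).
PLAYBOOKS = {
    3: (["isolate_host", "collect_memory_dump", "block_ioc_on_ngfw"], "L3"),
    2: (["scan_host_with_av", "block_ioc_on_ngfw"], "L2"),
    1: (["create_ticket", "watch_for_repeat"], "L1"),
}

def correlate(alerts):
    """Combine alerts that share the same IoC into one attack card (item 8)."""
    attacks = defaultdict(list)
    for a in alerts:
        attacks[a["ioc"]].append(a)
    return dict(attacks)

def build_playbook(ioc, alerts):
    """Dynamic playbook (item 2): severity from the worst vector, escalated on spread."""
    severity = max(VECTOR_SEVERITY[a["type"]] for a in alerts)
    hosts = sorted({a["host"] for a in alerts})
    steps, role = PLAYBOOKS[severity]
    steps = list(steps)  # copy so the playbook template is not mutated
    if len(hosts) > 1:  # attack is spreading: hunt fleet-wide and escalate to L3
        steps.append("hunt_ioc_across_fleet")
        role = "L3"
    return {"ioc": ioc, "ti": TI_FEED.get(ioc, "unknown"), "hosts": hosts,
            "alerts": [a["id"] for a in alerts], "severity": severity,
            "steps": steps, "assignee": role}

def run_soar(alerts):
    """Produce one routed incident card per correlated attack."""
    return {ioc: build_playbook(ioc, grp) for ioc, grp in correlate(alerts).items()}

if __name__ == "__main__":
    for card in run_soar(ALERTS).values():
        print(card)
```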
In lieu of a conclusion
The SOAR platform solves the problem of a centralised mechanism for handling and responding to detected IS incidents. It allows routing an IS incident to the responsible specialist and, through the dynamic playbooks described above, assessing the risk of the incident and proposing a mechanism to respond to the identified threat.
Over the past few years, two trends have been clearly observed in the information security sphere: the first is the close interest in domestic companies from various foreign groups of hacktivists, cybercriminals, cyber mercenaries and pro-government groups; the second is the demand for information security specialists and analysts with broad practical experience. In many companies, IS specialists carry a rather large workload due to the shortage of specialists and the ever-increasing number of attacks on infrastructure.
SOAR with its capabilities complements the SIEM system and allows both problems to be solved by automating workflows and reducing the time spent on incident handling. The SOAR platform helps significantly reduce decision-making time, simplifies and automates the incident response mechanism, and frees up staff time for more important tasks by automating responses to typical, routine threats.