
Time is money! and security!: How SOAR automates cyber attack protection for you

Torsten Holm, Lead Cloud Solution Architect

When it comes to defending companies - in terms of IT security - time is one of the most critical factors.

"It's not a matter of whether you will be attacked - but when!"  

You will have heard this statement in this or a similar form many times before. In fact, the number of cyberattacks on companies has significantly increased in recent years. Due to increasing digitalization, it is only a matter of time before certain actors try to attack companies in their digital realms. We have already made this clear in the first two articles in our series on cloud security, which we will link to again at the end of this article.

Time is a decisive factor in an attack on a company. Why?

The faster an attack is detected and initial containment measures are implemented, the faster and more effectively the negative consequences for the company can be minimized. A distinction must be made here between two concepts: "Mean time to detect" (MTTD) and "Mean time to respond" (MTTR).

MTTD and MTTR: two crucial core factors

One factor in the context of minimizing the "mean time to detect" is of course the coverage of the IT landscape with services that detect attacks. Both the industry and the "malicious actors" (black hats) are rapidly evolving in this regard. Services such as XDR platforms, SIEM systems and traditional solutions for securing networks (firewall, WAF, etc.) are already widely adopted and support many companies in detecting attacks.


As soon as an attack is detected, a response to the incident must take place immediately. The time it takes to respond to an incident is referred to as the "Mean Time to Respond" (MTTR): How long does it take me to perform/initiate a response to the detection of an attack? Further information on this is provided here.

Reactions and countermeasures across system boundaries

Many attack detection services now offer options for executing certain countermeasures. These measures are mostly applied in isolation to a specific ecosystem. For instance, endpoint protection can isolate a server on the OS side. However, attacks persist and often involve an entire 'cyber kill chain.' An attack rarely occurs through just one system. Typically, an attacker moves across various systems and services in order to reach their target. It becomes evident at this point: relying on a single system alone is no longer sufficient for countermeasures.

This is where SOAR comes into play, which we will look at in more detail below. We will be guided by these two questions:

  • What does SOAR mean?
  • What can SOAR do?

What does SOAR stand for?

SOAR stands for Secure Orchestrated Automated Response: a secure, organized automated response to incidents and attacks. This can be, for example, the automated blocking of user accounts or the execution of automatic scans of clients or servers.

What can SOAR do?

SOAR provides security teams with a time advantage, enabling them to orchestrate and automate countermeasures across ecosystem boundaries simultaneously. These countermeasures follow predefined sequences that, in turn, control actions across different systems. Especially in the era of skill shortages, there is significant interest in automations that operate 24/7.

In typical customer projects, SOAR can be divided into three areas: countermeasures, enrichment, and notifications. Ideally, all three scenarios are used in conjunction for the most optimized deployment.

Countermeasures

Arguably the most popular aspect of SOAR. This includes the specific actions taken to actively contain the intrusion, such as locking accounts, isolating servers (network and endpoint), or creating firewall rules.

Consider the following application example:

A user carelessly enters the login data for their email account on a website. The attacker attempts to log in from one of his systems with the intercepted access data. He plays a clever trick and is successful. He gains access to the user's mailbox and online storage, where confidential internal documents are stored. The attacker starts downloading several confidential documents at once. The security tools detect this unusual behavior. Even before an administrator or SOC operator can deal with the detected incident, the SOAR automation reacts, blocks the user and informs the supervisor of the regular account holder and the SOC team that countermeasures have been initiated. The SOC team thus benefits from a time advantage, as a countermeasure is executed automatically.

This is a simple scenario. It is entirely conceivable to map more complex situations.

Enrichment

When looking at an incident within a SIEM, one of the most important steps is the evaluation.

  • Is the detection correct (true positive)?
  • Has legitimate behavior been identified as potentially threatening (false positive)?

In this context, enrichment can assist by querying known databases/feeds regarding the detected entities (e.g. IP addresses). 'Have these entities (IPs, URLs, etc.) been flagged negatively before?' - this could be a pertinent question. This establishes connections to the field of threat intelligence.

Notifications

In today's IT landscape, various collaboration and communication tools are in use, each with different processes and configurations. Automation can steer across various platforms through platform independence. For instance, Microsoft Teams can be utilized to inform teams or supervisors. In ticketing systems, tickets are automatically created for incident documentation. These automations can be explicitly tailored to internal processes.
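To show how the three areas fit together in one playbook, here is an added example (not code from the original article or from any SOAR product) that replays the mass-download scenario above: the incident, the threat feed, the user and supervisor addresses and the download threshold are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed threat-intelligence feed: entities flagged negatively before.
THREAT_FEED = {"ip": {"203.0.113.10"}, "url": {"http://phish.example.invalid/"}}

# Constructed incident, in the shape a SIEM might hand to a playbook.
INCIDENT = {
    "id": "INC-0001",
    "rule": "Mass download from user's online storage",
    "user": "j.doe@example.invalid",
    "supervisor": "m.lead@example.invalid",
    "entities": {"ip": ["203.0.113.10"], "url": []},
    "downloads_last_10m": 137,
}


@dataclass
class PlaybookResult:
    verdict: str                                       # true_positive | needs_review
    actions: list = field(default_factory=list)        # countermeasures taken
    notifications: list = field(default_factory=list)  # (channel, recipient, text)


def enrich(incident, feed):
    """Enrichment: return the incident entities that appear in the feed."""
    hits = {}
    for kind, values in incident["entities"].items():
        known_bad = sorted(v for v in values if v in feed.get(kind, set()))
        if known_bad:
            hits[kind] = known_bad
    return hits


def run_playbook(incident, feed, download_threshold=50):
    """Enrich, decide, act, notify; acts only when the detection is corroborated."""
    hits = enrich(incident, feed)
    result = PlaybookResult(verdict="needs_review")
    user = incident["user"]
    # Countermeasure: a feed hit plus the volume threshold counts as corroborated.
    if hits and incident["downloads_last_10m"] >= download_threshold:
        result.verdict = "true_positive"
        result.actions += [("disable_account", user), ("revoke_sessions", user)]
    # Notifications: SOC channel and ticket system always, the supervisor only
    # when an automated countermeasure has actually been initiated.
    summary = f"{incident['id']} {incident['rule']}: {result.verdict}, enrichment={hits}"
    result.notifications.append(("teams", "soc-team", summary))
    result.notifications.append(("ticket", "helpdesk", summary))
    if result.actions:
        result.notifications.append(("teams", incident["supervisor"],
                                     f"Account {user} disabled pending SOC review"))
    return result
```

An incident whose entities have no feed hit stays at "needs_review" with no countermeasure, so a likely false positive is only ticketed and reported to the SOC rather than acted on.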

Automation is an emerging player in the field of IT security – is this topic on your radar?

As you can see, the topic is extensive and often heavily tied to various security tools (SIEM, XDR, etc.). Detection of attacks remains essential. When we associate SOAR directly with a service, it currently makes the most sense in conjunction with a SIEM. A well-known SIEM is Microsoft Sentinel, which extends its SIEM functionality with SOAR features.

We have been able to highlight the strengths of SOAR together with customers in various projects and have already successfully implemented them. It is important to mention that our support does not usually end here. In many cases, further support makes sense, especially in the context of SOAR. 

In today's world - characterized by a shortage of skilled workers and increasing attacks - SOAR is an important topic that performs IT security tasks more quickly and automatically and is available around the clock against threats. If you use Microsoft Sentinel or are thinking about using it, you should definitely consider SOAR.


Harness the power of automation for your security

Interested in SOAR or want to schedule a consultation? From installing and managing best-in-class security services to performing policy-based configuration scans and ongoing penetration testing to assess your cloud security readiness, we're here to help your team protect business-critical data.

