Event Recording

John Tolbert: Why Enterprises are Choosing SOAR for SOCs


So, welcome everyone to our event on SOAR and SecOps. I thought it would be good to start off by talking about what SOAR is and why companies and different kinds of organizations are beginning to use it. SOAR stands for Security Orchestration, Automation, and Response. We'll dive into each of those in a little more detail over the next few minutes, setting the stage for it. Security incidents, as we hear about on the news almost every day, are increasing in complexity, and the costs associated with remediating them continue to go up. It's not a problem that gets better on its own. Studies show that the mean time to detect a security incident is still around five or six months, and the mean time to resolve is somewhere in the neighborhood of two months. It can be much longer depending on the type of incident, how prepared you were, and what level of damage there was. Studies also show a range of costs associated with remediation of between 4 and 9 million per incident, and again, that could be much higher depending on what actually happened in your environment.
So where did SOAR come from? Well, first there was SIEM, security incident and event management. They were designed to be centralized repositories of security log information from around an enterprise. They came into being 15 to 20 years ago and have become a centerpiece in many security architectures, and rightfully so. It's good to collect data; it's absolutely necessary to collect data. But collecting data about what goes on in the enterprise is not the goal in itself. It can contribute to creating actionable intelligence and give you a plan for the way forward, but many times it doesn't really provide the ability to automate the responses that you would want to take. So then came SOAR: security orchestration, automation, and response. Startups appeared seven to ten years ago to try to address what they saw as some of the shortcomings of SIEM platforms. SIEM platforms sometimes suffered from lots of false positives, and again, they weren't really able to automate and do a lot of the investigative tasks easily.

We also saw the entrance of threat intelligence management vendors. Cyber threat intelligence is things like IOCs, indicators of compromise. They might be file hashes or lists of bad IPs or URLs, things like that, that get shared around. There are many open sources for that and many commercially available subscriptions, and threat intelligence management vendors consolidate that and bring it, typically now, into the SOAR system, so it's available directly within your SOAR console. But we've also seen CTI management vendors who are evolving into full-blown SOAR platforms themselves. I think that's a really interesting development in the market in the last five or six years. And then lastly, SIEM platforms have been adding a lot of these features. They haven't remained at a standstill; they've been growing, evolving, and adopting SOAR capabilities themselves. In some cases, SIEM platforms have actually purchased a couple of the SOAR platforms and integrated them into their overall solution.
So let's talk about the top five use case categories. There are many use cases for SOAR, but let's try to group them into the top five.

Threat hunting is something you've probably heard quite a bit about; it's something that's quite useful to do in an environment today. It's a proactive way of looking for potential bad activities inside your enterprise. You can take IOCs and customize them, and your SOC analysts, your threat hunters, can then go out and use them to look for signs of things that your other tools may have missed. They can do that by engaging with the different tools that you may have in your environment via API.

There's the CTI management aspect I was mentioning a minute ago: pulling in those multiple feeds. A lot of these sources will have the same entries over and over again, so you have to de-duplicate them. You also find that specific IOCs have a short shelf life; IP addresses are malicious for a while, and then these things change quite rapidly. Same thing with being able to do real-time queries against multiple CTI sources; that's a useful thing.

Investigations are probably the bread and butter of what you can do with SOAR. It integrates with IT service management solutions, and by being able to create, assign, and route tickets for analysts to work on, it can help smooth the workflow between shifts in your SOC. And again, it allows for querying in both directions: to your SIEM for actual information about what's going on in your environment, plus against CTI sources.

Automation and response: this has been an area for major improvement. I think many of the tasks that analysts have to do are quite repetitive, especially on the investigation side. So once you collect, let's say, what you think is a suspicious IP address, being able to automatically go out and get threat intelligence about it, and then search across your entire environment for any instance of it in your various logs, is a very useful and time-saving effort. Playbooks are important in this regard, because this is the concept that drives a lot of security automation today. It can be anything from a step-by-step guide for how to discover and remediate problems to single-click automation or full automation. Examples of some of the actions that one can do inside a playbook with your SOAR system would be to automatically collect that evidence and then search across all your nodes in your enterprise, block an IP or URL at the firewall or at the web gateway, and, if you find that a user's been compromised, suspend that user in your IAM system. You could even do things like cut off whole nodes from communication, delete all instances of an email, kill processes, and terminate network connections.

Lastly, SOAR tools are very useful in SOCs and network operations centers as a really good management console. We often talk about a single pane of glass. It may not be possible to get to a single pane of glass, but certainly reducing the number of consoles analysts and managers have to look at is very helpful. So SOAR tools provide dashboards and reports; some allow for tracking of time on analyst tasks and recommendations for how to further automate.
So where does SOAR sit in your environment? SIEM is here in the center, pulling in information from all your different infrastructure devices, your EPP/EDR solution, your next-gen firewall, web application firewall, and your various cloud instances; all of that flows up into the SIEM. SOAR sits on top of that, allowing it to query the SIEM and also query CTI sources as needed. But you see the orange lines show that this is bidirectional. Not only is it pulling in information, but from SOAR you can command various actions from the console to all the different tools out there. And the SOAR console could be run either on-prem or in the cloud; increasingly we find vendors offering it in the cloud.
So let's look at how SOAR might help with investigations that may be happening today, a couple of the major attacks that we've been hearing about for the last couple of months. We have the SolarWinds incident, which we all became aware of as of December but which had been perpetrated for probably at least nine to twelve months before that. SolarWinds is network monitoring software, incredibly popular, used by hundreds of thousands of organizations worldwide. This was an attack on the IT supply chain. There were up to perhaps 18,000 different victims potentially; hundreds were actually verified. This was used to further compromise victims' Active Directory, authentication, and Office 365, to be able to read their email, and then even email security and endpoint security systems were compromised as a result too. There were massive cleanups that are still ongoing in many cases.

Microsoft Exchange is another instance of a fairly massive attack. This was against on-premise email servers. As of the last report, there are still about 10,000 unpatched email servers out there that could be victims. This gave access to compromised Exchange servers and email, and has also led to the implantation of back doors in other systems. A state actor was initially involved, but what's really strange about this is that cybercrime opportunists came along and exploited it soon thereafter. In most cases we have reported on, we see that if you have a sign of an initial compromise, it means secondary infections are also likely. So the cyber criminals have implanted back doors as well.

Lastly, we'll talk about ransomware. Ransomware may not be new, but these attacks are ongoing and quite severe for those that experience them. Of course they cause data loss and financial loss. Backups are a necessary part of the strategy, but they're just not enough; you have to have other security tools in place. And they're often used in conjunction with APT events. We see APT actors detonating ransomware to throw off analysts after they've exfiltrated information. And likewise, remediation efforts here can take weeks to recover from.
So I thought we'd look at how SOAR might be able to help in an incident like SolarWinds. I've listed some of the TTPs and IOCs that you might see as a result of the SolarWinds attack. These are things that have been reported. SIEM is again instrumental for all of it, as is CTI, with SOAR sitting on top, drawing from those two sources and then orchestrating and automating responses in things like your endpoint protection and detection, network detection and response, identity and access management, user behavioral analysis, unified endpoint management, and configuration and vulnerability management.

Just to look at a couple here: to identify some of the affected software versions, we'll look at CTI and we'll look at config management. SolarWinds was known to have used command and control communications over VPN, so in addition to your data sources, you might need to command actions via NDR, network detection and response. It was also known that the SolarWinds malicious executable persisted as a Windows task, so there you might want to use EPDR or your configuration and vulnerability management to look for that. The SolarWinds attackers added accounts to Active Directory, so that's a case where you would want to look in your IAM, your Active Directory system. It added tokens and certificates to services to be able to get access to things like email and Office 365. So, looking forward, remediating using EPDR and IAM directly from the SOAR console is a possibility. Skipping ahead, another thing that was known about SolarWinds is that it had some unusual SAML attributes. You could pick that information up from CTI, look in your SIEM, and maybe coordinate with your identity and access management, your Active Directory Federation Services, to look for signs that some of these bizarre SAML attributes or attribute values were in place. And then lastly, data exfiltration: look to see if anything actually left your organization. Of course, SIEM would be instrumental, CTI would be helpful to know what to look for, and then you'd want to look across both endpoints and networks. So directing those investigations from SOAR to your EPDR and NDR would be a very big time saver.

In the case of the Exchange server hack, SOAR could be used to, first of all, identify all the Exchange servers in your environment, connect to vulnerability management, see which are running versions that are vulnerable, grab and update the servers with the latest patches, and automate that patching as much as possible. Look for IOCs, for evidence of other kinds of secondary infections, and then you can use SOAR to disseminate that to those downstream systems like EDR and NDR. And then again, given that the Exchange servers were hacked by cyber criminals, and cyber criminals have implanted other kinds of back doors and ransomware, you'd want to use the SOAR platform to do proactive threat hunting and stay abreast of all the IOCs that are being developed: look across your SIEM for instances of those, and then actually dive down into your EPDR, NDR, XDR, and email servers, look for signs of that, and then attempt to remediate.

In the case of ransomware, just one quick hypothetical example: let's say your EPDR detects a ransomware encryption attempt from an email. EPDR can terminate that, but it also notifies the SIEM, which gets picked up by SOAR. SOAR can create a ticket and integrate that with your ITSM system, query the SIEM for other similar instances, query CTI to get new indicators, update EPDR, and add all this to the ticket, and do this automatically, sometimes within seconds, sometimes within minutes, steps that would take an analyst hours to do. This really gives analysts a jump on the investigation. And then as part of the remediation, SOAR can direct the email gateway to remove all similar emails and perform things to dispose of the ticket at the end of the event.
So finally, let's take a look at the strengths, challenges, opportunities, and threats. I think SOAR really excels at a variety of things here: automating those repetitive tasks; it can save lots of time just by helping analysts get the information up front. It can consolidate workflows and reduce the number of screens and consoles that analysts and managers have to interact with. It can enable collaboration between teams and across shifts on complex tickets, de-duplicate that CTI, and really focus on orchestration and automation of responses, with the primary goal being to decrease the mean time to detect and respond. There are some challenges: it's complex to implement and complex to run. SOAR really depends on those integrations with EPP, EDR, NDR, IDS, all those kinds of tools; without them it is less effective. There are opportunities here, specifically for managed security service providers, for companies that may not have the staff or expertise to run SOAR. It can be outsourced; vendors can offer these kinds of services as well. And for cases where there aren't integrations for popular tools, third-party developers can get in and create those as needed.

On the threat side, as part of the Leadership Compass I found that a lot of the SOAR tools are missing integrations for some of the leading European-developed security tools. I think that's going to be addressed probably in the next year or so. And then SOAR is great, but it doesn't fix everything. The most advanced adversaries actually understand not just the common security tools that you use; they're also beginning to understand how automation is involved.

So in closing, I would say SOAR is a very useful thing. It's not just for large enterprises or governments anymore. It's something that should be coming to all enterprises, because it has a lot of advantages on the automation and time-saving side. I know I'm down at the bottom of the hour and happy to take questions, now in the Wonder.me room, and I'll see you on the panel later.
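The ransomware playbook sketched at the end of the talk (EPDR terminates the encryptor and notifies the SIEM, SOAR opens an ITSM ticket, pivots in the SIEM on the alert's indicators, enriches from de-duplicated and aged CTI feeds, updates EPDR and purges the lure email), as an added Python example that is not part of the talk or of any vendor's product. It also exercises the CTI de-duplication and short-shelf-life point made under the use cases. Every connector is an in-memory stand-in with constructed data; the indicator values, the seven-day IOC expiry window, the auto-isolate host limit, the ticket layout and the campaign tag are all assumptions made for the example.

```python
"""Toy SOAR playbook for the ransomware scenario described in the talk.

Flow: EPDR alert -> SIEM -> SOAR opens a ticket, queries the SIEM for related
events, de-duplicates and ages CTI, pushes fresh indicators to EPDR, asks the
email gateway to purge the lure, and records every step on the ticket.
All connectors are in-memory stand-ins (constructed data, not real APIs).
"""
from datetime import datetime, timedelta

NOW = datetime(2021, 4, 1, 12, 0)
IOC_TTL = timedelta(days=7)        # assumption: IP indicators expire after a week
AUTO_ISOLATE_MAX_HOSTS = 3         # assumption: beyond this, hand off to an analyst

# Constructed EPDR alert: the agent has already killed the encryptor process.
EPDR_ALERT = {
    "host": "ws-0142", "user": "jdoe", "c2_ip": "198.51.100.23",
    "email_subject": "Invoice 4471", "action": "process terminated",
}

# Constructed SIEM events (proxy/firewall and mail logs already ingested).
SIEM_EVENTS = [
    {"host": "ws-0142", "dst_ip": "198.51.100.23", "subject": "Invoice 4471"},
    {"host": "ws-0077", "dst_ip": "198.51.100.23", "subject": None},
    {"host": "ws-0099", "dst_ip": "192.0.2.4",     "subject": "Invoice 4471"},
    {"host": "ws-0101", "dst_ip": "192.0.2.4",     "subject": "Lunch menu"},
]

# Constructed CTI feeds: (indicator, last_seen, tag); overlapping and partly stale.
CTI_FEEDS = {
    "feed_a": [("198.51.100.23", NOW - timedelta(days=1),  "ransomware-c2"),
               ("203.0.113.9",   NOW - timedelta(days=30), "ransomware-c2")],
    "feed_b": [("198.51.100.23", NOW - timedelta(days=3),  "ransomware-c2"),
               ("198.51.100.77", NOW - timedelta(days=2),  "ransomware-c2")],
}


def consolidate_cti(feeds, now=NOW, ttl=IOC_TTL):
    """Merge all feeds, keep the newest sighting per indicator, drop expired ones."""
    newest = {}
    for entries in feeds.values():
        for ioc, last_seen, tag in entries:
            if ioc not in newest or last_seen > newest[ioc][0]:
                newest[ioc] = (last_seen, tag)
    return {ioc: tag for ioc, (seen, tag) in newest.items() if now - seen <= ttl}


def query_siem(events, ip, subject):
    """Hosts that talked to the C2 IP or received the same lure email."""
    return sorted({e["host"] for e in events
                   if e["dst_ip"] == ip or (subject and e["subject"] == subject)})


def run_playbook(alert, siem_events=SIEM_EVENTS, cti_feeds=CTI_FEEDS, now=NOW):
    """Return the ITSM ticket the SOAR would open, with each automated step logged."""
    ticket = {"id": "INC-0001", "steps": [], "hosts": [], "blocked": [],
              "needs_analyst": False}
    ticket["steps"].append(f"EPDR: {alert['action']} on {alert['host']}")

    # 1. Pivot in the SIEM on the indicators carried by the alert.
    hosts = query_siem(siem_events, alert["c2_ip"], alert["email_subject"])
    ticket["hosts"] = hosts
    ticket["steps"].append(f"SIEM: {len(hosts)} host(s) match C2 IP or lure subject")

    # 2. Enrich from CTI: same campaign tag, fresh entries only, de-duplicated.
    cti = consolidate_cti(cti_feeds, now)
    tag = cti.get(alert["c2_ip"])
    related = sorted(i for i, t in cti.items() if t == tag) if tag else [alert["c2_ip"]]
    ticket["steps"].append(f"CTI: {len(related)} fresh indicator(s) tagged {tag}")

    # 3. Push the indicators to EPDR and purge the lure at the email gateway.
    ticket["blocked"] = related
    ticket["steps"].append(f"EPDR: blocklist updated with {related}")
    purged = sum(1 for e in siem_events if e["subject"] == alert["email_subject"])
    ticket["steps"].append(f"Email gateway: purged {purged} copies of "
                           f"'{alert['email_subject']}'")

    # 4. Guardrail: isolating many hosts at once is not a single-click decision.
    if len(hosts) > AUTO_ISOLATE_MAX_HOSTS:
        ticket["needs_analyst"] = True
        ticket["steps"].append("Isolation deferred: host count exceeds auto-isolate limit")
    else:
        ticket["steps"].append(f"EPDR: isolated {hosts}")
    return ticket


if __name__ == "__main__":
    for step in run_playbook(EPDR_ALERT)["steps"]:
        print(step)
```

The guardrail in step 4 reflects the talk's closing caveat that automation does not fix everything: a playbook that can isolate every host matching a subject line is exactly the kind of automation an adversary can turn into a denial of service, so wide-blast containment is handed to an analyst rather than executed blindly.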