IT teams are increasingly adopting security orchestration, automation and response (SOAR) tools to improve the efficiency of security operations. Often, when evaluating SOAR solutions, security personnel tend to focus on the automation and orchestration aspects. However, we find that some SOAR solutions fall short by not properly leveraging the vast amount of threat intelligence (TI) that is available. Open source threat feeds, subscribed threat feeds, data extracted from blogs or research, internally acquired threat intelligence and even crowdsourced intelligence can all be leveraged to guide security operations and train SOAR solutions to properly identify, prioritize, investigate and resolve potential incidents.
Applying TI to decision-making helps security teams become more predictive, empowering them to see the likeliest threats and use that visibility to prioritize how they’ll protect their organization using intelligent SOAR solutions. When a previously unseen threat presents itself, it places your security team in reactive mode. But if you’re only reacting, then security analysts are stuck playing a never-ending game of catch-up and clean-up.
When you introduce TI into a security program in a strategic way and integrate it with advanced SOAR platforms, you get a more holistic view of what is happening outside your organization and can map that external information onto your organization’s own threat landscape.
Another way of putting it: find TI about current threats, aggregate it, analyze it, and use it to identify which threats are most relevant and applicable to your business.
TI Applied to SOAR Solutions for Incident Detection and Response
Threat Intelligence (TI) adds critical insights when you validate incidents. After an attack, security teams can be inundated with alerts: how do they determine which ones to focus on? If you look at how an analyst works through the alerts and incidents in their queue, almost all of them include indicators of compromise (IOCs) – IPs, domains, file hashes, etc.
Part of the process of identifying the nature and severity of any attack is understanding which of these indicators have been observed in relation to other known threats and threat actors. Analysts need rich, contextual intelligence built right into their process; having that information allows them to validate certain indicators, tag them for future incidents, and decide which responses can be automated. This saves analysts a huge amount of time, because they can move faster and with higher accuracy. What’s more, as analysts gain additional context on certain indicators, smart SOAR platforms can automatically feed this context back into the security team’s intelligence program, improving future detections and even automatically informing control infrastructure, such as firewalls, proxies and AV, to automate future prevention.
In addition to helping analysts understand the TI context of a specific indicator, intelligent SOAR solutions also help security teams understand when an indicator may be related to other indicators that are used by the same threat, actor, or campaign. This means that analysts can expand their investigations beyond just what triggered the alert, and search – manually or automatically – for any observations of related, relevant indicators and behavior. This helps analysts more confidently uncover the entire scope of an attack, demonstrating the real-world value of advanced SOAR solutions.
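The enrichment-and-pivot flow described in the two paragraphs above, as an added illustration that is not code from the original article or from any SOAR product: indicators are pulled out of an alert, looked up in a small constructed TI store that records campaign, confidence and reporting source, related indicators of the same campaign become hunt leads, and an assumed policy decides whether a hit is blocked automatically or handed to an analyst. All indicator values, campaign names and source labels are hypothetical.

```python
import re
from dataclasses import dataclass

@dataclass
class TIEntry:
    campaign: str    # hypothetical campaign label
    confidence: int  # 0-100, as reported by the source
    source: str      # who reported it: the context the analyst needs
# Constructed sample TI store with hypothetical values, keyed by indicator.
FAKE_HASH = "deadbeef" * 8
TI_STORE = {
    "203.0.113.7": TIEntry("CAMPAIGN-A", 90, "internal-ir"),
    "bad.example": TIEntry("CAMPAIGN-A", 75, "osint-feed"),
    FAKE_HASH: TIEntry("CAMPAIGN-A", 60, "crowdsourced"),
    "c2-backup.example": TIEntry("CAMPAIGN-A", 80, "osint-feed"),
    "198.51.100.9": TIEntry("CAMPAIGN-B", 40, "osint-feed"),
}
# Simplified matcher for IPv4 addresses, SHA-256 hashes and dotted hostnames.
IOC_RE = re.compile(
    r"\b(?:\d{1,3}(?:\.\d{1,3}){3}|[a-f0-9]{64}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)

def extract_iocs(alert_text):
    """Pull the indicators an alert carries, deduplicated and lower-cased."""
    return sorted({m.group(0).lower() for m in IOC_RE.finditer(alert_text)})

def related_indicators(indicator):
    """Pivot: every other indicator the TI store attributes to the same campaign."""
    entry = TI_STORE.get(indicator)
    if entry is None:
        return []
    return sorted(k for k, v in TI_STORE.items()
                  if v.campaign == entry.campaign and k != indicator)

def triage(alert_iocs):
    """Enrich each IOC, pivot to related ones and choose an action. Assumed policy:
    high-confidence internal-IR hits are blocked, other hits escalated, unknowns tagged."""
    result = {"block": [], "escalate": [], "unknown": [], "pivot": set()}
    for ioc in alert_iocs:
        entry = TI_STORE.get(ioc)
        if entry is None:
            result["unknown"].append(ioc)   # tag for later enrichment
            continue
        result["pivot"].update(related_indicators(ioc))
        if entry.confidence >= 80 and entry.source == "internal-ir":
            result["block"].append(ioc)     # e.g. push to firewall/proxy blocklist
        else:
            result["escalate"].append(ioc)  # analyst validates source and context
    # Related indicators the alert did not already contain become hunt leads.
    result["pivot"] = sorted(result["pivot"] - set(alert_iocs))
    return result

# Constructed alert text; 192.0.2.55 is deliberately absent from the TI store.
SAMPLE_ALERT = f"ws-17 -> 203.0.113.7, dns bad.example, sha256 {FAKE_HASH}, beacon 192.0.2.55"
```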
SOAR Use Cases
Modern organizations leverage SOAR solutions for versatile tasks across cybersecurity. Common SOAR use cases include:
- Phishing detection and response: Automating triage and remediation of phishing alerts.
- Endpoint detection and response: Integrating multiple tools for swift containment.
- Incident alert triage: Automatically sorting and enriching alerts from SIEMs.
- Vulnerability management: Scanning and prioritizing vulnerabilities, then automating remediation.
- Threat hunting: Aggregating and analyzing indicators across environments for proactive investigation.
- Case management: Documenting every step of incident response for audit and compliance.
- Automated playbooks: Executing best practices for repeatable, efficient incident handling.
SOAR solutions continually increase the efficiency and effectiveness of these security operations by blending automation, orchestration, and threat intelligence.
TI makes NetWitness Orchestrator a smarter, better choice
Although most SOAR solutions talk about TI, the way that NetWitness Orchestrator uses this information differs from the rest of the market for a number of reasons. First and foremost, the richness of the intelligence in the platform evolved from prior TI platform capabilities, so the solution is built on a strong heritage and knowledge base.
TI loses value as it ages, so NetWitness Orchestrator continuously adapts its TI to reflect the dynamic nature of threats. Indicators, actors, and campaigns change constantly, and the solution aggregates emerging TI quickly and at scale, ensuring that the solution is using and learning from the most up-to-date and relevant information available.
Giving analysts the full picture is also an essential feature of NetWitness Orchestrator; accuracy and fully exposed context are critical here, since not all intelligence is created equal. For example, an indicator that is part of an investigation may have been tagged as suspicious; an analyst needs to understand not only the nature of the indicator but also the context of how it was reported and by whom in the first place.
With a robust, mature TI solution, analysts can begin automating threat hunting efforts based on known threat actors and campaigns. By closely tying intelligence to SOAR playbooks, the system can help sweep an environment for observations of behavior related to the system’s TI and surface high-value alerts and leads for analysts to chase down. NetWitness Orchestrator even automates workflows to remediate issues in the environment, escalates issues to IT ticketing systems, and implements preventative controls.
SOAR Benefits
Organizations deploying SOAR solutions enjoy clear SOAR benefits, including:
- Accelerated incident response: Automation means faster reaction to security threats.
- Reduction in manual effort: Alert handling, enrichment, and remediation are streamlined.
- Lowered risk and human error: Consistent processes reduce mistakes.
- Unified threat intelligence: Gathering, analyzing, and applying threat feeds boosts situational awareness.
- Enhanced visibility: All security data and actions are visible on unified SOAR platforms.
- Compliance and audit readiness: Easy documentation for regulatory needs.
- Improved collaboration: Centralized case management facilitates teamwork in security operations.
These SOAR benefits make a substantial impact on both the effectiveness and the efficiency of security teams.
Final Thoughts
TI is a critical piece of the incident detection and response puzzle, but the way that TI is applied can vary from solution to solution. SOAR solutions will continue to evolve to better leverage TI throughout the incident response lifecycle in order to detect and properly prioritize incidents for investigation, and to speed analysis and evidence collection, which ultimately equates to faster resolutions and more efficient security operations.
SOAR FAQs
1. What are SOAR solutions?
SOAR solutions are platforms designed to automate, orchestrate, and respond to security incidents while integrating with threat intelligence and other tools for robust security operations.
2. How does SOAR differ from SIEM?
SIEM focuses on collecting and analyzing security data; SOAR platforms use this data to automate response actions, coordinate among tools, and streamline workflows.
3. What are common SOAR use cases?
Phishing response, incident triage, vulnerability management, case management, and automated threat hunting are top use cases for SOAR solutions.
4. How can SOAR benefit my organization?
With improved efficiency, automation, reduced risk, and better collaboration within security operations, SOAR solutions can transform your team’s performance.
5. Are there SOAR platforms for different kinds of organizations?
Yes, there are various SOAR platforms tailored for different sizes and types of businesses, all delivering powerful SOAR benefits and use cases.