Security Operations: 6 key capabilities to consider in choosing an orchestration platform

Suba Pandian
Feb 18, 2021

In my previous article, I wrote about the top challenges of the Security Operations Center (SOC) team and the options to address them.

Before we go into the details of the capabilities to consider before investing in an orchestration platform, let's look at the typical SOC workflow.

SOC Workflow

To support this workflow, the SOC infrastructure might use SIEM (Security Information and Event Management), SOAR (Security Orchestration, Automation and Response) and/or XDR (Extended Detection and Response) platforms. These platforms tackle the same problem: making sense of the abundant security-related information and events coming from various security tools. They have overlapping functionality and each has some advantages over the others, but there is no silver bullet that makes SOC operations easier overnight.

While these platforms help in preprocessing the data, there is still a need for humans to review, acknowledge, or even remediate the incidents. What the platforms provide is high-fidelity detection, prioritization of real threats among the noise, and incident response capabilities.

I see these platforms as Augmented Intelligence rather than Artificial Intelligence (AI).

All these platforms play an assistive role by surfacing the most important data for the human partner to make a decision on. It will take a while before we can summon Alexa to mitigate all the day's threats.

In this article I would like to make some recommendations on what SOC teams should look for when choosing one of these platforms:

  1. Ability to ingest ALL vendor logs — Ability to ingest data from all of your network and security infrastructure to give a holistic view of your organization's security posture. The key word is "all" the logs. Otherwise you will be missing key information from your existing investments and will have to keep an eye on the left-out tool separately.
  2. Automated playbooks — Ability to build customizable playbooks that automate the manual steps in incident response. Depending on your infrastructure, you may want the playbook actions to use REST APIs to query, analyze and remediate threats, along with Terraform if you have cloud endpoints.
  3. Identifying subtle threats — Ability to create patterns, parsers and matching rules that automatically correlate multiple weak signals and bubble them up into a stronger signal.
  4. Identification of similar infected hosts — Provision to interact with existing tools to scan the infrastructure and identify all endpoints affected by the same Indicators of Compromise (IoCs).
  5. Orchestrated, correlated and aggregated alerts for effective case management — The ability to aggregate alerts from different vendor products by customizable parameters and IoCs speeds up the remediation process. Provision to add threat intelligence data gathered by playbooks provides additional context for incident response. Integration with no-code platforms like Twilio, PagerDuty, Zapier etc. can also be very effective for alerting the SOC team and for case management.
  6. Containment and automatic remediation — Ability to interface with the existing infrastructure tools to contain the threat before it spreads further into the organization, and to remove the infected files and traces from the endpoints rather than re-imaging them.
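As an added illustration of capabilities 3, 4 and 5 above (example code, not from the original article or any product): a small Python correlator with one parser per hypothetical vendor log format, additive weights for weak signals, escalation of a host once its score crosses a threshold, and a final pass that flags other hosts sharing an IoC with an escalated host. The log formats, signal weights, threshold and sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed weak-signal weights: no single signal crosses the threshold on its own.
WEIGHTS = {"watchlist_dst": 2, "nrd_query": 1, "unsigned_exec": 2}
THRESHOLD = 4

# One parser per hypothetical vendor format; each yields a normalized event
# {host, signal, ioc}. Lines that carry no weak signal match no parser.
PARSERS = [
    (re.compile(r"^FW (\S+) host=(\S+) dst=(\S+) verdict=watchlist$"),
     lambda m: {"host": m[2], "signal": "watchlist_dst", "ioc": m[3]}),
    (re.compile(r"^DNS,(\S+),(\S+),(\S+),nrd$"),
     lambda m: {"host": m[2], "signal": "nrd_query", "ioc": m[3]}),
    (re.compile(r"^EDR (\S+) host=(\S+) sha256=([0-9a-f]+) event=unsigned_exec$"),
     lambda m: {"host": m[2], "signal": "unsigned_exec", "ioc": m[3]}),
]

def parse_event(line):
    """Normalize one raw line; returns None when it carries no weak signal."""
    for pattern, build in PARSERS:
        m = pattern.match(line.strip())
        if m:
            return build(m)
    return None

def correlate(lines, threshold=THRESHOLD):
    """Return (escalated hosts -> score, other hosts -> IoCs shared with an escalated host)."""
    score = defaultdict(int)
    iocs_by_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        score[ev["host"]] += WEIGHTS[ev["signal"]]
        iocs_by_host[ev["host"]].add(ev["ioc"])
    escalated = {h: s for h, s in score.items() if s >= threshold}
    # IoCs seen on escalated hosts become the pivot for finding similar hosts (capability 4).
    hot_iocs = set().union(*(iocs_by_host[h] for h in escalated))
    similar = {h: iocs_by_host[h] & hot_iocs
               for h in iocs_by_host if h not in escalated and iocs_by_host[h] & hot_iocs}
    return escalated, similar

# Constructed sample log lines in three made-up vendor formats (not real product output).
SAMPLE = [
    "FW 2021-02-18T10:00:01 host=ws-05 dst=203.0.113.9 verdict=watchlist",
    "FW 2021-02-18T10:00:02 host=ws-20 dst=198.51.100.7 verdict=allow",
    "DNS,2021-02-18T10:00:05,ws-05,update-check.example,nrd",
    "EDR 2021-02-18T10:00:07 host=ws-05 sha256=1f3a9c event=unsigned_exec",
    "DNS,2021-02-18T10:01:00,ws-12,update-check.example,nrd",
    "EDR 2021-02-18T10:01:30 host=ws-12 sha256=1f3a9c event=unsigned_exec",
]

if __name__ == "__main__":
    escalated, similar = correlate(SAMPLE)
    print("escalated:", escalated)  # {'ws-05': 5}
    print("similar:", similar)      # {'ws-12': {'update-check.example', '1f3a9c'}}
```

Host ws-12 never crosses the threshold on its own, but it is surfaced anyway because it shares both the hash and the newly registered domain with the escalated host.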

If the above recommendations are implemented in the SOC workflow, the result is an intelligence augmentation that helps SOC teams act on threats faster and more accurately.

Here is my illustration of the SOC workflow with Augmented Intelligence:

SOC workflow with Augmented Intelligence

A solution built using this approach can connect the dots and become a very useful tool for SOC teams to rely on. By unifying multiple vendors, threat hunting becomes accurate and fast.
