Arming your Security Operations Center with SOAR
Covid-19 has only exacerbated an already challenging threat landscape for today’s security operations center (SOC), and bad actors are capitalizing on the chaos. Some related vulnerabilities include increased phishing attacks, questionable domain registration and the need for more VPN monitoring.
A security orchestration, automation and response (SOAR) solution optimizes a SOC’s capabilities by automating time-consuming incident response tasks while orchestrating the organization’s people, processes and technology. Three use cases for SOAR that have become increasingly important during this unprecedented time are phishing triage, domain monitoring and VPN monitoring. The post that follows explores each of these use cases in a bit more depth; take a look at the infographic at the end!
According to a recent report on CIO Dive, between February and March 2020, there was a 667% increase in virus-themed phishing attacks. And a recent report from Forbes saw a surge of 350% in associated phishing websites.
When automating phishing triage, organizations often follow a documented process like this:
- A SOAR solution is set up to monitor an organization’s mailbox where users send suspected spam and phishing emails.
- When an email arrives, it is automatically parsed.
- Details like the header, subject, body and email addresses are placed into data fields in a case record.
- Other potential indicators like the IP address, URL and domain names are also parsed out of the email and added to the appropriate record fields.
- Using integrations with other tools engaged by the SOAR platform enriches the data and helps determine how the case should be handled.
In a phishing use case where the email is determined to be malicious, an appropriate action might be applying a quarantine tag or isolating a host system using an endpoint detection and response tool or an endpoint policy management tool. The SOAR solution can immediately notify the SOC and the user who submitted the email using messaging tools like Slack, SMS or email. Users can be updated with the status of the automated workflow and thanked for the submission and their help in catching potential threats. Malicious emails could also be removed from all user mailboxes to head off any additional risk. Benign emails could trigger notifications to users to thank them for submitting the email and provide the result. Many other possible steps could also exist.
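The parse-and-enrich steps above, as an added example that is not Swimlane's code or any product's playbook: the message is a constructed sample, the `KNOWN_BAD_*` sets stand in for the reputation and threat-intel integrations a SOAR platform would actually query, and the action names are assumed placeholders for the quarantine, purge and notification steps the text describes.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses
from urllib.parse import urlparse

# Constructed sample: a message as a user might forward it to the abuse mailbox.
RAW_EMAIL = b"""From: "IT Support" <helpdesk@examp1e-corp.test>
To: jane.doe@example.test
Subject: Urgent: COVID-19 payroll update
Date: Mon, 23 Mar 2020 09:14:00 +0000
Received: from mail.examp1e-corp.test ([203.0.113.45])
Content-Type: text/plain; charset="utf-8"

Please confirm your details at http://examp1e-corp.test/payroll-login
within 24 hours or contact 198.51.100.7 for support.
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Last label must be alphabetic so bare IPs are not matched; the lookahead skips
# the local part of an address ("jane.doe@...").
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b(?!@)", re.IGNORECASE)

# Assumed stand-ins for the enrichment tools a SOAR platform integrates with.
KNOWN_BAD_DOMAINS = {"examp1e-corp.test"}
KNOWN_BAD_IPS = {"203.0.113.45"}


def parse_case(raw: bytes) -> dict:
    """Parse a raw message into the fields a phishing case record would carry."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    headers = {name: str(value) for name, value in msg.items()}

    # Sender/recipient addresses come from the address headers only.
    address_headers = [headers.get(h, "") for h in ("From", "To", "Reply-To")]
    addresses = sorted({addr.lower() for _, addr in getaddresses(address_headers) if addr})

    # Other indicators are pulled from headers and body alike.
    text = "\n".join(headers.values()) + "\n" + body
    urls = sorted(set(URL_RE.findall(text)))
    ips = sorted(set(IP_RE.findall(text)))
    domains = {d.lower() for d in DOMAIN_RE.findall(text)}
    domains.update(h for h in (urlparse(u).hostname for u in urls) if h)
    domains.update(a.split("@", 1)[1] for a in addresses)

    return {
        "subject": headers.get("Subject", ""),
        "headers": headers,
        "body": body,
        "addresses": addresses,
        "urls": urls,
        "ips": ips,
        "domains": sorted(domains),
    }


def triage(case: dict) -> dict:
    """Enrich the indicators and decide which response actions the playbook takes."""
    hits = sorted((set(case["domains"]) & KNOWN_BAD_DOMAINS)
                  | (set(case["ips"]) & KNOWN_BAD_IPS))
    if hits:
        # Assumed action names for the steps described in the post.
        actions = ["quarantine_tag", "purge_from_mailboxes", "notify_soc", "notify_reporter"]
        verdict = "malicious"
    else:
        actions = ["notify_reporter"]
        verdict = "benign"
    return {"verdict": verdict, "matched": hits, "actions": actions}


if __name__ == "__main__":
    case = parse_case(RAW_EMAIL)
    print(case["subject"], case["ips"], case["urls"], case["domains"])
    print(triage(case))
```

Address headers are parsed with `getaddresses` rather than the generic regex so that display names and the local part of an address never pollute the domain field; everything else is swept with plain patterns, which is what most mailbox-ingestion playbooks do before handing the indicators to enrichment.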
Domain monitoring can be used to detect and block domains related to a current urgent situation, for example names containing “COVID” or “vaccine”, or any other names an organization wants to evaluate.
A recent report from Computer Business Review showed out of 6,000 domains registered in a single week, more than one third were considered suspicious, and 93 of the domains already considered suspicious were confirmed to be malicious at the time of the report. It is important to remember that attackers don’t always activate a domain or make it weaponized immediately. A domain may lay dormant for a period of time and then become malicious. Ultimately, quite a few more than 93 may have been used maliciously.
Using SOAR, a SOC team can define a set of monitored domains to watch for potential squatting domains. On a customizable interval—typically once per day—the SOAR solution downloads the newly registered domains and compares them to the list of monitored domains for pattern similarities.
SOC teams can review records and make determinations about whether or not they are true squatting attempts. For any domain that does not resolve, the record stays in the queue and the SOAR platform continues attempting to connect on a regular basis. If and when the site becomes active, it will be snapshotted and placed in the analyst queue. When analysts review each record, they can mark the domain as malicious, benign or unknown.
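The comparison and review-queue behaviour described in the last two paragraphs, as an added example rather than Swimlane's implementation: the newly registered domains and the monitored list are constructed, the look-alike test (keyword containment or an edit distance of at most two on the label left of the TLD) is an assumed heuristic, and the resolver is injected so that the "stays in the queue until it resolves" logic can be exercised offline.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

MAX_EDIT_DISTANCE = 2  # assumption: two edits or fewer on the core label counts as look-alike

# Constructed monitored list: a brand domain plus bare keywords to watch for.
MONITORED = ["example.com", "covid", "vaccine"]
# Constructed daily feed of newly registered domains.
NEW_DOMAINS = [
    "exarnple.com",                # 'rn' standing in for 'm'
    "example-covid19-relief.net",
    "covidvaccine-update.org",
    "weatherreport.org",
    "exampleco.com",
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) via a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def core_label(name: str) -> str:
    """Label left of the TLD ('exarnple.com' -> 'exarnple'); bare keywords pass through."""
    parts = name.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


@dataclass
class SquatRecord:
    domain: str
    matches: List[str]
    attempts: int = 0
    status: str = "pending"          # pending -> ready_for_review -> reviewed
    snapshot: Optional[str] = None
    verdict: Optional[str] = None


def find_squats(new_domains: List[str], monitored: List[str]) -> List[SquatRecord]:
    """Compare each newly registered domain against the monitored list."""
    records = []
    for domain in new_domains:
        cand = core_label(domain)
        matches = []
        for item in monitored:
            target = core_label(item)
            if target in cand:
                matches.append(f"{item}:contains")
            else:
                dist = levenshtein(cand, target)
                if dist <= MAX_EDIT_DISTANCE:
                    matches.append(f"{item}:edit_distance={dist}")
        if matches:
            records.append(SquatRecord(domain=domain, matches=matches))
    return records


def poll(records: List[SquatRecord], resolves: Callable[[str], bool]) -> List[SquatRecord]:
    """One scheduled pass: snapshot records whose domain now resolves, keep the rest pending."""
    for rec in records:
        if rec.status != "pending":
            continue
        rec.attempts += 1
        if resolves(rec.domain):
            rec.status = "ready_for_review"
            rec.snapshot = f"snapshot:{rec.domain}:pass{rec.attempts}"  # placeholder for a page capture
    return [rec for rec in records if rec.status == "ready_for_review"]


def review(record: SquatRecord, verdict: str) -> None:
    """Analyst disposition; only the three verdicts named in the post are accepted."""
    if verdict not in ("malicious", "benign", "unknown"):
        raise ValueError(f"unknown verdict {verdict!r}")
    record.verdict = verdict
    record.status = "reviewed"


if __name__ == "__main__":
    queue = find_squats(NEW_DOMAINS, MONITORED)
    active = {"example-covid19-relief.net"}       # constructed: what resolves today
    for rec in poll(queue, lambda d: d in active):
        print("ready:", rec.domain, rec.matches, rec.snapshot)
    print("still pending:", [r.domain for r in queue if r.status == "pending"])
```

Containment catches the keyword-style registrations ("covid", "vaccine") and edit distance catches typo and homoglyph-style variants of the brand label; a real deployment would also normalise confusable characters and tune the threshold per label length, since a distance of two is generous for short names.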
From various IoT devices to employees lacking cybersecurity awareness, SOC teams have had many vulnerabilities to keep track of since most employees moved to remote environments. In addition, organizations are attempting to provide secure remote access to office resources via VPNs.
VPN monitoring with SOAR enables staff to ascertain VPN status quickly, identify outages that are occurring and perform basic troubleshooting, such as restarting services. In many instances, the SOAR platform will either be able to restore service automatically or enable users to identify VPN issues, attempt initial triage and escalate any remaining issues.
The benefits of SOAR extend beyond these three use cases. SOAR allows the SOC to make effective use of existing resources. Personnel are not tied to manual, repetitive, time-consuming tasks with orchestration, automation and response occurring at machine speeds. Plus, a true SOAR solution integrates with existing tools to form a single cohesive armament for an optimized SOC.
*** This is a Security Bloggers Network syndicated blog from Swimlane (en-US) authored by Heather Williams. Read the original post at: https://swimlane.com/blog/arming-your-soc-with-soar/