A nice, easy place to start in SOAR is with an inbound alert (SIEM, email, manual creation/API) that updates a blacklist and maybe informs a user. It's something we all do, often, and automating it can be a nice money and time saver. But as we look bigger and wider, what other technologies can we bring in as we mature alongside SOAR?
So here is my attempt to list all the categories of security tools that we as professionals can have at our disposal. I'm confident this isn't exhaustive, but it opens the eyes to the possibilities. I wonder how many you have and whether they are reaching their potential (I'll talk more in the future about how we can use them together).
- Endpoint, EDR, MDM
- Proxy, Reverse proxy, WAF, CASB
- Messaging (Email, SMS, etc.)
- NIDS / HIDS / IPS
- DLP and Data Discovery
- Full Packet Capture and Netflow
- Asset Management
- Malware Detonation service
- Vuln Scanning and Management
- Deception and Network Access Control
- Case Management and Ticketing
- User management and Authentication
- Threat Intelligence