I was asked recently if SOAR works with TLS1.3. Some of you might already know this, but for those that might not:
TLS1.3 is commonly used for encrypting data as it travels over a network, or put another way “encryption on the wire” as opposed to “encryption on disk”. When the data reaches it’s destination this encryption is removed and the recipient can see the original traffic.
SOAR is not an inline tool, by that I mean it does not observe and regulate the moving network traffic (like a firewall/IPS does) so this “in transit” encryption does not meet the SOAR solution. SOAR is infact out-of-band and communicates with these tools that are themselves inline, the problem of TLS visibility remains with them and not SOAR.
Example – A SOAR playbook that is triggered by a user visiting “https://banking.com” will only trigger if the Proxy or IPS that is handling that request is inspecting inside SSL/TLS and can therefore inform SOAR/SIEM of the request.
Of course, SOAR platforms talk to other solutions (IPS, Firewall, Case Management, etc) and for these communications are encrypted, and yes SOAR should be able to use TLS1.3 itself.
Shameless link – before starting SOCOPS.ROCKS I wrote another little blog for self learning and I wrote an article on TLS1.3 (a previous focus of mine), much more information here: