I’ve asked myself this many times: when is automation a good solution? When is it not?
Let’s analyse how an analyst might work through a phishing report:
- Copy paste the email into a new ticket
- Inform the end user their request was acknowledged
- Extract the URLs, copy paste them into Threat Intel platforms
- Extract the IPs, copy paste them into Threat Intel platforms
- Get the file hash, copy paste it into Threat Intel platforms
- Copy the file, upload to a sandbox, paste results back into the ticket
- Check if the URL in the email was similar to your corporate domain
- If not malicious, email the end user and close the ticket
- If malicious then we do more…
  - Email the end user saying “yes”, update the ticket
  - Update severity to “high”
  - Query the SIEM, query other mailboxes for the known IOCs
Let’s analyse the workflow:
- Most of this is simply copy pasting
- The data structure is always the same
- The process is always the same (and it’s extremely repetitive and boring!)
- The analyst is logged on to and interacting with half a dozen different interfaces (which leads to eye fatigue)
- All the involved solutions (ticket systems, threat intel, SIEM, mail…) have APIs.
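To make the “always the same data structure, always the same process, everything has an API” point concrete, here is an added example (not code from the original post) that automates the first pass of the phishing workflow above: parse the reported email, extract URLs, IPs and hashes, check the URLs for lookalikes of the corporate domain, look the IOCs up, and decide whether the ticket can be closed or needs to be escalated. Everything in it is constructed and assumed: the corporate domain `example-corp.com`, the sample emails, and the in-memory `KNOWN_BAD` blocklist, which stands in for the Threat Intel platform API call a real play would make at that point.

```python
"""Automated first pass of a phishing triage workflow.

Added example, not from the original post. All inputs are constructed:
the corporate domain, the two sample emails, and the tiny in-memory
blocklist that stands in for a Threat Intel platform lookup.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

CORPORATE_DOMAIN = "example-corp.com"  # assumed corporate domain

# Constructed stand-in for a Threat Intel platform. A real play would call
# the TI vendor's API here and return the same shape of result.
KNOWN_BAD = {
    "urls": {"http://example-c0rp.com/login"},
    "ips": {"203.0.113.45"},  # TEST-NET-3 documentation range
    "hashes": set(),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.I)


def extract_iocs(raw_email: str) -> dict:
    """Steps 'extract the URLs / IPs / hashes': pull IOCs out of every text/plain part."""
    msg = message_from_string(raw_email)
    text = ""
    for part in msg.walk():  # walk() yields the message itself when not multipart
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text += payload.decode(part.get_content_charset() or "utf-8", errors="replace")
    return {
        "urls": {u.rstrip(".,);") for u in URL_RE.findall(text)},
        "ips": set(IPV4_RE.findall(text)),
        "hashes": {h.lower() for h in SHA256_RE.findall(text)},
    }


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used to spot typo-squatted corporate domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domains(urls) -> list:
    """Step 'check if the URL was similar to your corporate domain'."""
    corp_label = CORPORATE_DOMAIN.split(".")[0]
    hits = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host == CORPORATE_DOMAIN or host.endswith("." + CORPORATE_DOMAIN):
            continue  # genuinely ours, not a lookalike
        if levenshtein(host, CORPORATE_DOMAIN) <= 2 or corp_label in host:
            hits.append(host)
    return sorted(hits)


def defang(ioc: str) -> str:
    """Make an IOC safe to paste into a ticket (no clickable links)."""
    return ioc.replace("http", "hxxp").replace(".", "[.]")


def triage(raw_email: str) -> dict:
    """Run the whole first pass and return the ticket update the play would make."""
    iocs = extract_iocs(raw_email)
    ti_hits = {k: sorted(v for v in iocs[k] if v in KNOWN_BAD[k]) for k in iocs}
    lookalikes = lookalike_domains(iocs["urls"])
    malicious = bool(lookalikes or any(ti_hits.values()))
    actions = ["acknowledge report to the end user"]
    if malicious:
        actions += ["reply to end user: confirmed phishing",
                    "set ticket severity: high",
                    "query SIEM and other mailboxes for the IOCs"]
    else:
        actions += ["reply to end user: not malicious", "close ticket"]
    return {
        "iocs": {k: sorted(v) for k, v in iocs.items()},
        "ticket_note": [defang(i) for k in iocs for i in sorted(iocs[k])],
        "ti_hits": ti_hits,
        "lookalikes": lookalikes,
        "verdict": "malicious" if malicious else "benign",
        "severity": "high" if malicious else "low",
        "actions": actions,
    }


# Constructed sample reports (nothing here is a real message or indicator).
SAMPLE_EMAIL = """From: it-support@example-c0rp.com
To: alice@example-corp.com
Subject: Password expiry notice
Content-Type: text/plain; charset=utf-8

Your password expires today. Sign in at http://example-c0rp.com/login
to keep access. Our mail relay 203.0.113.45 logged your last login.
Attachment SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

BENIGN_EMAIL = """From: bob@example-corp.com
To: alice@example-corp.com
Subject: Lunch menu
Content-Type: text/plain; charset=utf-8

Today's menu is at https://intranet.example-corp.com/menu as usual.
"""

if __name__ == "__main__":
    for name, mail in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, triage(mail))
```

The edit-distance threshold of 2 is the kind of knob a play owner tunes: too loose and every short domain looks like yours, too tight and single-character swaps such as `c0rp` slip through. Note that the lookup against `KNOWN_BAD` is exact-match only; the real TI call is where reputation scoring, URL normalisation and hash lookups for the sandbox step would plug in.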
Let’s now analyse a potential workflow for insider data theft:
- Analyse evidence to identify the Threat Actor
- Identify scope of breach across network
- Attempt to identify the intent
- Inform the relevant parties (HR, Legal, etc.), possibly involving law enforcement
- When appropriate, lock the user out of the appropriate system
- Analyse potential losses, whether that’s IP theft, PII theft, financial or reputational, and act accordingly
- etc
Let’s analyse the workflow:
- This is a process that happens infrequently (hopefully)
- Whilst this process is standardised at a conceptual level, which can be represented in a playbook for process definition…
- …every run through will be completely different
- You will often interact with different data, in different systems
- Original notifications to teams will be the same, but every communication will be completely unique
- Humans don’t have APIs
- Intent, reputation and loss need dedicated human input to determine.
To be clear, there is great value in formally mapping this second scenario to a playbook, but I wouldn’t call it a primary use case for SOAR.
Summary
So what tasks are no-brainers for a SOAR platform? I believe it’s a process that…
- …is always the ~same
- …has many steps
- …takes time to do
- …is boring!
- …can access/utilise APIs
I originally listed “…works across multiple platforms”, and whilst that’s fascinating to see in motion, I’ve taken it out because even SOAR enriching and empowering a single isolated technology can be a great solution for the right use case.
Andy