“SOAR? ..but we’re not big enough to have a SOC”

I hear this a lot, but it doesn’t matter. If anything, a smaller team has more of a need for SOAR.

Don’t believe me? Listen to Bruce Potter (CISO, Expel) and Mike Johnson (CISO, Fastly) on the CisoSeries blog (fast forward 1m38s)

A listener writes in asking “How do you thrive, and how do you survive as a team of 1?”

The panel discuss many general points, including:

  • think about how to amplify yourself
  • democratise others to do work on your behalf
  • only so many hours in a day for you to get things done
  • bring in others to help
  • be the architect for security
  • think about the bigger picture, of how to apply your knowledge
  • find the multipliers

Whilst the panel lean towards distributing responsibilities and finding allies to do work on your behalf (lucky them), I was just hearing:

  • Yes, SOAR
  • Yes, SOAR
  • Yes, SOAR
  • Yes, DBot
  • Yes, SOAR
  • Yes, SOAR

Essentially, automate the hell out of it.  If you have 1 or 2 people, surely automation is the only way to scale.

Example:  User submits a request (priority 3?), which goes to the bottom of the priority queue, which takes 2 days to find, and 30 minutes to fix.  That’s a long wait for something simple.  People see the IT team as blockers, not enablers.

Now imagine SOAR performing all those simple/fast requests with a turnaround of 2 minutes.   2 days wait -> 2 mins wait is a 144,000% increase in service you give without any additional head count or training.

This has a few benefits:

  • Smaller ticket queue
  • Increased perception of service (your end users feel that your service is always-on)
  • More time and less interruptions whilst you are doing more important tasks

That’s just the basics of what SOAR does. Taking that further and using all the functionality of SOAR Case Management here too:

  • The remaining 50% of tickets are already prioritised so you wont miss a high priority just because you ‘started at the top of the inbox and worked down’
  • Playbooks can interact with non-SOAR users meaning your end users always had the possibility to “click here to escalate this to a security person now” if it can’t wait
  • Daily/Hourly reporting to you on the queue size with nice breakdowns on priority, incident type etc.
  • Even cooler would be SOAR checking the baseline of tickets. Imagine a security incident happens and many users report a similar issue, if we see this rise we contact you straight away “warning, phishing requests at 205% of normal”

Honestly I could go on lots more on how SOAR in the background supports a smaller team, but I think this makes the point.

Andy

How SOAR saved my marriage!

After recently getting married, I quickly discovered my wife was cheating on me, with these three:

As soon as I left the house to go shopping, seeing the family, or working away my (NOT-SO-)good lady would jump into bed, turn on the TV and spend quality time watching series without me, getting ahead in a series we were watching together !

This is disastrous and would no doubt lead to a playbook on how get divorced. Urgent actions were needed, so I turned to SOAR!!

(Really this is a blog post about automating the whitelisting/blacklisting of IP/domains. Either for a SOC team who are detecting new attacks, or whether it’s members of staff managing their own policies. But hey I love drama, pun intended. Read to the end where I discuss “This In Business”)

I need a process that:

  • Automatically detects this activity
  • Automatically remediates this activity
  • Validate if I’m home
  • Communicates with the culprit (played by my hussy wife)
  • Seeks confirmation from sysadmin (in this post the victim is played by the flawless handsome and honorable me)
  • Audit logs, SLA, etc

Setup

SOAR running on a virtual machine at home

The DNS activity/alert is generated by PassiveDNS on a Raspberry PI on a network sniffer port

My home network has lots of Unifi in. Unifi do amazing kit with a full API available to control the WAP, Firewall rules, network config etc. I <3 the Unifi!

Workflow Process

To avoid a SIEM at home, I simply have PassiveDNS forward logs for Netflix DNS requests direct to SOAR.

PreProcessing is then used to make sure that all prior tickets/incidents are closed (i.e. check this is a new situation)

SOAR then queries my Unifi controller to see if my personal mobile phone is connected to the WIFI. If “yes” then I am home, if “no” I’m likely out travelling.

The VICTIM (innocent me) who is likely in a hotel/shop is then either sent an email with a choice to block the activity instantly, or to request a justification….

….or if I’m being an uber admin, I can use the mobile app to decide….

If I chose to ask “EnforceJustification” a questionnaire is send to the wicked one!

Answers are forwarded to the sysadmin

Of course being the benevolent kind generous soul I am, I of course decide to Allow this traffic (between you and me, I watched this the other day, so I’m already ahead of her… #guilty)

And thus our marriage is saved. Should I train to become a marriage counsellor?

SOAR Value Realised

I previously talked about the value of SOAR and I think this playbook ticks off many of those:

  • Reduce alert overhead
  • Quicker to act
  • Standardise your workflow
  • Standardise approvals
  • Revitalise legacy/simple tools

This In Business

Many of us are familiar with this phone call from a member of staff who was denied a work related website:

“How dare you block my access to the internet, I need that website to do my job! You’re stopping business! Stop being paranoid! I’m going to report this!”

So let’s adapt the above process:

  • A workflow initiated by the end user (through a ticketing system, SIEM, emails, or other)
  • Playbook asks the user which domain to whitelist, for how long, and for what justification
  • Playbook then checks if this domain was requested before. If denied, ticket can be closed. If approved a few times should we consider a long term whitelist?
  • Playbook then enriches the domain against Threat Intel: Is it known malicious, is it less than a week old, is it an inappropriate category of site
  • Playbook enriches with ActiveDirectory to determine that users manager
  • Playbook emails manager for approval with all the details and buttons of “yes approve” or “no, block”
  • If the manager approves the domain is whitelisted
  • And after the correct amount of time, automatically removes the policy change to clean up.

We now have a process that is operational 24/7, works at the speed of the affected staff (not the huge workload of the security team), takes no effort on your team, does threat enrichment and sanity checking, cleans up after itself, has SLA, RBAC, is fully audited. All the while, no member of staff was given access to any security tool!

Useful ?

Andy

Keeping Control during Automation in SOAR

I previously posted “but donโ€™t forget that over-automating can lead to reduced visibility“.  Machines do what we tell them (to a fault), how do we retain some control?

Example – At Demisto, when you ask for access to our help-center, the email is processed by a SOAR playbook to validate the request, manage access, and respond to the user, like self-service. 

However recently it took a wrong turn so I had to open and take control and override our usual logic.  This was easy as each incident (which the automation belongs to) is tracked like case management, so we simply “re-open”, open up the playbook to find the issue, and correct it.

So what best practise can we utilise to keep control over SOAR?

Human Checks – Before any critical steps (e.g. pushing IP to firewall) you might want to ask a human analyst to verify (either using ticket management, email/slack question, or using the Mobile App)

Playbook Design – Many playbooks have forks based upon automated decisions. Consider the chain of events in a ticket if is restarted from a certain point taking a different action. Do any original steps have to be undone? A good design allows users to quickly make changes and walk away.

Human Notifications – If anything is seen slightly odd (too much data in a reply) then continue a human analyst of the observation with a direct link “click here to see the playbook in operation”

Summary Page – All key data and decisions should be in the tickets summary page, so any analyst/team leader having a quick view can see the key points of ticket (e.g. User not found resulting in playbook taking a specific course of action)

Andy

SOAR in Banks

Great article
https://biztechmagazine.com/article/2019/07/how-security-orchestration-and-automation-make-banks-cyber-resilient?utm_source=linkedin.com&utm_medium=referral

“Visibility is critical in all contexts: network, endpoint, DNS, email, web and, most importantly, the hybrid cloud, where monitoring workloads and accessibility presents a big challenge.”

Agreed, in a way SOAR isn’t a security tool, it orchestrates them, so make sure you have visibility. Even a free/open/cheap tool with SOAR can show value if it’s integrated to a complete workflow.

Andy

best-practices-for-the-soc-team

Lots of great points in the article, I’ve taken a few out below.
https://www.infosecurity-magazine.com/opinions/best-practices-for-the-soc-team/

“Organizations are being forced to hire Tier 1 analysts with little or no experience, and spread their Tier 2 analysts too thin”

To help your Tier1 team, either hire anyone in IT and just do data collection, or use Automation:

” …if there is no judgment to be made, you donโ€™t need a human analyst โ€“ you need to automate. “

To help your Tier2 team

“Analysts should be equipped with tools that can help them automatically investigate incident “

Andy

Bruce Schneier Talk

I recently attended a talk by Bruce Schneier talking about Automation and his new book “Click here to kill everybody” (charming)

Though the talk wasn’t specific to SOAR, it’s still relevant to IT Security I think this borders on similar concepts to SOAR, so here are my personal notes from the talk

  • There will always be vulnerabilities as all software is crap…. we want it cheap, fast and now
  • All computers are platforms and therefore extensible by design
  • Bigger means complex, more attack surface, more insecure
  • Putting 2 Systems together which were not designed together, creates a vulnerability, it’s no one’s fault but it’s there
  • Security hasn’t changed in 10 years but computers platforms are changing a lot (IOT etc)
  • Stealing blood type information from a hospital is bad, changing blood type information is worse (integrity vs confidentiality)
  • Computers break at scale, all at once, think contact-less hotel door, once a vulnerability is discovered every door is ‘broken’ in the same moment
  • It’s a style of failure we’re just not experienced in dealing with
  • Best way to patching legacy kit is simply throw it away and rebuild
  • Replace a phone battery yearly, replace a fridge every decade
  • The world will be swamped with non patched devices soon
  • We are moving further away from “thing to person auth” and even more to “thing to thing” auth, we don’t know how to do this on the scale needed
  • Imagine a city of 1,000,00 cars needing “thing to thing” auth to inform and talk to each other
  • Cyber skills gap, so we need to automate more
  • How do you build something secure, on top of unsecure parts?

The talk summarised with the need for regulation from the govt.

  • Regulation is the only answer. You trust a restaurant won’t poison you, and that the building you’re under wont collapse on you as it’s regulated. Regulation isn’t perfect but it works all around us quite well.
  • Regulate in one place, and every territory should benefit. i.e. companies don’t want 2 code bases, it’s simpler and cheaper to to work it out for the area with the highest standards then use this in other locations

Some food for thought?

Andy

Automating responsibly

I recently wrote about adding a personal touch in SOAR:
https://www.socops.rocks/index.php/2019/04/29/adding-a-personal-touch/

One point included an end user who wants to break out of automation and talk direct to a human with a “click here” button, so they don’t feel ignored/shunned.

I noticed recently this is how a lift works. Lots of buttons to trigger certain functions, but also an alarm button to press when something goes wrong… responsible automation.

My own SOAR demo is guilty of not doing this, it intelligently and informatively acknowledges the request and thanks the user, but until my playbook has reached a conclusion the end user is just a stressed and panicking passive bystander.

Here is my new version, you can see the original acknowledgement email which now gives your staff the ability to ‘break out’.

And here is the logic I wanted: increase the severity, assign it to a team member and start the response SLA counter

Results:

  • Responsible automation
  • Automation that still runs in parallel by default
  • A way to track and SLA time things where things go wrong
  • And ultimately, users that don’t feel neglected

Andy

‘Rethinking the SOC for Long-Term Success’

https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1561408460.pdf

Great deck (shame I couldn’t watch it too)! I’ve worked in a SOC and in my role I talk to a different SOC every day and agree massively with all of this. Of course I also love how they mention SOAR ๐Ÿ˜‰

The only thing I would add is that Recommendation 1-4 all require having more time (without being bogged down on alert overload) so Recommendation 5 (SOAR) maybe should be promoted to Recommendation 1?

But I work on SOAR, so of course I would say that ๐Ÿ˜‰

Andy

death-of-the-tier-1-soc-analyst

Link :
https://www.darkreading.com/analytics/death-of-the-tier-1-soc-analyst/d/d-id/1330446

” A combination of emerging technologies, alert overload, and fallout from the cybersecurity talent shortage is starting to gradually squeeze out the entry-level SOC position “

“The Tier 1 SOC analyst will become more like the Tier 2 analyst”

“Gone will be the mostly manual and mechanical process of the Tier 1 SOC”

Yup yup and yup.

Andy

Adding a personal touch

At RSA2019 I heard about a SOAR customer that had to add delays to their playbook “wait 5 minutes before replying” so end users felt their request was being handled with care and not simply scripted.

It reminded me of a story of an Italian tortellini maker that bought 5 different pasta machines to keep the product looking ‘varied’ so customers would believe the pasta was hand made.

So what can we do to give SOAR that human touch?  (DBot if you’re reading this, no offence my friend, I still think you’re great)

Approach #1 – Make automation more human like

Adding a time delay to responses to simulate an overworked team

Use a pre-written list of slightly varying replies with the occasional spelling mistake

Sometimes just close a ticket for no reason (or just don’t open it)

Approach #2 – Human chaperone

Random 10% chance that a human sends the last communication “I’ve been watching the ticket and it all looks good, did it meet your needs?”

If the submitter hasn’t used automation before, acknowledge this in your initial reply “we can see you are new and we’re assigning a human to watch over as you engage through this process”

Run a weekly report of new end users and give them a call to review

“Click here if you ever want to escape this automation and talk to someone”

Include “this is an automated response – an analyst response will follow”

I’d love to hear from anyone that has faced this problem and which gave the best success…

Andy