21 Aug Key Black Hat Takeaway – SOAR Ubiquity and Confusion
For better or worse, the Gartner term and acronym Security Orchestration, Automation and Response (SOAR) has crystallized into the cyber world lexicon. It refers to leveraging digitized workflows to orchestrate and automate a diverse set of IT and Security tools in executing Security Operations processes, from securing the Software Development Life Cycle (SDLC), to threat intelligence synthesis and hunting, to alert triage, investigation and response.
As a result, you couldn’t walk the floor at Black Hat without bumping into a solution provider adopting or aligning in some way with this term. That is no surprise given the tremendous benefits of SOAR when properly deployed, and the industry’s focus on automation (remember the Gartner Security & Risk Management Summit?). After all, people have been saying for years, “look at how far DevOps automation has come; Security is years behind, but headed that way.”
The challenge for customers, however, is how to make sense of all the vendor claims of “automated response” from endpoint, messaging, network, User and Entity Behavior Analytics (UEBA) and other tools. Having each of these point solutions perform automated response sounds good on the surface. For example, if an endpoint solution observes an attempted download of an unknown file, it can automatically check threat intelligence for context; if none is available or the result is inconclusive, it can submit the file to the vendor’s sandbox for analysis, quarantining the file in the interim. Once the file is validated as benign it is released from quarantine; if it is deemed malicious, the file is blocked across the enterprise and any machines holding it are identified for removal, forensic analysis and closer monitoring.
Challenges with having each point solution run its own automated responses include:
- There’s no comprehensive assessment of risk: which attacker or campaign is this file associated with, are other TTPs being observed across the attack surface, what sensitive data (if any) resides on the affected endpoints, etc.
- What happens when an endpoint detection and response (EDR) tool tries to address this risk at the same time a network solution cuts off the host’s connectivity in response to an alert for the same risk? The remaining EDR actions (e.g., sandbox submission) can’t be executed because the agent has lost connectivity to the EDR management console.
- These production system changes aren’t subject to the ITIL-style change management the organization otherwise requires, with its separation of duties, review and approvals.
- There’s no assurance that approved corporate risk management processes and protocols are being followed (e.g., what if PII or PHI is on one of the affected machines?).
- There is no central audit of the response automations, the supporting data and rationale for executing them, or the context needed for knowledge management and, once enough observations are captured, machine learning to improve the organization’s overall risk posture.
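As an added illustration, not Syncurity’s code or any vendor’s product, the following Python sketch runs the endpoint workflow described above (threat intel lookup, interim quarantine, sandbox, release or enterprise-wide block) from a central orchestrator so that it also answers the list: a per-asset lock serializes the endpoint and network playbooks instead of letting them race, asset context decides whether a host holding regulated data must go to a human reviewer, an inconclusive verdict keeps the file contained and escalates rather than auto-closing, and every step lands in one audit trail with its rationale. The threat-intel feed, sandbox results, host/file index and asset inventory are constructed in-memory stand-ins for the tool APIs a real platform would call; the hashes and hostnames are made up.

```python
import hashlib
import threading
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


def h(s: str) -> str:
    """Helper to derive constructed sample hashes from labels."""
    return hashlib.sha256(s.encode()).hexdigest()


# --- Constructed sample data; none of these are real indicators or hosts ---------
THREAT_INTEL = {h("known-bad-sample"): "malicious", h("known-good-installer"): "benign"}
SANDBOX_RESULTS = {h("new-dropper"): "malicious", h("new-internal-tool"): "benign"}
ASSET_INVENTORY = {"ws-0142": {"data_classes": ["PII"]}, "ws-0387": {"data_classes": []}}
EDR_FILE_INDEX = {h("new-dropper"): {"ws-0142", "ws-0387"}, h("new-internal-tool"): {"ws-0387"}}


@dataclass
class AuditEvent:
    ts: str
    case_id: str
    action: str
    target: str
    rationale: str
    outcome: str


class AuditLog:
    """Central append-only trail of every action, machine- or human-initiated."""
    def __init__(self) -> None:
        self.events: List[AuditEvent] = []

    def record(self, case_id: str, action: str, target: str, rationale: str, outcome: str) -> None:
        self.events.append(AuditEvent(datetime.now(timezone.utc).isoformat(), case_id, action, target, rationale, outcome))

    def for_case(self, case_id: str) -> List[str]:
        return [e.action for e in self.events if e.case_id == case_id]


class AssetLocks:
    """One lock per asset: the network playbook cannot isolate a host while the
    endpoint playbook still needs console connectivity to it, and vice versa."""
    def __init__(self) -> None:
        self._locks: Dict[str, threading.Lock] = {}
        self._guard = threading.Lock()

    def acquire(self, asset: str, timeout: float = 0.5) -> Optional[threading.Lock]:
        with self._guard:
            lock = self._locks.setdefault(asset, threading.Lock())
        ok = lock.acquire(blocking=False) if timeout == 0 else lock.acquire(timeout=timeout)
        return lock if ok else None


class Platform:
    """Orchestrator state; tool connectors are in-memory stand-ins (assumption)."""
    def __init__(self) -> None:
        self.audit = AuditLog()
        self.locks = AssetLocks()
        self.quarantined: Set[Tuple[str, str]] = set()   # (host, sha256)
        self.blocked_hashes: Set[str] = set()             # enterprise-wide EDR block list
        self.isolated_hosts: Set[str] = set()             # network containment
        self.analyst_queue: List[str] = []                # cases needing a human decision


def handle_unknown_download(p: Platform, case_id: str, host: str, sha256: str) -> dict:
    """Endpoint playbook: TI -> quarantine -> sandbox -> release / block / escalate."""
    lock = p.locks.acquire(host)
    if lock is None:
        p.audit.record(case_id, "defer", host, "another playbook holds the asset lock", "requeued")
        return {"status": "deferred", "verdict": None}
    try:
        verdict = THREAT_INTEL.get(sha256)
        p.audit.record(case_id, "ti_lookup", sha256, "enrich before acting", verdict or "unknown")
        if verdict is None:
            p.quarantined.add((host, sha256))
            p.audit.record(case_id, "quarantine", host, "no TI verdict; contain pending sandbox", "ok")
            verdict = SANDBOX_RESULTS.get(sha256)
            p.audit.record(case_id, "sandbox_submit", sha256, "resolve unknown verdict", verdict or "inconclusive")
        if verdict == "benign":
            p.quarantined.discard((host, sha256))
            p.audit.record(case_id, "release", host, "TI/sandbox benign", "ok")
            return {"status": "closed", "verdict": "benign"}
        if verdict == "malicious":
            p.blocked_hashes.add(sha256)
            affected = sorted(EDR_FILE_INDEX.get(sha256, set()) | {host})
            p.audit.record(case_id, "block_enterprise", sha256, "confirmed malicious", f"affected={affected}")
            # Risk context the point tool lacks: regulated data forces a human compliance review.
            regulated = [a for a in affected if ASSET_INVENTORY.get(a, {}).get("data_classes")]
            if regulated:
                p.analyst_queue.append(case_id)
                p.audit.record(case_id, "escalate", ",".join(regulated), "regulated data on affected host", "queued")
                return {"status": "escalated", "verdict": "malicious", "affected": affected, "regulated": regulated}
            return {"status": "closed", "verdict": "malicious", "affected": affected, "regulated": []}
        # Neither TI nor sandbox could decide: stay contained and hand to a human.
        p.analyst_queue.append(case_id)
        p.audit.record(case_id, "escalate", host, "inconclusive verdict; file stays quarantined", "queued")
        return {"status": "escalated", "verdict": None}
    finally:
        lock.release()


def isolate_host(p: Platform, case_id: str, host: str) -> dict:
    """Network playbook for the same host; defers instead of racing the endpoint playbook."""
    lock = p.locks.acquire(host, timeout=0)
    if lock is None:
        p.audit.record(case_id, "defer", host, "endpoint playbook in progress on this asset", "requeued")
        return {"status": "deferred"}
    try:
        p.isolated_hosts.add(host)
        p.audit.record(case_id, "isolate", host, "network containment", "ok")
        return {"status": "isolated"}
    finally:
        lock.release()
```

The design point is that neither playbook decides anything a point tool couldn’t; what the orchestrator adds is ordering (the lock), context (the inventory lookup before auto-closing) and a single record of who did what and why, which is exactly what the list above says is missing when each tool acts alone.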
The Need for SOAR Clarity
What customers, both Enterprises and Security Service Providers, need is an understanding of how best to leverage the automated response capabilities across their heterogeneous IT and Security stacks, within the context of a comprehensive assessment of potential risk, using digitized workflows that interoperate with all components and provide a complete and consistent detailed audit trail of all actions, both machine- and human-initiated, for dashboarding and reporting and for subsequent human and machine learning. This means the ability to address both process complexities (e.g., compliance reporting when PII or PHI is involved) and attack complexities (e.g., low-and-slow nation-state attacks vs. easily spotted malware reuse by “Lazy Ivans”).
In addition, this comprehensive approach must span the “hybrid” environments common to virtually every enterprise. All enterprises deploy a heterogeneous plethora of IT and Security tools while migrating to the cloud (IT more than Security), and managing that transition requires visibility and control across both the on-premises and cloud-based (SaaS, IaaS, etc.) planes. While there are Security tools for managing public cloud security and compliance (e.g., PAN’s acquisition of RedLock, now part of the Prisma offering), managing the security and compliance of both private and public data center assets is required (e.g., check out Caveonix, https://www.caveonix.com). Add to this mix the increasingly mobile workforce, and there’s yet another source of risk and level of complexity that must be addressed: infrastructure sprawl. Spanning all these vectors requires a comprehensive, independent SOAR platform, and is something Security teams must insist on as they evaluate SOAR solutions.
Having automation capabilities within individual point solutions is helpful and necessary, as a comprehensive SOAR platform can leverage those capabilities via API as part of a holistic threat response. However, just as in American football, there must be a quarterback who calls the play, has a comprehensive view of the field, knows the different players and their skills, and understands how the play fits into the overall game plan. The Syncurity independent, comprehensive SOAR platform is designed to provide exactly that, and of course the Syncurity platform does much more.
At Black Hat, I was amazed at how ubiquitous the notion of automated detection and response was, and how it has permeated the Security solution marketplace. However, as daily practitioners know, there are many challenges to actually doing this effectively given the various constraints and the struggle with poor IT hygiene (CMDB, anyone?). Combined with attacker sophistication, process complexity and infrastructure sprawl, the problem becomes exponentially harder to solve. These complexities make it virtually impossible for any given point solution to holistically assess risk, follow the appropriate protocols, execute coordinated actions across a heterogeneous hybrid infrastructure, and capture all the audit-level details necessary, including the steps required of humans. An open, standards-based, more comprehensive and independent solution is needed.
What do you think? Let us know at https://www.syncurity.net