By Anup Kanti Deb, Segment Leader – Threat Management Solution
IBM Security (Asia Pacific)
Background: The Cyber Security Landscape
The cybersecurity landscape has evolved over time, and organizations seeking to stay ahead are embracing Security Orchestration, Automation and Response (SOAR) platforms to gain visibility, refine their processes and shorten the time needed to respond to cyber threats. Given the complexity of attack vectors, the volume and severity of attacks, the industry skills shortage and global regulatory demands, this paradigm shift has driven the adoption of SOAR technologies across Security Operations Centres, including service providers that build on SOAR technologies to address the needs of their customers.
To combat growing cyber threats, most organisations have invested in multiple security tools. In the early 1990s the focus was protection within the perimeter, so investment in network controls, firewalls, IDS and anti-virus was common. In the early 2000s we witnessed the exponential growth of the internet, and compliance regimes such as Sarbanes-Oxley and PCI (Payment Card Industry security standards) drove the initial adoption of Security Information and Event Management (SIEM), which then emerged as the primary detection tool for organisations.
Over the last few years, while traditional log collection from network devices, firewalls, endpoints, IDS/IPS and other sources remains critical for detection, we have seen flow data, threat intelligence, User Behaviour Analytics and Artificial Intelligence / Machine Learning become critical components of detection and monitoring capability, providing real-time alerts.
The Decade of Response
In today's era, speed, agility and decisive action are key to any response process, as attackers have become more sophisticated, more damaging and more persistent. Given the massive digitalisation of the workplace, the attack surface has expanded exponentially, and Security Orchestration, Automation and Response technology has emerged in response. Gartner defines SOAR as a solution stack of technologies that enables organisations to collect security threat data and alerts from different sources, so that incident response, including investigation and triage, can be performed using a combination of human and machine learning to define, prioritize, standardize and automate incident response functions.
The Relevance of SOAR
Since SOAR operates in real time, the benefits are multiple. Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) are two key security metrics that SOC managers use to measure and improve SOC productivity, and SOAR drives both by integrating with existing security tools. Teams can do more with less by letting the platform automate repetitive tasks, which frees security staff to respond to complex attacks and focus on more strategic work. SOAR also gives analysts guided response, combined with the ability to collaborate and apply machine learning, helping them stay ahead of today's complex cyber threat environment.
The OODA Loop
When implementing a SOAR platform, it is increasingly common to build the cyber security strategy on steering principles adopted successfully on the battlefield, tried and tested by military organisations around the world and progressively adopted in the cyber world. This concept is the OODA loop, and its applicability to Security Orchestration, Automation and Response becomes more relevant and effective as cyber incident response technology matures within an organisation.
OODA stands for observe, orient, decide and act. It is a combat method originally developed by U.S. Air Force fighter pilot and Pentagon consultant John Boyd to help fighter pilots be more effective in dogfights. It encapsulates, as a continuous loop, all the steps a pilot needs to execute to defeat an adversary: observing the environment, orienting that data with the other critical information at hand for relevant context, deciding what to do and, finally, acting decisively. If a pilot could execute the OODA loop faster than the enemy, or slow down the enemy's ability to execute their own loop, the advantage was colossal. Pilots were trained to execute it, and modern warplanes, including the F-16, were redesigned to support the OODA loop. The results were dramatic.
The OODA loop has become a standard combat method in most military organizations and is now finding its way into the cyber security world. It is appropriate to base a SOAR platform's design and architecture on the fundamental principle of the OODA loop. Incident response is becoming more like real-time combat with cybercriminals, and security teams should view incident response orchestration as a series of OODA loops that must be executed at speed and with razor-sharp precision.
When the principles of the OODA loop are implemented effectively, automation and orchestration can deliver dramatic time savings in an incident response process. One global company faced challenges with the speed of its incident response at scale, which was too manual, slow and disjointed. Many parts of its process, particularly the orient stage, took analysts significant time to complete. By the company's calculations, one common type of incident took more than 80 minutes on average to close out.
To accelerate its response, the company began implementing automation and orchestration judiciously in its incident response process. Intending to integrate with several security tools and orchestrate the process, the organisation developed the SOAR platform as a central hub to assign responsibilities, manage playbooks, coordinate tasks and automate appropriate steps. Analysts can now complete certain tasks with the click of a button and fully automate triage and enrichment with a high level of fidelity. Responders get critical information faster and exactly when they need it. As a result, the average time to resolve that 80-minute incident plummeted to an impressive one minute.
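The following is an added illustration of the idea above, not code from IBM or from the company described: a small triage playbook whose stages map one-to-one onto observe, orient, decide and act, plus the MTTR calculation used to measure the effect. The threat-intel table, asset inventory, alert records and action names are all constructed for the example and stand in for the real integrations a SOAR platform would call.

```python
"""OODA-loop triage playbook (added example; threat-intel, assets and alerts are constructed)."""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed threat-intel lookup standing in for an external reputation feed.
THREAT_INTEL = {
    "203.0.113.45": {"reputation": "malicious", "tags": ["c2"]},
    "198.51.100.7": {"reputation": "suspicious", "tags": ["scanner"]},
}

# Constructed asset inventory used during the orient stage.
ASSET_CRITICALITY = {"db-prod-01": "high", "wks-0427": "low"}

# Constructed alerts from two different tools with slightly different field names.
SAMPLE_ALERTS = [
    {"id": "A1", "hostname": "db-prod-01", "source": "203.0.113.45", "detected_at": "2024-01-01T10:00:00"},
    {"id": "A2", "host": "wks-0427", "src_ip": "198.51.100.7", "detected_at": "2024-01-01T10:05:00"},
    {"id": "A3", "host": "wks-0427", "src_ip": "192.0.2.9", "detected_at": "2024-01-01T10:10:00"},
]


@dataclass
class Incident:
    alert: dict
    context: dict = field(default_factory=dict)
    severity: str = "low"
    actions: list = field(default_factory=list)


def observe(raw_alerts):
    """Observe: normalise alerts from different tools into one common shape."""
    incidents = []
    for a in raw_alerts:
        alert = {
            "id": a["id"],
            "host": a.get("host") or a.get("hostname"),
            "src_ip": a.get("src_ip") or a.get("source"),
            "detected_at": datetime.fromisoformat(a["detected_at"]),
        }
        incidents.append(Incident(alert=alert))
    return incidents


def orient(incident):
    """Orient: enrich the alert with threat intel and asset context (the slow manual step)."""
    ti = THREAT_INTEL.get(incident.alert["src_ip"], {"reputation": "unknown", "tags": []})
    incident.context = {
        "reputation": ti["reputation"],
        "tags": list(ti["tags"]),
        "asset_criticality": ASSET_CRITICALITY.get(incident.alert["host"], "unknown"),
    }
    return incident


def decide(incident):
    """Decide: derive a severity from source reputation and asset criticality."""
    rep = incident.context["reputation"]
    crit = incident.context["asset_criticality"]
    if rep == "malicious" and crit == "high":
        incident.severity = "critical"
    elif rep == "malicious" or (rep == "suspicious" and crit == "high"):
        incident.severity = "high"
    elif rep == "suspicious":
        incident.severity = "medium"
    else:
        incident.severity = "low"
    return incident


def act(incident):
    """Act: automate the steps that are safe to automate, escalate the rest to a human."""
    if incident.severity == "critical":
        incident.actions.append(f"isolate_host:{incident.alert['host']}")
        incident.actions.append("page_on_call")
    elif incident.severity == "high":
        incident.actions.append("open_ticket_p2")
    else:
        incident.actions.append("auto_close")
    return incident


def run_playbook(raw_alerts):
    """Run one OODA loop per alert and return the resulting incidents."""
    return [act(decide(orient(i))) for i in observe(raw_alerts)]


def mttr_minutes(records):
    """Mean Time to Respond in minutes over (detected_at, closed_at) datetime pairs."""
    if not records:
        return 0.0
    total = sum((closed - detected).total_seconds() for detected, closed in records)
    return total / len(records) / 60.0


if __name__ == "__main__":
    for inc in run_playbook(SAMPLE_ALERTS):
        print(inc.alert["id"], inc.severity, inc.actions)
```

The `decide` stage is deliberately a plain rule table: in a real deployment this is where analyst judgement or a model would plug in, while `act` keeps the destructive action (host isolation) gated behind the highest severity so that automation shortens the loop without widening the blast radius of a bad decision.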
Conclusion
The use of SOAR platforms thus continues to scale new heights and appears entrenched in the SOC environment, given their ability to bring people, process and technology together to make security alerts instantly actionable and, importantly, to provide the insight, context and sophistication needed to combat cyber threats, thereby taking a step forward in building cyber resiliency within an organisation. A well-calibrated cyber resiliency program combines detection, response and recovery frameworks. A SOAR platform can therefore refine and feed intelligent feedback into the rules and use cases an organization needs to calibrate its detection solution, allowing the organization to respond faster and enabling security analysts to manage today's increasingly complex attacks effectively.