- SOAR 101
Lots of valuable opportunities for incident response automation are available to security teams, especially when leveraging a SOAR platform. While most security teams are already using some amount of automation, extensive automation in the SOC is still quite rare. In fact, we confirmed this in a recent survey of security professionals that will be published soon.
If you are looking to get started with incident response automation, or to expand your existing use of automation, here are three simple use-cases that will result in significant time-savings for your security team.
1. Threat Intelligence Enrichment
One of the biggest opportunities to save time through automation is by gathering contextual data to help analysts assess threats. For example, if an email is flagged as a possible phishing attempt, a SOAR platform can automatically look up the reputation of the URL in the email, check the geolocation of the domain owner, investigate connections to known attackers, and more. Without automation, analysts have to go to other apps and manually look up this information, sometimes more than 100 times per day. SOAR platforms can integrate with threat intelligence sources to support seamless enrichment, including through aggregated feeds like ThreatQ.
2. Incident Escalation
Because of SOAR’s ability to enrich and analyze security alerts, you can use it to automate triage tasks, including routing alerts to the appropriate personnel for handling. Using threat intelligence and risk scoring, the SOAR platform can send high-risk alerts or complex cases to higher-tier analysts or SOC supervisors. Low-risk alerts and likely false positives can be routed to Tier 1 analysts, resolved automatically, or dismissed based on the organization’s internal rules.
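As an added illustration (not D3's code and not part of the original post), here is a small Python playbook step that combines use-cases 1 and 2: it enriches an alert's indicators against a constructed reputation table, computes a risk score, and routes the alert to a tier. The feed values, score weights and thresholds are assumptions for the example, not D3 defaults.

```python
from dataclasses import dataclass, field

# Constructed reputation "feed" (hypothetical values). In a real deployment
# these lookups go to the SOAR platform's threat-intelligence integrations.
REPUTATION = {
    "url": {"http://login-veriify.example/reset": {"malicious": True, "score": 85}},
    "domain": {"login-veriify.example": {"malicious": True, "score": 70, "country": "XX"}},
    "ip": {"203.0.113.7": {"malicious": False, "score": 10}},
}
UNKNOWN = {"malicious": False, "score": 0, "known": False}  # indicator not in any feed

@dataclass
class Alert:
    alert_id: str
    indicators: dict                 # indicator type -> list of values
    enrichment: dict = field(default_factory=dict)
    risk_score: int = 0
    route: str = ""

def enrich(alert: Alert) -> Alert:
    """Look up every indicator; anything the feed has never seen stays UNKNOWN."""
    for kind, values in alert.indicators.items():
        for value in values:
            alert.enrichment[value] = REPUTATION.get(kind, {}).get(value, UNKNOWN)
    return alert

def score(alert: Alert) -> int:
    """Assumed rule: highest indicator score, +15 when several indicators are malicious."""
    entries = alert.enrichment.values()
    malicious = sum(1 for e in entries if e["malicious"])
    top = max((e["score"] for e in entries), default=0)
    alert.risk_score = min(100, top + (15 if malicious > 1 else 0))
    return alert.risk_score

def route(alert: Alert) -> str:
    """Assumed escalation thresholds; unknown indicators never auto-close."""
    entries = alert.enrichment.values()
    all_benign = bool(entries) and all(e.get("known", True) and not e["malicious"] for e in entries)
    if alert.risk_score >= 80:
        alert.route = "tier2"        # high risk: senior analyst or SOC supervisor
    elif alert.risk_score >= 40 or not all_benign:
        alert.route = "tier1"        # needs a human look
    else:
        alert.route = "auto-close"   # likely false positive under the org's rules
    return alert.route

def triage(alert: Alert) -> Alert:
    """Enrich, score and route in one step, as a playbook would."""
    enrich(alert)
    score(alert)
    route(alert)
    return alert
```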
3. Endpoint Actions
When a malicious file or process is detected on an endpoint on your network, it is imperative that you be able to act fast not just on that endpoint, but across all endpoints in case the infection is widespread. Particularly on networks with large numbers of endpoints, automating these actions is a significant time-saver, which in turn lowers the risk of major damage from compromised endpoints. By integrating a SOAR platform with your endpoint protection tool, you can orchestrate automated actions such as killing a process, blocking a hash, or quarantining an endpoint.
Advanced Automation with D3 SOAR 2.0
Most SOAR platforms can help you automate the tasks that we’ve described. What sets D3 apart is its ability to go beyond simple automation to enable advanced security operations. One of the important ways in which D3 is moving SOAR forward is through operationalizing the MITRE ATT&CK framework. Instead of only following the linear process of ingesting an alert, enriching it with threat intelligence, and triggering a playbook, D3 also extracts all the indicators from every alert and correlates them against the known attacker techniques in ATT&CK. This reveals the attacker’s likely intent, earlier steps that may have been overlooked, and other alerts that might be part of the same attack.
D3 has built ATT&CK intelligence into the core of its platform, with two new interfaces for leveraging this goldmine of data. The first is the “monitor” dashboard, which gives analysts a home screen from which to view all instances of each ATT&CK tactic and technique in their environment. This dashboard tells analysts exactly what the pressing issues are that need their attention. The second is the “investigate” dashboard, for when analysts need to drill down on a specific incident. This dashboard is where they can expand the web of correlated events, view an incident timeline, and trigger an automated playbook at any point.
To see how basic and advanced incident response automation work together in D3 SOAR, schedule a demo today.