In any SOC, there are certain incident types that cause the biggest headaches and tie up the most resources. Smart SOAR comes equipped with out-of-the-box playbooks for the most common use-cases, with the flexibility to adapt to your exact needs. Codify industry best practices and your internal expertise in unique automation-powered workflows that combat the most pressing threats in your environment.
Assessing potential phishing incidents is one of the most essential SOAR use cases, because (1) most major breaches still begin with social engineering, and (2) large organizations deal with a very high volume of genuine or suspected phishing attempts. With Smart SOAR, when a phishing attempt is reported to the SOC, an analyst can trigger an automated phishing playbook that parses out the elements of the email, including the potentially malicious attached file. The file is then uploaded to a sandbox for analysis and risk scoring. If it is confirmed as a genuine incident, Smart SOAR can then orchestrate the appropriate response. Smart SOAR reduces the required manual steps to just a few clicks, enabling you to efficiently assess every potential phishing incident.
Smart SOAR helps companies investigate suspected ransomware incidents, confirm true positives, and take the appropriate steps to minimize the impact. The initial threat point for ransomware attacks is typically phishing. Threat actors use this attack vector to install malware or backdoors (e.g. Cobalt Strike /external calls to Dropbox). As described in the Phishing use case, Smart SOAR streamlines investigation of and response to phishing incidents. When potential ransomware is detected by an EDR or other tool, Smart SOAR will run a malware triage playbook, based on NIST and US government best practices. If ransomware is confirmed, a nested playbook will locate any other instances of the malicious file and quarantine the affected hosts. The playbook will also block the hash on the network and firewall.
Cryptojacking—hijacking a machine to run cryptomining scripts—is a common attack against enterprise cloud environments, such as AWS EC2 instances. Cryptomining scripts can potentially be detected by Amazon GuardDuty or an application performance monitoring tool like Datadog APM, but neither tool has the ability to fully investigate and remediate the threat on its own. Cryptojacking alerts can be automatically escalated to Smart SOAR from the detection tool, or an unconfirmed case could be pushed to Smart SOAR for further investigation. In either case, Smart SOAR would retrieve the event and run a prebuilt automation-powered playbook for cryptojacking, which includes domain analysis and EC2 instance analysis.
Without a unified dashboard to connect endpoint alerts to SOAR capabilities, security teams are stuck in disjointed response processes that lack important context, necessitate constant switching between screens, limit investigative ability, and prevent proper tracking and reporting. When a potentially compromised endpoint is detected in an EDR, NextGen SOAR can determine the risk level and orchestrate a response. NextGen SOAR can detonate the suspicious file in a sandbox, query endpoints for other instances of the file, and take remediation actions such as removing the file, blocking the hash, and quarantining endpoints.
Without a system for assessing and remediating vulnerabilities, security teams are left trying to make sense of each vulnerability scan and determine the appropriate ad hoc response process. NextGen SOAR solves these issues by feeding vulnerability scans into automation-powered response workflows. When an integrated vulnerability management tool runs a scan across endpoints and detects a vulnerability, NextGen SOAR reads and parses the scan report and generates an incident response playbook. The user can notify the necessary teams from NextGen SOAR or generate an IT ticket to schedule a patch or update. If the organization has existing scripts for patch management, the playbook can trigger those directly.
Every organization spends a great deal on security tools, but how do they know if the tools are actually detecting malicious activity? Without regular testing, vulnerabilities can easily go undiagnosed. However, many organizations don’t have the budget for a dedicated red team or the internal resources to run frequent attack simulations. Smart SOAR integrates with AttackIQ so that clients can run simulations of their most high-risk attack types to ensure they are being prevented by security tools. Smart SOAR can then ingest the test results and automatically orchestrate the next steps, such as querying SIEM logs for more information, or sending email notifications to system administrators to check tool configurations.
SIEM events require contextualization to determine their validity and criticality. Typically, that requires analysts to query for additional information or copy and paste threat intelligence from other tools into a case repository. Too many mundane tasks taking too much time ends up giving your adversaries an advantage. Our feature-rich, bidirectional integrations with multiple SIEM vendors, including cloud and on-premise SIEMs helps you validate alerts generated by your SIEM automatically, taking the burden off your analysts.