- SOAR 101
In any SOC, there are certain incident types that cause the biggest headaches and tie up the most resources. XGEN SOAR comes equipped with out-of-the-box playbooks for the most common use-cases, with the flexibility to adapt to your exact needs. Codify industry best practices and your internal expertise in unique automation-powered workflows that combat the most pressing threats in your environment.
Assessing potential phishing incidents is one of the most essential SOAR use cases, because (1) most major breaches still begin with social engineering, and (2) large organizations deal with a very high volume of genuine or suspected phishing attempts. With XGEN SOAR, when a phishing attempt is reported to the SOC, an analyst can trigger an automated phishing playbook that parses out the elements of the email, including the potentially malicious attached file. The file is then uploaded to a sandbox for analysis and risk scoring. If it is confirmed as a genuine incident, XGEN SOAR can then orchestrate the appropriate response. XGEN SOAR reduces the required manual steps to just a few clicks, enabling you to efficiently assess every potential phishing incident.
XGEN SOAR helps companies investigate suspected ransomware incidents, confirm true positives, and take the appropriate steps to minimize the impact. The initial entry point for ransomware attacks is typically phishing. Threat actors use this vector to install malware or backdoors (e.g. Cobalt Strike, or external calls to Dropbox). As described in the Phishing use case, XGEN SOAR streamlines investigation of and response to phishing incidents. When potential ransomware is detected by an EDR or other tool, XGEN SOAR runs a malware triage playbook based on NIST and US government best practices. If ransomware is confirmed, a nested playbook locates any other instances of the malicious file and quarantines the affected hosts. The playbook also blocks the hash on the network and firewall.
Cryptojacking—hijacking a machine to run cryptomining scripts—is a common attack against enterprise cloud environments, such as AWS EC2 instances. Cryptomining scripts can potentially be detected by Amazon GuardDuty or an application performance monitoring tool like Datadog APM, but neither tool has the ability to fully investigate and remediate the threat on its own. Cryptojacking alerts can be automatically escalated to XGEN SOAR from the detection tool, or an unconfirmed case could be pushed to XGEN SOAR for further investigation. In either case, XGEN SOAR would retrieve the event and run a prebuilt automation-powered playbook for cryptojacking, which includes domain analysis and EC2 instance analysis.
Without a unified dashboard to connect endpoint alerts to SOAR capabilities, security teams are stuck in disjointed response processes that lack important context, necessitate constant switching between screens, limit investigative ability, and prevent proper tracking and reporting. When a potentially compromised endpoint is detected in an EDR, XGEN SOAR can determine the risk level and orchestrate a response. XGEN SOAR can detonate the suspicious file in a sandbox, query endpoints for other instances of the file, and take remediation actions such as removing the file, blocking the hash, and quarantining endpoints.
Without a system for assessing and remediating vulnerabilities, security teams are left trying to make sense of each vulnerability scan and determine the appropriate ad hoc response process. XGEN SOAR solves these issues by feeding vulnerability scans into automation-powered response workflows. When an integrated vulnerability management tool runs a scan across endpoints and detects a vulnerability, XGEN SOAR reads and parses the scan report and generates an incident response playbook. The user can notify the necessary teams from XGEN SOAR or generate an IT ticket to schedule a patch or update. If the organization has existing scripts for patch management, the playbook can trigger those directly.
Every organization spends a great deal on security tools, but how do they know if the tools are actually detecting malicious activity? Without regular testing, vulnerabilities can easily go undiagnosed. However, many organizations don’t have the budget for a dedicated red team or the internal resources to run frequent attack simulations. XGEN SOAR integrates with AttackIQ so that clients can run simulations of their most high-risk attack types to ensure they are being prevented by security tools. XGEN SOAR can then ingest the test results and automatically orchestrate the next steps, such as querying SIEM logs for more information, or sending email notifications to system administrators to check tool configurations.