What is SOAR

The acronym, SOAR, refers to security orchestration, automation, and response. SOAR is best described as an assembly of solutions and/or tools that give an organization the ability to gather security data from different sources, as well as the capability to respond to entry-level security threats without human intervention.

With the help of SOAR’s automation and orchestration of many security processes, it can address many major challenges that security teams are facing today. source

SOAR Use Cases

1. Phishing Attacks

Alerts to suspected phishing emails come from a variety of detection sources, such as SIEMs and logging services, as well as end-users who forward emails that look like they contain malicious content. As the SOAR platform aggregates the suspected phishing emails, it automatically triggers a process to inform affected end users about the possible malicious emails that are being investigated.

As part of the triage process, the SOAR platform extracts compromised indicators. By looking at the header and content of the email — such as the subject, email address, and attachments — the SOAR platform assigns an incident severity value and checks for reputation red flags by cross-referencing the data against external threat intelligence databases. If any malicious indicators are found, affected users are informed with instructions on what to do. The SOAR platform also scans all email accounts and endpoints to identify other instances of the malicious email and then deletes all instances. The SOAR platform then adds the malicious compromised indicators to blacklists tracked by other security tools.

In cases where malicious indicators are not detected, the SOAR platform checks if any attachments arrived in the suspected email and detonates them in a sandbox for further analysis. If that analysis doesn’t set off any alarms, the SOAR platform forwards the incident to the IT security team for manual investigation. If the team is satisfied that the email isn’t malicious, the SOAR platform sends an email to the affected user, notifying them of the false alarm.

2. Endpoint Attacks

Here, the SOAR platform ingests threat feed data from an endpoint detection tool and queries the tool for machine and endpoint names that have malicious indicators, such as SHA1, MD5, and SHA256. The SOAR platform then cross-references retrieved files and hashes with SIEM data and verifies whether any indicators were picked up and resolved by SIEM actions. The SOAR platform also notifies analysts if SIEM actions have already resolved any malicious indicators.

For any indicators that have not been picked up by the SIEM, the SOAR platform communicates with the same endpoint tool to run queries across multiple endpoints that kill malicious processes and remove infected files. After the queries have been run, the SOAR platform updates the endpoint tool database with new indicator information to eliminate repeat offenses.

3. Failed User Logins

When the number of failed logins on an end-user device exceeds the allowed maximum attempts (usually three to five attempts), the SOAR platform automatically informs the affected user and asks them to confirm whether they made the attempts. If the end-user responds with a “yes,” the SOAR platform resets the password and sends a new email to the affected user with revised login credentials.

If the end-user confirms that they were not the one making the failed login attempts, the SOAR platform sends a new email notifying them of the account takeover attempt. The SOAR platform also executes investigative actions such as extracting the IP and location where the failed attempts were made from and quarantining the affected endpoint.

4. Logins From Unusual Locations or Devices

When end-user logins occur from an unusual location or on a new device, the SOAR platform queries the VPN service for the originating IP address and checks the GeoIP lookup for each timestamp on those IPs. Queries can also be sent in cases when logins occur from two geographical locations at points in time that cannot realistically be traveled to as quickly as the two logins occur — such as a user account logging in from Boston and then from Los Angeles just 15 minutes later.

To reconcile the VPN data, the SOAR platform queries Active Directory for all email addresses and checks them against a cloud-access security broker (CASB) to retrieve IPs and once again gets GeoIP to look up each timestamp on the IPs. The SOAR platform then cross-references IPs gathered from the VPN service with IPs gathered from the CASB. When spotting a VPN IP from one country that differs from the country of the CASB IP, the SOAR platform sends an automated email to the affected user to confirm their location. If the user responds confirming the breach, the SOAR platform blocks the concerned IP and notifies the IT security team for further investigation.

5. SSL Certificate Management

For this use case, the SOAR platform queries a certificate management tool to check all endpoints for SSL certificates that have either expired or are nearing expiration. For problematic certificates, the SOAR platform pulls user details from the Active Directory of the affected user and sends an automated email to the user and their manager, informing them of the certificate in question and directing them to make updates.

The SOAR platform then rechecks the status of problematic certificates at a preset amount of time later to confirm if appropriate changes were made. If any certificates still haven’t been updated, the SOAR platform sends automated emails to the affected user, their manager, and other relevant administrators to escalate the situation.

6. Endpoint Diagnostics

Here, the SOAR platform identifies unmanaged endpoints, adds contextual notations, and opens a ticket to investigate the issue. If any endpoints are outside the scope of communications of agents, the SOAR platform attempts to kick-start the agents by using pings. If this fails, the SOAR platform notates its actions and opens a service incident ticket.

7. Vulnerability Management

After receiving a potential threat notification from a vulnerability management tool, the SOAR platform correlates the data with data from other relevant security tools and then adds notations on the newly gathered data. The SOAR platform also queries the vulnerability management tool for any diagnoses, consequences, and remediations tied to the vulnerability.

If any vulnerability context is found, it’s added to the incident data. Based on the gathered context, the SOAR platform calculates the severity of the incident and hands over control to security analysts for manual investigation and remediation of the vulnerability.

8. Compromised Indicator Hunting

For this use case, the SOAR platform ingests a list of compromised indicators as attached CSV or text files and extracts any compromised indicators (such as IPs, URLs, and hashes). The SOAR platform then hunts for the extracted compromised indicators on any threat intelligence tools that are deployed. Where applicable, the SOAR platform checks endpoints and identifies if any endpoint has been compromised by a malicious compromised indicator. If malicious indicators were found on any threat intelligence tool, the SOAR platform updates the databases of other tools and watch lists.

9. Malware Analysis

The SOAR platform ingests data from SIEMs, email boxes, threat intelligence feeds, and malware analysis tools, and then extracts any files that need to be detonated. The SOAR platform also uploads the file to the malware analysis tool, which detonates the malware and generates a report. If the file is found to be malicious, the SOAR platform updates relevant watchlists and takes further action such as quarantining infected endpoints, opening tickets, and reconciling data from other third-party threat feeds. source

iTM covers all aspects of cybersecurity from Home cyber security managed solutions to automated, manage threat intelligence, forensic investigations and cyber security training. Our objective is to support organisations and consumers at every step of their cyber maturity journey. Contact Us for more information.