Accelerate Incident Response with Security Orchestration and Automation


These days, it seems like vulnerabilities or new attacks are constantly in the news, meaning security professionals are constantly responding to incidents. With so many assets to protect (devices, web apps, servers, etc.), it’s hard to prioritize what should be tackled first and then address issues in a timely manner.

Fortunately, security orchestration, automation and response (SOAR) can be a saving grace for many resource-strapped or highly targeted companies. In this post, you’ll learn:

How orchestration and automation can be used to improve incident response plans
The most prevalent orchestration and automation incident response use cases
Tips for identifying when it is appropriate to apply orchestration and automation

How SOAR improves incident response capabilities

A security orchestration and automation solution offers incident response capabilities that enhance many areas of a security program. There are three benefits in particular to highlight:

1. Improved response uptime

What if a clean backlog meant your team could respond to every event it is supposed to respond to? When configured properly, security orchestration and automation workflows prevent the cyclical pileup of new security events by handling routine issues automatically. In most cases, these events require a simple follow-up, such as a quick patch, a routine password reset, or the deprovisioning of a user, but they regularly take a backseat to other priorities. Security orchestration and automation tools let you dictate which tasks are handled automatically, instead of letting them accumulate and putting your overall security posture at risk.

2. Reduced margin for error

User error is real, and if you’ve ever been in the trenches responding to alert after alert (most of which end up being false positives, anyway), you know what it’s like when alert fatigue sets in and details begin to slip through the cracks. With security orchestration and automation, most alerts can be handled automatically—and because machines excel at following monotonous, step-by-step routines, they’re arguably the better candidates for this.

For example, security orchestration and automation tools can regularly aggregate malicious domains from various threat feeds and add entries to a DNS sinkhole, so that malware cannot reach its command-and-control infrastructure and devices are kept from getting infected in the first place. Because feeds differ in format and quality, the workflow should validate each entry and check it against an allowlist before it is sinkholed; an unvetted feed entry can just as easily block a legitimate service as a malicious one. And even if a device does get hit, automation can kick in to immediately detect and then quarantine the affected asset to prevent the threat from persisting. With processes like this in place, you can greatly reduce your risk while knowing that every step in the process is handled.
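The feed-to-sinkhole step described above, as an added example that is not code from the original post or from Rapid7. It aggregates domains from three feed formats (plain list, hosts-file style, CSV with a confidence column), normalizes and validates them, drops allowlisted names and their subdomains, and renders a BIND response-policy zone (RPZ) that answers the domain and its subdomains with a sinkhole address. The feed contents, domains, allowlist, confidence threshold and sinkhole IP are all constructed for the example.

```python
"""Aggregate threat-feed domains into a DNS sinkhole (RPZ zone).
Feeds, domains, allowlist and sinkhole address are constructed for this example."""
import ipaddress
import re
from typing import Iterable, List, Optional, Set

# Constructed sample feeds (hypothetical indicators). Real feeds mix formats:
# bare domains, hosts-file lines, CSV with a confidence score, comments.
FEED_A = """# feed A: one domain per line
malware-c2.example
UPDATE.bad-cdn.example.
not a domain!!
"""
FEED_B = """# feed B: hosts-file format
0.0.0.0 dropper.example
127.0.0.1 google.com
"""
FEED_C = """indicator,confidence
payload.example,90
lowconf.example,20
10.0.0.5,95
"""

ALLOWLIST: Set[str] = {"google.com", "microsoft.com"}  # never sinkhole these (assumed)
MIN_CONFIDENCE = 50                                     # assumed feed score cut-off

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_domain(value: str) -> Optional[str]:
    """Lower-case, strip the trailing dot, and reject anything that is not a
    valid hostname. Bare IPs are rejected: they do not belong in a DNS sinkhole."""
    d = value.strip().lower().rstrip(".")
    if not d or len(d) > 253:
        return None
    try:
        ipaddress.ip_address(d)
        return None
    except ValueError:
        pass
    labels = d.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return None
    return d


def parse_feed(text: str) -> Iterable[str]:
    """Yield candidate domains from a feed in plain, hosts-file or CSV form."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "," in line:                      # CSV: indicator,confidence
            parts = [p.strip() for p in line.split(",")]
            if parts[0].lower() == "indicator":
                continue                     # header row
            try:
                if int(parts[1]) < MIN_CONFIDENCE:
                    continue
            except (IndexError, ValueError):
                continue
            yield parts[0]
        else:
            yield line.split()[-1]           # "0.0.0.0 domain" or a bare domain


def aggregate(feeds: Iterable[str], allowlist: Set[str] = ALLOWLIST) -> List[str]:
    """Deduplicated, validated, allowlist-filtered sinkhole set, sorted for stable diffs."""
    out: Set[str] = set()
    for feed in feeds:
        for cand in parse_feed(feed):
            d = normalize_domain(cand)
            if d is None or d in allowlist:
                continue
            if any(d.endswith("." + a) for a in allowlist):  # subdomain of an allowlisted name
                continue
            out.add(d)
    return sorted(out)


def rpz_zone(domains: List[str], sinkhole_ip: str = "10.255.255.1") -> str:
    """Render a BIND RPZ zone: each domain and its subdomains resolve to the sinkhole."""
    lines = ["$TTL 300",
             "@ IN SOA localhost. root.localhost. 1 3600 900 604800 300",
             "@ IN NS localhost."]
    for d in domains:
        lines.append(f"{d} IN A {sinkhole_ip}")
        lines.append(f"*.{d} IN A {sinkhole_ip}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(rpz_zone(aggregate([FEED_A, FEED_B, FEED_C])))
```

The allowlist check runs after normalization so a feed entry such as `127.0.0.1 google.com` (a common hosts-file artefact) is dropped rather than sinkholed, and low-confidence CSV rows never reach the zone.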

3. Simplified remediation playbooks

Remediation playbooks are often quite complex and involve multiple tools that take time to integrate (often by manually copying and pasting inputs from one tool to another). Because they carry many steps needed to keep compliance, logging, documentation, and communication streamlined and structured, they increase the risk of an essential step slipping through the cracks. By leveraging a security orchestration, automation and response solution, you can simply plug your tools into pre-designed workflows and the machines handle the rest, with no human intervention required unless you designate a decision point.

Additionally, there’s usually no central hub from which to view workflow progress across tools. This requires security teams to jump from tool to tool to parse through the data and generate a response manually, a process we all know is prone to error—and quite frustrating. Speed and accuracy are gold when it comes to incident response, but if information and workflows are decentralized and uncoordinated, that can hinder progress and security. Thankfully, this is another area in which security orchestration and automation shines. Orchestration is able to take a complex set of steps and automate the execution of them, ensuring no step slips and reporting the status of the workflow in real-time.

Related blog: “Security Orchestration and Automation: What’s the difference?”

Automation in action: Common incident response use cases

Automation use cases are limitless; here are some of the most common ones:

Phishing attacks

Phishing attacks are among the most common security threats to companies today. For some, it’s a constant bombardment (talk about alert fatigue). Once a phishing email is detected, the next step is to remove the email from whichever inboxes it appeared in. There is almost no situation in which you wouldn’t want to pull a phishing email out of users’ reach, but it’s also a mundane, routine response task that often gets overshadowed by bigger tasks. In practice, the copies should be quarantined rather than hard-deleted so the evidence is preserved for the investigation, and the search should match on several indicators of the reported message (sender, Message-ID, embedded URLs) rather than the subject line alone, or legitimate mail will be swept up with it. Security orchestration and automation can take tasks like these and put them into motion behind the scenes while your team works on the rest of the investigation and response, ensuring the email is handled and speeding up the response time.
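The mailbox purge described above, as an added example that is not code from the original post or from Rapid7. It derives indicators from the reported message, matches other copies on Message-ID alone or on sender plus a second indicator (shared URL or identical subject), and removes the hits from every mailbox, returning a per-mailbox report. The mailbox store, addresses, domains and message contents are constructed in memory; a real playbook would call the mail platform’s search and quarantine API instead.

```python
"""Purge a reported phishing email from every mailbox it reached.
Mailboxes, addresses and message contents are constructed for this example."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Set

_URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


@dataclass
class Message:
    message_id: str
    sender: str
    subject: str
    body: str


@dataclass
class Indicators:
    message_id: str
    sender: str
    urls: Set[str]
    subject_hash: str


def _urls(body: str) -> Set[str]:
    return {u.rstrip(".,)").lower() for u in _URL.findall(body)}


def _subject_hash(subject: str) -> str:
    return hashlib.sha256(subject.strip().lower().encode()).hexdigest()


def extract_indicators(msg: Message) -> Indicators:
    """Turn the reported message into indicators that other copies will share."""
    return Indicators(msg.message_id, msg.sender.lower(), _urls(msg.body), _subject_hash(msg.subject))


def matches(msg: Message, ind: Indicators) -> bool:
    """A copy matches on Message-ID alone, or on sender plus a second indicator
    (shared URL or identical subject). Subject alone is deliberately not enough:
    'Action required: mailbox full' would also purge a legitimate reminder."""
    if msg.message_id == ind.message_id:
        return True
    if msg.sender.lower() != ind.sender:
        return False
    return bool(_urls(msg.body) & ind.urls) or _subject_hash(msg.subject) == ind.subject_hash


def purge(mailboxes: Dict[str, List[Message]], reported: Message) -> Dict[str, List[str]]:
    """Remove matching copies from every mailbox; return {mailbox: [message_ids removed]}."""
    ind = extract_indicators(reported)
    removed: Dict[str, List[str]] = {}
    for owner, msgs in mailboxes.items():
        hits = [m for m in msgs if matches(m, ind)]
        if hits:
            removed[owner] = [m.message_id for m in hits]
            msgs[:] = [m for m in msgs if m not in hits]   # in a real run: move to quarantine
    return removed


# Constructed sample data (hypothetical addresses and domains).
PHISH_BODY = "Your mailbox is full. Verify at http://login-reset.example/verify to keep access."
REPORTED = Message("<p1@evil.example>", "it-helpdesk@evil.example",
                   "Action required: mailbox full", PHISH_BODY)


def sample_mailboxes() -> Dict[str, List[Message]]:
    """Fresh copy of the mailbox store so repeated runs start from the same state."""
    return {
        "alice": [REPORTED,
                  Message("<a1@corp.example>", "bob@corp.example", "Lunch?", "Noon?")],
        # resent copy: new Message-ID, same sender, same URL and subject
        "bob":   [Message("<p2@evil.example>", "IT-Helpdesk@evil.example",
                          "ACTION REQUIRED: Mailbox full",
                          "Verify at http://login-reset.example/verify now")],
        # same subject, legitimate sender: must NOT be purged
        "carol": [Message("<c1@corp.example>", "carol@corp.example",
                          "Action required: mailbox full", "Reminder to archive old mail")],
    }


if __name__ == "__main__":
    print(purge(sample_mailboxes(), REPORTED))
```

Carol’s reminder shares the subject line with the phish but not the sender, so it survives the purge; Bob’s copy has a different Message-ID but the same sender and URL, so it is removed.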

Threat containment

As mentioned earlier, security orchestration and automation can quarantine a device to block network egress and lateral movement to other devices. User permissions may also need to be changed in order to stop a compromised account from executing malicious code, stealing data, or bringing down the site or app. Orchestration and automation can deprovision user accounts the moment a trigger event is detected, such as an escalation of privileges to admin or a malware detection. Because the same trigger can be fired by a legitimate administrative change, account-disabling steps are the usual place to keep a human decision point while the non-destructive steps (isolation, process termination) run immediately. It can also aid in endpoint remediation by automatically monitoring and killing processes, as well as tracking file permissions and changes. All of this can run in the background, handling key yet tedious tasks quickly and with far more consistency than a tired analyst.

Vulnerability patching

The likelihood that a vulnerability is exploited rises sharply in the first weeks after it is disclosed. Security orchestration and automation can assist in patching serious vulnerabilities as soon as a fix is released, eliminating the lag and closing the window in which an adversary can sneak in. You can maintain human decision points where needed, customize workflows to dynamically build a set of patches prioritized by severity and exploit availability, and alert the IT team that they’re ready for execution.
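The two workflows above (threat containment and patch rollout) share one mechanism: steps run in order, a step marked as a human decision point parks the run until it is approved, and the status of every step is visible at any moment, which is also the real-time workflow reporting the orchestration section describes. Below is an added example of a minimal playbook runner that implements this; it is not code from the original post or from any SOAR product. The event fields, host and user names, vulnerability records, severity threshold and every action are constructed, and each action is a stub that records what a real integration (EDR isolation, identity provider, patch manager, ticketing) would do.

```python
"""Minimal playbook runner with automatic steps, approval gates and per-step status.
Events, hosts, users, vulnerability records and actions are constructed for this example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Step:
    name: str
    action: Callable[[dict], str]   # returns a short result string
    needs_approval: bool = False    # human decision point


@dataclass
class Playbook:
    name: str
    trigger: Callable[[dict], bool]
    steps: List[Step]


@dataclass
class Run:
    playbook: str
    status: Dict[str, str] = field(default_factory=dict)   # step -> pending|done|awaiting_approval
    results: Dict[str, str] = field(default_factory=dict)


def execute(pb: Playbook, event: dict, approvals: Optional[Set[str]] = None) -> Run:
    """Run steps in order. A step that needs approval and has not been granted it
    stops the run (status 'awaiting_approval'); later steps stay 'pending', so the
    analyst can see exactly where the workflow is parked."""
    approvals = approvals or set()
    run = Run(pb.name, {s.name: "pending" for s in pb.steps})
    for step in pb.steps:
        if step.needs_approval and step.name not in approvals:
            run.status[step.name] = "awaiting_approval"
            break
        run.results[step.name] = step.action(event)
        run.status[step.name] = "done"
    return run


def dispatch(playbooks: List[Playbook], event: dict, approvals: Optional[Set[str]] = None) -> List[Run]:
    """Execute every playbook whose trigger matches the event."""
    return [execute(pb, event, approvals) for pb in playbooks if pb.trigger(event)]


# --- containment playbook: privilege escalation or malware detection ---------
def isolate_host(ev: dict) -> str:
    return f"isolated {ev['host']} (egress and lateral movement blocked)"

def kill_process(ev: dict) -> str:
    return f"killed pid {ev['pid']} on {ev['host']}"

def disable_account(ev: dict) -> str:
    return f"disabled {ev['user']} pending investigation"

CONTAINMENT = Playbook(
    "contain-compromised-host",
    trigger=lambda ev: ev["type"] in {"malware_detected", "privilege_escalation"},
    steps=[
        Step("isolate_host", isolate_host),
        Step("kill_process", kill_process),
        Step("disable_account", disable_account, needs_approval=True),  # may hit a legitimate admin
    ],
)

# --- patch playbook: build the patch set, notify IT, deploy only with sign-off --
VULNS = [  # constructed vulnerability records, not real CVE data
    {"id": "VULN-A", "severity": 9.8, "exploit_public": True,  "patch": "pkg-a-2.1"},
    {"id": "VULN-B", "severity": 5.3, "exploit_public": False, "patch": "pkg-b-1.4"},
    {"id": "VULN-C", "severity": 7.5, "exploit_public": True,  "patch": "pkg-c-3.0"},
]

def build_patch_set(ev: dict) -> str:
    """Select patches for findings with severity >= 7.0 or a public exploit,
    exploitable ones first, then by severity; stash the list on the event."""
    urgent = sorted((v for v in VULNS if v["severity"] >= 7.0 or v["exploit_public"]),
                    key=lambda v: (not v["exploit_public"], -v["severity"]))
    ev["patch_set"] = [v["patch"] for v in urgent]
    return ",".join(ev["patch_set"])

def notify_it(ev: dict) -> str:
    return f"ticket opened: {len(ev['patch_set'])} patches ready"

def deploy(ev: dict) -> str:
    return f"deployed {ev['patch_set']}"

PATCHING = Playbook(
    "patch-on-release",
    trigger=lambda ev: ev["type"] == "patch_released",
    steps=[Step("build_patch_set", build_patch_set),
           Step("notify_it", notify_it),
           Step("deploy", deploy, needs_approval=True)],
)

PLAYBOOKS = [CONTAINMENT, PATCHING]

if __name__ == "__main__":
    ev = {"type": "privilege_escalation", "host": "ws-042", "pid": 4711, "user": "jdoe"}
    for run in dispatch(PLAYBOOKS, ev):
        print(run.playbook, run.status)            # disable_account: awaiting_approval
    for run in dispatch(PLAYBOOKS, ev, approvals={"disable_account"}):
        print(run.playbook, run.status)            # all steps done
```

The first dispatch isolates the host and kills the process immediately but stops before disabling the account; re-dispatching with the approval granted completes the run. The patch playbook behaves the same way: the patch set is built and IT is notified automatically, while deployment waits for sign-off.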

You + SOAR = Incident response at scale

Automation is best used when it’s applied strategically to offload tedious, repetitive tasks and to enable your team to make better decisions and respond to the most important matters, faster. A complement to your existing team and workflows, it can help you improve your security posture and maximize your response operations.

Ready to experience the speed and power of SOAR technology on the incident detection and response lifecycle? Watch our on-demand demo.

About Rapid7
Rapid7 (NASDAQ:RPD) powers the practice of SecOps by delivering shared visibility, analytics, and automation that unites security, IT, and DevOps teams. The Rapid7 Insight platform empowers these teams to jointly manage and reduce risk, detect and contain attackers, and analyze and optimize operations. Rapid7 technology, services, and research drive vulnerability management, application security, incident detection and response, and log management for more than 7,000 organizations across more than 120 countries, including 52% of the Fortune 100.