Orchestration & Automation
What is SOAR?
Security Orchestration, Automation and Response (SOAR) refers to the automation layer of an XDR solution that reduces the mundane, repetitive work of responding to alerts and incidents. This ranges from simple notification workflows, to partial automation where the initial investigation tasks run automatically, to fully automated remediation workflows in which mitigation and remediation steps are carried out without a human in the loop.
Example Use Cases
The following are some example use cases for automated orchestration and response. This is not an exhaustive list, and Armor can also create custom playbooks for your specific use cases (see Custom SOAR Playbooks below).
Integration with Endpoint Solutions
It is common for incident responders to take action on affected endpoints to contain an attack. SOAR can be used to isolate a host, terminate a process, or block further execution of a binary on an affected endpoint in response to an alert or incident. It can also invoke any other capability exposed by the EDR solution (quarantining or removing files, blocking certain user interactions, and so on).
Integration with the Network Stack
In response to an incident, it may also be desirable to isolate a host from the network; this prevents lateral movement from a potentially infected host to other hosts on the same segment. You may also want to restrict outbound internet access from the host to stop it contacting C2/botnet nodes and exfiltrating data. These network policies can be applied in progressively more restrictive steps (for example, block outbound internet first, then east-west traffic, then full isolation) to minimize side effects on your applications while still prioritizing security.
Integration with your Applications
Your applications and business logic can be informed by the behavioral profiles built by the SIEM and analytics platform. For example, you can analyze traffic to your application and correlate it with any application telemetry you are also ingesting into the SIEM, then use those correlations to trigger actions in your application (such as blocking a specific user or presenting them with a CAPTCHA).
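The following is an added example, not code from the original page or from Armor's platform, of the edge-to-application correlation just described. It joins constructed WAF access records with constructed application authentication events on the client IP, builds a per-source profile, and picks the least disruptive response: a source that fails against many different accounts is blocked outright, while a single account with repeated failures gets a CAPTCHA so a legitimate but clumsy owner is not locked out. The thresholds, field names and sample records are assumptions for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample telemetry (not real traffic): edge/WAF access records and the
# application's own authentication events, both carrying the client IP so the SIEM
# can join them. Addresses are from the RFC 5737 documentation ranges.
WAF_LOG = [
    {"src_ip": "203.0.113.7", "path": "/login", "status": 401, "ua": "curl/8.0"},
    {"src_ip": "203.0.113.7", "path": "/login", "status": 401, "ua": "curl/8.0"},
    {"src_ip": "203.0.113.7", "path": "/login", "status": 401, "ua": "curl/8.0"},
    {"src_ip": "203.0.113.7", "path": "/login", "status": 401, "ua": "curl/8.0"},
    {"src_ip": "198.51.100.4", "path": "/login", "status": 401, "ua": "Mozilla/5.0"},
    {"src_ip": "198.51.100.4", "path": "/login", "status": 401, "ua": "Mozilla/5.0"},
    {"src_ip": "198.51.100.4", "path": "/login", "status": 200, "ua": "Mozilla/5.0"},
    {"src_ip": "192.0.2.9", "path": "/home", "status": 200, "ua": "Mozilla/5.0"},
]
APP_AUTH_LOG = [
    {"src_ip": "203.0.113.7", "user": "alice", "outcome": "fail"},
    {"src_ip": "203.0.113.7", "user": "bob", "outcome": "fail"},
    {"src_ip": "203.0.113.7", "user": "carol", "outcome": "fail"},
    {"src_ip": "203.0.113.7", "user": "dave", "outcome": "fail"},
    {"src_ip": "198.51.100.4", "user": "erin", "outcome": "fail"},
    {"src_ip": "198.51.100.4", "user": "erin", "outcome": "fail"},
    {"src_ip": "198.51.100.4", "user": "erin", "outcome": "success"},
]

SPRAY_ACCOUNTS = 3   # distinct accounts failing from one IP: password spraying (assumed threshold)
USER_FAILS = 2       # repeated failures on one account: challenge, don't block (assumed threshold)


def correlate(waf_log, app_log):
    """Build a per-source-IP profile by joining edge and application telemetry."""
    profiles = defaultdict(lambda: {"edge_401": 0, "fails": Counter(),
                                    "successes": set(), "agents": set()})
    for rec in waf_log:
        p = profiles[rec["src_ip"]]
        p["agents"].add(rec["ua"])
        if rec["path"] == "/login" and rec["status"] == 401:
            p["edge_401"] += 1
    for ev in app_log:
        p = profiles[ev["src_ip"]]
        if ev["outcome"] == "fail":
            p["fails"][ev["user"]] += 1
        else:
            p["successes"].add(ev["user"])
    return profiles


def decide_actions(profiles):
    """Pick the least disruptive application-side response for each source profile."""
    actions = []
    for ip, p in sorted(profiles.items()):
        if len(p["fails"]) >= SPRAY_ACCOUNTS:
            # Many accounts from one source: block the source, not the victims.
            actions.append({"action": "block_ip", "target": ip,
                            "reason": f"{len(p['fails'])} accounts failed, {p['edge_401']} edge 401s"})
            continue
        for user, n in sorted(p["fails"].items()):
            if n >= USER_FAILS:
                # Could be the owner mistyping or a targeted guess that succeeded:
                # a CAPTCHA / step-up challenge keeps a legitimate user in.
                hit = ", then success" if user in p["successes"] else ""
                actions.append({"action": "captcha", "target": ip, "user": user,
                                "reason": f"{n} failures{hit}"})
    return actions


if __name__ == "__main__":
    for act in decide_actions(correlate(WAF_LOG, APP_AUTH_LOG)):
        print(act)
```

The action records are what the SOAR playbook would hand to the application (a feature flag, a WAF rule, or a session attribute the login page checks); keeping the reason string with each action makes the suggestion reviewable by a responder before it is allowed to run unattended.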
Capturing Forensic Evidence
Collecting forensic evidence during the initial triage and investigation steps is critical. The task is both time-intensive and time-sensitive, which makes it an ideal candidate for automation. Depending on the type of incident, you may need to collect telemetry or data that is not regularly collected. You can integrate tools like osquery, which executes ad-hoc queries against target hosts, and pull the results back into the incident context. Because volatile data (running processes, open connections, logged-in sessions) is lost once a host is isolated, rebooted, or the process is killed, evidence collection should run before containment steps.
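As an added example (not code from the original page or from Armor), here is an osquery-based collection step of the kind described above. It chooses a query set by incident type, quotes indicators taken from the alert so that an attacker-chosen process name cannot rewrite the query, and parses osquery's JSON output into rows that can be attached to the incident. The `osqueryi` runner targets the local host; the `runner` parameter is there so the same code can be pointed at a fleet manager's distributed-query API (or, as in the usage below, a constructed stand-in for offline testing). The incident dictionary shape and labels are assumptions.

```python
import json
import subprocess


def sql_literal(value):
    """Quote an indicator taken from an alert for use in an osquery (SQLite) string
    literal. Alert fields are attacker-influenced (a process name can contain a
    quote), so doubling quotes keeps them from altering the collection query."""
    return "'" + str(value).replace("'", "''") + "'"


def build_queries(incident):
    """Choose osquery queries by incident type. Volatile state is listed first:
    it is gone once the host is isolated, rebooted or the process is killed."""
    queries = {
        "logged_in": "SELECT user, host, tty, time FROM logged_in_users;",
        "listening": "SELECT p.pid, p.name, p.path, l.port, l.address "
                     "FROM listening_ports l JOIN processes p USING (pid);",
    }
    if incident["type"] == "malware":
        names = ", ".join(sql_literal(n) for n in incident["process_names"])
        queries["suspect_processes"] = (
            f"SELECT pid, parent, name, path, cmdline FROM processes WHERE name IN ({names});")
        paths = ", ".join(sql_literal(p) for p in incident.get("paths", []))
        if paths:
            queries["suspect_hashes"] = f"SELECT path, sha256 FROM hash WHERE path IN ({paths});"
    elif incident["type"] == "account":
        user = sql_literal(incident["user"])
        queries["recent_logins"] = (
            f"SELECT username, host, time, type FROM last WHERE username = {user};")
        queries["shell_history"] = (
            f"SELECT h.time, h.command FROM shell_history h JOIN users u USING (uid) "
            f"WHERE u.username = {user};")
    return queries


def osqueryi(sql):
    """Default runner: local osqueryi with JSON output (one JSON array of rows)."""
    out = subprocess.run(["osqueryi", "--json", sql], capture_output=True, text=True, check=True)
    return out.stdout


def collect_evidence(incident, runner=osqueryi):
    """Run every query and return {label: rows}, ready to attach to the incident."""
    evidence = {}
    for label, sql in build_queries(incident).items():
        evidence[label] = json.loads(runner(sql) or "[]")
    return evidence


if __name__ == "__main__":
    # Constructed incident; running this for real requires osqueryi on PATH.
    incident = {"type": "malware", "process_names": ["svchost.exe"], "paths": ["/tmp/svchost.exe"]}
    for label, rows in collect_evidence(incident).items():
        print(label, len(rows), "rows")
```

Keep the raw rows as well as any summary: the process list with parent PIDs and command lines is what an analyst needs later to reconstruct the execution chain, and it cannot be re-collected after the host has been isolated.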
Disabling Suspicious Accounts
It is also common for incidents and alerts to reveal suspicious user and service accounts. Depending on the context, it may be preferable to disable these accounts while the investigation is underway. You can use the SOAR platform's integrations with your identity and cloud providers to disable users, roles, and API keys until the incident is contained. Prefer reversible actions (deactivating a key, attaching a deny policy) over deletion, so that a false positive can be undone and the credentials remain available as evidence.
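The following is an added example, not code from the original page or from Armor's integrations, of a reversible containment step for an AWS IAM user using the boto3 IAM client methods (`list_access_keys`, `update_access_key`, `delete_login_profile`, `put_user_policy`, `delete_user_policy`). It deactivates rather than deletes access keys, removes the console password, and attaches an inline deny-all policy; the policy name and the in-memory `FakeIAM` stand-in used to exercise it offline are assumptions.

```python
import json

# An explicit Deny wins over any Allow the user already holds and is evaluated on
# every request, so it also covers temporary credentials obtained with the user's
# own keys. Sessions of roles the user assumed are governed by the role's policies
# and must be contained separately. Inline so removal restores the user cleanly.
DENY_ALL = json.dumps({"Version": "2012-10-17",
                       "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]})
CONTAINMENT_POLICY = "soar-containment"   # assumed name


def contain_iam_user(iam, username):
    """Reversibly cut off an IAM user: deactivate keys, drop console login, deny all.
    `iam` is boto3.client("iam") or any object exposing the same method names."""
    log = []
    for key in iam.list_access_keys(UserName=username)["AccessKeyMetadata"]:
        if key["Status"] == "Active":
            # Deactivate rather than delete: the key ID stays on record for the investigation.
            iam.update_access_key(UserName=username, AccessKeyId=key["AccessKeyId"], Status="Inactive")
            log.append(f"deactivated access key {key['AccessKeyId']}")
    try:
        iam.delete_login_profile(UserName=username)
        log.append("removed console password")
    except iam.exceptions.NoSuchEntityException:
        log.append("no console password set")
    iam.put_user_policy(UserName=username, PolicyName=CONTAINMENT_POLICY, PolicyDocument=DENY_ALL)
    log.append(f"attached inline policy {CONTAINMENT_POLICY}")
    return log


def release_iam_user(iam, username):
    """Undo the deny once the account is cleared; keys stay inactive until rotated."""
    iam.delete_user_policy(UserName=username, PolicyName=CONTAINMENT_POLICY)


class FakeIAM:
    """Constructed in-memory stand-in for the boto3 IAM client, for offline testing."""
    class exceptions:
        class NoSuchEntityException(Exception):
            pass

    def __init__(self, key_ids, has_console):
        self.keys = {k: "Active" for k in key_ids}
        self.console = has_console
        self.policies = {}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s} for k, s in self.keys.items()]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status

    def delete_login_profile(self, UserName):
        if not self.console:
            raise self.exceptions.NoSuchEntityException()
        self.console = False

    def put_user_policy(self, UserName, PolicyName, PolicyDocument):
        self.policies[PolicyName] = PolicyDocument

    def delete_user_policy(self, UserName, PolicyName):
        del self.policies[PolicyName]


if __name__ == "__main__":
    # Constructed key IDs; swap FakeIAM for boto3.client("iam") to run against an account.
    fake = FakeIAM(["AKIAEXAMPLE000000001"], has_console=True)
    for line in contain_iam_user(fake, "svc-deploy"):
        print(line)
```

The returned log lines are meant to go straight into the incident timeline, and the deny-all policy is the step that takes effect immediately even if a key has already been used to mint temporary credentials.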
Cloud-Native Approach
In the same way that Armor focuses the SIEM component of the XDR solution on cloud-native technologies, the SOAR capabilities we deliver are also based on cloud-native runtimes such as Azure Functions, AWS Lambda Functions and Google Cloud Functions. We also support codeless applications such as Azure Logic Apps, Google AppSheet, and Amazon Honeycode.
By leveraging cloud-native runtimes, you’re free to move automation workloads to whatever platform best suits your needs. It also offers the flexibility of building and testing them in the same CI/CD pipelines you’re already using, without needing to emulate or duplicate proprietary runtime environments.
Progressive Automation
Not every scenario is ready for automation from day one. We recommend a progressive automation strategy: start with non-intrusive actions (such as notifications and evidence collection), then move to "suggested" commands that a responder reviews and approves before they run, and only once those suggestions have proven reliable allow them to execute automatically without review.
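Here is an added example, not code from the original page or from Armor's playbook engine, of how a playbook runner can enforce that progression. Each step carries an intrusiveness tier; a policy function decides how high a tier a given alert may reach unattended, steps above that tier are recorded as suggestions, and a responder's approval lets an individual suggested step run. Moving a step from "suggest" to "auto" is then a policy change, not a rewrite of the playbook. The tiers, the policy thresholds, and the constructed steps and alerts are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable

# Intrusiveness tiers, least to most (assumed). Steps at or below the tier the
# policy grants run unattended; anything above is suggested until approved.
NOTIFY, COLLECT, CONTAIN = 0, 1, 2


@dataclass
class Step:
    name: str
    tier: int
    run: Callable[[dict], str]   # takes the alert, returns a one-line result for the timeline


@dataclass
class Playbook:
    steps: list
    approvals: set = field(default_factory=set)   # step names a responder has approved


def max_unattended_tier(alert):
    """Policy: how far this alert may be automated without review. This is the dial
    that moves a playbook from 'suggest' to 'auto' as suggestions prove reliable."""
    if alert["severity"] == "critical" and alert["confidence"] >= 90:
        return CONTAIN
    return COLLECT


def run_playbook(playbook, alert):
    """Run permitted steps in order; return what ran and what is left for review."""
    allowed = max_unattended_tier(alert)
    executed, suggested = [], []
    for step in playbook.steps:
        if step.tier <= allowed or step.name in playbook.approvals:
            executed.append((step.name, step.run(alert)))
        else:
            suggested.append(step.name)
    return {"executed": executed, "suggested": suggested}


def build_playbook():
    """Constructed playbook; real steps would call your paging, EDR and IdP APIs.
    Evidence collection is deliberately ordered before any containment step."""
    return Playbook(steps=[
        Step("notify", NOTIFY, lambda a: f"paged on-call for {a['id']}"),
        Step("collect_evidence", COLLECT, lambda a: f"captured process/network state from {a['host']}"),
        Step("isolate_host", CONTAIN, lambda a: f"isolated {a['host']} via EDR"),
        Step("disable_account", CONTAIN, lambda a: f"disabled {a['user']}"),
    ])


if __name__ == "__main__":
    # Constructed alert with a mid-range confidence score.
    alert = {"id": "ALR-1", "severity": "medium", "confidence": 55, "host": "web-01", "user": "alice"}
    print(run_playbook(build_playbook(), alert))
```

Two properties matter in practice: the runner never skips the low-tier steps (a suggestion is still logged and the responder still gets paged), and approval is per step, so a responder can isolate the host while leaving the account disable for a second look.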
Custom SOAR Playbooks
At the Professional and Enterprise subscription levels, Armor includes the creation of custom SOAR playbooks. We’ll work with you to determine your automation goals and build the necessary integrations to achieve these. While these are included as part of the subscription price, each will be represented by its own statement of work with its own timeline, depending on the scope and complexity of the integration.