Automating Cloud Incident Response: Putting an A in SOAR

Whenever security people talk about automating anything, the conversation inevitably shifts to Security Orchestration, Automation and Response (SOAR). These systems have long been the Swiss Army Knife of the SOC, with the purpose of automating anything boring or manual. More often than not, though, they fall short when it comes to streamlining the end-to-end incident response process.

For example, let’s take a fairly common incident response workflow that could be greatly augmented with automation. 

Let’s say your EDR solution detects a bad file, one of the first things you’re going to do is look that file up in a threat intel provider like VirusTotal to understand what others know about it. For this scenario, you’d leverage your SOAR solution to define a playbook such that:

• The hash of that file is looked up in VirusTotal
• The initial detection is Enriched with this context from VirusTotal

Then, nine times out of 10, a human analyst reviews the VirusTotal lookup and the EDR alert and takes action against the offending system (e.g. isolate the host, etc.) The problem with this approach is that you're not really saving much time, an analyst still needs to manually review the alert to determine the best course of action. While looking up a hash in VirusTotal only takes a couple of seconds, it could be hours before an analyst reviews the alert, investigates it and decides how to respond. While some automation was implemented, your overall Mean Time To Respond (MTTR) hasn't reduced.

Now, if you’re willing to throw caution to the wind, you could in theory further speed up this workflow by leveraging your SOAR solution to automatically Respond, if a certain threshold is hit.

However, we all know that in reality very few organizations are eager to automatically isolate systems or take other remediation actions solely based on an EDR detection +VirusTotal context. False positives are too common, and VirusTotal is not intended as a detection technology. However, in many cases, digging deeper beyond the visibility provided by your EDR and threat intelligence feeds simply takes too much time and effort.

So what can we do?

In the world of Incident Response, SOAR as it's currently implemented isn’t going to result in automated response — so, what’s the point of SOAR? We’ve all seen plenty of talks on how “SOAR is dead" "long live SOAR” and “SOAR has failed to meet the promise of security automation”.  

The reality is that there’s a key step that SOAR is missing between Orchestration (getting tools and teams to work together) and Automated Response. And this step is fundamentally about confirming or denying the initial alert detection. In this case, this means identifying if a system has actually been compromised with sufficient evidence.

To implement automated response actions, organizations need to also automate many of the investigative steps a human analyst would take to answer the following questions with high confidence:

• Has an incident occurred? i.e. Confirm the alert is not a false positive.
• What was the root cause of the incident? (To be able to fully mitigate and close any gaps to prevent reoccurrence).

Performing this level of analysis automatically will give security teams greater confidence in their ability to also automate initial response actions. Much more so than simply relying on a detection alert and threat intelligence context of the known bad. In order to automate response actions, security teams need to be able to analyze and draw conclusions from a much richer dataset -- and quickly. Before responding, analysts want to know:

• What other known bad files are lurking on that system?
• What commands have been executed that might reference bad things?
• What obfuscation techniques are being deployed?
• Is there vulnerable software running that enabled the incident?
• Were data or credentials exfiltrated?

This is where automation really becomes useful. Gathering, processing, and analyzing all of the data required to answer these questions is time consuming.

By implementing automation to draw critical conclusions from a complex and robust data set, organizations can also consider automated response, greatly reduce Mean Time to Resolution, and have a much larger impact on reducing business risk.

If you’re interested in seeing how Cado can help add these missing steps from your SOAR platform, give our free trial a go.