Making Your Incident Response Program SOAR With Threat Intelligence (Part 1)

Posted: 21st February 2019
By: The Recorded Future Team

In today’s cybersecurity environment, automated incident response (IR) has become essential so that businesses can discover attacks as quickly as possible and prevent, or at least limit, the damage done to digital assets. In this blog, we’ll examine how SIEM solutions have fallen short in helping to automate incident response, and how a new, more effective approach to incorporating better automation and threat intelligence is emerging — security orchestration, automation, and response (SOAR).

Today’s Technologies

As organizations look to digitally transform as much of their business as possible, automating tasks has become a big deal; the more organizations can let machines and applications handle routine tasks to free up time for humans to handle the edge cases that require deeper thought, all the better. This premise certainly holds true when it comes to security management programs — and more specifically, a security team’s incident response program.

Common sticking points for IR automation, however, are the technologies used for information security assessment, detection, and protection. These technologies often feed the incident response team with countless logs and events that are necessary to make the decisions that would then be considered for automation, but not always in a way that is either actionable or programmable.

Furthermore, the logs and events are either riddled with false positives, or they are missing the vital information that’s necessary to make the best decision in the first place. The decision for how to respond needs to be good enough not only for that event or incident at that moment in time, but also to stand the test of time, and ideally to inform strategy beyond the purely tactical firefighting that many organizations find themselves stuck in.

SIEMs Alone Can Fall Short

The challenge doesn’t stop there, however. Many organizations rely on security information and event management (SIEM) technologies alone to help them manage their IR programs. Most first-generation SIEM platforms provide worthwhile event collection, aggregation, normalization, and correlation, which reduces the noise a security response team deals with in the security operations center.

However, using these platforms and tools to respond to a breach, outbreak, or denial-of-service (DoS) attack often leaves security analysts holding the bag when it comes to finding the source of the activity or getting the context surrounding the event to understand its impact. It’s also difficult to analyze the scope and impact of the situation, identify the means required to stop the bleeding, protect the assets at risk, and repair any damage caused by the incident. And, of course, the analysts are also on the hook to determine what it will take to prevent a similar event in the future.

A survey conducted by the Ponemon Institute illustrates just how much large organizations struggle with SIEM solutions. The survey of SIEM users at 559 large organizations across the U.S. found that while 76 percent of respondents value SIEM as a security tool, just 48 percent are satisfied with the intelligence they get from it. Sixty-eight percent said that while their SIEM is useful, they would need additional staff to maximize its value.

So exactly how can you automate the “mess” of information that comes in when an incident occurs? Is it even possible? And, even if you can find the decision points that lend themselves to automation, can you trust that the data used to drive your automated decision-making is sufficient, accurate, timely, and relevant?

Many organizations don’t believe this is possible; they don’t trust SIEM systems to make the right decisions all of the time. Therefore, they keep their security analysts deeply entrenched in event and incident lists, leaving them to sift and dig through the logs and events as they attempt to work through their end-to-end IR process.

SOAR to the Rescue

In fairness, some mature organizations do believe it’s possible to make sense of the “mess” of information. Their answer to this challenge typically involves a SOAR solution.

In 2017, Gartner coined the term SOAR to describe the emerging category of platforms born of incident response, security automation, case management, and other security tools. According to ESG research, 19 percent of enterprise organizations have adopted security operations, automation, and orchestration technologies extensively, 39 percent have done so on a limited basis, and 26 percent are currently engaged in a project to automate or orchestrate security operations.

SOAR solutions combine both automation and orchestration (hence the name). Automation is used to programmatically execute a series of tasks without human intervention, and orchestration is used to integrate multiple, disparate security management and IT operational systems together to connect the automated tasks in a meaningful, actionable way.

There’s one additional component that’s required to make SOAR a realistic security solution: the data. This is where threat intelligence comes in — bringing timely, validated, and relevant threat data that is used to help make the best response decisions possible.

The key to making this all work is the IR workflows that tie together a SIEM solution such as Splunk, LogRhythm, or QRadar — alongside a SOAR solution such as DFLabs or SwimLane — with real-time threat intelligence such as Recorded Future. This requires security teams to look beyond the technology — and even extend their view beyond pure data processing — and develop a series of playbooks designed to tell the stories of threats and attacks, and how to handle them using the collection of tools, services, and humans they have available. A good playbook states which decisions are safe to automate outright (enriching an alert, closing a known false positive) and which need an analyst’s approval before a disruptive action such as blocking an address or isolating a host is taken. The workflows, if defined appropriately, enable security organizations to automate as much as possible and give humans the knowledge they need to validate responses and to pick up the slack if there are gaps in the automation.

The Importance of Threat Intelligence for MTTD and MTTR Metrics

In evaluating the value of SOAR solutions, two key metrics to apply include MTTD (mean time to detection) and MTTR (mean time to response). These numbers are key because many security breaches go undiscovered for months, giving hackers free rein and more time to access sensitive information. The faster you discover the breach, the less damage they can do.

And after a breach is discovered, it may still take a long time for IR teams to respond. They may be flooded with too much information, and they may lack the proper tools to conduct forensic analysis of breaches. This will delay their ability to pinpoint the cause of a breach and identify all the systems that have been impacted, which are essential to formally beginning the response process. The sooner the response, the better the breach can be contained.

The context provided by threat intelligence helps across all security functions; specifically in the case of incident response, it allows IR teams to evaluate alerts more quickly and confidently. Let’s say an alert comes in flagging a suspicious IP address. It could be worth blacklisting or investigating further, or it could be a false positive — it may take the IR team hours of manual research to come to a solid conclusion. And even then, their search may not be comprehensive. With a threat intelligence solution that automatically gathers and processes data from across the internet, this much-needed context is available in seconds instead of hours or days.
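The enrich-and-decide step described above, together with the MTTR metric from the previous section, as an added example (this is not Recorded Future’s, a SIEM vendor’s, or a SOAR vendor’s code). The threat intelligence feed is a constructed in-memory table of documentation-range IPs, the 0–99 risk score scale and the two decision thresholds are assumptions, and the alerts and timestamps are constructed sample data. The point it shows is that the playbook only auto-blocks on high-confidence context, routes the ambiguous middle band (and anything it cannot parse) to an analyst, and never acts on feed data for internal addresses.

```python
"""Enrich-and-triage playbook for a "suspicious IP" alert.

Added example, not Recorded Future's, a SIEM vendor's or a SOAR vendor's
code. THREAT_INTEL is a constructed stand-in for a threat intelligence
lookup; the 0-99 score scale, the thresholds, the internal ranges and the
sample alerts are all assumptions made for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
import ipaddress

# Constructed threat intelligence records. The IPs are from the RFC 5737
# documentation ranges; "rules" is the evidence behind the score.
THREAT_INTEL = {
    "203.0.113.10": {"score": 92, "rules": ["Recent C2 server", "Recent scanning"]},
    "198.51.100.7": {"score": 45, "rules": ["Historical spam source"]},
}

# Assumed decision thresholds: only high-confidence scores are auto-blocked;
# the middle band goes to an analyst instead of being acted on blindly.
BLOCK_THRESHOLD = 80
INVESTIGATE_THRESHOLD = 40

# Assumed internal address space: feed data is never used to block our own hosts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Alert:
    alert_id: str
    src_ip: str
    detected_at: datetime


@dataclass
class Decision:
    alert_id: str
    action: str                      # "block", "investigate" or "close"
    score: int
    context: list[str] = field(default_factory=list)
    needs_human: bool = False
    responded_at: datetime | None = None


def enrich(ip: str) -> dict:
    """Return the intel record for an IP; internal addresses always score 0."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    if any(addr in net for net in INTERNAL_NETS):
        return {"score": 0, "rules": ["Internal address"]}
    return THREAT_INTEL.get(ip, {"score": 0, "rules": ["No intelligence available"]})


def triage(alert: Alert, now: datetime) -> Decision:
    """Map one alert to an action using the enrichment context."""
    try:
        intel = enrich(alert.src_ip)
    except ValueError:
        # Garbage in the alert is a failure mode, not grounds to block or close.
        return Decision(alert.alert_id, "investigate", 0,
                        [f"Unparseable IP {alert.src_ip!r}"],
                        needs_human=True, responded_at=now)
    score, rules = intel["score"], intel["rules"]
    if score >= BLOCK_THRESHOLD:
        return Decision(alert.alert_id, "block", score, rules, responded_at=now)
    if score >= INVESTIGATE_THRESHOLD:
        return Decision(alert.alert_id, "investigate", score, rules,
                        needs_human=True, responded_at=now)
    return Decision(alert.alert_id, "close", score, rules, responded_at=now)


def run_playbook(alerts: list[Alert], now: datetime) -> list[Decision]:
    return [triage(a, now) for a in alerts]


def mean_time_to_respond(alerts: list[Alert], decisions: list[Decision]) -> timedelta:
    """MTTR for a batch: average of (responded_at - detected_at) per alert."""
    by_id = {a.alert_id: a for a in alerts}
    deltas = [d.responded_at - by_id[d.alert_id].detected_at for d in decisions]
    return sum(deltas, timedelta()) / len(deltas)


# Constructed sample data: four alerts detected over ten minutes, all
# triaged by the playbook twelve minutes after the first detection.
SAMPLE_T0 = datetime(2019, 2, 21, 9, 0, 0)
SAMPLE_NOW = SAMPLE_T0 + timedelta(minutes=12)


def sample_alerts() -> list[Alert]:
    return [
        Alert("A1", "203.0.113.10", SAMPLE_T0),                          # high risk
        Alert("A2", "198.51.100.7", SAMPLE_T0 + timedelta(minutes=5)),   # medium risk
        Alert("A3", "10.20.30.40", SAMPLE_T0 + timedelta(minutes=10)),   # internal host
        Alert("A4", "not-an-ip", SAMPLE_T0 + timedelta(minutes=10)),     # malformed alert
    ]


if __name__ == "__main__":
    alerts = sample_alerts()
    decisions = run_playbook(alerts, SAMPLE_NOW)
    for d in decisions:
        who = "analyst" if d.needs_human else "auto"
        print(f"{d.alert_id}: {d.action:<11} score={d.score:<3} ({who}) {d.context}")
    print("MTTR:", mean_time_to_respond(alerts, decisions))
```

In a real deployment the `THREAT_INTEL` dictionary is replaced by a call to the intelligence provider’s API and the `block` branch by a call to the firewall or EDR integration; the shape of the decision logic stays the same, and the thresholds should be tuned against your own false-positive history rather than copied from this example.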

To learn more about how Recorded Future can help organizations better understand and prevent threats, request a personalized demo today.