


The 2019 Security Orchestration, Automation and Response (SOAR) Solutions Market Guide released by the consulting firm Gartner states that “by 2022, more than 30% of security companies with a security team of more than 5 people will use SOAR (Security Orchestration, Automation and Response) solutions”. Today we introduce how enterprises can use the NSFOCUS SOAR system to complete security orchestration and automated response within three minutes.
Enterprise pain points and demands in security operations, seen through the security incident handling process
In traditional enterprise security operations and maintenance, incident handling generally follows this process:
Table: Traditional security operation and maintenance process
After the above seven steps, the handling of an information security incident is complete. Multiple departments with different roles participate in this process; the handling is cumbersome, its efficiency is difficult to quantify, and the handling of different kinds of incidents is difficult to standardize.
At the same time, enterprises often face the following pain points in security operations and maintenance: too many alarms, in which the valid ones are drowned out, so that security incidents are hard to handle in time; a shortage of security analysis and handling professionals; security analysis experience that is difficult to solidify, so that security experts easily get stuck in repetitive handling work and cannot deliver their true value; and, most importantly, traditional security response that is constrained by process and staffing and takes too long.
Therefore, enterprises have added the following demands as their security operations develop and evolve:
Improve the signal-to-noise ratio: increase the share of effective, high-fidelity alarms, so that limited security expert resources can focus on real risks and issues.
Reduce MTTR: solidify the security handling process, continuously accumulate operational experience and keep operating it, so that response and handling time keeps falling.
NSFOCUS SOAR security orchestration and automated response solution
Picture: NSFOCUS SOAR component entrance
The ISOP intelligent security operation platform has integrated the SOAR security orchestration and automated response function. From the Operations and Maintenance Response / Linked Orchestration portal of the NSFOCUS ISOP Intelligent Security Operation Center, enterprises can use the security orchestration and automated response functions to begin their automated security orchestration response journey.
Picture: NSFOCUS SOAR security orchestration and automated response solution
The SOAR component in ISOP deeply integrates people, security technology and processes through visual orchestration. It solidifies manual operations and maintenance experience into Playbook scripts that are connected in series and in parallel to build a workflow for security incident handling, automatically triggering different security devices to perform response actions. Case management is based on a more comprehensive, end-to-end understanding of the security event context, helping enterprises turn complex incident response processes and tasks into consistent, repeatable, measurable and effective workflows, and turning passive emergency response into automated continuous response.
Five core capabilities help enterprises achieve orchestrated security response

1. Full life cycle case management
Figure: Case management
The case is the most basic function in the SOAR component. It runs through the entire security incident handling life cycle, covering the selection and execution of the log sources, security rules, intelligence forensics and incident handling Playbook scripts required to analyze and judge an information security incident. As long as an enterprise's alarm events can be matched to a case, automated response handling can be completed. Cases carry a more comprehensive, end-to-end understanding of the security event context, which helps convert complex incident response processes and tasks into consistent, repeatable, measurable and effective workflows.
In enterprise security operations, common security events can be mapped to SOAR cases of different categories. Cases of the same nature (such as mining, intrusion, denial of service, extortion (ransomware), phishing, hotlinking, information leakage, etc.) can use a similar handling method. The case process handling function can assign different Playbook scripts to cases of different natures and supervise their execution to complete an automated closed-loop response to enterprise security incidents.
2. Visual drag-and-drop security orchestration
Figure: Visual case orchestration 1
Figure: Visual case orchestration 2
The SOAR component in ISOP has built-in cases for some common attacks. In addition, enterprises can quickly create cases and their corresponding Playbook scripts through visual drag-and-drop orchestration. There are often dependencies between the different steps of security investigation and judgment, and laying out the analysis process by visual drag and drop gives security handling its context, avoiding the jumps between different pages common in traditional operations and maintenance and reducing the complexity of incident handling. Once a case is created and activated, subsequent events that hit the case can be handled automatically, reducing the cost of collaborative communication and process flow between departments.
Figure: Case Disposal Process Tracking
A case helps enterprises keep a streamlined, continuous record of the investigation, analysis and response handling of a set of related events. While a case executes, the execution status of each intermediate step (successful, executing, failed) is shown in the visual orchestration process, making the end-to-end operations and maintenance process visible.
3. Playbook script automated processing
Figure: Script Playbook running status
A Playbook script is the equivalent of a security engineer's workflow; it drives the automated closed-loop handling of events matched to a case. The ISOP SOAR module may execute multiple scripts concurrently, and the running status of the different scripts (executing, executed successfully, failed) can be viewed globally through the interface.
An enterprise's experience of the incident handling process can be solidified into Playbook scripts and applied to automated response handling. Handling actions can include device blocking, work order dispatch, email notification and so on, freeing security experts from tedious and repetitive security operations and maintenance work.
4. Plug-in integration of response devices
The "last mile" of automated security orchestration response, the blocking action, is generally executed by security devices. The NSFOCUS ISOP one-click blocking module has already accumulated a large number of response devices, such as firewalls, ADS, UTS, IDS, WAF and others, with response actions including session blocking, IP banning, domain name blacklisting, traffic diversion and cleaning, etc. These devices can be driven directly by the SOAR module without secondary development, in plug-and-play fashion. For a third-party device, you only need to develop a plug-in based on the northbound management and control interface that the device provides to complete its automated linked orchestration response.
Security devices connected to the SOAR system can complete automated response handling through Playbook script calls, without security operations and maintenance personnel having to log in to each device separately to configure blocking policies.
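As an added illustration (not NSFOCUS or ISOP code; every class, method and field name here is an assumption), the following Python models the flow described in sections 1 to 4: a constructed alarm event is matched to a case, the case's Playbook runs its steps in series, each step's status is tracked (pending, executing, success, failed), and the steps call simulated device plug-ins standing in for a device's northbound control interface.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

EVENT = {"category": "mining", "src_ip": "198.51.100.23", "host": "web-01"}  # constructed alarm

class DevicePlugin:
    # Simulated plug-in for one response device's northbound control interface
    def __init__(self, name: str, fail_on=()):
        self.name, self.fail_on, self.calls = name, set(fail_on), []
    def act(self, action: str, target: str) -> str:
        self.calls.append((action, target))   # record what the device was asked to do
        if action in self.fail_on:            # simulate the device rejecting the action
            raise RuntimeError(f"{self.name}: {action} rejected")
        return f"{self.name}: {action} {target}"

@dataclass
class Step:
    name: str
    run: Callable[[dict], str]
    status: str = "pending"   # pending -> executing -> success / failed

@dataclass
class Playbook:
    steps: List[Step]
    def execute(self, event: dict) -> Dict[str, str]:
        for step in self.steps:          # serial steps: each depends on the previous one
            step.status = "executing"
            try:
                step.run(event)
                step.status = "success"
            except Exception:
                step.status = "failed"
                break                    # later steps stay pending for manual follow-up
        return {s.name: s.status for s in self.steps}

class CaseManager:   # maps an event category to an activated case (its Playbook)
    def __init__(self):
        self.cases: Dict[str, Playbook] = {}
    def handle(self, event: dict):
        case = self.cases.get(event["category"])
        return case.execute(event) if case else None   # no case hit -> manual triage

def build_case_manager(firewall: DevicePlugin, ticketing: DevicePlugin) -> CaseManager:
    # Mining case: ban the source IP on the firewall, then open a work order
    cm = CaseManager()
    cm.cases["mining"] = Playbook([
        Step("ban_ip", lambda e: firewall.act("ip_ban", e["src_ip"])),
        Step("open_ticket", lambda e: ticketing.act("work_order", e["host"])),
    ])
    return cm
```

A rejected blocking action leaves the later work-order step pending, which is the status the visual orchestration view would surface for an operator to pick up.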
5. Large-screen display of automated operations and maintenance
Picture: Large screen display of automated operation and maintenance
The automated operations and maintenance large screen presents an overview of the enterprise's automated response handling from a global perspective, such as automated response operating efficiency, case incident statistics, case incident handling trends and script execution information, displaying operations and maintenance indicators in a measurable, quantifiable way.
The value that NSFOCUS SOAR system brings to enterprise security operations
1. Reduce security incident handling time (MTTR)
For known case events, the case matching trigger mechanism lets enterprises complete the security orchestration and automated closed-loop response process in three minutes.
Table: Comparison of traditional operation and maintenance timeliness and automated operation and maintenance response time
2. Free security operations and maintenance personnel from repetitive work
Consolidate the experience of security experts into Playbooks to automate the entire analysis, judgment and handling process for known attacks, so that security experts can devote their energy to red-blue confrontation, threat hunting, threat modeling, APT analysis, vulnerability mining and other work that requires advanced security skills, creating higher value for enterprise security operations and maintenance.
3. Standardize the security disposal process and reduce the cost of collaborative communication between departments.
The essence of the SOAR system is the selection of investigation, judgment and handling strategies for different threat scenarios; this is also where the core value of Playbooks in the contest between offense and defense shows. Standardized operations and maintenance processes are the prerequisite for solidifying Playbook scripts. SOAR Playbooks can serve as a starting point for standardizing complex and irregular handling processes and consolidating the standardization of enterprise information security operations.
The above is the detailed content of "How to Easily Complete Enterprise Security Orchestration Response (SOAR)". For more information, please follow other related articles on the PHP Chinese website!