Companies considering purchasing a Security Orchestration, Automation and Response (SOAR) solution are often concerned that their existing incident response projects are not yet mature enough to implement a comprehensive platform with automation and orchestration capabilities. Starting from scratch can seem overwhelming when you have almost no foundation, especially if no one on the team has experience with incident response or security orchestration solutions.
No one wants to simply bolt automation onto an inefficient process, and if the existing way of handling security incidents is no longer adequate, entrenching it further with automation makes little sense.
If you want to improve your company's security operations but don't know where to start, the following steps may help you prepare to migrate to a SOAR platform.
1. Take stock of current operations
Companies that believe they have no incident response program are usually mistaken: with or without a SOAR or incident response platform, every company has some way of managing security incidents, even if it relies heavily on improvisation and ad hoc processes.
As you prepare to implement a SOAR platform, take some time to talk with company stakeholders to understand the current processes and how effective (or ineffective) they are. This should include an inventory of the tools already in use:
What is the existing infrastructure for IT and information security?
Are there any tools for data enrichment operations?
Once you know which tools are available, you can map them onto an incident response life cycle, such as the one described in NIST SP 800-61r2, and identify what the company is currently missing.
Next, review the incident response process or manual that the company follows. How does the security operations center (SOC) collaborate internally? How does it work with other teams such as IT and the data privacy organization? How does the company maintain legal and regulatory compliance during incident response? How do company teams handle today's common security incidents, such as phishing or malware?
If there are metrics available, review them carefully to identify what is working well and where improvements are needed. For example:
How long does it take to detect and respond to security alerts?
What activities take up too much of a security analyst’s time?
If no formal metrics are available, ask security analysts and managers to provide their own assessments.
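The two metrics questions above (time to detect and respond, and which activities consume analyst time) can be answered from ticket timestamps and a simple activity log. The following is an added example, not part of the original article: it computes mean and median minutes to acknowledge and to close alerts, overall and per incident type, and totals analyst time per activity so that recurring, time-consuming tasks stand out as automation candidates. The alert records, activity log and field names are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, median

# Constructed sample alert records (ISO 8601 timestamps, UTC). In practice these
# would be exported from the ticketing system or SIEM.
ALERTS = [
    {"id": "A1", "type": "phishing", "raised": "2024-03-01T09:00:00",
     "acknowledged": "2024-03-01T09:20:00", "closed": "2024-03-01T11:00:00"},
    {"id": "A2", "type": "malware", "raised": "2024-03-01T10:00:00",
     "acknowledged": "2024-03-01T10:10:00", "closed": "2024-03-01T13:00:00"},
    {"id": "A3", "type": "phishing", "raised": "2024-03-01T14:00:00",
     "acknowledged": "2024-03-01T15:00:00", "closed": "2024-03-01T15:30:00"},
    {"id": "A4", "type": "phishing", "raised": "2024-03-01T16:00:00",
     "acknowledged": "2024-03-01T16:30:00", "closed": "2024-03-01T18:00:00"},
]

# Constructed analyst activity log: (alert id, activity name, minutes spent).
ACTIVITIES = [
    ("A1", "triage-email", 15), ("A1", "check-url-reputation", 30),
    ("A2", "collect-host-artifacts", 60),
    ("A3", "triage-email", 10), ("A3", "check-url-reputation", 25),
    ("A4", "triage-email", 20), ("A4", "check-url-reputation", 40),
]


def minutes_between(start: str, end: str) -> float:
    """Elapsed minutes between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 60


def _summary(ack: list, close: list) -> dict:
    return {
        "count": len(ack),
        "mean_minutes_to_ack": mean(ack),
        "median_minutes_to_ack": median(ack),
        "mean_minutes_to_close": mean(close),
        "median_minutes_to_close": median(close),
    }


def response_metrics(alerts: list) -> dict:
    """Time-to-acknowledge and time-to-close statistics, overall and per type."""
    ack_all, close_all = [], []
    ack_by_type, close_by_type = defaultdict(list), defaultdict(list)
    for a in alerts:
        ack = minutes_between(a["raised"], a["acknowledged"])
        close = minutes_between(a["raised"], a["closed"])
        ack_all.append(ack)
        close_all.append(close)
        ack_by_type[a["type"]].append(ack)
        close_by_type[a["type"]].append(close)
    return {
        "overall": _summary(ack_all, close_all),
        "by_type": {t: _summary(ack_by_type[t], close_by_type[t]) for t in ack_by_type},
    }


def time_by_activity(activities: list) -> list:
    """(activity, total minutes, occurrences), most time-consuming first.

    Activities that recur often and eat the most minutes are the first
    candidates for automation or orchestration in a playbook."""
    totals, counts = defaultdict(int), defaultdict(int)
    for _alert_id, name, minutes in activities:
        totals[name] += minutes
        counts[name] += 1
    return sorted(((n, totals[n], counts[n]) for n in totals),
                  key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    m = response_metrics(ALERTS)
    print("overall:", m["overall"])
    for t, s in m["by_type"].items():
        print(t, s)
    for name, total, n in time_by_activity(ACTIVITIES):
        print(f"{name:25s} {total:4d} min over {n} alerts")
```

With real exports, compare the per-type medians against the targets the SOC has agreed with the business; the activity table is the list you bring into the vendor discussion in step 2.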
2. Find out which features are most applicable to your company and the platform that provides these features
There are many SOAR platforms on the market to choose from. To narrow down your choices, take some time to identify the features that are most critical to you. Which processes do you want to automate first? What is your security team's toughest problem? Are there recurring security incidents, data silos, or process bottlenecks? Your analysts can help you answer these questions.
Each platform has its own focus on security operations. These capabilities can be broadly divided into the following categories:
Alert management: Helps the SOC sort, evaluate and close the ongoing flow of security alerts from SIEM and other source systems.
Classification: Helps analysts make decisions by gathering contextual information from external and internal sources such as threat intelligence and historical event records.
Incident response: Includes playbooks, task management, link analysis and other functions that support an effective and repeatable response workflow.
Reporting and analysis: Supports automated or scheduled report generation, produces detailed SOC metrics, and provides customizable dashboards for different user roles.
Compliance and tracking: Audit trails, chain of custody, and common compliance reporting templates.
Case management: Features that let investigators collaborate with other teams, a catalog for storing related incident cases, guided investigative workflows, and evidence management.
3. Try drafting a playbook
Draft a playbook for your most critical use cases to gain a practical understanding of how you would use a SOAR platform. Then identify the steps that you feel could be enhanced with automation and orchestration.
Vendors and industry bodies publish example playbooks online that can serve as a reference for your steps. Evaluating the company's existing processes and discussing them with your analysts yields more valuable information, including which use cases are common or important. The most typical use cases, such as phishing, suspected data leaks, or malware infections, are a good starting point for your security environment.
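The following is an added example, not part of the original article or any vendor's product: a draft phishing playbook written as code, with each step tagged as automatable or analyst-only, and a runner that executes the automatable enrichment steps (URL extraction, flagging domains outside a corporate allowlist, hashing the attachment) and then stops at the first step that needs a human decision. The sample email, the corporate domain allowlist, and the step names are constructed assumptions for this example; a real playbook would pull these from the mail gateway and the SOAR platform's own step definitions.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample of a user-reported email (not a real message).
SAMPLE_EMAIL = {
    "from": "helpdesk@example.net",
    "subject": "Password expires today",
    "body": ("Reset your password at http://login.example.net/reset "
             "and review https://intranet.example.com/policy"),
    "attachment": b"%PDF-1.4 constructed sample attachment",
}

# Constructed allowlist of domains the company owns (assumption for this example).
CORPORATE_DOMAINS = {"example.com", "intranet.example.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_urls(body: str) -> list:
    """Pull http(s) URLs out of the message body."""
    return URL_RE.findall(body)


def url_domain(url: str) -> str:
    """Host part of a URL, lower-cased (no port/credential handling here)."""
    return url.split("://", 1)[1].split("/", 1)[0].lower()


# --- automatable steps: each receives and updates the shared context dict ---

def record_email(ctx: dict) -> None:
    ctx["sender"] = ctx["email"]["from"]
    ctx["subject"] = ctx["email"]["subject"]


def enrich_urls(ctx: dict) -> None:
    urls = extract_urls(ctx["email"]["body"])
    ctx["urls"] = urls
    # Anything not on the corporate allowlist is handed to the analyst as suspicious.
    ctx["suspicious_domains"] = sorted({url_domain(u) for u in urls} - CORPORATE_DOMAINS)


def hash_attachment(ctx: dict) -> None:
    # SHA-256 is what sandbox and threat-intel lookups typically key on.
    ctx["attachment_sha256"] = hashlib.sha256(ctx["email"]["attachment"]).hexdigest()


def notify_reporter(ctx: dict) -> None:
    ctx["reporter_notified"] = True


@dataclass
class Step:
    name: str
    automated: bool
    action: Optional[Callable[[dict], None]] = None


# Draft playbook: enrichment is automated, the verdict and containment stay manual.
PHISHING_PLAYBOOK = [
    Step("Record reporter and sender details", True, record_email),
    Step("Extract URLs and flag non-corporate domains", True, enrich_urls),
    Step("Hash attachment for sandbox and threat-intel lookup", True, hash_attachment),
    Step("Analyst reviews enrichment and records a verdict", False),
    Step("Contain: block sender and purge message if malicious", False),
    Step("Notify reporting user and close the ticket", True, notify_reporter),
]


def run_playbook(email: dict, playbook: list = PHISHING_PLAYBOOK) -> dict:
    """Run automated steps until the first manual one, then queue the rest."""
    ctx = {"email": email, "completed": [], "pending": []}
    for step in playbook:
        if step.automated and not ctx["pending"]:
            step.action(ctx)
            ctx["completed"].append(step.name)
        else:
            # Once a human decision is required, later steps wait on it.
            ctx["pending"].append(step.name)
    return ctx


def automation_coverage(playbook: list) -> tuple:
    """(automated steps, total steps): a rough measure of what SOAR would absorb."""
    return sum(1 for s in playbook if s.automated), len(playbook)


if __name__ == "__main__":
    result = run_playbook(SAMPLE_EMAIL)
    print("completed:", result["completed"])
    print("suspicious domains:", result["suspicious_domains"])
    print("attachment sha256:", result["attachment_sha256"])
    print("waiting on analyst:", result["pending"])
    print("automation coverage:", automation_coverage(PHISHING_PLAYBOOK))
```

Writing the draft this way makes the discussion with analysts concrete: the automated prefix is what a SOAR platform should run before anyone looks at the ticket, and the manual steps are where approval gates, audit trail and chain-of-custody requirements from step 2 apply.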
Implementing a SOAR solution, an incident response platform, or any other important security tool will be difficult if you have no formal incident response program at all. Following the steps above will give you a better understanding of where you stand, which route to take, and what results you should expect.
The above is the detailed content of How to build SOAR. For more information, please follow other related articles on the PHP Chinese website!