2025-02-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains how to prepare for and build a SOAR capability. The content is detailed; readers who are interested can use it as a reference, and we hope it is helpful.
Companies considering buying security orchestration, automation, and response (SOAR) solutions tend to worry that their existing incident response programs are not mature enough to implement a comprehensive platform with automation and orchestration capabilities. Starting from scratch with no foundation seems difficult, especially if no one on the team has experience with incident response or security orchestration solutions.
Nobody wants to simply bolt automation onto an inefficient process. But if the old method itself is not good enough, it makes even less sense to keep entrenching that old way of handling security incidents.
If you want to improve your company's security operations but don't know where to start, the following steps may help you prepare to migrate to a SOAR platform.
1. Take stock of the current operation status
Companies that think they don't have an incident response program usually have their reasons. But with or without a SOAR or incident response platform, every company has some way of managing security incidents, even if it involves a lot of improvisation and ad hoc processes.
As you prepare to implement a SOAR platform, take some time to talk to your company's stakeholders about the current processes and their effectiveness (or ineffectiveness). This should include taking an inventory of your tools:
What is the existing infrastructure for IT and information security?
Are there any tools available for data enrichment operations?
Once you've figured out what tools are available, you can map them all onto the incident response life cycle, such as the one described in NIST 800-61r2, and identify what the company currently lacks.
Next, look at the incident response process or manual the company follows, and at how the Security Operations Center (SOC) collaborates. How does it work with other teams such as IT and data privacy? How does the company maintain legal and regulatory compliance during incident response? How do the teams handle today's most common security incidents, such as phishing or malware?
If metrics are available, review them carefully to find out what works well and what needs improvement. For example:
How long does it take to detect and respond to security alerts?
Which activities take up too much of the security analyst's time?
If no formal metrics are available, ask security analysts and managers for their own assessments.
2. Identify the features that matter most to your company, and the platforms that provide them
There are many SOAR platforms on the market; to narrow your options, take some time to identify the functions that are most important to you. Which processes do you want to automate first? What is the hardest problem for your security team? Are there recurring security incidents, data silos, or process bottlenecks? Your analysts can help you answer these questions.
Each platform has its own focus within security operations. The functions can be broadly divided into the following categories:
Alert management: helps the SOC sort, evaluate, and close the ongoing stream of security alerts from the SIEM and other source systems.
Triage: helps analysts make decisions by collecting contextual information from external and internal sources such as threat intelligence and historical incident records.
Incident response: includes playbooks, task management, link analysis, and similar functions that support an effective and repeatable response workflow.
Reporting and analytics: includes the ability to automate or schedule reports, generate detailed SOC metrics, and customize dashboards for the different user roles that use the system.
Compliance and tracking: such as audit trails, chain of custody, and generic compliance report templates.
Case management: includes support for collaboration between investigators and other teams, a case repository for related incidents, guided investigation workflows, and evidence management.
3. Try drafting a playbook
To get a concrete sense of how you would use a SOAR platform, try drafting a playbook for your most important use cases. Then mark the steps you think could be enhanced by automation and orchestration.
Example playbooks are easy to obtain online from vendors or industry organizations and should give you a reference for the relevant steps. Evaluate the company's existing processes and ask your analysts for more valuable input, including common or important use cases. You can start with the most typical use cases in your security environment, such as phishing, suspected data leaks, or malware infections.
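As an added example (not code from the original article or from any vendor), here is a minimal phishing playbook of the kind step 3 suggests drafting: indicator extraction and threat-intel enrichment are tagged as automatable, the verdict is left to an analyst unless intelligence gives a clear match, and every step is written to an audit trail. The reported e-mail and the threat-intel set are constructed sample data.

```python
"""Added example, not the article's own code: a minimal phishing playbook (step 3) with
steps tagged automated/analyst and an audit trail. The e-mail and intel list are constructed."""
import re
from dataclasses import dataclass, field
# Constructed sample input: a user-reported e-mail (headers + body).
REPORTED_EMAIL = """From: billing@examp1e-pay.test
Subject: Invoice overdue
Body: Pay now at http://examp1e-pay.test/login or call us.
"""
# Constructed stand-in for a threat-intel feed used by the enrichment step.
KNOWN_BAD_DOMAINS = {"examp1e-pay.test"}

@dataclass
class Case:
    indicators: dict = field(default_factory=dict)
    verdict: str = "open"
    audit: list = field(default_factory=list)  # (step, actor, detail) entries

def log(case, step, automated, detail):
    # Audit trail: record which steps ran automatically and which need a human.
    case.audit.append((step, "auto" if automated else "analyst", detail))

def extract_indicators(case, raw):
    # Automatable: pull the sender domain and URL hosts out of the report.
    sender = re.search(r"^From: .*@([\w.-]+)", raw, re.M)
    urls = re.findall(r"https?://([\w.-]+)", raw)
    case.indicators = {"sender_domain": sender.group(1) if sender else "",
                       "url_domains": sorted(set(urls))}
    log(case, "extract", True, case.indicators)

def enrich(case, intel):
    # Automatable: check every indicator against threat intelligence.
    seen = [case.indicators["sender_domain"], *case.indicators["url_domains"]]
    case.indicators["intel_hits"] = sorted({d for d in seen if d in intel})
    log(case, "enrich", True, f"{len(case.indicators['intel_hits'])} hit(s)")

def decide(case):
    # Only a clear intel match is decided automatically; the rest goes to an analyst.
    if case.indicators["intel_hits"]:
        case.verdict = "malicious"
        log(case, "decide", True, "intel match")
    else:
        case.verdict = "needs_analyst"
        log(case, "decide", False, "no intel match, manual review")
    return case

def run_playbook(raw, intel=KNOWN_BAD_DOMAINS):
    case = Case()
    extract_indicators(case, raw)
    enrich(case, intel)
    return decide(case)
```

The audit list doubles as the "mark the steps" exercise: entries tagged `auto` are the candidates for orchestration, entries tagged `analyst` are where human judgement stays in the loop.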
If you don't have a formal incident response program, implementing a SOAR solution, an incident response platform, or any other important security tool can be difficult. However, if you follow the steps described above, you will have a better understanding of your situation, the path you want to take, and the results you need to achieve.
That's all on how to build SOAR. I hope the above content has been of some help and that you've learned something from it. If you think the article is good, share it so more people can see it.