How to easily complete enterprise security orchestration response SOAR

2025-01-16 Update. From: SLTechnology News&Howtos (shulou), Network Security


Shulou(Shulou.com)05/31 Report--

This article explains how to complete enterprise security orchestration, automation and response (SOAR) with little effort. The editor found it very practical and shares it here in the hope that you take something away from it; without further ado, follow along.

According to the 2019 Market Guide for Security Orchestration, Automation and Response Solutions (SOAR) published by the consultancy Gartner, "by 2022, more than 30 per cent of enterprises with a security team of more than five people will use SOAR security orchestration, automation and response solutions". Here we introduce how an enterprise can use the Green Alliance SOAR system to complete security orchestration and automated response in three minutes.

Pain points and demands of enterprise security operations, viewed from the security incident handling process

In traditional enterprise security operations and incident handling, the following procedure is generally followed:

Table: traditional security operations and incident handling process

After these 7 steps, the handling of one information security incident is concluded. Several departments with different roles take part, the process is tedious, its efficiency is hard to quantify, and the handling of different incidents is hard to unify and standardize.

At the same time, enterprises commonly face the following pain points in security operations: there are too many alerts, and the meaningful ones are buried, so incidents are hard to handle in time. The enterprise usually lacks analysis and response specialists, analyst experience is hard to codify, and security experts get trapped in repetitive response work instead of delivering their real value. Most importantly, constrained by process and staffing, the traditional security response time is too long.

Therefore, as security operations develop and evolve, enterprises have added the following demands:

Improve the signal-to-noise ratio: increase the share of high-fidelity alerts so that limited security expert resources are focused on real threats and problems.

Reduce MTTR: codify the incident handling process, keep accumulating operational experience, and operate continuously so that response and handling time keeps falling.

The Green Alliance SOAR security orchestration and automated response scheme

Figure: Green Alliance SOAR component entry point

The ISOP intelligent security operations platform integrates the SOAR security orchestration and automated response function. From the Operations Response > Linkage Orchestration entry of the Green Alliance ISOP Intelligent Security Operations Center, you can use the security orchestration and automated response handling functions to begin the enterprise's automated security orchestration and response journey.

Figure: Green Alliance SOAR security orchestration and automated response scheme

The SOAR component in ISOP deeply integrates people, security technology and process through visual orchestration. Playbook scripts, which codify manual operations experience, build series-parallel workflows for security incident handling that automatically trigger response actions on different security devices. Case management is built on a more complete, end-to-end understanding of the incident context and helps enterprises turn complex incident response processes and task flows into consistent, repeatable, measurable and effective workflows, changing passive emergency response into automated continuous response.

Five core capabilities that help enterprises achieve security orchestration and response

1. Lifecycle case management

Figure: case management

The case is the most basic object of the SOAR component. It runs through the whole life cycle of security incident handling and covers the selection and execution of log sources, security rules, intelligence forensics and Playbook scripts for investigating an information security incident. As long as an alert in the enterprise can be matched to a case, automated response handling can be completed; the case holds a more complete, end-to-end understanding of the incident context and helps turn complex response processes and tasks into consistent, repeatable, measurable and effective workflows.

In enterprise security operations, common security incidents can be mapped to different types of SOAR cases. Incidents of the same nature (such as cryptomining, intrusion, denial of service, extortion, phishing, chain theft, information disclosure, etc.) can share one common handling method, and the case's flow-processing function can assign different Playbook scripts to cases of different nature and supervise the completion of automated closed-loop response to enterprise security incidents.

2. Visual drag-and-drop security orchestration

Figure: visual case orchestration 1

Figure: visual case orchestration 2

Some cases for common attacks are built into the SOAR component of ISOP. In addition, enterprises can quickly create cases and the corresponding Playbook scripts through visual drag-and-drop orchestration. Different steps of a security investigation often depend on one another; the visual drag-and-drop analysis process gives context to the handling, avoids the traditional operator's switching between different pages, and reduces the complexity of incident handling. Once a case is created and enabled, subsequent events that hit the case can be handled automatically, reducing the cost of collaborative communication and process hand-offs between departments.

Figure: case handling process tracking

Cases help enterprises process, continuously investigate and analyze a group of related events and track their responses. While a case executes, the status of each intermediate step (success, running, failure) is shown in the visual orchestration flow, making the end-to-end operations process visible.

3. Automated handling with Playbook scripts

Figure: Playbook script running status

A Playbook script is the equivalent of a security engineer's workflow and drives automated closed-loop handling of the events matched by a case. The ISOP SOAR module may execute multiple scripts concurrently, and the running status of the different scripts (running, success, failure) can be viewed as a global overview in the interface.

An enterprise's incident handling experience can be codified into a Playbook script and applied to automated response; the handling actions can include device blocking, ticket creation, e-mail notification and so on, freeing security experts from tedious, repetitive operations work.

4. Plug-in integration of response devices

In automated security orchestration and response, the "last kilometre" of blocking is generally performed by security devices. The Green Alliance ISOP one-click blocking module has accumulated a large number of response devices, such as firewalls, ADS, UTS, IDS and WAF, with response actions including session blocking, IP blocking, domain-name blacklisting, traffic diversion and scrubbing, and so on. These devices can be plugged in and used directly through the SOAR module without secondary development. For third-party equipment, only a plug-in against the northbound management and control interface provided by that equipment needs to be developed to complete automated linkage and scheduled response on it.

Security devices connected to the SOAR system can be called from a Playbook script to complete automated response handling, without security operators logging in to each device separately to configure blocking policies.
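The case matching, Playbook execution and plug-in device dispatch described in sections 1, 3 and 4 above, as an added illustrative example (not ISOP code or any Green Alliance API): alerts are matched to a case by type, the case's steps run in series, each step is dispatched to a registered device driver, and the per-step status (pending, running, success, failure) is recorded so the run can be tracked. The alert data, device names and drivers are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
# Constructed sample alert standing in for an ISOP alarm event (not real data).
MINING_ALERT = {"type": "mining", "src_ip": "203.0.113.45", "host": "db-02"}

def firewall_block_ip(alert: dict, params: dict) -> bool:
    # Hypothetical driver: a real one would call the firewall's northbound
    # API; here it only checks that there is an address to block.
    return bool(alert.get("src_ip"))

def open_ticket(alert: dict, params: dict) -> bool:
    # Hypothetical driver for a ticketing system.
    return params.get("queue") in {"soc", "it"}

# Plug-in registry: device name -> driver(alert, params) -> success flag.
DEVICE_PLUGINS: Dict[str, Callable[[dict, dict], bool]] = {
    "firewall": firewall_block_ip,
    "ticketing": open_ticket,
}

@dataclass
class Step:
    device: str
    action: str
    params: dict = field(default_factory=dict)
    status: str = "pending"   # pending -> running -> success | failure

# Case library: alert type -> playbook steps (hypothetical). "intrusion" names a "waf" device with no plug-in.
CASES: Dict[str, List[Step]] = {
    "mining": [Step("firewall", "block_ip"), Step("ticketing", "open", {"queue": "soc"})],
    "intrusion": [Step("waf", "block_session"), Step("ticketing", "open", {"queue": "soc"})],
}

def match_case(alert: dict) -> Optional[str]:
    """Return the case an alert hits, or None so it goes to manual triage."""
    return alert["type"] if alert["type"] in CASES else None

def run_playbook(alert: dict) -> List[Step]:
    """Run the matched case's steps in series, recording each step's status."""
    case = match_case(alert)
    if case is None:
        return []
    steps = [Step(s.device, s.action, dict(s.params)) for s in CASES[case]]
    for step in steps:
        step.status = "running"
        driver = DEVICE_PLUGINS.get(step.device)
        if driver is None:            # device not onboarded as a plug-in
            step.status = "failure"
            continue
        step.status = "success" if driver(alert, step.params) else "failure"
    return steps
```

A step whose device has no registered plug-in is marked as a failure rather than aborting the run, so the tracking view still shows which actions completed and which need manual follow-up.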

5. Automated operations large-screen display

Figure: automated operations large-screen display

The automated operations large-screen display presents a global overview of the enterprise's automated response handling: automated response efficiency, case and event statistics, case-handling trends, script execution information and so on. Operations indicators are displayed in a measurable, quantifiable way.

The value that the Green Alliance SOAR system brings to enterprise security operations

1. Reduce the security incident handling time (MTTR)

For known case events, through the case-matching trigger mechanism, the enterprise can complete security orchestration and the automated closed-loop response process within three minutes.

Table: comparison of response handling time between traditional operations and automated operations

2. Release security operations staff from repetitive work

Codifying security experts' experience into Playbooks automates the whole process of analysis, investigation and handling of known attacks, so that experts can devote their energy to scenarios that require advanced security skills, such as red-versus-blue exercises, threat hunting, threat modeling, APT analysis and vulnerability research, creating higher value for enterprise security operations.

3. Standardize the handling process and reduce the cost of cross-department collaboration

The essence of a SOAR system is the choice of investigation strategy and handling strategy for each threat scenario, which is where the core value of Playbooks in the enterprise attack-and-defense contest lies. Standardization of the operations process is the prerequisite for codifying a Playbook script. With the help of SOAR Playbook generation, complicated and irregular handling processes can be standardized, consolidating the standardization of the enterprise's information security operations process.

The above is how to easily complete enterprise security orchestration and response with SOAR. The editor believes it contains points you may encounter or use in your daily work. I hope you have learned from this article; for more details, follow the industry information channel.
