Tag Archives: InsightConnect

How to Develop a SOAR Workflow to Automate a Critical Daily Task

Post Syndicated from Ryan Fried original https://blog.rapid7.com/2022/11/15/how-to-develop-a-soar-workflow-to-automate-a-critical-daily-task/


As the senior information security engineer at Brooks, an international running shoe and apparel company, I can appreciate the challenge of launching a security orchestration, automation, and response (SOAR) tool for the first time as well as investing your time and budget into making a new security platform your own. I’ve been working with Rapid7 for years now and have become a kind of evangelist for the user-friendly, low-code workflows that make SOAR a joy to manage and an important efficiency driver in our security program.

In this blog post, the third in a series of how-to guides on getting going with SOAR in general and with Rapid7 InsightConnect in particular, I’ll provide an overview of my experience developing a URL Blocking workflow to fit my organization’s specific needs – and perhaps those of your organization as well!

A Workflow to Automatically Block URLs in Multiple Systems

I built this workflow to address two very common use-cases:

  • A user reports receiving a phishing email that does in fact contain a suspicious link
  • We learn about phishing or other scams that leverage external links from threat intelligence sources

Upon learning about this likely malicious link, our team needs to conduct an investigation to decide what to do about it – historically this was a manual three-step process:

  1. Investigate the link and associated domain by pulling in threat intelligence from multiple sources to see what is known about it.
  2. If it is determined to be malicious, block the URL and potentially the whole domain in our email security system (Mimecast), our DNS filter (Cisco Umbrella) and our Palo Alto firewalls.
  3. Figure out who, if anybody, in our organization had already clicked the link and, if anyone had, move to further steps in the response.

As you can imagine, executing each of these steps manually can take a significant amount of time. Now, imagine conducting this process multiple times a day – especially since time is the enemy. Also, what if your security team is experiencing turnover? On my team, we recently lost an analyst and gained another. We needed a reliable and repeatable process that any analyst can execute with minimal training.

That’s where a workflow such as this becomes so useful! New analysts don’t need to know all the places to block a URL in our organization. By executing a single workflow from Microsoft Teams, the URL that has been determined to be malicious is guaranteed to be blocked, in all the necessary places, every time. In addition, the workflow can also figure out if someone previously went to that link, and thus whether a given user or endpoint requires further investigation.

This was hard and slow to do manually; I estimate it consumed 30-60 minutes of analyst time, each time. To conduct this investigation manually, you have to search each log source for the URL and then update the local policies to block it going forward. But with the workflow I built, it becomes an instant process that only requires a minute or two of review after execution. It’s no wonder my security analyst team asked for this workflow specifically.

Want to see it in action? Check out this short video.

How Did I Develop this SOAR Workflow?

The best and easiest place to start for many SOAR workflows is with your chat apps – I started with Microsoft Teams, but you can use Slack as well; it doesn’t really matter. They both do a great job of facilitating communications with select staff members, initiating SOAR workflows, and presenting the results.

Next, use Rapid7 plugins (how Rapid7 InsightConnect integrates with third-party systems) for the IT and security systems your organization uses and that are required for your particular automation workflow. Then put your logic, human decision points, and communication points into the workflow.

Once the workflow is complete, you’ll still need to do some testing to make sure it works as designed. There are always little things – for example, certain plugins like different formats. Cisco Umbrella just requires a domain, whereas for a firewall, you’ll need to use the entire URL when searching logs and updating block lists. The same goes for Mimecast and other email security platforms. But start small! Build out the logic more as you get more comfortable with the whole approach and as you get feedback from your user group.
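The three-step process described above and the per-system format differences (a bare domain for the DNS filter, the full URL for firewall block lists and log searches) are exactly what the input-validation step of such a workflow has to get right. The following is an added example, not code from the original post or from InsightConnect: a Python helper that normalizes an analyst-submitted link (including common defanged forms such as `hxxp://` and `[.]`) into the shapes each system needs, and then searches proxy-style log lines for users who already visited it. The log line format, the sample entries, and the rule that a host must contain a dot are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class BlockTargets:
    """The two shapes a reported link is needed in by the systems in the post."""
    url: str     # full canonical URL: firewall block list and log search
    domain: str  # host only: DNS-filter style block (Umbrella "just requires a domain")


def normalize_reported_url(raw: str) -> str:
    """Turn an analyst-submitted link into one canonical http(s) URL.

    Handles whitespace and angle brackets copied from email clients, defanged
    notation (hxxp://, [.], (.), [:]), trailing punctuation from sentence
    context, a missing scheme, mixed-case hosts, and a userinfo@ prefix
    (the host after '@' is what actually resolves, so only that is kept).
    Raises ValueError for anything that is not an http(s) URL with a
    plausible host.
    """
    s = raw.strip().strip("<>\"'")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)   # refang scheme
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    s = s.rstrip(".,;:)")                                     # trailing sentence punctuation
    if not re.match(r"^[a-z][a-z0-9+.-]*://", s, flags=re.I):
        s = "http://" + s                                     # bare host or host/path
    parts = urlsplit(s)
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError(f"unsupported scheme in {raw!r}")
    host = (parts.hostname or "").rstrip(".")                 # hostname is already lowercased
    # Assumption for this example: require at least one dot, reject odd characters.
    if not host or "." not in host or ".." in host or not re.fullmatch(r"[a-z0-9.-]+", host):
        raise ValueError(f"invalid host in {raw!r}")
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    path = parts.path or "/"
    # Fragments never reach the server, so they are dropped from the block entry.
    return urlunsplit((parts.scheme.lower(), netloc, path, parts.query, ""))


def block_forms(raw: str) -> BlockTargets:
    """Produce the per-system block entries for one reported link."""
    url = normalize_reported_url(raw)
    return BlockTargets(url=url, domain=urlsplit(url).hostname)


# Constructed proxy-style log format used only for this example.
LOG_RE = re.compile(r"user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+url=(?P<url>\S+)")

SAMPLE_LOGS = [  # constructed sample data
    "2022-11-14T10:02:11Z user=jdoe src=10.1.2.3 url=https://evil.example/login?id=7",
    "2022-11-14T10:05:40Z user=asmith src=10.1.2.9 url=https://evil.example/",
    "2022-11-14T10:07:02Z user=bwong src=10.1.2.12 url=https://docs.example.org/",
    "2022-11-14T10:09:55Z user=jdoe src=10.1.2.3 url=https://evil.example/login?id=7",
]


def find_clickers(log_lines, targets: BlockTargets):
    """Return (users who hit the exact URL, users who hit any URL on that domain).

    The second set is a superset of the first; it is the list worth reviewing
    when the whole domain, not just one path, is being blocked.
    """
    exact, same_domain = set(), set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        try:
            seen = normalize_reported_url(m.group("url"))
        except ValueError:
            continue  # unparseable entries are skipped, not treated as hits
        if urlsplit(seen).hostname == targets.domain:
            same_domain.add(m.group("user"))
            if seen == targets.url:
                exact.add(m.group("user"))
    return exact, same_domain


if __name__ == "__main__":
    targets = block_forms("hxxps://EVIL[.]example/login?id=7.")
    print("firewall/email entry:", targets.url)
    print("DNS filter entry:   ", targets.domain)
    print("clicked URL / visited domain:", find_clickers(SAMPLE_LOGS, targets))
```

The two return shapes map onto the decision in step 2 of the process: the `url` goes to systems that match full URLs, the `domain` to the DNS filter, and the `same_domain` set tells the analyst who needs follow-up if the whole domain ends up blocked rather than a single path.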

How long did it take to get this URL blocking workflow up and running?

This URL-blocking workflow has about 20 steps or so. As far as time to develop, I put together the bones of it in a day or two, with just a few hours of total effort. The input validation, the testing part, actually took the longest, but it was no more than a week from start to finish to get this particular workflow out the door. And donating it to the InsightConnect community also took very little effort.

The key here is to not be afraid to keep testing and iterating. When in doubt, don’t hesitate to reach out to the Community via the Discuss Community to ask for advice.

Now, by leveraging this SOAR-based automation, it takes less than a minute to block a malicious URL everywhere it needs to be blocked. Previously, if you had to block a URL manually, one by one, it could take 40 minutes to an hour from start to finish. We run this workflow 10-20 times in a typical week. So that saves between 7-20 hours of analyst time a week; as much as half an FTE just from this one security automation! And the increased blocking completeness and speed is a further risk reduction bonus.

My Advice for SOAR Workflow Builders?

Rapid7 InsightConnect is one of those tools that does not and should not exist in a vacuum. You actually need the support and involvement of your other IT teams to deliver maximum value. Get that buy-in! It’s a security orchestration tool. So orchestrating multiple people, processes and technology is what it’s there to do!

Cybersecurity Analysts: Job Stress Is Bad, but Boredom Is Kryptonite

Post Syndicated from Amy Hunt original https://blog.rapid7.com/2022/08/24/cybersecurity-analysts-job-stress-is-bad-but-boredom-is-kryptonite/


Years ago, “airline pilot” used to be a high-stress profession. Imagine being in personal control of equipment worth millions hurtling through the sky on an irregular schedule with the lives of all the passengers in your hands.

But today on any given flight, autopilot is engaged almost 90% of the time. (The FAA requires it on long-haul flights or anytime the aircraft is over 28,000 feet.) There are vast stretches of time where the problem isn’t stress – it’s highly trained, intelligent people just waiting to perhaps be needed if something goes wrong.

Of course, automation has made air travel much safer. But over-reliance on it is now considered an emerging risk for pilots. The concerns? Loss of situational awareness, and difficulty taking over quickly and deftly when something fails. FAA scientist Kathy Abbott believes automation has made pilot error more likely if they “abdicate too much responsibility to the automated systems.” This year, the FAA rewrote its guidance, now encouraging pilots to spend more time actually flying and keeping their skills sharp.

What you want at any job is “flow”

Repetitive tasks can be a big part of a cybersecurity analyst’s day. But when you combine monotony (which often leads to boredom) with the need for attentiveness, it’s kryptonite. One neuroscientific study proved chronic boredom affects “judgment, goal-directed planning, risk assessment, attention focus, distraction suppression, and intentional control over emotional responses.”

The goal is total and happy immersion in a task that challenges you but is within your abilities. When you have that, you’re “in the zone.” And you’re not even tempted to multi-task (which isn’t really a thing).

Combine InsightConnect and InsightIDR, and you can find yourself “in the zone” for incident response:

  • Response playbooks are automatically triggered from InsightIDR investigations and alerts.
  • Alerts are prioritized, and false alerts are wiped away.
  • Alerts and investigations are automatically enriched: no more manually checking IPs, DNS names, hashes, etc.
  • Pathways to PagerDuty, Slack, Microsoft Teams, JIRA, and ServiceNow are already set up for you and tickets are created automatically for alerts.

According to Rapid7’s Detection and Response Practice Advisor Jeffrey Gardner, the coolest example of InsightIDR’s automaticity is its baselining capability.

“Humans are built to notice patterns, but we can only process so much so quickly,” Gardner says. “Machine learning lets us take in infinitely more data than a human would ever be able to process and find interesting or anomalous activity that would otherwise be missed.” InsightIDR can look at user/system activity and immediately notify you when things appear awry.

The robots are not coming for your job – surely not yours. But humans and machines are already collaborating, and we need to be very thoughtful about exactly, precisely how.

Like inattentive commercial pilots, Tesla drivers using Autopilot don’t much look at the road even though they’re required to, and they remain wholly responsible for everything the vehicle does. Teslas are also being hacked, started, and driven off. A 19-year-old took 25 Teslas. We’re designing our jobs – and life on earth, too.


360-Degree XDR and Attack Surface Coverage With Rapid7

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2022/08/18/360-degree-xdr-and-attack-surface-coverage-with-rapid7/


Today’s already resource-constrained security teams are tasked with protecting more as environments sprawl and alerts pile up, while attackers continue to get stealthier and add to their arsenal. To be successful against bad actors, security teams need to be proactive against evolving attacks in their earliest stages and ready to detect and respond to advanced threats that make it past defenses (because they will).

Eliminate blindspots and extinguish threats earlier and faster

Rapid7’s external threat intelligence solution, Threat Command, reduces the noise of numerous threat feeds and external sources, and prioritizes and alerts on the most relevant threats to your organization. When used alongside InsightIDR, Rapid7’s next-gen SIEM and XDR, and InsightConnect, Rapid7’s SOAR solution, you’ll unlock a complete view of your internal and external attack surface with unmatched signal to noise.

Leverage InsightIDR, Threat Command, and InsightConnect to:

  • Gain 360-degree visibility with expanded coverage beyond the traditional network perimeter thanks to Threat Command alerts being ingested into InsightIDR, giving you a more holistic picture of your threat landscape.
  • Proactively thwart attack plans with Threat Command alerts that identify active threats from across your attack surface.
  • Find and eliminate threats faster when you correlate and investigate Threat Command alerts with InsightIDR’s rich investigative capabilities.
  • Automate your response by attaching an InsightConnect workflow to take action as soon as a detection or a Threat Command alert surfaces in InsightIDR.

[Figure: Threat Command alerts alongside InsightIDR Detection Rules]

Stronger signal to noise with Threat Command Threat Library

The power of InsightIDR and Threat Command doesn’t end there. We added another layer to our threat intelligence earlier this year when we integrated Threat Command’s Threat Library into InsightIDR to give more visibility into new indicators of compromise (IOCs) and continued strength around signal to noise.

All IOCs related to threat actors tracked in Threat Command are automatically applied to customer data sent to InsightIDR, which means you automatically get current and future coverage as new IOCs are found by the research team. Alongside InsightIDR’s variety of detection types — User Behavior Analytics (UBA), Attacker Behavior Analytics (ABA), and custom detections — you’re covered against all infiltrations, from lateral movement to unique attacker behaviors and everything in between. The impact? Your team is never behind on emerging threats to your organization.

Faster, more efficient responses with InsightConnect

Strong signal to noise is taken a step further with automation, so teams can not only identify threats quickly but respond immediately. The expanded integration between InsightConnect and InsightIDR allows you to respond to any alert being generated in your environment. With this, you can easily create and map InsightConnect workflows to any ABA, UBA, or custom detection rule, so tailored response actions can be initiated as soon as there is a new detection.

See something suspicious that didn’t trip a detection? You can invoke on-demand automation with integrated Quick Actions from any page in InsightIDR.

[Figure: Mapping of InsightConnect workflows to an ABA alert in InsightIDR]

Sophisticated XDR without any headaches

With Rapid7, you’ll achieve sophisticated detection and response outcomes with greater efficiency and efficacy — no matter where you and your team are on your security journey. Stay up to date on the latest from InsightIDR, Threat Command, and InsightConnect as we continue to up-level our cross-product integrations to bring you the most comprehensive XDR solution.


5 SOAR Myths Debunked

Post Syndicated from Matthew Gardiner original https://blog.rapid7.com/2022/07/27/5-soar-myths-debunked/


A recently published ESG research ebook, sponsored by Rapid7, SOC Modernization and the Role of XDR, shows that organizations are increasingly leveraging security orchestration, automation, and response (SOAR) systems in an attempt to keep up with their security operations challenges. This makes sense, as every organization is facing the combined pressure of the growing threat landscape, expanding attack surface, and the cybersecurity skills shortage. To address these challenges, 88% of organizations report that they plan to increase their spending on security operations with the specific goal of better operationalizing threat intelligence, leveraging asset data in their SOC, improving their alert prioritization, and better measuring and improving their KPIs. All of these initiatives fall squarely into the purpose and value of SOAR.

In the same research, ESG also uncovered both praise and challenges for SOAR systems. On the praise side, there is very broad agreement that SOAR tools are effective for automating both complex and basic security operations tasks. But on the challenges side, the same respondents report unexpectedly high complexity and demands on programming and scripting skills that are getting in the way of SOAR-enabled value realization.


The SOC Modernization and the Role of XDR ebook, my years in the security industry, and my last year heavily focused on security operations and SOAR bring to mind five common SOAR myths worth debunking.

Myth #1: SOAR-enabled security automation is about eliminating security analysts

Security professionals, you can put away your wooden shoes (sabots). There is no risk of job losses resulting from the use of SOAR tools. While in some cases security tasks can be fully automated away, in the vast majority of SOAR-enabled automations the value of SOAR is in teeing up the information necessary for security analysts to make good decisions and in leveraging the downstream integrations necessary to execute those decisions.

If you love manually collecting data from multiple internal and external sources necessary to make an informed decision and then manually opening tickets in IT service management systems or opening admin screens in various security controls to execute those decisions, stay away from using SOAR! Want to hear directly from an organization regarding this myth? Check out this Brooks case study and a supporting blog. The point of SOAR is to elevate your existing security professionals, not eliminate them.

Myth #2: SOAR requires programming skills

While SOARs require programming logic, they don’t generally require programming skills. If you know what process, data, decision points, and steps you need to get the job done, a SOAR system is designed to elevate the implementer of these processes out of the weeds of integrations and code-level logic steps necessary to get the job done.

The purpose of a well-designed SOAR is to elevate the security analyst out of the code and into the logic of their security operations. This is why a SOAR is not a general-purpose automation tool but is specifically designed and integrated to aid in the management and automation of tasks specific to security operations. Programming skills are not a prerequisite for getting value from a SOAR tool.

Myth #3: SOAR is only for incident response

While clearly the origin story of SOAR is closely connected to incident response (IR) and security operations centers (SOCs), it is a myth that SOARs are exclusively used to manage and automate IR-related processes. While responding effectively and quickly to incidents is critical, preparing your IT environment well through timely and efficient vulnerability management processes is equally important to the risk posture of the organization.

We see here at Rapid7 that just as many vulnerability management use cases are enabled with our SOAR product, InsightConnect, as are incident response ones. If you want to see some real life examples of incident response and vulnerability management use cases in action, check out these demos.

Myth #4: You must re-engineer your security processes before adopting SOAR

Some organizations get caught in a security catch-22. They are too busy with manual security tasks to apply automation to help reduce the time necessary to conduct these security tasks. This is a corollary to the problem of being too busy working to do any work. The beauty of SOAR solutions is that you don’t have to know exactly what your security processes need to be before using a SOAR. Fortunately, thousands of your peer organizations have been working on hundreds of these security processes for many years.

Why create from scratch when you can just borrow what has already been crowdsourced? Many SOAR users freely publish what they consider to be the best practice security process automations for the various security incidents and vulnerabilities that you will likely encounter. SOAR vendors, such as Rapid7, curate and host hundreds of pre-built automations that you can study and grab for free to apply (and customize as appropriate) to your organization. These crowdsourced libraries mean that you do not need to start your security automation projects with a blank sheet of paper.

Myth #5: SOAR tools are not needed if you use managed security service providers

There is no question that managed security service providers in general and managed detection and response (MDR) providers – such as Rapid7 – in particular can deliver critical security value to organizations. In fact, in the same ESG research, 88% of organizations reported that they would increase their use of managed services for security operations moving forward. The economic value of an MDR service like Rapid7’s was demonstrated in a newly published Forrester TEI report. But what happens to SOAR when you leverage an MDR provider?

The reality is that managed providers complement and extend your security teams and thus don’t fully replace them. While managed providers can and do automate aspects of your security operations – most typically detections and investigations – rarely are they given full rein to make changes in your IT and security systems or to drive responses directly into your organization. They provide well-vetted recommendations, and you, the staff security professionals, decide how and when best to implement those recommendations. This is where SOAR comes in, doing what it does best: helping you manage and automate the execution of those recommendations. In fact, debunking the myth, SOAR tools can directly complement and extend the value of managed security service providers.

Clearly, there is no shortage of things to do and improve in most organizations to bend the security curve in favor of the good guys. My hope is that this latest research from ESG and the SOAR myth-busting in this blog will help you and your organization bend the security curve in your favor.

Download the e-book today for more insights from ESG’s research.


Deploying a SOAR Tool Doesn’t Have to Be Hard: I’ve Done It Twice

Post Syndicated from Ryan Fried original https://blog.rapid7.com/2022/07/21/deploying-a-soar-tool-doesnt-have-to-be-hard-ive-done-it-twice/


As the senior information security engineer at Brooks, an international running shoe and apparel company, I can appreciate the challenge of launching a security orchestration, automation, and response (SOAR) tool for the first time. I’ve done it at two different companies, so I’ll share some lessons learned and examples of how we got over some speed bumps and past friction points. I’ll also describe the key steps that helped us create a solid SOAR program.

At Brooks we selected Rapid7’s InsightConnect (ICON) as our security automation tool after a thorough product review. I was familiar with ICON because I had used it at a previous company. There are other SOAR tools out there, but InsightConnect is my preferred option based on my experience, its integrations, support, and Rapid7’s track record of innovation in SOAR. InsightConnect is embedded in everything we do now. We use it to slash analyst time spent on manual, repetitive tasks and to streamline our incident response and vulnerability management processes.

When you’re starting out with SOAR, there are two important things you need to put in place.

  • One is getting buy-in from your Active Directory (AD) team on the automation process and the role they need to play. At Brooks, we have yearly goals that are broken down into quarters, so getting it on their quarterly goals as part of our overall SOAR goal was really important. This also applies to other areas of the IT and security organizations.
  • The second is getting all the integrations set up within the first 30 to 60 days. It’s critical because your automation tool is only as good as the integrations you have deployed. Maybe 50% to 60% of them fall under IT security, but the other 30% or 40% are still pretty important, given how dependent security teams are on other organizations and their systems. So, getting buy-in from the teams that own those systems and setting up all the integrations are key.

Start with collaboration and build trust

A successful SOAR program requires trust and collaboration with your internal partners – essentially, engineering and operations and the team that sets up your active directory domain – because they help set up the integrations that the security automations depend on. You need to develop that trust because IT teams often hesitate when it comes to automation.

In conversations with these teams, let them know you won’t be completely automating things like blocking websites or deleting users. In addition, stress that almost everything being done will require human interaction and oversight. We’re just enriching and accelerating many of the processes we already have in place. Therefore, it will free up their time in addition to ours, because it’s accomplishing things that they do for us already. And remember, we have the ability to see if something happened that may have been caused by the SOAR tool, so it’s automation combined with human decision-making.

For example, say something starts not working. The team asks you: “Hey, what’s changed?” With ICON up and running, you can search within seconds to see, for example, what firewall changes have happened within the last 24 hours. What logins have occurred? Are there any user account lockouts? I can search that in seconds. Before, it used to take me 15 to 30 minutes to get back to them with a response. Not any more. That’s what I call fast troubleshooting.

Meet with your security analysts and explain the workflows

Right from the beginning, it’s important to meet with your security analysts and explain the initial workflows you’ve created. Then, get them thinking about the top five alerts that happen most often and consume a lot of their time, and what information they need from those alerts. For instance, with two-factor authentication logs, the questions might be, “What’s the device name? Who’s the user’s manager? What’s their location?” Then, you can work in the SOAR tool to get that information for them. This will help them see the benefit firsthand.

This approach helps with analyst retention because the automation becomes the platform glue for all of your other tools. It also reduces the time your analysts have to spend on repetitive drudge work. Now, they’re able to give more confident answers if something shows up in the environment, and they can focus on more creative work.

Dedicate a resource to SOAR

I believe it’s important to have one person dedicated to the SOAR project at least half-time for the first six months. This is where teams can come up short. When the staff and time commitment is there, the process quickly expands beyond simple tasks. Then you’re thinking, “What else can I automate? What additional workflows can I pick up from the Rapid7 workflow marketplace and customize for our own use?”

Take advantage of the Rapid7 Extensions Library

The good news is you don’t need to build workflows (playbooks) from scratch. The Rapid7 Extensions Library contains hundreds of workflows which you can use as a core foundation for your needs. Then you can tweak the last 15% to 20% to make the workflow fit even better. These pre-built workflows get you off the ground running. Think of them not as ready-to-go tools, but more as workflow ideas and curated best practices. The first time I used InsightConnect, I used the phishing workflow and started seeing value in less than two weeks.

Implementing a security automation tool within a company’s network environment can be a challenge if you don’t come at it the right way. I know because I’ve been there. But Rapid7’s InsightConnect makes it easier by enabling almost anything you can imagine. With a SOAR solution, your analysts will spend less time on drudge work and more time optimizing your security environment. These are real benefits I’ve seen firsthand at Brooks. You can have them as well by following this simple approach. Best of luck.


Maximize Your VM Investment: Fix Vulnerabilities Faster With Automox + Rapid7

Post Syndicated from Nicholas Colyer original https://blog.rapid7.com/2022/05/16/maximize-your-vm-investment-fix-vulnerabilities-faster-with-automox-rapid7/


The Rapid7 InsightConnect Extension library is getting bigger! We’ve teamed up with IT operations platform, Automox, to release a new plugin and technology alliance that closes the aperture of attack for vulnerability findings and automates remediation. Using the Automox Plugin for Rapid7 InsightConnect in conjunction with InsightVM, customers are able to:

  • Automate discovery-to-remediation of vulnerability findings
  • Query Automox device details via Slack or Microsoft Teams

Getting started with Automox within InsightConnect

Automox is an IT Operations platform that fully automates the process of endpoint management across Windows, macOS, Linux, and third-party software — including Adobe, Java, Firefox, Chrome, and Windows.

The Automox InsightConnect Plugin allows mutual customers of Rapid7 and Automox to expand their capabilities between products, ultimately streamlining cyber security outcomes and operational effectiveness. Seamlessly transition CVE-based vulnerability findings through discovery to remediation, and perform device queries without needing to leave Slack or Microsoft Teams!

Example workflows you can start leveraging now with the Automox Plugin

  • Generate Rapid7 InsightVM Report and Upload to Automox Vulnerability Sync: An example workflow that leverages threat context for assets and prioritizes them for remediation. An InsightVM report is automatically generated and uploaded using Automox’s Vulnerability Sync for easy remediation, saving internal teams precious time and effort in managing critically emerging threats – from start to finish.
  • Automox Device Lookup from Microsoft Teams: An example workflow that lets a user query a device in Automox directly from Microsoft Teams.
  • Automox Device Lookup from Slack: An example workflow that lets a user query a device in Automox directly from Slack.

For more information or to start using this plugin, access and install the Automox Plugin for Rapid7 InsightConnect through the Rapid7 Extension Library.


SOAR Tools: What to Look for When Investing in Security Automation Tech

Post Syndicated from Aaron Wells original https://blog.rapid7.com/2021/02/10/soar-tools-what-to-look-for-when-investing-in-security-automation-tech/


Security orchestration and automation (SOAR) refers to a collection of software solutions and tools that organizations can leverage to streamline security operations in three key areas: threat and vulnerability management, incident response, and security-operations automation.

From a single platform, teams can use automation to create efficiencies and stay firmly in control of IT security functions. SOAR solutions, like Rapid7 InsightConnect, also enable process implementation, efficiency gap analysis and incorporate machine learning to help analysts accelerate operations intelligently.

3 core competencies of SOAR

According to Gartner, these are the most important technological features of SOAR:

  • Threat and vulnerability management supports vulnerability remediation as well as formalized workflows, reporting, and collaboration.
  • Security-incident response supports how an organization plans, tracks, and coordinates incident responses.
  • Security-operations automation supports orchestration of workflows, processes, policy execution, and reporting.

Your SOAR: Essential elements

A solution tailored to your team will yield the greatest benefits to the organization. With regard to the features mentioned above, security teams typically are looking at some key benefits as must-haves when planning a SOAR solution.

Redistribute brainpower with orchestration and automation tools. Teams build real-time triggers into workflows, which kick-start automation. Triggers listen for certain behaviors, and then initiate workflows when the required input passes through the trigger. Without orchestration from a SOAR tool, the security team would coordinate these workflows manually. SOAR integrates across security tools via APIs, with workflows across these tools detecting and responding to incidents and threats.

Execute security tasks in seconds versus hours by automating the series of steps that make up a playbook. Teams can monitor these automated processes in a user-friendly dashboard or in their preferred chat tools. While orchestration enables integrations and coordination across security tools, playbooks execute the interdependent actions in a defined sequence without human interaction, except where a workflow deliberately inserts an approval step for an analyst.
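As an added illustration of the trigger, playbook and connector pattern described in the two paragraphs above (example code written for this page, not InsightConnect or any Rapid7 code), the Python below runs a small phishing-URL playbook: a trigger filters incoming events, an enrichment step scores each URL's host against a constructed threat-intel table, an optional approval callback models the analyst decision step, and connector objects stand in for the tool APIs (email gateway, DNS filter, firewall) and block idempotently so a re-run is safe. The event, the scores, the tool names and the 70-point threshold are all hypothetical.

```python
"""Toy SOAR-style orchestration: trigger -> playbook -> connectors.

Added example; not InsightConnect or Rapid7 code. The Connector objects and the
THREAT_INTEL table are constructed stand-ins for real tool and reputation APIs.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import re

URL_RE = re.compile(r"https?://[^\s<>()\"']+", re.IGNORECASE)

# Constructed reputation scores (0-100) standing in for an external intel feed.
THREAT_INTEL = {"evil.example": 90, "login-portal.example": 75, "brooks.example": 5}


@dataclass
class Connector:
    """Stand-in for one tool reached over its API (email gateway, DNS filter, firewall)."""
    name: str
    blocked: set = field(default_factory=set)

    def block(self, indicator):
        """Return True if a new block was created, False if it already existed.
        Idempotency matters: playbooks get re-run and must not error or duplicate."""
        if indicator in self.blocked:
            return False
        self.blocked.add(indicator)
        return True


@dataclass
class Trigger:
    """Listens for events of one type and fires only when they carry a URL."""
    event_type: str

    def matches(self, event):
        return event.get("type") == self.event_type and bool(URL_RE.search(event.get("body", "")))


def enrich(url):
    """Enrichment step: look the URL's host up in the (constructed) intel table."""
    domain = (urlsplit(url).hostname or "").lower()
    return {"url": url, "domain": domain, "score": THREAT_INTEL.get(domain, 0)}


def run_playbook(event, connectors, trigger, threshold=70, approve=None):
    """Run the playbook's steps in order for one event.

    approve: optional callable(ctx) -> bool modelling an analyst decision step;
    when None the playbook is fully automated.
    Returns the domains acted on plus an audit trail of every decision.
    """
    audit = []
    if not trigger.matches(event):
        audit.append("trigger: event did not match, nothing to do")
        return {"blocked": [], "audit": audit}

    acted = []
    for url in URL_RE.findall(event["body"]):
        ctx = enrich(url)
        audit.append(f"enrich: {ctx['domain']} score={ctx['score']}")
        if ctx["score"] < threshold:
            audit.append(f"skip: {ctx['domain']} below threshold {threshold}")
            continue
        if approve is not None and not approve(ctx):
            audit.append(f"skip: analyst declined {ctx['domain']}")
            continue
        # Containment step: the same indicator goes to every tool, in sequence.
        for connector in connectors:
            created = connector.block(ctx["domain"])
            state = "blocked" if created else "already blocked"
            audit.append(f"{connector.name}: {state} {ctx['domain']}")
        acted.append(ctx["domain"])
    return {"blocked": acted, "audit": audit}


if __name__ == "__main__":
    tools = [Connector("email-gateway"), Connector("dns-filter"), Connector("firewall")]
    # Constructed user-reported phishing email, one bad link and one benign one.
    report = {"type": "phish_report",
              "body": "Reset your password at http://evil.example/reset (see https://brooks.example/news)"}
    result = run_playbook(report, tools, Trigger("phish_report"))
    print("\n".join(result["audit"]))
```

The audit list is the part worth copying into a real workflow: every skip, approval and block decision is recorded in order, which is what lets an analyst review what the automation did and lets a second run prove it changed nothing.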

Once implemented, a comprehensive SOAR solution should help streamline and simplify. With InsightConnect, teams can customize workflows as much or as little as they like. Connect teams and tools for clear communication, deploy no-code-connect-and-go workflows, and put automation to work for your business without sacrificing control.

Rapid solutions

SOAR platforms are designed to accelerate response times. A quality solution should be easy to deploy and use; it should also be reliable, nonintrusive, and safe. Teams should tailor it to be as efficient as possible so that it doesn’t end up costing time. This also means enabling mobile device access and control so teams can run playbooks, review security artifacts, and triage events—all on the go. How else can SOAR solve your need for speed?

  • Scalability: Your automation engine will scale with your organization and the number of incidents it eventually incurs. Think about optimizing performance by designing your solution to allow for vertical (CPU and RAM increases) and horizontal (server-instance increases) scaling.
  • Dual action: Security teams reportedly receive an average of 12,000 alerts a day. Your SOAR solution should be able to quickly compile relevant context about security events so your team can focus on analysis and response. False positives and threats are resolved faster, and experts can home in on tasks requiring intervention. With a quality platform, teams can exercise as much human judgment as they deem necessary and automate menial tasks.
  • Extensibility: Designing your SOAR for openness and extensibility will help optimize results. It should incorporate new security scenarios with ease, and ideally, it will integrate with third-party tools like SIEM, IPS, and IDS solutions.
  • Broad ecosystem: Orchestrate any piece of your technology stack with InsightConnect. You’ll spend less time assembling: Pre-built workflows easily integrate across a wide stack so you can more quickly innovate on the things that matter. Plus, create threat-specific workflows so everyone is notified faster, sees the same critical data and is able to take action across multiple technologies with rapid efficiency.

The real return on investment

Pricing models will always vary by tailored solution. For example, costs might be based on the number of users or the number of processes you want to automate or by the size of your environment. Begin your quest for value by searching for:

  • SOAR products that aren’t hiding costs. Your vendor should give a clear picture of charges related to configuration, deployment, and maintenance of the product.
  • SOAR tools with flexible options that work best with your budget. Make sure to accurately evaluate which features you need and those you can do without.

Also, consider the possibility of bringing greater collaboration to your team with features like chat tool integrations and workflow-notes documentation. Playbook and information sharing become easier and resolutions arrive faster. A SOAR workflow should ultimately become a community-based solution, with the potential to bolster your organization’s bottom line and prove out greater investments in security practices.

Want to learn more about how Rapid7 InsightConnect can help you with your automation goals? Request a demo today.
