Tag Archives: SOAR

How to Develop a SOAR Workflow to Automate a Critical Daily Task

Post Syndicated from Ryan Fried original https://blog.rapid7.com/2022/11/15/how-to-develop-a-soar-workflow-to-automate-a-critical-daily-task/

As the senior information security engineer at Brooks, an international running shoe and apparel company, I can appreciate the challenge of launching a security orchestration, automation, and response (SOAR) tool for the first time as well as investing your time and budget into making a new security platform your own. I’ve been working with Rapid7 for years now and have become a kind of evangelist for the user-friendly, low-code workflows that make SOAR a joy to manage and an important efficiency driver in our security program.

In this blog post, the third in a series of how-to guides on getting going with SOAR in general and with Rapid7 InsightConnect in particular, I’ll provide an overview of my experience developing a URL Blocking workflow to fit my organization’s specific needs – and perhaps those of your organization as well!

A Workflow to Automatically Block URLs in Multiple Systems

I built this workflow to address two very common use-cases:

  • A user reports receiving a phishing email that does in fact contain a suspicious link
  • We learn about phishing or other scams from threat intelligences sources that leverage external links

Upon learning about this likely malicious link, our team needs to conduct an investigation to decide what to do about it – historically this was a manual three-step process:

  1. Investigate the link and associated domain by pulling in threat intelligence from multiple sources to see what is known about it.
  2. If it is determined to be malicious, block the URL and potentially the whole domain in our email security system (Mimecast), our DNS filter (Cisco Umbrella) and our Palo Alto firewalls.
  3. Figure out who, if anybody, in our organization had already clicked the link and, if anyone had, move on to the further steps in the response.

As you can imagine, executing each of these steps manually can take a significant amount of time. Now, imagine conducting this process multiple times a day – especially since time is the enemy. Also, what if your security team is experiencing turnover? On my team, we recently lost an analyst and gained another. We needed a reliable and repeatable process that any analyst can execute with minimal training.

That’s where a workflow such as this becomes so useful! New analysts don’t need to know all the places to block a URL in our organization. By executing a single workflow from Microsoft Teams, the URL that has been determined to be malicious is guaranteed to be blocked, in all the necessary places, every time. In addition, the workflow can also figure out if someone previously went to that link, and thus whether a given user or endpoint requires further investigation.

This was hard and slow to do manually; I estimate it consumed 30-60 minutes of analyst time, each time. To conduct this investigation manually, you have to search each log source for the URL and then update the local policies to block it going forward. But with the workflow I built, it becomes an instant process that only requires a minute or two of review after execution. It’s no wonder my security analyst team asked for this workflow specifically.

Want to see it in action? Check out this short video.

How Did I Develop this SOAR Workflow?

The best and easiest place to start for many SOAR workflows is with your chat apps – I started with Microsoft Teams, but you can use Slack as well; it doesn’t really matter. They both do a great job of facilitating communications with select staff members, initiating SOAR workflows, and presenting the results.

Next, use Rapid7 plugins (the mechanism by which Rapid7 InsightConnect integrates with third-party systems) for the IT and security systems your organization uses and that are required for your particular automation workflow. Then put your logic, human decision points, and communication points into the workflow.

Once the workflow is complete, you’ll still need to do some testing to make sure it works as designed. There are always little things – for example, different plugins expect different input formats. Cisco Umbrella just requires a domain, whereas for a firewall, you’ll need to use the entire URL when searching logs and updating block lists. The same goes for Mimecast and other email security platforms. But start small! Build out the logic more as you get more comfortable with the whole approach and as you get feedback from your user group.

How long did it take to get this URL blocking workflow up and running?

This URL-blocking workflow has about 20 steps or so. As for development time, I put together the bones of it in a day or two, with just a few hours of total effort. The input validation and the testing actually took the longest, but it was no more than a week from start to finish to get this particular workflow out the door. And donating it to the InsightConnect community also took very little effort.

The key here is to not be afraid to keep testing and iterating. When in doubt, don’t hesitate to reach out to the Community via the Discuss Community to ask for advice.

Now, by leveraging this SOAR-based automation, it takes less than a minute to block a malicious URL everywhere it needs to be blocked. Previously, if you had to block a URL manually, one system at a time, it could take 40 minutes to an hour from start to finish. We run this workflow 10-20 times in a typical week. So that saves between 7 and 20 hours of analyst time a week; as much as half an FTE just from this one security automation! And the increased blocking completeness and speed is a further risk reduction bonus.

My Advice for SOAR Workflow Builders?

Rapid7 InsightConnect is one of those tools that does not and should not exist in a vacuum. You actually need the support and involvement of your other IT teams to deliver maximum value. Get that buy-in! It’s a security orchestration tool. So orchestrating multiple people, processes and technology is what it’s there to do!

How to Accelerate Your SOAR Program to Full Speed in Less Than a Year

Post Syndicated from Ryan Fried original https://blog.rapid7.com/2022/09/21/how-to-accelerate-your-soar-program-to-full-speed-in-less-than-a-year/

Every new technology comes with a learning curve specific to your organization. First you learn the basics, then you accelerate. Rapid7’s offerings are no different.

As a Senior Information Security Engineer at Brooks, I have firsthand experience with this process. I oversaw the implementation of Rapid7’s security orchestration, automation, and response (SOAR) product, InsightConnect, within my organization. We went from zero to 20+ workflows in just one year. Here are some reflections and advice about setting up a SOAR program, through the lens of my story about that successful and innovative year.

Workflow 1: Let Rapid7 hold your hand

In a previous blog regarding our initial deployment of InsightConnect, I shared key advice about how to set up a SOAR tool and get the program started. Looking back on that successful process, I believe that you should start with a goal that’s manageable – and delivers immediate value to help prove and cement the value of the initiative. For example, a phishing-related workflow is a great place to start. But there are other options as well, depending on your organization’s needs. Consider the following questions:

  • What pain point within your organization presents an immediate need?
  • What processes do you already want or need to try to automate?

Consider your team’s key technologies as well, but as you think through these questions, approach the solution in a technology-agnostic way. Instead, focus on the process, which can usually be applied to multiple technologies, and the corresponding desired outcome.

After that, you’ll want to work with your security analysts (assuming you’re not the security analyst!) to determine their pain points as well. What are the most common alerts they get? Where do they spend the most time? Or my favorite question to ask, “What requires the most browser tabs?” Your immediate focus should be how to make their job easier and more efficient.

From there, lean heavily on Rapid7’s product resources and services, and especially existing workflows that you can find in the Rapid7 Extensions Library – this will cut your work in half.

Workflows 2 to 5: Integrate with Slack and Teams

Once you’ve gone live with your first workflow, continue to look to the Rapid7 Extensions Library for workflows you can download and adapt to your needs. Some of the best examples of that use Slack or Microsoft Teams as the primary interface – you can find them easily by searching for workflows by category. And when you find an appropriate workflow, don’t get caught up on the specific technologies in the workflow. Again, focus on the process that you’re automating – after all, blocking an IP on one firewall is essentially the same as blocking an IP on another firewall, as it’s just a matter of swapping the integration plugin.

A major reason I advise starting with Slack and Teams-related workflows is that they’re the most numerous in the library and are valuable to most organizations. But this is the point where buy-in from key stakeholders across your organization becomes essential. Work with whoever runs your Teams or enterprise Slack account to input the appropriate API keys – they’re an extended part of your security automation team.

From there, look into workflows for incident response and enrichment – again, in the extensions library. Searching Virustotal or forcing a password reset or revoking Office 365 access can be very useful areas of automation, since you likely conduct those processes a lot. They can take a lot of time because they often rely on other teams when integration and automations aren’t already in place. Since time is of the essence in a phishing-related compromise, they’re super impactful.

One reason response and enrichment workflows are so useful for Workflows 2 to 5 is that they help you understand that SOAR is not just about full automation. In fact, it’s about supporting human decision-making. So many security decisions require human insight and experience to get right. What SOAR can do is automatically collect the necessary context, tee up the decision to the security analyst, and then broadly automate the execution of those decisions.

Workflows 6 to 10: Home in on your analysts’ pain points

At this point, it’s going to become easier for you and your team to build and implement your own, more heavily customized workflows. You’ll understand things like decision trees, loops, and markdown cards – essential tools to take your security automation workflows to the next level. You’ll then be prepared to start customizing more workflows specifically catered to the needs of your organization and your analysts. Start here:

  1. Find out what your analysts’ top 5 alerts are. They’ll likely be something along the lines of DNS, EDR, Firewalls, or email-related alerts.
  2. Return to the Rapid7 workflow library to find existing workflows you can adopt and customize to address those alert categories.

Expect to commit a couple of hours here and there over a couple of weeks to perfect each workflow to fit your organization. This may sound like a lot, but I promise – the lift isn’t too hard. The Rapid7 extensions library and the tool itself do a lot of the lifting for you!

Workflows 10 to 20: Take your workflows to the next level

Once you’ve implemented roughly 10 workflows, you’re ready to start homing in on specific pain points that likely require a bit more customization – for example, ad-hoc actions for investigations like revoking active Office 365 sessions, searching for and deleting specific emails, or automatically blocking likely malicious URLs based on threat intelligence feeds you’re subscribed to.

The more you create, the more comfortable you’ll be creating workflows from scratch. In my experience, by the time you get to 20 workflows, you should expect that you or a team member could get a typical workflow designed and shipped in 1 to 2 weeks, assuming they spend 4 to 8 hours a week on it. Check out two of my team’s prized custom workflows:

However, that’s not to say that you can’t still make existing workflows your own. It’s to your benefit to keep up with the latest developments in Rapid7’s marketplace. I check the marketplace every few weeks and subscribe to the newsletter for new workflows or plugins. I’ve also learned to use the plugin API to make custom API calls for plugins Rapid7 doesn’t yet have!

In my next blog, I’ll take a deeper dive into the why and how of high-value security automation workflows. I’ll also give you some insights into the benefits we’ve seen at Brooks thanks to our SOAR program.


Grey Time: The Hidden Cost of Incident Response

Post Syndicated from Joshua Harr original https://blog.rapid7.com/2022/09/13/grey-time-the-hidden-cost-of-incident-response/

The time cost of incident response for security teams may be greater – and more complex – than we’ve been assuming. To see that in action, let’s look at a hypothetical scenario that should feel familiar to most cybersecurity analysts.

An everyday story

A security engineer, Casey, is tuning a SIEM to detect a specific threat that poses an increased risk to their organization. This project has been allotted a set amount of time for completion. The research and testing that Casey must do in order to get the query and tuning correct, accurate, and effective are essential to the business. This is one of many projects this engineer has on their plate. They are getting into the research and starting to understand the attack well enough to begin drafting the preliminary logic of the alert, and then…

An employee forwards an email that they believe to be phishy. Casey looks at the email and confirms it requires further investigation. However, the engineer must first reply to the user with instructions for sending the email as an attachment, so that the headers and other details that could help identify the artifacts of a malicious email are preserved. After that, the engineer will do their assessment and respond appropriately to the event.

Now, 25 minutes have passed. Casey returns to focus on tuning the alert but needs to go back over the research a bit more to confirm where they left off. Another 10 minutes have passed, and they are back where they were when the phishing alert came in. Now they are gathering the right information for the project and trying to get the right people involved, then…

An EDR alert comes in. It is from a director’s laptop. This begins to take priority, as the director needs this laptop for their presentation to a customer, and they leave for the airport in 3 hours. Casey steps away to analyze the alert, eradicate the malware, and begin a scan across the organization to determine if the malware hash value is seen elsewhere. 30 minutes go by, because an incident report needs to be added to the ticket. Casey sits back down and, for another 20 minutes, must recalibrate their thoughts to focus on the task at hand.

Grey time

Scenarios like this are happening in almost every organization today. High-risk security projects are delayed because fires pop up and need to be responded to. In the scenario we’ve just laid out, this engineer has lost one hour and 25 minutes from their project work due to incidents. These incidents carry risk if not dealt with promptly, but the project that this engineer is working on carries a high risk of impact if not completed.

Cal Newport, a computer science professor at Georgetown University, famously explained in his seminal book “Deep Work” that it takes each person a different amount of time to pivot from one task to another. It’s how our brains work. I’m calling that amount of time that it takes to pivot “grey time.” Grey time is not normally added into the time it takes to respond to incidents, but we should change that.

Whether it takes 30 seconds, 5 minutes, or 15 minutes to respond to an incident, you have to add 5 to 25 minutes of grey time to the process to pivot back to the work previously being performed. The longer the break from the task, the longer it may take to get back into the project fully. Grey time is just as detrimental to an organization as not responding to the incidents. There are quite a few statistics out there that help us quantify distractions and interruptions:

Incidents can be distractions or interruptions. The fact is that some events that security professionals respond to are benign and do not lead to actioning an incident response plan or prevent prioritized work from being completed.

Here is where Security Orchestration, Automation, and Response (SOAR) comes into play. Those manual tasks security professionals are doing that take time away from risk-informed projects to secure the business can be automated. If tasks cannot be automated fully, we can at least automate the process of pivoting from tool to tool. SOAR can eliminate the manual notation in a ticketing system and the documentation of an incident report. It can also reduce time to respond and help eliminate grey time.

Grey time reduction through SOAR

In an industry where alert fatigue and employee attrition are pervasive issues, the need is high for SOAR’s extensive automation capabilities. Think about the tasks in your organization that you would automate if you could, because they are taking up more time than necessary. We can do some quick math to find your organization’s annual cost of manual response for each of those tasks, including grey time.

  1. First, think of an action your team performs repeatedly.
  2. Assign a “task minutes” (tm) value, which is approximately how long it takes to do that task.
  3. Then, estimate the “task instances per week” (ti) value.
  4. Multiply by 52 to find your “task minutes per year.”
  5. Divide by 60 to find your “task hours per year.”
  6. Multiply by your average hourly employee rate for the team that works on that task to find your annual cost of manual response.

I encourage you to do this for each playbook or process you have.

  • Task minutes (tm) x task instances per week (ti) = total task minutes per week (ttw)
  • ttw x 52 = total task minutes per year (tty)
  • tty / 60 = total hours per year (ty)
  • ty x hourly employee rate (hr) = cost of manual response

What we haven’t done here is add in the grey time. On average, it takes about 23 minutes and 15 seconds to regain focus on a task after a distraction. So, with that in mind, let’s round out this post by quantifying our story from earlier.

Let’s say that Casey, our engineer, takes 30 minutes for each phishing email, and malware compromises take 15 minutes to contain and eradicate. Both incident reports take about 20 minutes. Let’s also say that the organization sees about 16 phishing instances per week (ti) and phishing with the reporting takes 50 minutes. Let’s add in the grey time at 20 minutes to make it 70 minutes (tm).

  • 70 x 16 = 1,120 minutes (ttw)
  • 1,120 x 52 = 58,240 minutes (tty)
  • 58,240 / 60 = 970.7 hours (ty)

Using the national average salary of an entry-level incident and intrusion analyst at $88,226, we can break that down to an hourly rate of $42.41. From there, 970.7 (ty) x 42.41 (hr) = $41,167.39.

That’s just over $41K spent on manual responses to phishing each year. What about the malware? I’ll shorthand it because I believe you get the picture. Let’s say malware incidents happen about 10 times a week.

  • 25 min + 20 min = 45 min (tm)
  • 45 x 10 = 450 (ttw)
  • 450 x 52 = 23,400 (tty)
  • 23,400 / 60 = 390 (ty)
  • 390 x $42.41 = $16,539.90
  • $16,539.90 + $41,167.39 = $57,707.29

That’s nearly a full-time employee salary for just two manual processes!
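The cost arithmetic above, written out in Python as an added example (it is not code from the post): it generalizes the tm x ti x 52 / 60 x hr chain to any set of playbooks, reproduces the post’s phishing and malware figures, and adds an estimate of what is left once a playbook runs in SOAR. The 2-minute residual review and the assumption that no grey time is charged after automation are my assumptions, not the post’s.

```python
"""Annual cost of manual response processes, grey time included.

Implements the post's formula (task minutes x instances per week x 52 / 60
x hourly rate) for any number of playbooks.  The sample playbooks use the
post's figures; the residual-review savings estimate is an added assumption.
"""
from dataclasses import dataclass

WEEKS_PER_YEAR = 52


@dataclass
class Playbook:
    name: str
    task_minutes: float          # hands-on minutes per instance, report included
    instances_per_week: float    # ti
    grey_minutes: float = 0.0    # refocus time charged per interruption

    def minutes_per_instance(self) -> float:
        """tm: task minutes plus grey time."""
        return self.task_minutes + self.grey_minutes

    def minutes_per_week(self) -> float:
        """ttw = tm x ti."""
        return self.minutes_per_instance() * self.instances_per_week

    def minutes_per_year(self) -> float:
        """tty = ttw x 52."""
        return self.minutes_per_week() * WEEKS_PER_YEAR

    def hours_per_year(self) -> float:
        """ty = tty / 60, rounded to one decimal place as the post does."""
        return round(self.minutes_per_year() / 60, 1)

    def annual_cost(self, hourly_rate: float) -> float:
        """ty x hr, in dollars."""
        return round(self.hours_per_year() * hourly_rate, 2)


def total_annual_cost(playbooks, hourly_rate: float) -> float:
    """Sum of the annual manual-response cost across all playbooks."""
    return round(sum(p.annual_cost(hourly_rate) for p in playbooks), 2)


def automation_savings(playbook: Playbook, hourly_rate: float,
                       residual_minutes: float) -> float:
    """Annual dollars saved if each instance shrinks to a short review of the
    workflow's output.  Assumption: the analyst is no longer pulled off another
    task, so no grey time is charged after automation."""
    automated = Playbook(playbook.name, residual_minutes,
                         playbook.instances_per_week, grey_minutes=0.0)
    return round(playbook.annual_cost(hourly_rate)
                 - automated.annual_cost(hourly_rate), 2)


# Figures taken from the post: $42.41/hour; phishing 50 min plus 20 min grey
# time at 16 instances/week; malware 45 min per instance at 10 instances/week.
HOURLY_RATE = 42.41
PHISHING = Playbook("phishing triage", task_minutes=50,
                    instances_per_week=16, grey_minutes=20)
MALWARE = Playbook("malware containment", task_minutes=45,
                   instances_per_week=10)

if __name__ == "__main__":
    for p in (PHISHING, MALWARE):
        print(f"{p.name:22s} {p.hours_per_year():8.1f} h/yr "
              f"${p.annual_cost(HOURLY_RATE):,.2f}")
    print(f"total: ${total_annual_cost([PHISHING, MALWARE], HOURLY_RATE):,.2f}")
    # Constructed assumption: a 2-minute review per automated phishing run.
    print(f"phishing savings with a 2-minute review: "
          f"${automation_savings(PHISHING, HOURLY_RATE, 2):,.2f}")
```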

SOAR past grey time

SOAR is becoming increasingly needed within our information security programs. Not only are we wasting time on manual processes that could be automated, but we are adding grey time to our workday and decreasing the time we have to work on high-priority projects that are informed by business risk and necessary to protect revenue and business operations. With SOAR, you can refocus your efforts on risk-relevant tasks and limit manual task interruptions. You can also reduce grey time and increase the effectiveness of your security program. With SOAR, it’s all blue skies – and no grey time.


Cybersecurity Analysts: Job Stress Is Bad, but Boredom Is Kryptonite

Post Syndicated from Amy Hunt original https://blog.rapid7.com/2022/08/24/cybersecurity-analysts-job-stress-is-bad-but-boredom-is-kryptonite/

Years ago, “airline pilot” used to be a high-stress profession. Imagine being in personal control of equipment worth millions hurtling through the sky on an irregular schedule with the lives of all the passengers in your hands.

But today on any given flight, autopilot is engaged almost 90% of the time. (The FAA requires it on long-haul flights or anytime the aircraft is over 28,000 feet.) There are vast stretches of time where the problem isn’t stress – it’s highly trained, intelligent people just waiting to perhaps be needed if something goes wrong.

Of course, automation has made air travel much safer. But over-reliance on it is now considered an emerging risk for pilots. The concerns? Loss of situational awareness, and difficulty taking over quickly and deftly when something fails. FAA scientist Kathy Abbott believes automation has made pilot error more likely if they “abdicate too much responsibility to the automated systems.” This year, the FAA rewrote its guidance, now encouraging pilots to spend more time actually flying and keeping their skills sharp.

What you want at any job is “flow”

Repetitive tasks can be a big part of a cybersecurity analyst’s day. But when you combine monotony (which often leads to boredom) with the need for attentiveness, it’s kryptonite. One neuroscientific study proved chronic boredom affects “judgment, goal-directed planning, risk assessment, attention focus, distraction suppression, and intentional control over emotional responses.”

The goal is total and happy immersion in a task that challenges you but is within your abilities. When you have that, you’re “in the zone.” And you’re not even tempted to multi-task (which isn’t really a thing).

Combine InsightConnect and InsightIDR, and you can find yourself “in the zone” for incident response:

  • Response playbooks are automatically triggered from InsightIDR investigations and alerts.
  • Alerts are prioritized, and false alerts are wiped away.
  • Alerts and investigations are automatically enriched: no more manually checking IPs, DNS names, hashes, etc.
  • Pathways to PagerDuty, Slack, Microsoft Teams, JIRA, and ServiceNow are already set up for you and tickets are created automatically for alerts.

According to Rapid7’s Detection and Response Practice Advisor Jeffrey Gardner, the coolest example of InsightIDR’s automaticity is its baselining capability.

“Humans are built to notice patterns, but we can only process so much so quickly,” Gardner says. “Machine learning lets us take in infinitely more data than a human would ever be able to process and find interesting or anomalous activity that would otherwise be missed.” InsightIDR can look at user/system activity and immediately notify you when things appear awry.

The robots are not coming for your job – surely not yours. But humans and machines are already collaborating, and we need to be very thoughtful about exactly, precisely how.

Like inattentive commercial pilots, Tesla drivers using Autopilot don’t much look at the road even though they’re required to, and they remain wholly responsible for everything the vehicle does. Teslas are also being hacked, started, and driven off. A 19-year-old took 25 Teslas. We’re designing our jobs – and life on earth, too.


360-Degree XDR and Attack Surface Coverage With Rapid7

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2022/08/18/360-degree-xdr-and-attack-surface-coverage-with-rapid7/

Today’s already resource-constrained security teams are tasked with protecting more as environments sprawl and alerts pile up, while attackers continue to get stealthier and add to their arsenal. To be successful against bad actors, security teams need to be proactive against evolving attacks in their earliest stages and ready to detect and respond to advanced threats that make it past defenses (because they will).

Eliminate blindspots and extinguish threats earlier and faster

Rapid7’s external threat intelligence solution, Threat Command, reduces the noise of numerous threat feeds and external sources, and prioritizes and alerts on the most relevant threats to your organization. When used alongside InsightIDR, Rapid7’s next-gen SIEM and XDR, and InsightConnect, Rapid7’s SOAR solution, you’ll unlock a complete view of your internal and external attack surface with unmatched signal to noise.

Leverage InsightIDR, Threat Command, and InsightConnect to:

  • Gain 360-degree visibility with expanded coverage beyond the traditional network perimeter thanks to Threat Command alerts being ingested into InsightIDR, giving you a more holistic picture of your threat landscape.
  • Proactively thwart attack plans with Threat Command alerts that identify active threats from across your attack surface.
  • Find and eliminate threats faster when you correlate and investigate Threat Command alerts with InsightIDR’s rich investigative capabilities.
  • Automate your response by attaching an InsightConnect workflow to take action as soon as a detection or a Threat Command alert surfaces in InsightIDR.

[Figure: Threat Command alerts alongside InsightIDR Detection Rules]

Stronger signal to noise with Threat Command Threat Library

The power of InsightIDR and Threat Command doesn’t end there. We added another layer to our threat intelligence earlier this year when we integrated Threat Command’s Threat Library into InsightIDR to give more visibility into new indicators of compromise (IOCs) and continued strength around signal to noise.

All IOCs related to threat actors tracked in Threat Command are automatically applied to customer data sent to InsightIDR, which means you automatically get current and future coverage as new IOCs are found by the research team. Alongside InsightIDR’s variety of detection types — User Behavior Analytics (UBA), Attacker Behavior Analytics (ABA), and custom detections — you’re covered against all infiltrations, from lateral movement to unique attacker behaviors and everything in between. The impact? Your team is never behind on emerging threats to your organization.

Faster, more efficient responses with InsightConnect

Strong signal to noise is taken a step further with automation, so teams can not only identify threats quickly but respond immediately. The expanded integration between InsightConnect and InsightIDR allows you to respond to any alert being generated in your environment. With this, you can easily create and map InsightConnect workflows to any ABA, UBA, or custom detection rule, so tailored response actions can be initiated as soon as there is a new detection.

See something suspicious that didn’t trip a detection? You can invoke on-demand automation with integrated Quick Actions from any page in InsightIDR.

[Figure: Mapping of InsightConnect workflows to an ABA alert in InsightIDR]

Sophisticated XDR without any headaches

With Rapid7, you’ll achieve sophisticated detection and response outcomes with greater efficiency and efficacy — no matter where you and your team are on your security journey. Stay up to date on the latest from InsightIDR, Threat Command, and InsightConnect as we continue to up-level our cross-product integrations to bring you the most comprehensive XDR solution.


5 SOAR Myths Debunked

Post Syndicated from Matthew Gardiner original https://blog.rapid7.com/2022/07/27/5-soar-myths-debunked/

A recently published ESG research ebook, sponsored by Rapid7, SOC Modernization and the Role of XDR, shows that organizations are increasingly leveraging security orchestration, automation, and response (SOAR) systems in an attempt to keep up with their security operations challenges. This makes sense, as every organization is facing the combined pressure of the growing threat landscape, expanding attack surface, and the cybersecurity skills shortage. To address these challenges, 88% of organizations report that they plan to increase their spending on security operations with the specific goal of better operationalizing threat intelligence, leveraging asset data in their SOC, improving their alert prioritization, and better measuring and improving their KPIs. All of these initiatives fall squarely into the purpose and value of SOAR.

In the same research, ESG also uncovered both praise and challenges for SOAR systems. On the praise side, there is very broad agreement that SOAR tools are effective for automating both complex and basic security operations tasks. But on the challenges side, the same respondents report unexpectedly high complexity and demands on programming and scripting skills that are getting in the way of SOAR-enabled value realization.

The SOC Modernization and the Role of XDR ebook, my years in the security industry, and my last year heavily focused on security operations and SOAR bring to mind five common SOAR myths worth debunking.

Myth #1: SOAR-enabled security automation is about eliminating security analysts

Security professionals, you can put away your wooden shoes (Sabot). There is no risk of job losses resulting from the use of SOAR tools. While in some cases, security tasks can be fully automated away, in the vast majority of SOAR-enabled automations, the value of SOAR is in teeing up the information necessary for security analysts to make good decisions and to leverage downstream integrations necessary to execute those decisions.

If you love manually collecting data from multiple internal and external sources necessary to make an informed decision and then manually opening tickets in IT service management systems or opening admin screens in various security controls to execute those decisions, stay away from using SOAR! Want to hear directly from an organization regarding this myth? Check out this Brooks case study and a supporting blog. The point of SOAR is to elevate your existing security professionals, not eliminate them.

Myth #2: SOAR requires programming skills

While SOARs require programming logic, they don’t generally require programming skills. If you know what process, data, decision points, and steps you need to get the job done, a SOAR system is designed to elevate the implementer of these processes out of the weeds of integrations and code-level logic steps necessary to get the job done.

The purpose of a well-designed SOAR is to elevate the security analyst out of the code and into the logic of their security operations. This is why a SOAR is not a general-purpose automation tool but is specifically designed and integrated to aid in the management and automation of tasks specific to security operations. Programming skills are not a prerequisite for getting value from a SOAR tool.

Myth #3: SOAR is only for incident response

While clearly the origin story of SOAR is closely connected to incident response (IR) and security operations centers (SOCs), it is a myth that SOARs are exclusively used to manage and automate IR-related processes. While responding effectively and quickly to incidents is critical, preparing your IT environment well through timely and efficient vulnerability management processes is equally important to the risk posture of the organization.

We see here at Rapid7 that just as many vulnerability management use cases are enabled with our SOAR product, InsightConnect, as are incident response ones. If you want to see some real life examples of incident response and vulnerability management use cases in action, check out these demos.

Myth #4: You must re-engineer your security processes before adopting SOAR

Some organizations get caught in a security catch-22. They are too busy with manual security tasks to apply automation to help reduce the time necessary to conduct these security tasks. This is a corollary to the problem of being too busy working to do any work. The beauty of SOAR solutions is that you don’t have to know exactly what your security processes need to be before using a SOAR. Fortunately, thousands of your peer organizations have been working on hundreds of these security processes for many years.

Why create from scratch when you can just borrow what has already been crowdsourced? Many SOAR users freely publish what they consider to be the best practice security process automations for the various security incidents and vulnerabilities that you will likely encounter. SOAR vendors, such as Rapid7, curate and host hundreds of pre-built automations that you can study and grab for free to apply (and customize as appropriate) to your organization. These crowdsourced libraries mean that you do not need to start your security automation projects with a blank sheet of paper.

Myth #5: SOAR tools are not needed if you use managed security service providers

There is no question that managed security service providers in general and managed detection and response (MDR) providers – such as Rapid7 – in particular can deliver critical security value to organizations. In fact, in the same ESG research, 88% of organizations reported that they would increase their use of managed services for security operations moving forward. The economic value of an MDR service like Rapid7’s was demonstrated in a newly published Forrester TEI report. But what happens to SOAR when you leverage an MDR provider?

The reality is that managed providers complement and extend your security teams and thus don’t fully replace them. While managed providers can and do automate aspects of your security operations – most typically detections and investigations – rarely are they given full rein to make changes in your IT and security systems or to drive responses directly into your organization. They provide well-vetted recommendations, and you, the staff security professionals, decide how and when best to implement those recommendations. This is where SOAR comes in, doing what it does best: helping you manage and automate the execution of those recommendations. In fact, debunking the myth, SOAR tools can directly complement and extend the value of managed security service providers.

Clearly, there is no shortage of things to do and improve in most organizations to bend the security curve in favor of the good guys. My hope is that this latest research from ESG and the SOAR myth-busting in this blog will help you and your organization bend the security curve in your favor.

Download the e-book today for more insights from ESG’s research.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Deploying a SOAR Tool Doesn’t Have to Be Hard: I’ve Done It Twice

Post Syndicated from Ryan Fried original https://blog.rapid7.com/2022/07/21/deploying-a-soar-tool-doesnt-have-to-be-hard-ive-done-it-twice/

As the senior information security engineer at Brooks, an international running shoe and apparel company, I can appreciate the challenge of launching a security orchestration, automation, and response (SOAR) tool for the first time. I’ve done it at two different companies, so I’ll share some lessons learned and examples of how we got over some speed bumps and past friction points. I’ll also describe the key steps that helped us create a solid SOAR program.

At Brooks we selected Rapid7’s InsightConnect (ICON) as our security automation tool after a thorough product review. I was familiar with ICON because I had used it at a previous company. There are other SOAR tools out there, but InsightConnect is my preferred option based on my experience, its integrations, support, and Rapid7’s track record of innovation in SOAR. InsightConnect is embedded in everything we do now. We use it to slash analyst time spent on manual, repetitive tasks and to streamline our incident response and vulnerability management processes.

When you’re starting out with SOAR, there are two important things you need to put in place.

  • One is getting buy-in from your active directory (AD) team on the automation process and the role they need to play. At Brooks, we have yearly goals that are broken down into quarters, so getting it on their quarterly goals as part of our overall SOAR goal was really important. This also applies to other areas of the IT and security organizations.
  • The second is getting all the integrations set up within the first 30 to 60 days. It’s critical because your automation tool is only as good as the integrations you have deployed. Maybe 50% to 60% of them fall under IT security, but the other 30% or 40% are still pretty important, given how dependent security teams are on other organizations and their systems. So, getting buy-in from the teams that own those systems and setting up all the integrations are key.

Start with collaboration and build trust

A successful SOAR program requires trust and collaboration with your internal partners – essentially, engineering and operations and the team that sets up your active directory domain – because they help set up the integrations that the security automations depend on. You need to develop that trust because IT teams often hesitate when it comes to automation.

In conversations with these teams, let them know you won’t be completely automating things like blocking websites or deleting users. In addition, stress that almost everything being done will require human interaction and oversight. We’re just enriching and accelerating many of the processes we already have in place. Therefore, it will free up their time in addition to ours because it’s accomplishing things that they do for us already. And remember we have the ability to see if something happened that may have been caused by the SOAR tool, so it’s automation combined with human decision-making.

For example, say something stops working. The team asks you: “Hey, what’s changed?” With ICON up and running, you can search within seconds to see, for example, what firewall changes have happened within the last 24 hours. What logins have occurred? Are there any user account lockouts? I can search that in seconds. Before, it used to take me 15 to 30 minutes to get back to them with a response. Not anymore. That’s what I call fast troubleshooting.

Meet with your security analysts and explain the workflows

Right from the beginning, it’s important to meet with your security analysts and explain the initial workflows you’ve created. Then, get them thinking about the top five alerts that happen most often and consume a lot of their time, and what information they need from those alerts. For instance, with two-factor authentication logs, the questions might be, “What’s the device name? Who’s the user’s manager? What’s their location?” Then, you can work in the SOAR tool to get that information for them. This will help them see the benefit firsthand.

This approach helps with analyst retention because the automation becomes the platform glue for all of your other tools. It also reduces the time your analysts have to spend on repetitive drudge work. Now, they’re able to give more confident answers if something shows up in the environment, and they can focus on more creative work.

Dedicate a resource to SOAR

I believe it’s important to have one person dedicated to the SOAR project at least half-time for the first six months. This is where teams can come up short. When the staff and time commitment is there, the process quickly expands beyond simple tasks. Then you’re thinking, “What else can I automate? What additional workflows can I pick up from the Rapid7 workflow marketplace and customize for our own use?”

Take advantage of the Rapid7 Extensions Library

The good news is you don’t need to build workflows (playbooks) from scratch. The Rapid7 Extensions Library contains hundreds of workflows which you can use as a core foundation for your needs. Then you can tweak the last 15% to 20% to make the workflow fit even better. These pre-built workflows get you off the ground running. Think of them not as ready-to-go tools, but more as workflow ideas and curated best practices. The first time I used InsightConnect, I used the phishing workflow and started seeing value in less than two weeks.

Implementing a security automation tool within a company’s network environment can be a challenge if you don’t come at it the right way. I know because I’ve been there. But Rapid7’s InsightConnect makes it easier by enabling almost anything you can imagine. With a SOAR solution, your analysts will spend less time on drudge work and more time optimizing your security environment. These are real benefits I’ve seen firsthand at Brooks. You can have them as well by following this simple approach. Best of luck.

Better Together: XDR, SOAR, Vulnerability Management, and External Threat Intelligence

Post Syndicated from Matthew Gardiner original https://blog.rapid7.com/2021/11/15/better-together-xdr-soar-vulnerability-management-and-external-threat-intelligence/

One of the biggest challenges with both incident response and vulnerability management is not just the raw number of incidents and vulnerabilities organizations need to triage and manage, but the fact that it’s often difficult to separate the critical incidents and vulnerabilities from the minor ones. If all incidents and vulnerabilities are treated as equal, teams will tend to underprioritize the critical ones and overprioritize those that are less significant. In fact, ZDNet reports that only 5.5% of all vulnerabilities are ever exploited in the wild, meaning that fixing all vulnerabilities with equal priority is a significant misallocation of resources, as 95% of them will likely never be exploited.

Unjamming incident response and vulnerability management

My experience with organizations over the years shows a similar issue with security incidents. Clearly not all incidents are created equal in terms of risk and potential impact, so if your organization is treating them equally, this also is a sign of misprioritization. And what organization has a surplus of incident response cycles to waste? Without some informed triaging and prioritization, the remediation of both incidents and vulnerabilities can get jammed up, and the security team can be blamed for “crying wolf” by raising the security alarm too often without strong evidence.

How to better prioritize security incidents and vulnerabilities? Fundamentally, it comes down to simultaneously having the right data and intelligence from both inside your IT environment and the world outside. What if you could know with high certainty what you have, what is currently going on inside your IT environment, and how and whether the threat actors’ current tools, tactics, techniques, and procedures are currently active and relevant to you? If this information and analysis was available at the right time, it would go a long way to helping prioritize responses to both detected incidents and discovered vulnerabilities.

Integrating XDR, SOAR, vulnerability management, and external threat intelligence

The key building blocks of this approach require the combination of extended detection and response (XDR) for continuous visibility and threat detection; vulnerability management for vulnerability detection and management; SOAR for security management, integration, and automation; and external threat intelligence to inject information about what threat actors are actually doing and how this relates back to the organization. The intersection of these four security systems and sources of intelligence is where the magic happens.

Separately, XDR, SOAR, vulnerability management, and external threat intelligence are valuable in their own right. But when used closely together, they deliver greater security insights that help guide incident response and vulnerability management. Together, they help security teams focus their limited resources on the risks that matter most.

What Rapid7 is doing about it

Rapid7 is on the forefront of bringing this integrated approach to market. It starts — but does not end — with possessing all the underlying technology and expertise necessary to bring this approach to life through our products in XDR, SOAR, vulnerability management, and external threat intelligence. New and particularly important to this story is how Rapid7’s external threat intelligence offering, brought forward by the recent acquisition of IntSights, is integrated and directly available to assist with incident and vulnerability management prioritization and automation.

The newly released InsightConnect for IntSights Plugin enables, among other capabilities, the enrichment of indicators — IP addresses, domains, URLs, file hashes — with what is known about them in the outside world, such as whether they are part of attackers’ infrastructure, their registration details, when they were first seen, any associations with threat actor groups, severity, and other key aspects. This information, when linked to alerts and vulnerabilities, can help drive the response prioritizations that are incredibly important to improving incident response and vulnerability management effectiveness and efficiency.

This is just the start of integrating IntSights threat intelligence into Rapid7’s broader set of security offerings. Stay tuned for additional integration news as Rapid7 brings best-of-breed solutions further, combining our vulnerability management, detection and response, and threat intelligence products and services to solve more real-world security challenges.

Energize Your Incident Response and Vulnerability Management With Crowdsourced Automation Workflows

Post Syndicated from Matthew Gardiner original https://blog.rapid7.com/2021/08/13/energize-your-incident-response-and-vulnerability-management-with-crowdsourced-automation-workflows/

It’s no secret that most organizations need to dramatically improve their incident detection and response and vulnerability management (VM) programs. How many major security breaches could organizations avert if they could detect and address them at the start, when they’re still just minor incidents?

Industry statistics show that actual mean-time-to-responses (MTTRs) for security incidents are very slow — measured in days, weeks, or more, not the minutes or hours necessary to dramatically reduce the risk of a significant breach. In fact, IBM’s Cost of a Data Breach report found that it took organizations an average of 207 days to detect, let alone address, cybersecurity incidents in 2020. Not surprisingly, in countless security breach retrospectives, the excessive exposure windows leading up to breaches are often found to be key contributors to the ultimate blast radii of these events.

SOAR to a better response

But what causes this excessive exposure? This depends on the organization and certainly can’t be attributed to any one thing, but practically every organization has too many security alerts and software vulnerabilities and not enough people or time to investigate or appropriately respond to them all.

So, what is the answer? More people? This is typically unrealistic, as candidates are hard to find and expensive once you do find them. Reduce the number of alerts? Sure, but which ones? If they require an investigation to differentiate false positives from true breaches, which alerts should you turn off?

Clearly a key part of the answer is to automate as much of the incident response and VM processes as possible. If you can respond to some of the alerts and vulnerabilities completely (or mostly) automatically, all the better!

This is what security orchestration, automation, and response (SOAR) systems, such as Rapid7’s InsightConnect, were created to do. But a SOAR platform on its own doesn’t solve the automation problem — it is just a platform, after all. Organizations also need the applications that run in and bring the SOAR platform to life. Sometimes called playbooks or workflows, these applications deliver the data, decisioning, integration, and communication necessary to automate incident response, as well as the processes necessary to prioritize and patch vulnerabilities.

But like the problem of rebuilding a plane while simultaneously flying it, how does a slammed IR, SOC, or VM team find the time to create these automation applications while continuing to address the issues that are continuously rolling in?

Strength in numbers: The power of crowdsourcing workflows

Increasingly, we believe the answer lies in crowdsourcing workflows from the SOAR product’s user community.

One of the key values of SOAR platforms is that they’re in effect specialized security communities with which users can share, customize, and run incident response, VM, and other types of workflows. With InsightConnect, users can pull integrations and incident response and VM workflows from the Extension Library and apply them quickly and easily to the specific needs of the organization. But what really makes this library great is the current and future applications — workflows — that you can find and check out.

Building on the hundreds of existing workflows contributed by Rapid7’s security experts, SOC analysts, and incident responders, we’ve recently taken the Extension Library to the next level by opening it up to submissions from customers and partners. Recently, we released our Contribute an Extension online process. This highly curated workflow submission system enables Rapid7 customers and partners to safely share their favorite workflows with the community.

In the spirit of open source software, Rapid7 acts as the curator of these submissions and vets them for privacy, security, and basic utility. We believe this expanded Extension Library experience will help organizations energize their incident response and VM programs and, by applying best practices and automation, reduce the likelihood of experiencing a major security incident.

The variety of potential automation applications is limited only by the community’s imagination — they aren’t even limited to pure incident response or VM automations. Any processes that security teams do repetitively and largely manually are excellent candidates for automation. Most security teams could certainly do with some help energizing — and some fresh insights from fellow practitioners might just be the spark they need.

SOAR Tools: What to Look for When Investing in Security Automation Tech

Post Syndicated from Aaron Wells original https://blog.rapid7.com/2021/02/10/soar-tools-what-to-look-for-when-investing-in-security-automation-tech/

Security orchestration, automation, and response (SOAR) refers to a collection of software solutions and tools that organizations can leverage to streamline security operations in three key areas: threat and vulnerability management, incident response, and security-operations automation.

From a single platform, teams can use automation to create efficiencies and stay firmly in control of IT security functions. SOAR solutions, like Rapid7 InsightConnect, also enable process implementation and efficiency gap analysis, and incorporate machine learning to help analysts accelerate operations intelligently.

3 core competencies of SOAR

According to Gartner, these are the most important technological features of SOAR:

  • Threat and vulnerability management supports vulnerability remediation as well as formalized workflows, reporting, and collaboration.
  • Security-incident response supports how an organization plans, tracks, and coordinates incident responses.
  • Security-operations automation supports orchestration of workflows, processes, policy execution, and reporting.

Your SOAR: Essential elements

A solution tailored to your team will yield the greatest benefits to the organization. With regard to the features mentioned above, security teams typically are looking at some key benefits as must-haves when planning a SOAR solution.

Redistribute brainpower with orchestration and automation tools. Teams build real-time triggers into workflows, which kick-start automation. Triggers listen for certain behaviors, and then initiate workflows when the required input passes through the trigger. Without orchestration from a SOAR tool, the security team would coordinate these workflows manually. SOAR integrates across security tools via APIs, with workflows across these tools detecting and responding to incidents and threats.

Execute security tasks in seconds versus hours by automating a series of steps that make up a playbook. Teams can monitor these automated processes in a user-friendly dashboard or in their preferred chat tools. While orchestration enables integrations and coordination across security tools, playbooks automatically execute the interdependent actions in a particular sequence—without the need for human interaction.
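The trigger-then-playbook mechanics described above, together with the indicator enrichment (IP addresses, domains, URLs, file hashes) described in the XDR post earlier on this page, as an added Python example that is not InsightConnect’s or Rapid7’s own code. The intel table, sample events, severity thresholds and decision names are all constructed for illustration, and the in-memory lookup stands in for a real threat-intelligence plugin; blocking is only ever queued for analyst approval, never executed automatically.

```python
import re

# Constructed sample intelligence table (every value here is made up). It
# stands in for an external enrichment source such as a threat-intel plugin.
INTEL = {
    "198.51.100.7": {"severity": "high", "first_seen": "2021-03-14",
                     "tags": ["attacker-infrastructure"]},
    "login-reset.example": {"severity": "medium", "first_seen": "2021-07-30",
                            "tags": ["phishing"]},
    "0" * 64: {"severity": "low", "first_seen": "2020-11-02", "tags": ["pua"]},
}

# Alert priority is the highest severity among its indicators.
SEVERITY_RANK = {"unknown": 0, "low": 1, "medium": 2, "high": 3}

# Hypothetical decision policy per priority; a block is only queued for a human.
DECISIONS = {"high": "queue_block_for_approval", "medium": "open_ticket",
             "low": "auto_close", "unknown": "open_ticket"}

_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
_DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def classify(indicator: str) -> str:
    """Return the indicator type: ip, url, hash, domain or unknown."""
    if _IPV4.match(indicator):
        return "ip"
    if indicator.lower().startswith(("http://", "https://")):
        return "url"
    if _HASH.match(indicator):
        return "hash"
    if _DOMAIN.match(indicator):
        return "domain"
    return "unknown"


def enrich(indicator: str) -> dict:
    """Look an indicator up in INTEL; a URL is also looked up by its host."""
    kind = classify(indicator)
    keys = [indicator.lower()]
    if kind == "url":
        keys.append(re.sub(r"^https?://", "", keys[0]).split("/")[0])
    hit = next((INTEL[k] for k in keys if k in INTEL), None)
    return {"indicator": indicator, "type": kind,
            "severity": hit["severity"] if hit else "unknown", "intel": hit}


def phishing_trigger(event: dict) -> bool:
    """Trigger: fire only on user-reported mail carrying a recognisable indicator."""
    return event.get("source") == "user_report" and any(
        classify(i) != "unknown" for i in event.get("indicators", []))


def run_playbook(event: dict) -> dict:
    """Playbook steps run in sequence: enrich, prioritise, decide, recommend."""
    enriched = [enrich(i) for i in event.get("indicators", [])]
    priority = max((e["severity"] for e in enriched),
                   key=SEVERITY_RANK.__getitem__, default="unknown")
    return {"alert_id": event["id"], "priority": priority,
            "decision": DECISIONS[priority],
            # Candidate blocks (medium or higher) are presented, not applied.
            "recommended_blocks": [e["indicator"] for e in enriched
                                   if SEVERITY_RANK[e["severity"]] >= 2],
            "enrichment": enriched}


def run_workflow(events: list) -> list:
    """Only events that pass the trigger are handed to the playbook."""
    return [run_playbook(e) for e in events if phishing_trigger(e)]


# Constructed sample events (all identifiers made up for this example).
SAMPLE_EVENTS = [
    {"id": "A-1", "source": "user_report",
     "indicators": ["https://login-reset.example/verify", "198.51.100.7"]},
    {"id": "A-2", "source": "user_report", "indicators": ["intranet.example"]},
    {"id": "A-3", "source": "scanner", "indicators": ["198.51.100.7"]},
    {"id": "A-4", "source": "user_report", "indicators": ["0" * 64]},
]

if __name__ == "__main__":
    for r in run_workflow(SAMPLE_EVENTS):
        print(r["alert_id"], r["priority"], r["decision"], r["recommended_blocks"])
```

Event A-3 never reaches the playbook because the trigger only fires for user reports, while A-1 ends up queued for an analyst with both indicators listed as candidate blocks.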

Once implemented, a comprehensive SOAR solution should help streamline and simplify. With InsightConnect, teams can customize workflows as much or as little as they like. Connect teams and tools for clear communication, deploy no-code-connect-and-go workflows, and put automation to work for your business without sacrificing control.

Rapid solutions

SOAR platforms are designed to accelerate response times. A quality solution should be easy to deploy and use; it should also be reliable, nonintrusive, and safe. Teams should tailor it to be as efficient as possible so that it doesn’t end up costing time. This also means enabling mobile device access and control so teams can run playbooks, review security artifacts, and triage events—all on the go. How else can SOAR solve your need for speed?

  • Scalability: Your automation engine will scale with your organization and the number of incidents it eventually incurs. Think about optimizing performance by designing your solution to allow for vertical (CPU and RAM increases) and horizontal (server-instance increases) scaling.
  • Dual action: Security teams receive an average of 12,000 alerts a day. Your SOAR solution should be able to quickly compile relevant context about security events so your team can focus on analysis and response. False positives and threats are resolved faster, and experts can home in on tasks requiring intervention. With a quality platform, teams can exercise as much human judgment as they deem necessary and automate menial tasks.
  • Extensibility: Designing your SOAR for openness and extensibility will help optimize results. It should incorporate new security scenarios with ease, and ideally, it will integrate with third-party tools like SIEM, IPS, and IDS solutions.
  • Broad ecosystem: Orchestrate any piece of your technology stack with InsightConnect. You’ll spend less time assembling: Pre-built workflows easily integrate across a wide stack so you can more quickly innovate on the things that matter. Plus, create threat-specific workflows so everyone is notified faster, sees the same critical data and is able to take action across multiple technologies with rapid efficiency.

The real return on investment

Pricing models will always vary by tailored solution. For example, costs might be based on the number of users or the number of processes you want to automate or by the size of your environment. Begin your quest for value by searching for:

  • SOAR products that aren’t hiding costs. Your vendor should give a clear picture of charges related to configuration, deployment, and maintenance of the product.
  • SOAR tools with flexible options that work best with your budget. Make sure to accurately evaluate which features you need and those you can do without.

Also, consider the possibility of bringing greater collaboration to your team with features like chat tool integrations and workflow-notes documentation. Playbook and information sharing become easier and resolutions arrive faster. A SOAR workflow should ultimately become a community-based solution, with the potential to bolster your organization’s bottom line and prove out greater investments in security practices.

Want to learn more about how Rapid7 InsightConnect can help you with your automation goals? Request a demo today.
