Ransomware, data leaks, phishing, denial of service… these are some of the terms that everyone, even those who aren’t in the IT industry, will have repeatedly heard in the last few years. Everyone has received an email from a Nigerian prince or some long-lost rich, relative from Africa at least once. These are basic examples of cyberattacks called phishing attacks, which still have an acceptable success rate. If we were to talk about more tailored phishing attacks (common ones being a request to change your password or a notification that your account will be deleted if you don’t click on a link), those have an even better success rate – why is that so? Because bad actors are smart.

The first aspect to consider is that they will use many techniques to make their email seem as legitimate as possible, and the second, which is not connected to IT, is the psychological part. The psychological part manifests itself in a few different ways. It can be someone pretending to be your boss (using spoofing methods), an email containing a sense of urgency, or an email sent at the end of working hours when employee concentration is at its lowest. Because of this, organizations are on the lookout for more advanced systems to help them respond to these in a matter of minutes. That is where Security Orchestration, Automation, and Response (SOAR) comes in to save the day.

In this chapter, we will cover the main aspects of changes within cybersecurity and how those changes impact our everyday lives. A few years back, cyberattacks mainly impacted organizations, but today, their impact is felt by ordinary people as well. And this is something that will not change overnight. As one way of fighting back and improving their security posture, organizations can use many security tools. One of them is SOAR, and we will explain why SOAR is a must in every organization today.

In a nutshell, this chapter will cover the following main topics:

• Traditional versus modern security
• The state of cybersecurity
• What is SOAR?

Security plays a significant role in our everyday lives. Even from the start of civilization, security played a role in that people built their fortifications. If we go back through history, we can see how people built their fortifications on the top of a hill or on a river fork, or if something of this kind was not applicable, people dug canals around fortifications, built big walls, and so on. All this had one thing in common – the aim of securing the people and their properties against attacks from other tribes or countries.

As those fortifications were built, attackers always sought a way to penetrate those defenses. Some of them were massive attacks directly made on fortifications, sending a single person to breach the front or back entrance or create a diversion.

Probably the most famous of these, with the equivalent in IT appearing every day, is when ancient Greece attacked Troy. Because of Troy’s fortifications, Greece couldn’t penetrate the city, even though they had a massive army and the numbers were on their side. That all changed when Odysseus came upon the idea of a diversion. Greek forces pretended to retreat and left a giant wooden horse as a present from the gods to the people of Troy. And what did they do? The people of Troy took that wooden horse into the city. They didn’t know that Odysseus and his best fighters were hiding inside that wooden horse. In the early morning, while everyone was sleeping, Odysseus and his selected army exited the wooden horse and opened the door for the rest of the army to enter Troy. After that, all the defense mechanisms in place fell apart, and Troy was defeated.

If you are in cybersecurity, even if you don’t know this story about Troy, you will be aware of what a Trojan horse is: a term for malware that misleads users about its true purpose. While it appears to be secure software, it can contain malicious code. It works in much the same way as it did 3,000 years ago.

We can see that many types of historical attacks and defenses are similar throughout history; the only part that changes is how they are performed. We can look at a full army attack on a fortress as a Distributed Denial-of-Service (DDoS) attack, a Trojan horse as a payload being delivered, a ransomware attack as Vikings asking for gold and valuables to halt their attack on Britain, a spyware intrusion as sending a spy to gather information on fortress defenses from the inside, and so on. From a defense perspective, we can see how everyone started with a perimeter defense by building walls or creating a fortress at the top of a hill. Then, they moved to layered defense by adding water canals in front of walls. The best example of a historic, layered defense was Constantinople. It started with a single wall, and in the end, it contained a moat, a low wall, an outer wall, and an inner wall. If we look at cybersecurity, we can see that there was a similar approach with a single barrier to protect the perimeter – a firewall. This was followed by adding additional layers such as DDoS protection, a Web Application Firewall (WAF), antivirus solutions, and so on.

Looking at this parallel, we all can agree that these defense strategies weren’t enough and that even the most robust defenses fell under heavy attack. Even the great Constantinople, probably the city with the best defenses of all time, fell under heavy Ottoman attacks.

Why? As methods of attack evolved faster than methods of defense, it was harder to cover this gap.

The same is true for cybersecurity. As mentioned, we start with perimeter defense and then add layered defense, but even that isn’t sufficient. Methods of attack evolve, and bad actors always find a way to surpass existing systems. One thing is certain: traditional systems are outdated, and many organizations are in the process of updating their cybersecurity as a result.

There are a few reasons why this is happening:

• An important aspect is that people are more aware of how they use their personal information, how it is handled, and how it can be misused. People used to trust websites to use their info internally, but those websites sold that info to advertisement companies. People now expect more rigorous privacy and security for the data they share on websites.
• Second up on the list is reputation. Many organizations that suffer an attack experience a loss of reputation, and in the end, smaller organizations often don’t survive these kinds of attacks. The loss of existing clients and the absence of new ones to replace them affect many small and medium organizations after a cyberattack. Big organizations survive more quickly because of their size, but they suffer heavy losses.
• The third is bankruptcy, which is directly connected to ransomware in most cases. First, you need to pay to decrypt your data, and on top of that, you have the cost of not running your business. Coupled with a loss of clients, this will all bring small and medium organizations to their knees very quickly. In addition, these companies that have suffered a successful cyberattack end up having their information shared on the dark web. Consequently, they are often targeted by even more bad actors with financial gain as their motive.

Today, organizations either need to update their defense strategies to stay ahead of bad actors or risk a significant cybersecurity incident resulting in considerable financial losses – initially or in the long run.

The last few years have changed how businesses operate, and standard working will never be the same. Digital transformation and the COVID-19 pandemic have foundationally changed the way that we work. Modern tools for collaboration, such as Microsoft Teams, Slack, Zoom, and so on, make it possible for people to work from any location and still relate to their peers. When the COVID-19 pandemic started, everyone had to work from home. And something that started as a temporary solution has changed how people work permanently. However, it hasn’t just changed the way people are working. It has also changed how people connect and what network they use – it has changed cybersecurity. A traditional perimeter does not help anymore; people are expected to be outside their bubbles, and we must find new ways to protect them. The second thing to consider is that people don’t just use corporate devices to connect to corporate resources: they use personal devices as well.

Creating boundaries is becoming harder and harder, and organizations must find a new way to protect their resources. Traditional systems aren’t enough anymore. The first tools that people are turning to have been available for years in the market, such as Mobile Device Management/Mobile Application Management (MDM/MAM), Multi-Factor Authentication (MFA), Endpoint Detection and Response (EDR) platforms, Data Loss Prevention (DLP), and so on.

Introducing more security tools and hardening the working environment has a direct impact on productivity. Employees are expected to enroll devices to MDM, set up and pass MFA, avoid copying data to USBs, refrain from continuing their work on other devices, and avoid sharing any links with anyone. This significantly hampers the ability of employees to collaborate efficiently. Cybersecurity experts need to find a golden middle ground between productivity and security; often, this equates to sacrificing security under this pressure until a cybersecurity incident occurs.

To be able to detect security incidents as they happen, more advanced solutions are required: traditional ones such as Security Information and Event Management (SIEM), more modern ones such as Extended Detection and Response (XDR), and the Zero Trust methodology. SIEM allows us to collect logs from various solutions and correlate these events to detect threats more easily. However, on its own, it is ineffective. SIEM tools are only as good as the events they have as logs. We also need to have excellent Security Operations Center (SOC) analysts who can define detection rules, do cyber threat hunting, and react to security incidents in these SIEM solutions. This is why most new SIEM solutions add Artificial Intelligence (AI), Machine Learning (ML), User and Entity Behavior Analytics (UEBA), Threat Intelligence (TI), and so on, into the mix to help with detection – but what about the response? How do we acknowledge and resolve security incidents?

One of the more modern tools is XDR – this is not a single tool but a group of tools that work together to correlate cyber threat detections. In most cases, XDR will cover identities, emails, endpoints, servers, and cloud workloads. It will use AI and ML in the background to connect security incidents from these layers, which are often handled separately by different solutions, into a single incident that outlines the kill chain of an attack as it happens throughout an organization. While XDR is a must-have solution for most organizations, it still doesn’t cover the whole stack of security. You cannot ingest TI data, firewall logs, third-party solution detections, and so on. Typically, XDR will be connected to SIEM for correlation with other sources.

One thing we have seen with XDR is a change in the complexity of organizations’ cybersecurity. 10 years ago, organizations did not use the same vendor for different layers of protection. The idea was that if one failed, you would still have another vendor in line for protection – but how wrong was that?

First, our security experts had to learn to work with and manage multiple solutions and vendors. Multiple portals would therefore need to be logged in to daily. For big organizations, the number of security solutions and vendors used could exceed 40! And second, those solutions did not speak to each other. That means that they did not share intelligence; they did not correlate their shared data. Without SIEM collecting events from all devices, it was almost impossible to make connections between different security incidents. XDR changed this, as the idea behind it has been for solutions to speak with each other, share intelligence, and correlate events for better detection. Another significant benefit is that it is all in one portal, which is essential for security experts to focus on one unified product and not on five different ones.

Why is it essential to find new ways to protect organizations? Because bad actors are improving their game daily. Just in the last few years, we have had significant cyberattacks, including the Colonial Pipeline ransomware attack, the Maersk ransomware attack, the SolarWinds breach, and the Log4j vulnerability, plus many data breaches in which bad actors have stolen terabytes of personal data. These are only some of the attacks that have been top news worldwide. Even people who don’t know what a cyberattack is have started asking questions about what is happening. The reason for this is the significant impact of each attack. The Colonial Pipeline attack raised a lot of concern and panic among people in the United States. Because of this attack, a few states even reported shortages of fuel. Even though Colonial Pipeline paid the ransom (in total, around 5 million US dollars), restoring operations took them a few days. As a direct connection to the attack, fuel prices in most of the United States went up.

This is only one of the examples of how a cyberattack on critical infrastructure can impact an organization and a whole country. Let’s consider that most of the critical infrastructure in countries (electricity, water, fuel, gas, etc.) is controlled using computers. We can see why staying at least one step ahead of bad actors is crucial.

There are many different figures for the average cost of a cyberattack, and in most cases, the average cost is around $4 million. This cost is not only connected to paying a ransom but also returning to an operational state, plus the cost of losing customers. If we take a look at the Marriott hotel data breach, the total cost at the end could be in the billions, as we include the GDPR and user lawsuits. We can say that, on average, we have millions of reasons to think about cybersecurity at a time.

However, cyberattacks don’t just impact organizations; they are methods of modern warfare. We have had a few examples throughout history, but the latest one is probably the best example. As the Ukrainian-Russian war started, it didn’t start solely with typical military conflicts – guns, tanks, planes, and so on. Cyber warfare was a big part of it, and numerous attacks on Ukrainian infrastructure were reported.

Considering that we have more and more drones in the sky that are remotely managed, it shows us how serious it can be in the future if technological infrastructure is not protected.

While we can invest a lot of money into security equipment, we still have two significant issues at the top of the list regarding how a cyberattack starts. The first will be misconfiguration, and the second will be the user.

As mentioned, many organizations invest a lot in security equipment, but not in security experts or their personnel so that they can learn how to configure solutions correctly. Even a minor misconfiguration can affect the system in a manner that will leave a backdoor that a bad actor can use. Hiring security experts and continuous investment in cybersecurity personnel is more important than security solutions. Cybersecurity personnel must stay ahead of bad actors to protect critical infrastructure. While AI and ML play a significant role in cybersecurity, they will (maybe) never be able to replace security experts. Most sophisticated attacks are not initially detected by cybersecurity tools but rather by experts hunting for anomalies in raw system logs.

Users are probably the most considerable cybersecurity risk each organization faces. It is a common saying in cybersecurity that in each organization, there is at least one user who will click on every link. That is why phishing attacks are still the most common attacks on organizations. Every organization must invest in user education to reduce the risk of users clicking on a link in an obvious phishing email or downloading attachments from unknown sources. It is a long process to educate users and still, the risk will exist. As mentioned earlier, bad actors are smart and target users strategically – for example, when they know their focus will be at the lowest at the end of working hours.

On top of that, think about every conversation had with users – passwords. It is common for users to pick the same password for business and personal use and reuse it across all platforms. Some people use two different passwords, but rarely three or more. This directly impacts an organization’s security because many platforms don’t have advanced password protection – but that is not the only problem! Users incorporate personal information when creating these passwords (such as a place of birth or residence, names of pets or children, important dates, and so on) and then have all of that information publicly available on social media (pictures, About Me, favorite movies, quotes, and more). Because of all this, it is easy for bad actors to strategize their attacks. First, they have all the necessary info to create a dictionary for brute-force attacks on social media. Second, they can use a less secure platform to perform that attack and reuse the password on corporate logins. This is essentially why many organizations implement MFA.

The biggest challenge for modern SOCs is the high number of raw data and security incidents. This affects the time needed to acknowledge and respond to security incidents. The initial triage of an incident can take some time, even an hour, if a SOC is inefficient or there are not enough SOC analysts (which is more common). This can lead to detecting the cyberattack too late, and the attack can spread through the system.

Would it help if we could automate everyday tasks that our SOC analyst performed as part of the initial triage so that the SOC analyst took over once the initial triage had automatically been done? This is where SOAR comes into play!

SOAR is a set of security features that helps organizations collaborate on incident investigation and automate certain actions that SOC analysts perform. As the end goal with SOAR, we want to achieve a faster mean time to acknowledge (MTTA) and mean time to respond (MTTR). The MTTA and MTTR are the two most important measurements for a SOC.

The main elements of SOAR are as follows:

• Incident management
• Investigation
• Automation
• Reporting
• TI and Threat and Vulnerability Management (TVM)

Important note

We will touch on reporting as a separate topic in Chapter 3. We will also discuss TI and TVM through automation in Chapter 6.

SOAR is so important due to the increasing number of events to analyze and security incidents to investigate, and the deficit of security experts to perform the job. If you look at SOAR as a complete replacement for SOC analysts, you couldn’t be more wrong. SOAR is probably a SOC analyst’s best friend and provides the SOC team with the ability to analyze threats faster. SOAR as a tool and SOC teams can reduce the MTTA to a few minutes and the MTTR from hours to minutes!

How? The main aspect of SOAR is action automatization. That means that any task that the SOC team repeatedly performs during an incident should be automated. First, this will save time for SOC analysts – plus, we don’t need to worry about whether SOC analysts may forget to perform any tasks. Second, we can carry out the initial triage, and based on the input, we can auto-close false positives so that the SOC team doesn’t even need to work on them. Third, once the incident is assigned to SOC analysts, they can automatically see the enrichments made by automation to that incident. This will empower them to analyze and react to incidents much faster.

Incident management is an essential aspect of SOAR as well. If we want our SOC analysts to respond to incidents effectively, they need to have the space in which to do so. Not only space but also features will empower SOC analysts. These features include an incident overview, the possibility to increase or decrease the severity rating, close an incident, assign an incident owner, see more details, quickly navigate an investigation, comment on incidents, and so much more.

The reason why an investigation is essential is that the SOC team needs to gather as much information as early on as possible for an effective response. That can be through looking at similar incidents; checking what accounts, hosts, and IPs were included; whether those IPs, hosts, and accounts are known or not; how they connect with other data in the solution; and the ability to perform threat hunting. In addition, reporting, TI, and TVM provide even more insights to the SOC team to help perform an incident triage quickly and correctly.

So… do I need solutions such as XDR, SIEM, and so on? Or is SOAR enough?!

The quick answer is yes! These technologies differ in how they handle one common task – quickly and efficiently protecting your organization against threats.

Let’s look at the current situation in the market. We will see that many SIEM vendors either developed their own SOAR solution or bought a SOAR solution and integrated it into their environment. Microsoft Sentinel uses the power of Azure and Logic Apps for automation. Palo Alto bought Demisto (now called Cortex XSOAR) and integrated it into their XDR offering. Splunk bought Phantom and integrated it into their SIEM offering (now called Splunk SOAR). IBM bought Resilient and merged it into their SIEM offering (now called IBM Security QRadar SOAR). And the latest example is Google’s acquisition of Simplify and how they have merged it into their offering.

In all these examples, we can see a few trends. The most important one is that the future is to merge security tools into one so that you can manage your security completely in one place. The boundaries between security tools are receding constantly, and tools such as XDR, SIEM, SOAR, and so on are integrated more and more to provide a native, one-portal experience to organizations. The well-known line from Lord of the Rings is “one ring to rule them all,” and in security, it will be “one tool to rule them all.”

OK, so SOAR is here to stay – but what are the typical use cases?

• Incident enrichment: Here, we will use the information found using TI and TVM solutions to enrich incidents with more data:
  1. Is that hash or IP malicious? Check using TI and, based on this, you can escalate the incident or even close it if all the data is well-known to your organization.
  2. Does that host have any vulnerabilities? Check using TVM whether any Common Vulnerability and Exploit (CVE) is connected to the host and decide how to proceed.

Here, we can see how we can use automation to quickly grab that info on incident creation, and when the SOC analyst picks up that ticket, the data will be there. As a result, the SOC analyst doesn’t need to perform an initial triage, thus saving time. Based on this info from automation, we can make faster decisions on how to proceed with an incident.

• Incident remediation: Let’s say that, from the first step, we find out that an IP is malicious or that a host has a critical CVE. As a response, we can run automation that will block that IP in our firewall or EDR solution, or we can isolate that host so that it cannot cause any damage. This is done from the same portal; there is no need to go to different solutions, copy the IP, and then block it. With a click of the playbook, all will be done.
• Reduce fatigue by reducing the number of false positives: SOC teams have significant issues when solving false positives. It takes time to open each incident, check whether it is connected to our known data, and close it. What if the SOC analyst didn’t even need to look at it? Automation can be run to check for well-known data. If it is connected to well-known data, we can auto-close an incident: this means zero engagement from the SOC analyst.

The examples mentioned are clear examples of how tools such as SOAR can help improve the MTTA and MTTR. Instead of repeating tasks, the SOC can focus on high-severity and true-positive incidents. It’s a well-known fact that good SOC analysts will burn out after a few years, and organizations will need to bring in new analysts who need to be onboarded and taught the SOC’s tricks. SOAR will help to decrease pressure on the SOC by reducing fatigue. With it, mental health improves, and SOC analysts don’t burn out. That also means they can perform their job longer, be more satisfied, and focus on the tasks ahead. By reducing the number of events and incidents that a SOC analyst needs to resolve, they can also invest more time into learning about new defense methods. Overall, the losers in this picture are the ones who should be losing out – the bad actors.

This chapter covered the importance of improving your security strategy and keeping your organization’s security one step ahead of bad actors. We saw how the traditional method of protection is outdated, a perfect scenario for bad actors, and how they can utilize even the most direct attacks to take down organizations.

Throughout the chapter, we also touched base on the state of cybersecurity, how organizations are changing their strategies, and how new tools such as XDR are emerging. Equally, these new tools directly influence SOC teams being overloaded because more tools equal more events, which equals more security incidents. Since there is a significant gap in the market for security experts – and it takes a long time to investigate the share volume of events and incidents manually – there is a need for help.

This is where SOAR jumps in and helps organizations automate everyday tasks. This directly impacts the efficiency of SOC teams, reducing the MTTA and MTTR and overall SOC fatigue. We then introduced simple use cases for SOAR, such as incident enrichment, remediation, or auto-closure. Later in the book, we will use similar cases to go through how to set up automation step by step.

The next chapter will go through some of the most well-known SOAR tools. These solutions are often part of more comprehensive SIEM tools, and we will explain how those SIEM tools were nudged forward as the ruling security solutions. We will go through the main aspects of SOAR, such as incident management, investigation, and automation, and how these features are utilized in the day-to-day activities of SOC teams.