Why fly when you can SOAR? 5 things you’re getting wrong about security orchestration, automation and response

Security orchestration, automation, and response (SOAR) solutions are often billed as a panacea that will solve all of a security operations center’s (SOC) problems, reduce mean time to repair (MTTR), improve efficiency, act as a single pane of glass, and even make a really good cup of coffee. You name it and someone somewhere has claimed that a SOAR platform can do it. The truth, however, is a little more complicated.

Yes, a SOAR solution can automate a great number of tasks—if properly implemented. If a task can be broken down into steps that are repeatable, reusable, and consistent, then it has the potential to be automated. But if an organization tries to take on too much at once or is unfocused in its approach, the implementation can rapidly get out of hand and lead to failure and ultimately shelfware. Here are a few examples of common mistakes and misconceptions about SOARs.

Boiling the ocean

A SOAR solution can be incredibly powerful; the initial desire to automate everything in sight is akin to the first time you get a label maker. You want to apply it to everything, all at once. Some of the worst experiences I’ve seen have come from environments where the team tried to build a complex interweave of use cases and became bogged down in the details and frustrations. The key to a successful implementation is to start small. Find one or two simple use cases that allow the SOC team to get a handle on what can be done and on the thought process needed to build a use case. Initial simple automations and response actions, such as threat enrichment of an IOC (indicator of compromise), hash, or URL, are particularly effective because they can be easily reused as building blocks of more complex actions later.

Training? I don’t need any stinkin’ training!

Yes, you do. While training is often the first thing on the cutting room floor when budgeting for a new solution, it usually makes the difference between a successful implementation and a package becoming shelfware. This is the opportunity for your team to ask questions of the people who implement and use the technology daily. Take advantage of it. A SOAR platform, like most integration-focused solutions, has many hidden features and nuances in how complex actions such as workflows are created. These automated actions will, hopefully, be running your business, so you need to understand how they are constructed.

I have scripts, isn’t that the same thing?

Most engineers, analysts, or administrators who have worked in IT for more than a few years have run into tasks that they find themselves doing repeatedly. Inevitably, someone on the team writes a script for each of those routine tasks, whether it is Visual Basic, a batch file, or a snippet of Java. Those scripts are running continually in a SOC near you right now. So, the question becomes: if I’ve already got scripts running, why do I need a SOAR? Remember, SOAR stands for security orchestration, automation, and response. Automation refers to performing singular tasks repeatedly; orchestration is putting multiple singular tasks together; and response is really the key, because it is the ability to evaluate, make a choice, and then perform additional actions. The ability to build in complex response actions, either in an automated fashion or via human interaction, is one of the primary differentiators of a good SOAR platform. This doesn’t mean throwing the scripts out; it means taking them and converting them into SOAR workflows that provide response choices, in-depth auditing and error tracking, and consistent integration across multiple platforms. This is where SOAR sets itself apart.
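To make the automation/orchestration/response distinction concrete, here is an added example (not code from the article or from any SOAR vendor) of a minimal workflow in Python: a repeatable IOC enrichment task, chained into a workflow that records an audit trail, tracks errors, and gates the blocking action on human approval. The threat-intel table and all function names are constructed for illustration.

```python
"""Minimal SOAR-style workflow: automation + orchestration + response.

Constructed example. THREAT_INTEL stands in for a real enrichment API.
"""
from dataclasses import dataclass, field

# Constructed reputation data (TEST-NET addresses / example domain).
THREAT_INTEL = {
    "198.51.100.23": "malicious",
    "example.com": "benign",
}


@dataclass
class AuditTrail:
    """Every step records its outcome so the run can be reviewed later."""
    steps: list = field(default_factory=list)

    def record(self, step, status, detail=""):
        self.steps.append({"step": step, "status": status, "detail": detail})


def enrich_ioc(ioc, audit):
    """Automation: one repeatable task (IOC reputation lookup).

    An unknown indicator is tracked as an error rather than silently ignored.
    """
    verdict = THREAT_INTEL.get(ioc)
    if verdict is None:
        audit.record("enrich", "error", f"no intel for {ioc}")
        return "unknown"
    audit.record("enrich", "ok", f"{ioc} -> {verdict}")
    return verdict


def decide_response(verdict, approved_by=None):
    """Response: evaluate, choose, act. Blocking waits for an analyst's approval."""
    if verdict == "malicious":
        return "block" if approved_by else "await_approval"
    if verdict == "benign":
        return "close"
    return "escalate"  # unknown verdict: hand to a human


def run_workflow(ioc, approved_by=None):
    """Orchestration: chain the single tasks; return the action and the audit trail."""
    audit = AuditTrail()
    verdict = enrich_ioc(ioc, audit)
    action = decide_response(verdict, approved_by)
    audit.record("respond", "ok", f"{ioc}: {action}")
    return action, audit.steps
```

A plain script would stop at the lookup; the workflow adds the decision point, the approval gate, and a per-step record that auditors can inspect.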

It will be done tomorrow right?

Not likely. While an initial set of use cases or workflows can usually be imported from the SOAR vendor, they still need to be customized to your environment. For instance, they may have been written for a different firewall or threat feed vendor. Each of these steps will need to be verified and tested against the current version of the platforms deployed in the environment. A simple version difference in the target platform can make a huge difference. Which brings us to…

Integrations are simple

Umm, no. To be successful, a SOAR platform will need to communicate with many different platforms that already exist in your environment. Let’s face it, the IT space is full of companies that compete with one another in multiple verticals, and one vendor is rarely sole-sourced throughout the organization. It’s not uncommon to see vendors significantly change APIs, database structures, architecture, and platforms between versions, with missing or incorrect documentation to go with it. These changes are not made to purposefully break outside integrations; they are made with the vendor’s own interests in mind. Simply put, IT infrastructures are complex environments with lots of moving parts that need to be carefully integrated to get the best value from the solutions. Often the response from vendors’ support teams will boil down to “not my problem.” Ultimately, a good SOAR vendor will try to keep up with the integrations as new versions are released, but some of this will also come back to a good relationship between you and your vendor. Simply letting them know that a new version has been released and that you intend to upgrade soon can change the integration team’s process to better support you.

Things to keep in mind

So, what are the main takeaways? SOAR solutions can be incredibly powerful enablers of the cyber and operations teams if some simple rules are followed:

  • Stay focused. Choose a single task to learn what works in your organization. Use this as your in-house training scenario to learn the process.
  • Take your time. Diagram the workflow on a whiteboard and take your time finding the lowest common denominator to help pick one or two use cases to leverage as your showcase.
  • Identify simple integrations. Choose the deployed solutions that can be easily integrated to start with. Typically, they will be API driven and allow you to combine with threat enrichment to see immediate benefits.
  • Re-use. Ideally, your SOAR platform allows you to reuse the work you’ve already done. You’ve created the first piece of the puzzle for the future and you can leverage that same structure and concept again to reduce the amount of effort on your next workflow.

Merlin Cyber has partnered with Swimlane to help our public-sector customers avoid these and many other challenges that they encounter. Swimlane provides a comprehensive SOAR platform leveraging a drag-and-drop workflow builder that enables organizations to rapidly build and deploy workflows to the field. With built-in case management, auditing, reporting, and a robust integration library, Swimlane provides environments with the tools they need to be successful.

If your organization wants to rapidly improve staff efficiency and drastically decrease MTTR by leveraging a powerful SOAR platform, we can demo Swimlane and help customize a solution that meets your objectives.

Cyber hygiene starts with good tools configuration

Last month, the Government Accountability Office released a new report titled DOD Needs to Take Decisive Actions to Improve Cyber Hygiene. The GAO report found that the Defense Department is behind on three major cyber hygiene initiatives and lacks cybersecurity accountability among its leadership. If a critical government agency like the DOD struggles with cyber hygiene, what about a regular company?

An average-sized company usually has 25-plus security vendors. Organizations have implemented tool after tool in efforts to secure their data, systems, and users. This has left them with misconfigured, repetitive, or siloed tools and an uphill climb toward proper cyber hygiene.


While proper cyber hygiene involves tools, training, and policies, having a fragmented toolset makes the concept a non-starter. Tool fragmentation and overlapping tool capabilities put additional burden on IT staff, making it difficult to respond to threats, quantify risks, or effectively manage an organization’s most critical security controls. As a result, the organization’s cyber hygiene suffers.

Poor cyber hygiene creates security vulnerabilities that require decisive action. It’s vitally important to correctly configure, maintain, and ensure that your security tools are effective. In other words, cybersecurity leaders should consider maximizing the ROI on already-purchased tools before adding new ones to their crowded ecosystem.

Tool-proof your cyber hygiene

Practicing proper cyber hygiene goes beyond just purchasing and implementing security tools. Using the tools correctly is what helps solidify overall cybersecurity posture. And it all starts with proper configuration of the tools you have.

Establishing configuration baselines is a fundamental but often overlooked cyber hygiene task; if it were not overlooked, tool misconfiguration would not be such a frequent cause of breaches. While we rely on security tools to maintain proper hygiene, their effectiveness is entirely in our hands.

Here’s how to weigh the performance and usage of existing security tools:

  1. Analyze whether the tools you’re using are engineered properly and behaving correctly. For example, if it’s a vulnerability scanner, is it updated and scanning your entire IT landscape? If it’s a next-generation firewall, are you using all the features appropriately?
  2. Review and score every tool with a critical eye. Rationalize each tool against your organization’s current and future needs. Move past qualitative descriptions and into quantitative analysis by ranking and scoring the tools with questions like:
    • Does this tool have a niche or special purpose?
    • Is it more or less secure than other options?
  3. Examine each tool’s actual configuration. Is it configured securely? Does it have default passwords or other weak controls? How easy is it to harden?

The complexity of today’s IT infrastructures coupled with security tool fragmentation and misconfiguration makes cyber hygiene challenging for companies of all sizes. Security tools are only as strong as an organization’s internal process for maintaining them. Luckily, there are solutions that automate much of the work and provide organizations with a comprehensive way to implement and maintain proper cyber hygiene.

5 of the biggest cyber hygiene myths

Tackling common misconceptions about enterprise security

Proper cyber hygiene is a desirable but sometimes elusive practice for many organizations, and it can be hard to separate fact from fiction. Read on as Miguel Sian, Merlin’s Director of Solutions Architecture and Engineering, busts a handful of security posture myths.


Most organizations would agree that proper cyber hygiene is essential for maintaining their cybersecurity posture. Each will also likely affirm that they practice good cyber hygiene; yet, we find that many have considerable blind spots. We’ll shine a light on these blind spots by exposing five of the biggest myths about cyber hygiene.

First, a primer. What is cyber hygiene? The CERT Resilience Management Model (CERT-RMM) defines cyber hygiene as a set of practices for effectively managing the most common and pervasive risks to the organization. The Center for Internet Security (CIS) defines cyber hygiene as a set of baseline cybersecurity protections that help to secure an organization. Fundamentally, cyber hygiene involves the strategies and activities that ensure your enterprise IT security is in tip-top shape (health) and protecting your organization from threats (prevention).


Proper cyber hygiene spans people, process, and technology. It starts with having complete visibility of all your assets, followed by effective security tools and processes to identify, detect, and protect your assets against threats. Last but not least, you must implement effective access management. With this as the backdrop, let’s quash five common myths about cyber hygiene.

MYTH #1

“We have several management tools (e.g., NAC, SCCM) and a CMDB that ensure we know precisely what’s on our network.”

How many CISOs honestly believe that they have a truly accurate count of their hardware and software assets? Just one glance at two systems management tools (vulnerability management and Active Directory) would likely reveal a discrepancy in the total number of computer accounts in your enterprise. Furthermore, increasing cloud adoption and remote work can undermine your picture of what is actually on your network.

MYTH #2

“My users and endpoints are adequately protected with endpoint security tools such as anti-virus and EDR, along with policies we’ve implemented to protect our devices.”

Anti-virus and endpoint detection and response (EDR) solutions have long been good practices for endpoint hygiene, but they are no longer enough. New, emerging threats in the hardware layer – on mice, keyboards, webcams, switches – can go undetected by these endpoint security solutions. Furthermore, attacks on the supply chain compound the risks from these emerging threats.

MYTH #3

“We have security tools and processes established for configuration management, patch management, and vulnerability management that ensure our basic security hygiene.”

Organizations often overlook, and fail to adequately monitor, the very tools and processes that are supposed to ensure these basic security hygiene tasks. This is likely the result of lacking a central place to monitor the configuration and effectiveness of all their enterprise tools. Furthermore, organizations typically can’t relate these security challenges to overall business impact. For a complete picture of cyber hygiene, it’s important to know the tools’ security posture, their effectiveness in meeting the organization’s security controls, and how they protect the applications that deliver the business outcomes.

MYTH #4

“Our annual compliance audits against industry security frameworks provide adequate security and communications for our stakeholders.”

Regular audits are essential, and frameworks such as NIST CSF provide a comprehensive set of security guidance. Yet we’ve found that organizations are unable to continuously monitor their most critical security controls. As a result, they are unable to prioritize what’s truly important or to effectively communicate the risks across the enterprise.

MYTH #5

“We have controls that ensure proper access management.”

If this were true, we should not be seeing an increase in data breaches, since a majority start with privileged credential abuse. Organizations must take a comprehensive approach to access management. The enterprise is full of siloed identity sources and disparate identity management tools, which makes securing access across the enterprise challenging. It’s critical to establish visibility first, then monitor the security controls for access to critical systems.

It’s time to take a strategic approach to cyber hygiene. With today’s rapidly shifting situation in IT and business, risks and uncertainties abound. A renewed focus on the basic fundamentals of cyber hygiene provides us with the key principles and foundation needed to establish a comprehensive cybersecurity posture for our enterprise.