First published by Dale Norris of ExtraHop
Cybersecurity teams tasked with defending ever-expanding attack surfaces are facing staffing shortages and daily barrages of alerts that can number in the thousands. Increasingly, those teams are turning to automation to help them do their jobs. Many times, they lean on security orchestration, automation, and response (SOAR) products. However, like every cybersecurity tool, SOAR is only as good as the data it uses—and not all data is created equal.
Before we dive into why network packets and network threat intelligence are key data sources for making SOAR solutions more effective tools, let's quickly cover the basics of SOAR.
What are SOAR Tools?
SOAR tools leverage external and internal data and threat intelligence for orchestration, automation, and response. By using SOAR, an organization's security operations center (SOC) can automate repetitive tasks, streamline complex workflows, and speed incident response. SOAR can also assist with device management, information gathering, secondary data analysis, communications, and general process handling.
SOAR tools can eliminate manual steps in investigation workflows to increase efficiency. They can also automatically close simple alerts and help determine the scope of a security incident by querying existing processes.
SOAR can also use playbooks for automated response to security incidents. Two common examples of this capability are quarantining devices infected in an attack and blocking suspicious or malicious IP addresses.
SOAR Use Cases
A SOAR customer is usually a large organization with a mature security operations center (SOC), but smaller organizations can take advantage of SOAR capabilities by using a managed security service provider (MSSP) or managed detection and response (MDR) provider.
3 Ways Network Analytics Improve SOAR Security
When a SOAR product ingests data from sources that don't provide complete context, what SOAR can accomplish is limited. Incomplete data sources can also make it difficult to trust the detections and alerts that are used for playbook response automation. Network data and threat intelligence from network detection and response (NDR) products help maximize SOAR capabilities in several ways, including reducing mean time to response (MTTR).
1. Enhanced Network Visibility
Agentless NDR products discover every device that communicates across the network, including unmanaged assets without agents. Agents are commonly used on endpoints, but they can't be added to every asset; it's simply not scalable. And while logs do a good job of providing broad visibility, they struggle to provide context. A log can tell you that two assets talked and for how long, but it doesn't provide deeper insight. By analyzing network data with machine learning, agentless NDR solutions are able to classify devices and map their dependencies on other devices. This complete inventory of assets, based on observed behaviors and backed by packet-level insights, eliminates visibility gaps.
2. Deeper Threat Context
Savvy attackers can often avoid detection by log- and agent-based tools, or they can sometimes modify or destroy the data those tools rely on. However, it's nearly impossible for attackers to avoid leaving clues in network traffic. By continuously monitoring and analyzing network traffic, NDR products are able to detect post-compromise behaviors like lateral movement and alert on those activities in near real time. Some NDR products are also able to map threats to a high percentage of MITRE ATT&CK techniques, adding a layer of context to investigations.
3. Faster Investigation, More Confident Response
Network packets are a high-fidelity data source for incident response, and NDR products with streamlined investigation workflows enable incident responders and investigators to drill down to ground truth in a few clicks. High-fidelity data also allows SOAR users to quickly clear alerts manually or to rely on response automations with confidence. Additionally, SOAR users can correlate their network intelligence with other data sources to better understand threats in their environments.
Here's a specific example of how network data enhances an investigation triggered by a SOAR playbook. Network data can be used to identify all the devices that communicated within a specific timeframe with an asset suspected of being compromised by an attacker. This highly contextual information makes it possible for a SOAR tool to automate the process of discovering potentially compromised devices and systems beyond the initial offender.
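As an added illustration of that playbook step (example code, not ExtraHop's or the post's own), here is a Python sketch of the scoping logic a SOAR playbook could run over flow records exported by an NDR product: given a suspect host and a time window, it lists the peers that talked to it, then expands hop by hop to find hosts that may have been reached by lateral movement. The flow records, hosts and the `peers_of`/`scope_incident` functions are constructed for this example.

```python
from datetime import datetime

# Constructed sample flow records (not real traffic): one entry per connection seen on the wire.
FLOWS = [
    {"ts": "2024-05-01T10:00:00", "src": "10.0.0.5",  "dst": "10.0.0.20", "dport": 445},
    {"ts": "2024-05-01T10:05:00", "src": "10.0.0.5",  "dst": "10.0.0.21", "dport": 445},
    {"ts": "2024-05-01T10:07:00", "src": "10.0.0.21", "dst": "10.0.0.30", "dport": 3389},
    {"ts": "2024-05-01T09:00:00", "src": "10.0.0.5",  "dst": "10.0.0.40", "dport": 443},  # before window
    {"ts": "2024-05-01T10:10:00", "src": "10.0.0.99", "dst": "10.0.0.5",  "dport": 22},
]


def peers_of(flows, host, start, end):
    """Return the set of hosts that exchanged traffic with `host` inside [start, end].

    Both directions count: an inbound connection may point at the source of the
    compromise, an outbound one at a host the attacker moved to.
    """
    peers = set()
    for flow in flows:
        ts = datetime.fromisoformat(flow["ts"])
        if not (start <= ts <= end):
            continue  # outside the investigation window
        if flow["src"] == host:
            peers.add(flow["dst"])
        elif flow["dst"] == host:
            peers.add(flow["src"])
    return peers


def scope_incident(flows, seed, start, end, max_hops=2):
    """Expand from the suspected host, hop by hop, to every host that talked to an
    already-scoped host within the window. Returns {host: hop_distance}; hop 0 is
    the seed, hop 1 its direct peers, hop 2 their peers, and so on.
    """
    scoped = {seed: 0}
    frontier = [seed]
    for hop in range(1, max_hops + 1):
        next_frontier = []
        for host in frontier:
            for peer in peers_of(flows, host, start, end):
                if peer not in scoped:  # first time we reach this host
                    scoped[peer] = hop
                    next_frontier.append(peer)
        frontier = next_frontier
    return scoped


if __name__ == "__main__":
    window = (datetime(2024, 5, 1, 9, 30), datetime(2024, 5, 1, 10, 30))
    for host, hop in sorted(scope_incident(FLOWS, "10.0.0.5", *window).items(), key=lambda kv: kv[1]):
        print(f"hop {hop}: {host}")
```

A production playbook would feed the resulting host list into enrichment and containment actions (for instance the device quarantine mentioned earlier) and would typically filter flows by protocol or port rather than treating every connection as equally suspicious.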
By providing context and packet-level insights, network data and threat intelligence represent trusted sources for detection, investigation, and response, whether via automation or human interaction. Adding network data to your SOAR will make your playbooks more accurate.