Manoharan Mudaliar

Cyber Security Consultant

Understanding SOAR and Its Impact on Threat Detection and Mitigation

Working on a network security solution

Keeping your remote systems protected is no more a matter of just deploying a firewall and an antivirus system. Defending your systems from modern, sophisticated cyber threats requires you to put up a unified security strategy. Your strategy should detect, manage and mitigate all security lapses and attacks whenever they emerge.

Almost all cyber security experts have heard of SOAR, better known as Security Orchestration, Automation and Response. SOAR is considered to be one of the most capable tools for managing security threats and creating an actionable mitigation strategy to tackle them.

Originally coined by Gartner in 2017, it is used to refer to the presence of tools combining Threat Intelligence Platforms, Security Orchestration and Automation and Incident Response Platforms together. A SOAR solution essentially enables users to gather data from multiple sources and view it together in one location.

Understanding How SOAR Works

SOAR tools and solutions can basically be defined as monitoring platforms that give users access to a dashboard compiled with metrics and security data from different systems across the organization. Combining data from different sources across the organization helps give a comprehensive understanding of threats, with an immediate incident response.

Tools coming under the SOAR solution use AI and threat intelligence to help users respond to threats and improve their decision making skills. The automated response generated through SOAR tools helps reduce the time it takes to detect problems and the system, and to resolve them.

A typical SOAR platform is made of three integral components:

  • Orchestration
  • Automation
  • Response

Orchestration

Orchestration is the process of gathering data from multiple sources and compiling it together on one platform. Orchestration is considered highly useful in the cyber security domain as it gathers data from different disparate technologies and tools to provide a single top-down perspective into security attacks and threats.

For instance, a typical SOAR tool would use the feature of orchestration to gather alerts from multiple data sources and compile them in one place where users can easily manage these threats. Compiling security event data and real-time results in one place can make vulnerability management and threat detection easier than before. Without a proper tool for security orchestration in place, security analysts would have to sift between different tabs and systems to maintain a professional network. This leaves greater room for human error.

Automation

Automation is another forte of SOAR tools for reducing administrative burdens. Most network administrations and security analysts face a wide range of administrative burdens when managing security threats. Manually monitoring, detecting and responding to cyber events and attacks has proven ineffective and useless for many professional organizations. One network analyst cannot possibly monitor over a dozen systems together. These systems generate over a thousand alerts and alarms during a typical day.

SOAR solutions offer automation in not just alert detection, but also in how network managers respond to the security threat. Automated solutions automatically shut down systems or devices where cyber threats have been detected.

Response

A typical SOAR tool is also concerned with enabling users to respond to a given situation, also known as incident management. The dashboard compiles and gathers data from across the board, which is why response and incident management activities take place here. Network analysts can monitor the dashboard to view threat intelligence alerts in real-time.

SOAR tools offer root-cause intelligence and diagnostics to help users find security events that have infiltrated the system faster. In simpler words, SOAR tools come designed with the intention of performing a thorough diagnostic operation during the remediation process.

Ways SOAR Is Helping Businesses Combat and Overcome Security Challenges

The cyber security domain has never been as complicated as it is right now. In the face of complications and ever-evolving threats, SOAR offers businesses of all sizes an opportunity to improve their chances of swiftly detecting and responding to attacks.

Some of the complications facing businesses on the cyber security domain include:

  • A rise in ever-evolving and disruptive cyber security threats
  • Shortage of qualified security analysts for managing threats on a routine basis
  • And, the growing structure and reliance on IT estates. Businesses now have more to lose from a cyber attack than ever before.

SOAR helps support cyber security systems by:

Providing Intelligence of the Highest Order

Cyber security threats have become complicated and more disruptive over time, which is why tackling these threats now requires an ability to not only recognize all indicators of compromise, but to also understand the techniques and procedures followed by attackers, along with their line of attack.

SOAR systems compile and validate data from disparate sources, including security and exchange technologies such as intrusion detection systems, firewalls SIEM and UBA technologies and threat intelligence platforms. Eventually, SOAR helps SOCs become even more intelligence driven.

The changes brought through better quality intelligence allow security personnel to contextualize incidents in a better manner. Security analysts can also make better decisions, while accelerating the process of threat response and detection.

Improving the Efficacy of Operations Without Downtime

The need to oversee multiple security technologies with different metrics of their own can put a significant strain on your security personnel. Not only do systems require constant monitoring to ensure their ongoing health, but the thousands of alerts generated by disparate security systems can lead to alert fatigue, eventually creating gaps for actual cyber attack alerts to go through unnoticed.

Constantly switching between different networks can also make situations worse than they actually are. Constant switching can cost time and effort and can also elevate the risk of mistakes.

SOAR solutions and tools can help CSOCs semi or fully automate some of the mundane tasks performed by security personnel on a day to day basis. SOAR tools provide solutions through a single glass window, utilizing both, machine learning and AI, to give automated real time alerts and responses. Security analysts often waste a lot of their time during the day on context switching and SOAR solutions can stop this wastage of time through unified results on a single dashboard.

The solution also helps ensure that security threats are managed in a more efficient and timely manner, improving the organization’s productivity and capacity to operate without any major cyber attacks. Additionally, the system ensures that more incidents are managed without the need to hire more staff members on your security team. SOAR helps security staff perform smarter rather than harder, by giving them the means to streamline their efforts.

Enhancing Incident Response

Data breaches and cyber attacks have become extremely common in today’s world. Rapid response is extremely vital for minimizing the damage caused through these breaches and cyber attacks. Two key vectors used to gauge performance here include mean time to detect or MTTD and mean time to respond (MTTR). SOAR helps organizations reduce the mean time to detect and respond by qualifying and remediating security alerts in a matter of minutes, rather than weeks or even months.

SOAR also enables and helps security teams automate the procedures for incident response. Automated responses include the immediate blocking of an IP address on the IDS system or firewall. This helps suspend infected user accounts and other endpoints on a given network.

Streamlining the Reporting Process

In most cyber security operation centers or CSOCs, frontline workers waste a significant amount of their time trying to manage impending cases, creating reports, journaling and preparing documents for the incident response procedure. Manually reporting processes and cyber attacks can waste time and requires attention to detail, taking focus away from the mitigation of other follow up attacks.

SOAR can come in handy in the reporting process as it aggregates and compiles intelligence from a wide range of sources before presenting it in a visually appeasing format. SOAR helps organizations reduce the paperwork and hassle that goes into the reporting process, while simultaneously improving contact between the corporate heads and frontline workers.

Through the use of automation, SOAR can also help codify knowledge and prevent the loss of institutional memory from cyber attacks. Since organizations face difficulty in otherwise retaining security talent, institutional memory from within the system can come in useful in the future.

SOAR allows you to perform tasks faster and reduce time to resolution. The longer your threats go unaddressed, the greater the chances of disruption and damage.

A cyber security consultant can help improve your transition towards SOAR. I’m a certified information security manager with extensive experience in helping organizations from various industries devise cyber security protocols and measures to ward off sophisticated and invasive cyber threats.

How to Create an Effective Business Continuity Plan

Creating an effective business continuity plan

The COVID-19 pandemic has led to a complicated period of acceleration and innovation for businesses across the globe. Industries have come up with better technologies, while adapting to new channels of communication and work from home practices. All of this has been achieved in an astoundingly limited period of time.

However, with the troublesome work from home scenario, businesses have also had to grapple with the fear of cyber security exposure. Remote work is the new norm today, and employees are accessing and checking in to company portals from unmonitored network protocols and computer systems.

The need of the hour for businesses today is to come up with a business continuity plan. A business continuity plan can be defined as a well drafted plan of action that dictates the modus operandi businesses follow when they are faced with a major disruption. The plan outlines all instructions and procedures that should be followed by businesses during such disasters. It not only covers business continuity, but it also oversees business processes, human resources, assets and partners.

With the current COVID-19 pandemic in perspective, it is only necessary that businesses draft a plan that safeguards them from the risk of a cyber attack. Cyber attacks, including malwares, can put your internal data at risk. Additionally, the confidential consumer data you have can also be breached during such an attack.

A Look Into Cyber Attacks Today

Almost 96 percent of all businesses in the United Kingdom suffered a cyber attack during the last year. While cyber attacks previously targeted important financial data, hackers have realized the potential in the market for consumer data, including date of birth, password hashes, email addresses and usernames.

A recent scam involving Dubsmash, My Fitness Pal, My Heritage and ShareThis saw important consumer data from over 200 million user accounts stolen and put up for sale on the Dream Market dark web marketplace. This new revenue stream has brought in a group of eagle eyed hackers looking to attack and breach sensitive consumer data.

The average cost of a single data breach caused by a cyber attack hovers around $3.62 million on average. This is a staggering amount that most businesses today aren’t able to meet. This is exactly why almost 60 percent of small and budding companies run out of business within six months of falling into a cyber attack that leads to a data breach.

A business continuity plan does not take a lot to build, but it sure can be the difference between shutting down after a cyber attack and continuing to function properly.

Anatomy of a Business Continuity Plan

If your organization doesn’t have a business continuity plan in place already, then you have to start by assessing your core business processes, the areas inside your organization that are most vulnerable and the potential losses you will incur daily if these processes go down.

Once identified, you can proceed with developing your business continuity plan. This would entail the following general steps:

  1. Identify the scope of your plan
  2. Identify all key business areas that would shut down as a result of a cyber attack
  3. Identify all critical functions in your organization
  4. Identify how output and productivity are focused or dependent on certain functions and areas
  5. Determine the downtime that it will take for you to perform each critical function
  6. Create an actionable plan for maintaining operations in the face of disaster

You can maintain a checklist as a potential tip for covering everything you should. The checklist should include the location of your data backups, along with where the plan is available and who you can trust with overseeing key business processes when disaster strikes.

Once you are creating your business continuity plan, you would like to interview and talk to people and employees who have previously gone through similar experiences of data breaches and cyber attacks. Hear their ‘war stories’ and understand the mentality that helped them pull out of that mess. People usually like sharing tips and tricks on how they saved the day, so you won’t face much resistance here. The insights you get from experienced people will actually help you craft a plan.

Test Your Business Continuity Plan

Hope for the best, but be prepared for the worst. Once you have a business continuity plan on paper, it is necessary that you test and approve it, before relying on it to get you through cyber attacks. Testing a plan is the only way for you to know whether it will work or bust.

To make the testing process difficult and almost life-like, you have to create an artificial cyber attack with the sole purpose of breaking your business continuity plan. Do not go for an easy scenario where you come out high fiving each other when the plan actually isn’t ready for real life situations. Create a complicated attack that actually tests and strains every part of your plan.

Test how your task teams perform, and if you are in sync with the targets you have set in the actual plan. To make the situation even more life-like, you can promise recovery teams a bonus if they get through the situation in the desired time.

There are three basic ways for you to test and explicate your business continuity plan on an annual basis.

  1. Start with table top exercises that take place inside a conference room and involve team members poring over the plan and its possible limitations. Have the best talent in your firm come together on a quarterly basis to check for chinks in the armor.
  2. Secondly, you have the option of a structured walk-through, where every team member walks through their components of the plan. Identify different disasters or types of cyber crimes in mind and rehearse what each member would do in the face of the actual disaster. This will help you locate whatever weaknesses there are in the plan.
  3. Lastly, you can go through disaster simulation testing to design an environment that simulates an actual cyber attack. The purpose of a simulation is to find out whether you can actually carry out core business functions during the attack.

Try including new employees into the team every once in a while, so that their fresh eyes can detect any lapses of information that other members might overlook.

Organizations with a website can go for web penetration testing to identify any gaps within their website. You can opt for the following well established methodologies to pen test your website.

  • OSSTMM (Open Source Security Testing Methodology Manual)
  • OWASP (Open Web Application Security Project)
  • ISSAF (Information Systems Security Assessment Framework)
  • PTF (Penetration Testing Framework)
  • PCI DSS (Payment Card Industry Data Security Standard)

These methodologies will help you run penetration tests on your website and check its response.

Tips to Create an Effective Business Continuity Plan

You can create an effective business continuity plan with the following tips:

Establish Communication Lines

Your business continuity plan should establish communication lines within the organization. An employee who detects a cyber security issue on their remote system while working at home should know who to contact in the moment. News of an attack or any update should immediately get to the team in action without delays.

Back-ups

A continuity plan should ensure that the business has good, regular and clean back-ups of the entire IT state available on a daily basis. Running back-ups every month doesn’t work anymore, which is why you need to have preferably daily or weekly back-ups at worst. Ensure that your back-up is secured in a remote network, as there have been instances of ransom-ware attacks running into the back-up and shutting that down as well.

Prepare a Plan for Each Essential Service

If you have identified multiple essential services in your business, then you need to come up with a plan for all essential services separately. You should follow all that we have mentioned above to come up with a separate plan for each service or silo. Identify individuals tasked with looking after each service, so that there aren’t any last minute hiccups.

Keep the Virus From Spreading

One of your first plans of action after a cyber attack is to stop the virus from spreading. Disconnect the internet, change settings for the firewall, update credentials for affected systems and remove remote access altogether. The virus shouldn’t be allowed to spread, as that will ameliorate the damage.

Regardless of how prepared you are, a cyber security consultant can do wonders for your business continuity plan. If you are looking for someone to ramp up your business continuity plan, then you have come knocking down the right door.

I’m a certified information security manager with extensive experience in helping organizations from various industries devise cyber security protocols and measures to ward off sophisticated and invasive cyber threats.Creating an effective business continuity plan