Assessing the Successes (and Failures) of Organizations’ Implementations of Security Orchestration, Automation and Response Solutions
As 2018 comes to a close, we must look at the information security and managed services trends already established this year, and those on deck for 2019.
To get things going ahead of the new year, we thought we would share some of the trends we’re seeing in both successful and failed attempts by organizations to implement Security Orchestration, Automation and Response (SOAR) solutions.
In 2018, we saw a lot of interest in SOAR solutions, and we firmly believe this trend will continue in the years to come for numerous reasons.
Whether the goal is faster reaction to threats, better visibility into attacks, or simply coping with too few staff to operate the enterprise security tools you have already invested in, SOAR solutions make good sense from an investment standpoint. With that said, we’ve already seen some common mistakes being made, both in the reasoning behind the purchase and in the implementation.
1. Mistakes in Reasoning
The most common reason we hear from a client interested in a SOAR solution is simply to handle the thousands of alarms they currently receive daily. When you look under the hood at why they are getting this many alarms, it quickly becomes apparent that no one ever tuned their SIEM in the first place, least of all from the security operator’s point of view.
As a managed services provider offering co-managed solutions, we see this a lot. During onboarding, we take on the challenge of working with our clients to determine the most impactful alarms to generate for their environment and to turn down the noise.
At the end of the day, from a security operations perspective, it is all about visibility and the quality of the data in the alarm.
How do we get to this desired state? The best approach is, candidly, to turn off a lot of the automated alarms that come stock with most SIEMs and let subject-matter solutions provide the visibility for each specific problem. Some quick examples include:
- Anti-Malware – Everyone who knows DirectDefense knows we recommend next-generation endpoint solutions all day. Besides the significant increase in quality of protection they provide, they also generate very detailed logs. So, why not alarm directly on the logs coming from that solution? One of the most annoying byproducts of out-of-the-box SIEM alarms is that they duplicate or triplicate a single event into multiple alarms. Turn that noise off and listen to your subject-matter solution instead.
- Authentication Abuse Monitoring – There is candidly nothing more annoying today than the state of out-of-the-box SIEM alarming for account abuse (brute forcing, privilege escalation, lateral movement). On Windows Server 2008-native domains with Kerberos ticket lifetime settings, nothing generates more false-positive alarms than a user who leaves Outlook open on their desktop, locks the screen and goes to a two-hour meeting. After about two hours, the SIEM dashboard lights up with “Brute Force” alarms, all because the user’s Kerberos ticket has expired and Outlook is still retrying; specifically, you see a steady stream of Windows Security Event IDs 4771 (Kerberos pre-authentication failed) and 4776 (NTLM credential validation, with a failure code) for one account from one workstation. The tell is the pattern: one source, one account, the same failure code, retried at a fixed interval, which is not how a human guessing passwords or a password spray across many accounts behaves. While you can tune the default alarm, the usual tweaks (raising the threshold or whitelisting accounts) start blinding you to legitimate attacks. What’s the best approach then? Again, find a subject-matter solution. Microsoft’s Advanced Threat Analytics (ATA) does well here, and there are some very good user behavior analytics solutions that give far more insightful visibility into account usage and abuse, and higher-quality alarms, than the default rules in older SIEM solutions.
So, once again, defer to the subject matter expert to get quality alarms and turn off the noise of false-positive alarms.
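The difference between the stock rule and a tuned one, as an added example that is not part of the original post: a stock-style "N failures per account" rule beside a rule keyed on who is failing against what, from where, both run over constructed Windows Security events. Event IDs 4771 and 4776 and the status codes 0x18 (KDC_ERR_PREAUTH_FAILED) and 0xC000006A (STATUS_WRONG_PASSWORD) are real; the accounts, hosts, timestamps and thresholds are assumptions made up for illustration. The tuned rule goes a little beyond the Outlook case in the text: it also catches the two things the stock per-account rule misses, a password spray (one source, many accounts) and one account attacked from many hosts.

```python
"""Added example (not from the original post): a stock-style brute-force rule
beside a tuned one, run over constructed Windows Security log events.
Event IDs 4771 (Kerberos pre-authentication failed) and 4776 (NTLM credential
validation) are real; status 0x18 is KDC_ERR_PREAUTH_FAILED and 0xC000006A is
STATUS_WRONG_PASSWORD. Accounts, hosts, times and thresholds are made up."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
NAIVE_THRESHOLD = 10       # stock rule: N failures for one account in WINDOW
SPRAY_ACCOUNTS = 8         # one source failing against this many accounts
DISTRIBUTED_SOURCES = 4    # one account failing from this many sources
STEADY_JITTER_SECONDS = 5  # retries this regular look like software, not a person
BASE = datetime(2018, 12, 3, 9, 0, 0)  # constructed


def build_sample_events():
    """Constructed sample events (not real data): three scenarios in one window."""
    events = []
    # A: the Outlook-after-a-meeting case. One workstation retries one account
    # with the same Kerberos failure code every 30 seconds for ten minutes.
    for i in range(20):
        events.append({"time": BASE + timedelta(seconds=30 * i), "event_id": 4771,
                       "account": "jdoe", "source": "WS-JDOE", "status": "0x18"})
    # B: password spray. One source tries twelve accounts once each over NTLM.
    for i in range(12):
        events.append({"time": BASE + timedelta(seconds=5 * i), "event_id": 4776,
                       "account": f"user{i:02d}", "source": "10.0.5.77",
                       "status": "0xC000006A"})
    # C: one service account hammered from six different hosts.
    for i in range(6):
        for j in range(2):
            events.append({"time": BASE + timedelta(seconds=60 * i + j), "event_id": 4771,
                           "account": "svc_backup", "source": f"HOST{i}", "status": "0x18"})
    return sorted(events, key=lambda e: e["time"])


def naive_brute_force(events):
    """Stock-style rule: any account with NAIVE_THRESHOLD failures inside WINDOW,
    regardless of where they come from. Returns the set of alarmed accounts."""
    by_account = defaultdict(list)
    for e in events:                            # events arrive sorted by time
        by_account[e["account"]].append(e["time"])
    alarms = set()
    for account, times in by_account.items():
        start = 0
        for end in range(len(times)):           # sliding window over the times
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= NAIVE_THRESHOLD:
                alarms.add(account)
                break
    return alarms


def tuned_auth_abuse(events):
    """Tuned rule keyed on source, account and failure code. Returns a dict of
    buckets. 'stale_credential' is what the stock rule calls brute force: one
    source, one account, one failure code, retried at a machine-regular
    interval. It is recorded, not alarmed; the other three buckets alarm."""
    per_account_sources, per_source_accounts = defaultdict(set), defaultdict(set)
    per_pair = defaultdict(list)                # (source, account) -> [(time, status)]
    for e in events:
        per_account_sources[e["account"]].add(e["source"])
        per_source_accounts[e["source"]].add(e["account"])
        per_pair[(e["source"], e["account"])].append((e["time"], e["status"]))

    result = {"password_spray": set(), "distributed_brute_force": set(),
              "single_source_brute_force": set(), "stale_credential": set()}
    for source, accounts in per_source_accounts.items():
        if len(accounts) >= SPRAY_ACCOUNTS:
            result["password_spray"].add(source)
    for account, sources in per_account_sources.items():
        if len(sources) >= DISTRIBUTED_SOURCES:
            result["distributed_brute_force"].add(account)
    for (source, account), hits in per_pair.items():
        # Never suppress a pair that is already part of a spray or a distributed attack.
        if (len(hits) < NAIVE_THRESHOLD or source in result["password_spray"]
                or account in result["distributed_brute_force"]):
            continue
        one_status = len({status for _, status in hits}) == 1
        gaps = [(hits[i + 1][0] - hits[i][0]).total_seconds() for i in range(len(hits) - 1)]
        steady = max(gaps) - min(gaps) <= STEADY_JITTER_SECONDS
        if one_status and steady:
            result["stale_credential"].add(account)
        else:
            result["single_source_brute_force"].add((source, account))
    return result


if __name__ == "__main__":
    sample = build_sample_events()
    print("stock rule alarms on:", naive_brute_force(sample))  # jdoe and svc_backup; spray missed
    print("tuned rule:", tuned_auth_abuse(sample))
```

On the sample data the stock rule fires on jdoe (the false positive) and on svc_backup, and misses the spray entirely because each sprayed account fails only once. The tuned rule files jdoe under stale credential, alarms on the spraying source and on the service account under distributed attack, and keeps a fourth bucket for a single source that hammers one account irregularly or with mixed failure codes. The stale-credential bucket is still written to the log: a scripted attacker can also retry on a fixed interval, so that bucket should be revisited if the same account later succeeds from a new source.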
2. Mistakes in Implementation
Another critical area to get right with your SOAR implementation is understanding the placement of your technologies and the visibility they are (or are not) providing. Thankfully, over the past couple of years there has been a great increase in awareness of what to look for, and the MITRE ATT&CK framework (https://attack.mitre.org/) is a great resource for identifying gaps in your security visibility and for deciding where automation will have the most impact.
With this in mind, one of the most common mistakes we’ve seen in “not so successful” SOAR implementations is allowing the alarms and events from an externally placed device to drown out higher-quality alarms. The old-school approach of putting an IDS/IPS/monitor on the edge of your Internet connection was great back in the day when you wanted to see who was attacking you, but in today’s Internet landscape, where every public IP address gets scanned 40+ times an hour, you will flood yourself with noise alarms.
Think about it: your security stack is hopefully going to make its decisions after you’ve seen this attack traffic at your edge sensor. So, why would you prioritize alarms based on that sensor’s point of view? At the very least, log those edge alarms for reference rather than forwarding them as alerts to your SIEM or SOAR, where they would skew the prioritization of future events in your environment. Put simply, an alarm from an internally sourced device should carry more weight than one from the external sensor.
We have seen several SOAR implementations that got so skewed by external events that more legitimate internal alarms were lost in the noise, or in the SOAR solution’s analytics.
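The placement problem above, as an added example that is not part of the original post: an alert queue ordered by vendor severity alone, beside one that weights each alert by where its sensor sits, collapses repeated edge noise from the same source into one entry, and logs (rather than queues) edge alerts the perimeter already blocked. The zone weights, sensor names, signatures, counts and addresses are assumptions for illustration; the addresses come from the documentation ranges and are not real hosts.

```python
"""Added example (not from the original post): alert ordering by vendor severity
beside an ordering that weights by sensor placement and collapses repeated edge
noise. Zone weights, sensors, signatures, addresses and counts are assumptions
for illustration; the addresses are documentation ranges, not real hosts."""
from datetime import datetime, timedelta

ZONE_WEIGHT = {"internal": 1.0, "dmz": 0.6, "external": 0.2}  # assumed weights
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
DEDUP_WINDOW = timedelta(minutes=15)
BASE = datetime(2018, 12, 3, 9, 0, 0)  # constructed


def build_sample_alerts():
    """Constructed alerts (not real data). 'zone' is where the sensor sits."""
    alerts = []
    # 200 scan alerts from the edge IDS, 50 Internet sources, already blocked
    # by the perimeter, vendor severity 'high'.
    for i in range(200):
        alerts.append({"time": BASE + timedelta(seconds=10 * i), "zone": "external",
                       "sensor": "edge-ids", "signature": "SCAN Nmap SYN sweep",
                       "src": f"198.51.100.{i % 50}", "dst": "203.0.113.10",
                       "severity": "high", "action": "blocked"})
    # 30 web-attack alerts the edge saw but did not block, from three sources.
    for i in range(30):
        alerts.append({"time": BASE + timedelta(seconds=20 * i), "zone": "external",
                       "sensor": "edge-ids", "signature": "WEB SQL injection attempt",
                       "src": f"198.51.100.{200 + i % 3}", "dst": "203.0.113.10",
                       "severity": "medium", "action": "alert"})
    # Two internal alerts, vendor severity only 'medium', same workstation.
    alerts.append({"time": BASE + timedelta(minutes=12), "zone": "internal", "sensor": "edr",
                   "signature": "LSASS memory read by unsigned binary", "src": "WS-FIN-07",
                   "dst": "WS-FIN-07", "severity": "medium", "action": "alert"})
    alerts.append({"time": BASE + timedelta(minutes=14), "zone": "internal", "sensor": "internal-ids",
                   "signature": "Admin share access from workstation", "src": "WS-FIN-07",
                   "dst": "FS-01", "severity": "medium", "action": "alert"})
    return alerts


def triage_naive(alerts, top_n=3):
    """Stock ordering: vendor severity first, then arrival time."""
    ordered = sorted(alerts, key=lambda a: (-SEVERITY[a["severity"]], a["time"]))
    return [(a["sensor"], a["signature"]) for a in ordered[:top_n]]


def triage_tuned(alerts, top_n=3):
    """Placement-aware ordering. Returns (queue, logged_only).
    1. Edge alerts the perimeter already blocked are logged, not queued.
    2. Repeats of (sensor, signature, source) inside DEDUP_WINDOW collapse into
       one queue entry carrying a count.
    3. Score = vendor severity x zone weight, so an internal 'medium' outranks
       an external 'high'."""
    logged, closed, open_entries = [], [], {}
    for a in sorted(alerts, key=lambda a: a["time"]):
        if a["zone"] == "external" and a["action"] == "blocked":
            logged.append(a)                    # keep for forensics, never queue
            continue
        key = (a["sensor"], a["signature"], a["src"])
        entry = open_entries.get(key)
        if entry is not None:
            if a["time"] - entry["first_seen"] <= DEDUP_WINDOW:
                entry["count"] += 1
                entry["last_seen"] = a["time"]
                continue
            closed.append(open_entries.pop(key))  # window expired: start a new entry
        open_entries[key] = {"sensor": a["sensor"], "signature": a["signature"],
                             "src": a["src"], "zone": a["zone"], "count": 1,
                             "first_seen": a["time"], "last_seen": a["time"],
                             "score": SEVERITY[a["severity"]] * ZONE_WEIGHT[a["zone"]]}
    queue = sorted(closed + list(open_entries.values()),
                   key=lambda e: (-e["score"], e["first_seen"]))
    return queue[:top_n], logged


if __name__ == "__main__":
    sample = build_sample_alerts()
    print("severity-only top 3:", triage_naive(sample))          # three edge scan alerts
    queue, logged = triage_tuned(sample, top_n=5)
    for e in queue:
        print(f"{e['score']:.1f} x{e['count']:<3} {e['sensor']:<12} {e['signature']}")
    print(len(logged), "blocked edge alerts logged, not queued")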
So, how do you make sure you don’t make these mistakes during your POC or implementation?
Create test cases for yourself and test your visibility before, during, and after the implementation. If you need help, talk with your trusted advisor or engage a service company that can provide repeatable penetration testing methodologies and recommend what catches them or slows them down. From there, you can tweak your security solutions to catch the root-cause issues and feed that information back into your SOAR solution to speed up your response time.
At DirectDefense, we pride ourselves on providing practical and realistic security strategies that assist our clients in meeting their security goals for the year. If you’d like to hear more about how we can assist you, please contact firstname.lastname@example.org.