IBM QRadar SOAR

Security Incident and Event Management (SIEM) has been widely adopted and used to manage cybersecurity events as the benefits of SIEM are apparent. SIEM can be combined with Security Orchestration Automation and Response (SOAR) for additional benefits As a result you will get Faster Response Time with Optimized Threat Intelligence, you will be able to reduce Manual Operations & build Standardized Processes, and your SOC operations will be more Streamlined.

A SOAR platform should be able to integrate with products across various security technologies like Cloud Security, Data Enrichment, Email Security, Endpoint Security, Forensics & Malware Analysis, Identity and Access Management, IT and Infrastructure, Network Security Products, SIEM & Log Management, Threat Intelligence, Vulnerability & Risk Management.

But it’s a very sophisticated & complex as well as time taking process and it requires planning and strategic execution to bring your SOC to this maturity level, and if you do not have a plan then you can find yourself in the below 4 Categories:

1. You are related to a SOC where neither a SOAR nor a SIEM is introduced.
2. You have SOC which is equipped with SIEM but SOAR or any other type of automation is missing, and you find yourself in the pile of alerts on daily basis & even miss critical indicators of compromise (IoC) often.
3. You have a SIEM in a mature SOC. However, the incident response is a manual process you still coordinate between multiple Windows/Linux or product admins, Network security teams to do remediation tasks whenever you are hit with an attack.
4. You have all the resources to transform your SOC but are still unable to achieve a competent SOC and are lacking in making your first fully automated incident response playbook which could have pre-approved computerised(automated) actions to reduce your remediation time by sending instructions to devices using API or any other integration method.

Now as you know your category you know what is next for you to achieve all this and take one step ahead with your first fully automated playbook which would require a plan for your SOC which covers all your pain points.

If you consider a SOC where People, processes & technology all are working as a Body then you have to consider SOAR as the HEART of this Body (SOC) pumping instructions as blood using automation to keep it running and moving faster than Attackers. is the key to turning the table during attacks you can Build Your SOC's Security Strategy with SOAR which transforms Your Incident Response here is how:

Checklist Phase - Putting Your imagination on Paper (What to Automate)

The checklist will give you direction, it's a proven psychological method to work effectively without losing focus. here are some recommendations:

1. 1.  Understand the threats that affect your organization, List out all use cases & prioritize them,
   2. What kinds of attacks or adverse incidents has our organization experienced in the past?
   3. Preparing for privacy breaches
      1. What data are you collecting and why?
      2. What are your privacy obligations — including industry regulations, state/federal data breach laws, and contractual agreements?
      3. When do you need to provide notification of privacy breaches (factors often include breach size and whether the data was encrypted — but vary across geographies and industries)?
      4. Who needs to be notified (customers, attorney general’s office, others) and how?
   4. List out what you want to achieve in your 1st irritation as your first short goal,
   5. list what use cases you are already tackling using your SIEM or manual Processes.
   6. what skills you would require (Specific Product knowledgebase, Programming, Scripting, integrations)
   7. in this phase, you write up What you want to automate using SOAR (What to Automate)

Planning Phase - (How to Automate) Gear up resources:

1. Write up all use cases in Dry/Static Playbook format, here you only write steps in an excel or word document,
2. Divide your static playbook into phases like initial triage, detect & analyse, response, and post-incident.
3. Map out specific steps that need to be taken to resolve an incident throughout its lifecycle
4. Determine roles and responsibilities
5. Identify the key technologies and channels of communications to be leveraged during a response
6. Build processes around permissions and escalations
7. identify if prebuild app or automation script is readily available, BCS what you are trying to start from scratch probably available in a form of a .yaml playbook in ansible-galaxy, or someone from the community has published the app for that already.
8. identify automation points that you want to trigger with only human intervention (we call them MenuItems)
9. prepare the tech flow of each phase of each playbook, and identify how a collection of steps in each phase would function in a technical manner e.g.( in Detect & analyze phase of your ransomware Playbook you want to first scan all Hash values from your threat intel(Virustotal, XForce) and in next step you want to scan all malicious IP addresses, at the third step of the phase you want to pull all vulnerabilities and asset information from your Nessus or Qualys to determine how vulnerable the targeted asset is, does it convince you to high severity. Enough writing, now put the tech aspect of it will you use the virus total app to integrate with your soar or a script to scan IP & Hashs, will you use office 365 API integration to send notifications, or you will initiate a slack msg or a Microsoft team group message to serve or update information as feed to relative terms those are currently engaged and need to be synced.

basically, you will write the method of automation which will automatically run without human intervention and would require Pre-approval (more discussed in the approval phase) from your hire management to perform the task as it will dramatically reduce the response time, it can be very complex configuration change which does not has room for human errors.
It can be a repeatable task which is occurring again and again in your  L1 or service desk ticket bucket  so (How to Automate)

Implementation Phase

1. This the most interesting Phase for Geeks, so gather all your geeks/experts/Experience on a table and ask them to use IBM QRadar SOAR as a tool to integrate and build all your playbooks using a dynamic workflow-based approach, here you will put all your imagination into action. as the first two phases are given you a clear picture of what & how to automate its time that you put all your effort to bring it all into action, this phase will never end even after you get a fully automated environment new implementations will keep on occurring as you go mature. 
2. Define your incident categories, create phases and their tasks,
3. Install all apps and integrate the devices with your SOAR.
4. create your Automatic rule or Trigger Points those need to be executed using a Button(Manual Rules/Menu-Items.
5. divide a big task into small workflows, so that you don't mess up a fully functional cycle of automation when you need to do updations & modifications, workflow having more than 20 steps usually troubles when you have to do a critical modification & you don't know which step you need to target, this can lead to a serious mess up, so be minimalist.

Testing Phase (Proactively test and improve incident response processes.) 

1. One of the most effective ways to keep incident response capabilities driving forward is running simulations — and doing them in a dedicated, results-driven manner.
2. simulation can give you a real picture of what is going to work, what will fail, what is misconfigured & what is left behind.
3. Additionally, make the simulations measurable. Set goals and track key metrics such as mean-time-to-resolve and level of completeness. Replay simulations to measure improvements (or regressions).
4. Test each phase whenever you complete a workflow of a task,
5. Try realistic Indicators of compromise (IOCs) and prepare real infographics in this stage which you want to see in havoc.

6. Establish Orchestration & automation across people, processes, and technology is the key result of this phase.
   People: Have you ensured your incident response team is well-coordinated and well-trained? Do they have the right skills to address all aspects of an incident’s lifecycle? Do they have means for consistent collaboration and analysis?

   Process: Do you have well-defined, repeatable, and consistent incident response plans in place? Are they easy to update and refine? Are you regularly testing and measuring them?

   Technology: Does your technology provide valuable insight and intelligence in a directed fashion? Does it enable your team to make smart decisions and quickly act on those decisions?

Policy and compliance Approvals Phase -This will save you on your Rainy days like "WannaCry Ransomware Attack"

1. You are coming closer to execution, you already have reports with real infographics, and you have functional playbooks running in the test phase to mock or drill & this is the correct time to convince & prepare your management for SOC modernization.
2. Invite your GRC or Approval team for moc drills and note what is required to be approved as a change. so that you get all your Automation SOP/Playbooks approved in advance.  this is the kind of homework you are doing before presenting it to your Hire-Management for change Policy approvals.
3. show what strategy you have followed, and get the approvals for all automation that require an ITIL process to be followed, eg. you would be seeking a pre-approval for file deletion on a server which is having malware & file is not detected from AV or EDR, or a targeted email phishing campaign is going on and you don't want to wait for getting approval just to delete email from user email boxes even the email is Technically proven malicious by various TIP's if you have a pre-approved policy to take these actions you can save a lot of time in Remediation.

Execution Phase 

1. Release the first and most stable piece you got during the testing phase.
2. Production deployment should start from a small and less complex automated playbook, as one workflow can be used in different conditions like a virus scan automation workflow can be used with phishing as well as a ransomware use case, start putting small automation on Production where you have confidence.
3. Let the Testing phase run in parallel.

Go Mature Phase - Building a resilient, response-ready organization

1. here you know what and how to move forward, and now you have a strategy to accomplish the next target which is being one step ahead then the attackers who are continuously scanning your network & looking for loopholes. start automating as much as you can because this is going to give you sufficient time and confidence when you would be responding to an advanced attack.
2. After implementing it, as a satisfaction check, you can consider a drill or mock attack by hiring some pen testers on your use case and see if your strategy is now capable enough or not and empower your SOC team. 

Conclusion

Cyber incidents last undetected for weeks or months, malicious actors have the opportunity to establish a beachhead on compromised networks that can be difficult to remove. Automation is a useful method of streaming menial, repetitive tasks and making your team faster and smarter. When used in a broader incident response orchestration strategy, automation can empower your team to be strategic decision-makers.

It should give you the confidence that whether you are present at your SOC or not a super advance skilled up analyst(SOAR) is always working behind your back & responding to all advance attacks even if it is a 3 AM Shift.

Anuj Shrivastava : @Anuj Shrivastava - ashrivastava@in.ibm.com