Even as many SOC teams have shifted to remote operations in recent weeks, the basics of their mission are unwavering: monitor for and analyze threats, and ensure security incidents are handled swiftly and incisively, ideally with the help of a security orchestration, automation and response (SOAR) platform.
Yet while nothing has changed, everything has, not least of which is the environment from which analysts are now doing their work. SecOps professionals are facing new risks amid a culture that emphasizes speed over security as workplaces rush to get their teleworking force up and running and prepare for a potentially long-term remote situation.
Creativity is critical here as security staff are forced to quickly adapt and react to new challenges, but many of the most maddening threats analysts are encountering are new takes on old problems. Each is still best addressed with automated workflows via playbooks, especially as long-standing skills and staffing shortages become even more pronounced, with some infosec personnel reportedly serving double duty to assist with IT-related tasks.
Here are brief summaries of three use cases our customers are experiencing and responding to creatively with SOAR playbooks:
1) Remote Access
Organizations nowadays are leaning hard on VPNs for secure connectivity, but these services are no silver bullet. Because they are so integral to protecting an enormous influx of remote workers, VPNs will continue to enter the crosshairs of attackers, who are actively hunting for VPN vulnerabilities (of which there are plenty). Playbooks can be built that not only track patching of those flaws, but also monitor VPN logs: flagging unusual volumes of data transfer, checking the geolocation and source IP address of each connection, and confirming that the address has no history of malicious activity.
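The VPN-log checks described above, as an added example rather than Siemplify's own playbook code. It assumes a hypothetical key=value session-log format (the sample lines, the denylisted range, the expected-country set and the byte threshold are all constructed for illustration; adapt the regex and policy values to your concentrator's output and your baseline):

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical key=value VPN session-log format.
# Not real vendor output; one line is deliberately malformed to show it is skipped.
SAMPLE_LOG = """\
2020-04-01T08:12:05Z event=session_end user=alice src=203.0.113.10 country=US bytes_out=34000000
2020-04-01T08:40:19Z event=session_end user=bob src=198.51.100.7 country=US bytes_out=1200000
corrupted-line-without-fields
2020-04-01T09:03:44Z event=session_end user=alice src=203.0.113.10 country=US bytes_out=900000000
2020-04-01T11:27:02Z event=session_end user=carol src=192.0.2.55 country=RO bytes_out=4500000
2020-04-01T11:30:00Z event=session_start user=dave src=203.0.113.99 country=US
"""

# Hypothetical policy values: a threat-intel denylist (constructed, TEST-NET-2),
# the countries the workforce is expected to connect from, and a daily
# per-user outbound-volume threshold tuned to an (assumed) normal baseline.
DENYLIST = [ipaddress.ip_network("198.51.100.0/24")]
EXPECTED_COUNTRIES = {"US", "CA"}
OUTBOUND_BYTES_THRESHOLD = 500_000_000

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_vpn_log(text):
    """Parse key=value session records into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = {"ts": m.group("ts")}
        for token in m.group("kv").split():
            if "=" in token:
                key, value = token.split("=", 1)
                rec[key] = value
        records.append(rec)
    return records


def is_denylisted(ip_str):
    """True if the source address falls inside any denylisted network."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # unparseable source field: not a match, but not trusted either
    return any(ip in net for net in DENYLIST)


def evaluate_sessions(records):
    """Return (finding_type, user, detail) tuples for a playbook to act on.

    Per-record checks: denylisted source, unexpected country.
    Aggregate check: total outbound bytes per user across ended sessions.
    """
    findings = []
    outbound_by_user = defaultdict(int)
    for rec in records:
        user, src = rec.get("user", "?"), rec.get("src", "")
        if is_denylisted(src):
            findings.append(("denylisted_source", user, src))
        country = rec.get("country")
        if country and country not in EXPECTED_COUNTRIES:
            findings.append(("unexpected_geo", user, country))
        if rec.get("event") == "session_end":
            outbound_by_user[user] += int(rec.get("bytes_out", 0))
    for user, total in outbound_by_user.items():
        if total > OUTBOUND_BYTES_THRESHOLD:
            findings.append(("high_outbound_volume", user, total))
    return findings


if __name__ == "__main__":
    for finding in evaluate_sessions(parse_vpn_log(SAMPLE_LOG)):
        print(finding)
```

Each finding type maps naturally to a playbook branch: a denylisted source can trigger an automatic session kill and account lock pending review, an unexpected country a confirmation step with the user's manager, and a high-volume total an enrichment step that pulls the user's recent file-access activity before an analyst decides.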
2) Phishing
Not surprisingly, as cybercriminals themselves adjust to the fallout of a global pandemic, they are turning to phishing attacks that exploit panicky human emotions. While email-based scams remain the most common phishing ploy, malicious senders are tweaking their delivery vehicle to account for the rapid shift to at-home work and the rise in mobile device usage for corporate activities. As a result, some organizations are newly equipping smartphones and tablets with anti-phishing capabilities, and playbooks can funnel those alerts into a SOAR platform for analysis and triage.
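A triage step for such alerts, as an added example and not Siemplify's own playbook code. It assumes a hypothetical JSON export from a mobile anti-phishing agent, a constructed allowlist of corporate domains and a constructed brand name; the lookalike check is a deliberately simple substring heuristic, enough to sort alerts into severity buckets before an analyst looks at them:

```python
import json
from urllib.parse import urlsplit

# Constructed alerts in a hypothetical mobile anti-phishing agent's JSON format.
# The third URL arrives defanged (some tools export that way); the fourth alert
# is missing its URL to show how incomplete records are routed.
SAMPLE_ALERTS_JSON = json.dumps([
    {"device": "phone-017", "user": "alice", "channel": "sms",
     "url": "https://acmebank-secure-login.example.net/verify"},
    {"device": "tablet-004", "user": "bob", "channel": "email",
     "url": "https://acmebank.example/accounts"},
    {"device": "phone-009", "user": "carol", "channel": "messaging",
     "url": "hxxp://update[.]example[.]org/app"},
    {"device": "phone-022", "user": "dave", "channel": "sms"},
])

# Hypothetical organization values: domains the company actually owns, and the
# brand string attackers would impersonate in lookalike hostnames.
ALLOWLIST = {"acmebank.example"}
BRANDS = {"acmebank"}


def refang(url):
    """Turn a defanged indicator back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def defang(url):
    """Render a URL safe for tickets and chat so nobody clicks it by accident."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def extract_domain(url):
    """Lower-cased hostname, or None when the URL has no usable host."""
    host = urlsplit(refang(url)).hostname
    return host.lower() if host else None


def is_lookalike(domain):
    """Brand string present in a host the company does not own (simple heuristic)."""
    return domain not in ALLOWLIST and any(brand in domain for brand in BRANDS)


def triage_alert(alert):
    """Normalize one alert into the fields a playbook branches on."""
    url = alert.get("url", "")
    domain = extract_domain(url) if url else None
    if domain is None:
        severity, reason = "needs_review", "alert carries no parseable URL"
    elif domain in ALLOWLIST:
        severity, reason = "low", "domain is on the corporate allowlist"
    elif is_lookalike(domain):
        severity, reason = "high", "brand lookalike on a non-corporate domain"
    else:
        severity, reason = "medium", "unknown domain; enrich with reputation lookup"
    return {
        "user": alert.get("user"),
        "channel": alert.get("channel"),
        "domain": domain,
        "defanged_url": defang(refang(url)) if url else None,
        "severity": severity,
        "reason": reason,
    }


def triage_alerts(alerts_json):
    """Triage a batch of agent alerts, preserving input order."""
    return [triage_alert(a) for a in json.loads(alerts_json)]


if __name__ == "__main__":
    for result in triage_alerts(SAMPLE_ALERTS_JSON):
        print(result["severity"], result["user"], result["defanged_url"], "-", result["reason"])
```

The "medium" bucket is where the playbook would call out to a URL-reputation or sandbox integration; the "high" bucket can go straight to blocking the domain at the mobile gateway and notifying the user, and "needs_review" keeps malformed records visible instead of silently dropping them.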
3) Vendor Risk Monitoring
Over the past several years, forward-thinking security teams have kept a keen watch over their organization's third-party vendors, with partners, contractors and suppliers becoming a primary source of data breaches. (In fact, nearly six out of 10 companies experienced a breach due to third parties in 2018.) And with the major spike in teleworking, a third party's already risky profile may become even more perilous when you consider that the provider's own employees are also likely working from home, exposing themselves to an even higher number of data-loss dangers than normal. Playbooks that allow you to take immediate action when a third-party vendor breaks policy will come in especially handy during these times.
The Benefit of Automated Workflows
Playbooks permit SOC teams to move toward consistent, repeatable processes for a given investigation type, no matter which analyst works the case.
They allow SOC analysts, architects and managers to work together to define the flow of activities associated with a specific security issue and the subsequent investigation and response. The goal is a consistent set of activities followed in every case of that type, regardless of the analyst assigned.
In general, when drawing up playbooks, you should consider:
- Defining which playbooks you need based on your threat assessment.
- Prioritizing the most important use cases for your security posture.
- Understanding the security processes that need to be part of each playbook.
- Applying rigorous development methods for building each playbook that includes testing, staging and formally introducing into your environment.
- Measuring what constitutes a successful playbook.
One big challenge SOC teams often face when building playbooks is that most SOAR products require some level of coding expertise to make them work. Siemplify took a different approach to building our playbook framework. Understanding that many SOCs do not have programmers on staff, our playbook architecture was built so that anyone can create and edit the steps in a playbook without coding experience.
You can experience the benefits of the Siemplify Security Operations Platform by downloading our free Community Edition.
Dan Kaplan is director of content at Siemplify.