In a perfect world, security operations center (SOC) teams would always be one or two steps ahead of attackers, identifying their tools, tactics and procedures before they are put to use and essentially rendering the bad guys impotent.
In the real world, however, we all know this is not the case. For most SOCs, keeping up with known previous and active security issues consumes all their available investigation resources, making the idea of uncovering hidden threats just that: an idea.
The good news is there are new options for SOCs to expose unknown threats, such as fileless attacks and other hidden malware, before they can cause harm to the organization, namely by integrating their endpoint protection platform with security orchestration, automation and response (SOAR) from Siemplify.
In the short video above, you can walk through how to design a malware investigation playbook, built on Endgame, a leading endpoint protection platform, that includes an automated threat hunting stage aimed at rooting out those unidentified threats.
While the video shows how easy it is to extend a seemingly straightforward investigation into a high-value, multi-faceted playbook in Siemplify, you should keep a few things in mind as you continue your investigation into SOAR technology:
1) Playbooks are only as good as the play they are executing
When creating a playbook in any SOAR solution, make sure you have your desired outcome in mind, stated in terms you can check (for example, every alert leaves the playbook either closed with a verdict or escalated to an analyst). SOAR technology can be a game changer in regard to increasing your team’s ability to close investigations faster, but it is not magic. If you are not clear on the objective of a playbook, seek out advice from your network of security practitioners or the SOAR vendor with whom you partner to avoid automating a broken process.
2) Integrations are key
All SOAR vendors provide some playbook capability. However, if the product has limited integrations out of the box or requires significant programming to integrate, you’ll run into trouble automating tasks when trying to connect your SOAR with the various security, IT or productivity solutions you already run. Bear in mind, too, that an integration can fail at run time; a playbook should record that failure and hand the case to an analyst rather than silently closing it.
3) Build, run and monitor
A significant value of SOAR technology is its ability to provide real-time feedback on how each playbook performs. You must monitor the performance of any playbook you deploy (how many alerts it closes automatically, how many it escalates, and which steps fail) to ensure it delivers the desired outcomes. Resequencing actions, removing unnecessary items and extending other activities improves your odds of better-than-expected outcomes.
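To make the three points concrete, here is an added example that is not Siemplify or Endgame code: a minimal playbook runner in Python for a malware alert. The playbook states its objective up front (point 1), calls stubbed integration adapters whose failures are recorded rather than fatal (point 2), and produces the run metrics you would watch after deployment (point 3). The reputation table, host inventory, hash labels and host names are all constructed stand-ins; a real playbook would call the vendor APIs in their place.

```python
"""Minimal SOAR-style playbook runner with monitoring. Added example; adapters
and data below are constructed stubs, not any vendor's API."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
import time

# Constructed sample data standing in for integration responses.
REPUTATION = {"hash-bad": "malicious", "hash-ok": "benign"}   # hash -> verdict
INVENTORY = {                                                  # host -> hashes seen
    "ws-01": {"hash-bad"}, "ws-02": {"hash-ok"},
    "ws-03": {"hash-bad", "hash-ok"}, "ws-04": {"hash-new"},
}

@dataclass
class Alert:
    alert_id: str
    host: str
    file_hash: str

@dataclass
class Context:
    """Mutable state shared by the steps of one playbook run."""
    alert: Alert
    verdict: str = "unknown"
    isolated: bool = False
    also_seen_on: List[str] = field(default_factory=list)
    closed: bool = False
    disposition: str = "escalated"   # only an explicit close step changes this

@dataclass
class StepResult:
    name: str
    ok: bool
    seconds: float
    note: str = ""

# Integration adapters (stubs). Each reads/writes the shared Context.
def reputation_lookup(ctx: Context) -> str:
    ctx.verdict = REPUTATION.get(ctx.alert.file_hash, "unknown")
    return f"verdict={ctx.verdict}"

def isolate_host(ctx: Context) -> str:
    if ctx.alert.host not in INVENTORY:          # simulated integration failure
        raise RuntimeError(f"endpoint adapter: unknown host {ctx.alert.host}")
    ctx.isolated = True
    return f"isolated {ctx.alert.host}"

def hunt_hash(ctx: Context) -> str:
    """Threat hunt: which other hosts carry the same file hash?"""
    ctx.also_seen_on = sorted(h for h, hs in INVENTORY.items()
                              if ctx.alert.file_hash in hs and h != ctx.alert.host)
    return f"hash present on {len(ctx.also_seen_on)} other host(s)"

def close_alert(ctx: Context) -> str:
    ctx.closed = True
    ctx.disposition = "true_positive" if ctx.verdict == "malicious" else "false_positive"
    return ctx.disposition

@dataclass
class Step:
    name: str
    action: Callable[[Context], str]
    when: Callable[[Context], bool] = lambda ctx: True
    required: bool = True   # a failed required step stops the run (alert stays escalated)

@dataclass
class Playbook:
    name: str
    objective: str
    steps: List[Step]

MALWARE_TRIAGE = Playbook(
    name="malware_triage",
    objective="Reach a verdict on the alerted file; contain and hunt if malicious; "
              "close only when the verdict is known, otherwise escalate to an analyst.",
    steps=[
        Step("enrich_hash", reputation_lookup),
        Step("isolate_host", isolate_host, when=lambda c: c.verdict == "malicious"),
        Step("hunt_hash", hunt_hash, when=lambda c: c.verdict == "malicious", required=False),
        Step("close_alert", close_alert, when=lambda c: c.verdict != "unknown"),
    ],
)

def run_playbook(pb: Playbook, alert: Alert) -> Tuple[Context, List[StepResult]]:
    ctx, results = Context(alert), []
    for step in pb.steps:
        if not step.when(ctx):
            continue                              # skipped, not failed
        t0 = time.perf_counter()
        try:
            note, ok = step.action(ctx), True
        except Exception as exc:                  # record the failure, keep the SOC running
            note, ok = f"{type(exc).__name__}: {exc}", False
        results.append(StepResult(step.name, ok, time.perf_counter() - t0, note))
        if not ok and step.required:
            break
    return ctx, results

def playbook_metrics(runs) -> Dict[str, object]:
    """The numbers to watch after deploying a playbook."""
    total = len(runs)
    closed = sum(1 for ctx, _ in runs if ctx.closed)
    counts: Dict[str, List[int]] = {}            # step -> [executed, failed]
    for _, results in runs:
        for r in results:
            c = counts.setdefault(r.name, [0, 0])
            c[0] += 1
            c[1] += 0 if r.ok else 1
    return {"runs": total, "auto_close_rate": closed / total if total else 0.0,
            "escalated": total - closed,
            "step_failure_rate": {n: f / e for n, (e, f) in counts.items()}}

def triage(alerts: List[Alert]):
    runs = [run_playbook(MALWARE_TRIAGE, a) for a in alerts]
    return runs, playbook_metrics(runs)

if __name__ == "__main__":
    # Constructed alerts: true positive, false positive, unknown hash, and a
    # malicious hash on a host the endpoint adapter cannot reach.
    alerts = [Alert("A1", "ws-01", "hash-bad"), Alert("A2", "ws-02", "hash-ok"),
              Alert("A3", "ws-04", "hash-new"), Alert("A4", "ws-99", "hash-bad")]
    runs, metrics = triage(alerts)
    for ctx, results in runs:
        print(ctx.alert.alert_id, ctx.disposition, [(r.name, r.ok) for r in results])
    print(metrics)
```

Note the two deliberate design choices: an alert is never closed unless a step explicitly closes it, so an unknown verdict or a broken integration leaves it escalated for a human, and skipped steps are not counted as failures, so the failure rate of `isolate_host` reflects only the runs where containment was actually attempted.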
To learn more about how you can use Siemplify with Endgame and all of the other 200+ out of the box integrations, you can request a meeting with a Siemplify security expert here.
Steve Salinas is director of product marketing at Siemplify.