Security Automation and Orchestration (SAO) Platform
Automation and orchestration of security operations has become a necessity for every enterprise as attacks grow in volume and sophistication. Attackers keep evolving and some will breach the perimeter; no product can guarantee complete safety. A security automation and orchestration platform helps an organisation get the most out of its existing and new security tools and its analysts. It ensures that a defined response is taken for every instance of potential compromise, either stopping the attack outright or limiting the damage. IT infrastructure must keep evolving to support business growth and to adopt new technology, and security automation and orchestration platforms can raise the posture of today's defences from reactive to active, and potentially proactive, in limiting damage and thwarting attacks.
ALTEN Calsoft Labs offers a first-of-its-kind Programmable Security Controller, intended to allow organisations to automate and orchestrate their internal security operations.
By automating manual security workflows, SAO solutions make it possible to handle more alerts and to adapt workflows as threats evolve, delivering better security to more customers with fewer staff. They speed up incident response while reducing the repetitive manual tasks that wear out security staff. 80 to 90% of typical SOC tasks can be automated to some extent, and the data produced by disparate tools can be distilled into a single view. The resulting efficiency gains let the SOC handle far more work while significantly reducing mean time to respond (MTTR).
Focus your incident response team on business-critical alerts through automated prioritisation by business impact, so that high-priority threats are always handled first.
The architecture of the ALTEN Calsoft Labs Programmable Security Controller is depicted in the diagram below.
Reduce MTTR (mean time to respond) by up to 90% and free SOC analysts to focus on high-priority incidents by automating manual tasks such as collecting threat intelligence and sending notification emails. Tier-1 analysts are empowered by centralised incident response management, automated manual tasks and simplified investigations.
Data can be imported from any source as a container. Each container has associated artefacts (for example the IP addresses, hashes or URLs extracted from an alert). The data is consumed, processed and normalised to support automated decision making and automated actions.
Playbooks are open, Python-based automation scripts that run on demand or automatically when new information becomes available. A playbook encodes complex decision logic and executes many actions, either sequentially or in parallel.
Actions are expressed as high-level verb and noun pairs such as "block IP" that a playbook can invoke generically. The controller handles the complex work of determining which action applies to which asset and how it is to be executed, so the analyst can focus on incident response methodology rather than product syntax.
Apps are open-source Python modules that provide connectivity to, and implement actions for, specific products (applications and devices). The controller ships with apps for the most common products, and users can develop and share apps for less common or proprietary applications and devices they want to connect and automate.
Assets are the infrastructure entities, defined by an administrator, on which actions are executed or which mediate an action's execution. Examples include firewalls, directory services, reputation services, endpoint applications, VPN gateways and SIEMs. Their configuration and access parameters are stored securely and used by the controller when the respective app runs an action.
Owners are the administrators, groups or users responsible for an asset, and an asset can be configured with one or more owners. When an action is to be executed on an asset, its owners are notified with the full context: what the action is and why it is being executed or what change is being requested. Owners can review, change, approve or deny the action; without their approval the action is not executed.
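The following is an added illustration of how the concepts above fit together (container, artefacts, playbook, generic action, app, asset, owner approval). It is not the product's code: the class names, the hypothetical product identifier "fw-vendor-x", the owner decisions and the alert data are all constructed for the example.

```python
"""Minimal model of the controller concepts above (containers, artefacts,
playbooks, generic actions, apps, assets, owners).  Added illustration only:
the class and function names are assumptions, not the product's API."""
from dataclasses import dataclass, field


@dataclass
class Artifact:
    kind: str    # e.g. "ip", "hash", "url"
    value: str


@dataclass
class Container:
    """One unit of imported data (an alert, an email) with its normalised artefacts."""
    source: str
    artifacts: list = field(default_factory=list)


@dataclass
class Asset:
    name: str
    product: str   # selects the app that knows how to talk to this device
    owners: list   # owners who must approve any action on it


class FirewallApp:
    """An app implements generic verbs for one product.  This one only records
    what a real app would push to the firewall's management API."""
    product = "fw-vendor-x"   # hypothetical product identifier

    def __init__(self):
        self.blocked = {}

    def block_ip(self, asset, ip):
        self.blocked.setdefault(asset.name, set()).add(ip)
        return f"{asset.name}: blocked {ip}"


class Controller:
    def __init__(self, approve):
        self.apps = {}           # product -> app instance
        self.assets = []
        self.approve = approve   # callback (owners, verb, asset, arg) -> bool
        self.audit = []          # every decision is recorded, executed or not

    def register_app(self, app):
        self.apps[app.product] = app

    def add_asset(self, asset):
        self.assets.append(asset)

    def run_action(self, verb, arg):
        """Route a generic verb such as "block ip" to every asset whose app
        implements it; execute only when the asset's owners approve."""
        method = verb.replace(" ", "_")
        results = []
        for asset in self.assets:
            app = self.apps.get(asset.product)
            if app is None or not hasattr(app, method):
                continue                      # no app can act on this asset
            if not self.approve(asset.owners, verb, asset, arg):
                self.audit.append((verb, asset.name, arg, "denied"))
                continue
            results.append(getattr(app, method)(asset, arg))
            self.audit.append((verb, asset.name, arg, "executed"))
        return results


def playbook_block_listed_ips(controller, container, blocklist):
    """Playbook: for each IP artefact on a blocklist, request "block ip"."""
    results = []
    for art in container.artifacts:
        if art.kind == "ip" and art.value in blocklist:
            results.extend(controller.run_action("block ip", art.value))
    return results


def demo():
    # Constructed owner decisions: fw-admins approve blocks, net-ops do not.
    decisions = {("fw-admins", "block ip"): True, ("net-ops", "block ip"): False}
    ctl = Controller(approve=lambda owners, verb, asset, arg:
                     all(decisions.get((o, verb), False) for o in owners))
    ctl.register_app(FirewallApp())
    ctl.add_asset(Asset("edge-fw", "fw-vendor-x", ["fw-admins"]))
    ctl.add_asset(Asset("dc-fw", "fw-vendor-x", ["net-ops"]))
    alert = Container("siem", [Artifact("ip", "203.0.113.7"),
                               Artifact("ip", "198.51.100.9"),
                               Artifact("hash", "d41d8cd9")])
    results = playbook_block_listed_ips(ctl, alert, {"203.0.113.7"})
    return results, ctl.audit


if __name__ == "__main__":
    print(demo())
```

The point to notice is that the playbook never names a firewall: it issues "block ip" and the controller decides which assets can carry it out and whether their owners allow it. The denied request still lands in the audit trail, which is what an analyst needs when asking why a block did not happen.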
The ALTEN Calsoft Labs Programmable Security Controller can be customised to customer requirements. Real-world uses of the platform are described below.
SIEM alert triage
Less than 1% of critical security alarms are ever investigated. In many organisations most of these alarms are now generated by the SIEM. SOC professionals need a way to review and validate all alarms and potential threats, not just the highest rated.
Limitations of the current process: Manually reviewing and investigating every SIEM alarm is logistically impossible. SIEM alarms often lack the event context needed to judge them, requiring additional time-consuming research. Analysts can therefore investigate only a small percentage of alarms, which increases the likelihood of missed attacks, and any uninvestigated alert may be the one that signals a breach.
SAO platform solution: Automate as much of the process as possible while providing context to investigations.
SAO platform benefits: The overwhelming number of SIEM alerts means that many are not investigated promptly, if at all. By automating as much as 80 to 90% of the incident response process, the SAO platform lets SOC analysts address the high volume of alerts faster without additional resources. The remaining tasks that need human intervention benefit from richer contextual information and a more consistent workflow. The platform radically improves security operations efficiency while reducing risk, and lets the team respond quickly to all SIEM alerts with a better workflow.
Privileged credential verification
Smooth and rapid verification of privileged credentials is critical to good security hygiene. SOC analysts are challenged to ensure easy access for legitimate users while protecting against stolen or misused credentials.
Limitations of the current process: Large organisations cannot feasibly validate all user activity at all times. Security teams need to determine quickly whether new user behaviour is legitimate or malicious, and manually checking user permissions to identify aberrant behaviour is slow.
SAO platform solution: Automatically validate user permissions for specific resources.
SAO platform benefits: Enterprises must be able to verify and control access to confidential information to protect against data breaches. If verification shows a high likelihood of unauthorised behaviour, automated actions can disable the user account and quarantine the host from the network to prevent further malicious activity. Analysts can also automate other protective actions such as running anti-virus scans and disabling Active Directory accounts, so that the effects of the malicious activity are mitigated as quickly as possible.
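As an added illustration of this use case (not the product's code), the playbook below checks successful accesses against a constructed entitlement map and escalates from review to containment only when a user crosses a threshold of violations. The permission map, the key=value access log, the threshold and the action names ("disable_ad_account", "quarantine_host", "run_av_scan") are all assumptions made for the example.

```python
"""Validate successful resource access against each user's entitlements and
decide containment actions.  Added illustration, not the product's code; the
permission map, log lines and action names are constructed."""
import re
from collections import defaultdict

# Constructed entitlements: which resources each user may touch.
PERMISSIONS = {
    "alice": {"hr-share", "payroll-db"},
    "bob": {"eng-repo"},
}

# Constructed access events in a flat key=value format.
ACCESS_LOG = """\
2024-05-01T09:00:01Z user=alice host=wks-11 resource=hr-share action=read result=success
2024-05-01T09:05:12Z user=bob host=wks-22 resource=eng-repo action=read result=success
2024-05-01T22:14:03Z user=bob host=wks-22 resource=payroll-db action=read result=success
2024-05-01T22:14:09Z user=bob host=wks-22 resource=hr-share action=read result=success
2024-05-01T22:15:40Z user=bob host=wks-22 resource=payroll-db action=export result=success
2024-05-01T22:16:00Z user=carol host=wks-33 resource=payroll-db action=read result=denied
garbage line that must not crash the playbook
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"resource=(?P<resource>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse key=value lines into dicts, skipping anything malformed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def validate_access(events, permissions):
    """Return successful accesses to resources outside the user's entitlements,
    grouped by user.  Denied attempts were already blocked and are not counted."""
    violations = defaultdict(list)
    for e in events:
        allowed = permissions.get(e["user"], set())
        if e["result"] == "success" and e["resource"] not in allowed:
            violations[e["user"]].append(e)
    return dict(violations)


def decide_actions(violations, threshold=2):
    """Below the threshold, ask the account owner to review; at or above it,
    disable the account and quarantine and scan every host involved."""
    actions = []
    for user, evs in violations.items():
        if len(evs) < threshold:
            actions.append(("notify_owner_for_review", user))
            continue
        actions.append(("disable_ad_account", user))
        for host in sorted({e["host"] for e in evs}):
            actions.append(("quarantine_host", host))
            actions.append(("run_av_scan", host))
    return actions


def run(log=ACCESS_LOG, permissions=PERMISSIONS):
    violations = validate_access(parse_log(log), permissions)
    return violations, decide_actions(violations)


if __name__ == "__main__":
    for step in run()[1]:
        print(step)
```

The threshold matters: a single unexpected read is often a permissions mistake and deserves an owner's review, whereas repeated reads plus an export of data the user was never entitled to is the pattern where automatic containment pays for itself. In the controller model above, each tuple would be an action routed to the directory service and endpoint assets, subject to owner approval.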
Insider threat detection
Malicious and negligent acts by insiders, and attacks using stolen credentials, are a major source of successful breaches, yet quickly identifying insider threats is a challenge for SOC professionals.
Limitations of the current process: Researching and validating potential insider threats requires extensive manual effort. A disparate set of security tools is needed to verify them, so analysts must investigate in each tool to get a complete picture of the incident. Insider activity frequently resembles normal behaviour and is spread across multiple systems, making it hard to detect and to understand the scope of an attack. Reducing mean time to detect (MTTD) and MTTR is critical to minimising the damage from insider threats.
SAO platform solution: Integrate multiple tools for rapid insider threat detection and response.
SAO platform benefits: Security automation and orchestration reduces MTTR and makes it possible to identify and stop insider threats before they cause major damage. Integrating the security toolset and orchestrating detection gives SOC analysts a complete view of all insider threat alerts. Automating significant parts of the detection and response process makes the entire security infrastructure more effective without adding overhead.
Threat hunting
In today's threat environment it is no longer enough to be passively vigilant. True protection requires proactively identifying and hunting for threats.
Limitations of the current process: Slow, manual processes limit how often hunting is done. Collecting evidence requires drilling down into logs or packet captures by hand, and validating threat research requires accessing multiple third-party systems.
SAO platform solution: Automatically search indicators of compromise (IOCs) against threat intelligence.
SAO platform benefits: Integrating these technologies and providing a comprehensive, centralised view of all relevant threat data gives SOC analysts a clear picture of the complete landscape of an alert or incident without hunting for the information manually. By automating time-consuming and repetitive tasks, analysts can spend more time hunting new threats and getting ahead of adversaries. Continuous hunting through automated workflows over a fully integrated security infrastructure supports proactive protection by helping SOC professionals stay on top of threats and understand all of the integrated threat information.
Phishing response
With millions of phishing emails sent every day, it is no surprise that new and increasingly damaging attacks make headlines on a regular basis.
Limitations of the current process: There are too many potential phishing emails each day for SOC analysts to investigate. Investigations typically require several security platforms, and a manual process can take between 10 and 45 minutes per threat. Most organisations lack the analysts needed to investigate the daily volume of phishing attempts, and slow MTTR increases risk and potential damage.
SAO platform solution: Automate the investigation and quarantine of suspected emails.
SAO platform benefits: Analysts can research and resolve a high volume of phishing attacks with minimal effort, automating 80 to 90% of the repetitive tasks immediately. MTTR is greatly reduced because the response starts as soon as the alert arrives, and containment is performed at machine speed. Incident response processes are clearly defined and consistently executed, every suspicious email is investigated properly, and human error is minimised at each step. Workflows can easily be adapted to incorporate new anti-phishing processes and technologies.
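The block below is an added example (not the product's code) of the phishing investigation described here; its lookup_iocs step is also the "search IOCs against threat intelligence" operation from the threat hunting use case above, so one block serves both. The two email messages, the threat-intelligence sets, the executable-extension list and the scoring weights are constructed for the example; a real playbook would replace the sets with queries to reputation services and hash feeds configured as assets.

```python
"""Phishing triage playbook: parse a suspect message, extract indicators,
look them up against threat intelligence and decide whether to quarantine.
Added illustration, not the product's code.  The threat-intelligence sets,
the messages and the scoring weights are constructed."""
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed threat intelligence standing in for the feeds the platform would query.
TI_BAD_DOMAINS = {"login-verify-example.test"}
TI_BAD_URLS = set()
TI_BAD_HASHES = set()
EXECUTABLE_EXT = (".exe", ".scr", ".js", ".vbs", ".hta")

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

SUSPECT_EMAIL = b"""\
From: "IT Helpdesk" <helpdesk@corp.example>
Reply-To: support@login-verify-example.test
To: user@corp.example
Subject: Password expiry notice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your password expires today. Reset here: http://login-verify-example.test/reset?u=1
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

BENIGN_EMAIL = b"""\
From: alice@corp.example
To: user@corp.example
Subject: Wiki page
Content-Type: text/plain

Notes are at http://intranet.corp.example/wiki/notes
"""


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def extract_indicators(raw):
    """Pull sender, reply-to, URLs and attachment hashes out of a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    urls, attachments = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            attachments.append({"name": part.get_filename() or "",
                                "sha256": hashlib.sha256(data).hexdigest()})
        elif part.get_content_type() == "text/plain":
            urls.extend(URL_RE.findall(part.get_content()))
    return {"sender": sender, "reply_to": reply_to, "urls": urls, "attachments": attachments}


def lookup_iocs(ind):
    """Search every indicator against the TI sets; the same lookup a hunting
    playbook would run over IOCs harvested from logs or packet captures."""
    domains = {urlparse(u).hostname for u in ind["urls"]} - {None}
    domains |= {d for d in (domain_of(ind["sender"]), domain_of(ind["reply_to"])) if d}
    hits = sorted(domains & TI_BAD_DOMAINS)
    hits += sorted(set(ind["urls"]) & TI_BAD_URLS)
    hits += sorted({a["sha256"] for a in ind["attachments"]} & TI_BAD_HASHES)
    return hits


def triage(raw, quarantine_at=5):
    ind = extract_indicators(raw)
    hits = lookup_iocs(ind)
    score = 3 * len(hits)
    # Reply-To pointing at a different domain than the visible sender is a classic tell.
    mismatch = bool(ind["reply_to"]) and domain_of(ind["reply_to"]) != domain_of(ind["sender"])
    score += 2 if mismatch else 0
    exes = [a["name"] for a in ind["attachments"] if a["name"].lower().endswith(EXECUTABLE_EXT)]
    score += 3 * len(exes)
    verdict = "quarantine" if score >= quarantine_at else ("review" if score else "no_action")
    return {**ind, "ti_hits": hits, "reply_to_mismatch": mismatch,
            "executables": exes, "score": score, "verdict": verdict}


if __name__ == "__main__":
    for raw in (SUSPECT_EMAIL, BENIGN_EMAIL):
        r = triage(raw)
        print(r["verdict"], r["score"], r["ti_hits"], r["executables"])
```

Attachment hashes are recorded even when no feed matches them, so the analyst who picks up a "review" verdict already has the IOCs to pivot on. In the controller model, "quarantine" would become a generic action routed to the mail server asset rather than a direct call from the playbook.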
Forensic investigation
Collecting data from disparate tools and keeping all evidence in a central repository for forensic investigation is a cumbersome manual task, as is gathering forensic detail after an incident. Organisations need intuitive access to all forensic detail in order to conduct investigations rapidly.
Limitations of the current process: Collecting forensic data from disparate tools and providing a centralised repository for all collected evidence is a manual and time-consuming process. Investigators typically have to retrieve evidence from multiple third-party systems, and evidence is often stored in several locations.
SAO platform solution: Automatically centralise relevant forensic data.
SAO platform benefits: The SAO platform can automatically query the SIEM for relevant forensic log data and trigger actions in forensic software to gather endpoint data such as memory dumps and disk images. All of this data is centralised in the platform until the forensic investigator performs more detailed analysis. Analysts no longer waste time gathering information from a variety of sources, and investigators do not have to drive different tools by hand to assemble the detail an in-depth investigation needs, so they spend more time analysing and less time on administrative work.
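An added example (not the product's code) of the evidence-centralisation playbook, with the check a practitioner would want on top of it: every collected item is hashed on arrival and the manifest can be re-verified later, so the investigator can show the evidence has not changed since collection. The SIEM log, the collector functions and the case identifier are constructed stand-ins for the SIEM query and forensic-agent actions the platform would run.

```python
"""Centralise evidence from several sources into one case store with an integrity
manifest.  Added illustration, not the product's code: the SIEM query and the
endpoint collectors return constructed bytes in place of real tool calls."""
import hashlib
import json

# Constructed SIEM data; a real playbook would run a query against the SIEM asset.
SIEM_LOG = """\
2024-05-01T22:14:03Z host=wks-22 user=bob event=file_read path=/srv/payroll/db.sqlite
2024-05-01T22:15:40Z host=wks-22 user=bob event=upload dst=203.0.113.7:443 bytes=18400000
2024-05-01T22:16:00Z host=wks-33 user=carol event=logon result=denied
"""


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class EvidenceStore:
    """One case, many items; every item is hashed the moment it arrives."""

    def __init__(self, case_id):
        self.case_id = case_id
        self.blobs = {}    # name -> bytes (stand-in for object storage)
        self.items = {}    # name -> manifest entry

    def add(self, name, source, data, collected_at):
        if name in self.items:
            raise ValueError(f"duplicate evidence name {name!r}")
        self.blobs[name] = data
        self.items[name] = {"source": source, "sha256": sha256_hex(data),
                            "size": len(data), "collected_at": collected_at}
        return self.items[name]["sha256"]

    def manifest(self):
        return json.dumps({"case": self.case_id, "items": self.items},
                          sort_keys=True, indent=1)

    def verify(self):
        """Recompute every hash; return the names whose bytes no longer match."""
        return sorted(n for n, m in self.items.items()
                      if sha256_hex(self.blobs.get(n, b"")) != m["sha256"])


# Collectors standing in for the SIEM and forensic-software apps.
def siem_query(host):
    lines = [line for line in SIEM_LOG.splitlines() if f"host={host} " in line]
    return "\n".join(lines).encode()


def collect_memory(host):
    return b"CONSTRUCTED-MEMDUMP:" + host.encode()   # placeholder for a real dump


def collect_disk_image(host):
    return b"CONSTRUCTED-DISKIMG:" + host.encode()   # placeholder for a real image


def collect_case(case_id, host, collected_at="2024-05-01T23:00:00Z"):
    """Playbook: pull everything relevant to one host into a single case store."""
    store = EvidenceStore(case_id)
    store.add(f"{host}-siem.log", "siem", siem_query(host), collected_at)
    store.add(f"{host}-memory.bin", "forensic-agent", collect_memory(host), collected_at)
    store.add(f"{host}-disk.img", "forensic-agent", collect_disk_image(host), collected_at)
    return store


if __name__ == "__main__":
    case = collect_case("INC-0001", "wks-22")
    print(case.manifest())
    print("integrity failures:", case.verify())
```

Hashing at collection time is cheap and is what turns a convenient central copy into evidence an investigator can rely on; a tampered or truncated item shows up in verify() rather than being discovered during analysis.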