By Josh Magady, Section Manager, Senior Cybersecurity Consultant, and Practice Technical Lead, 1898 & Co.
Why is being cybersecurity compliant not the same as being prepared for threats? Shouldn't compliance mean full coverage against all current and future threats? Compliance builds in a checklist mentality. A company measures itself against standards such as NERC CIP or HIPAA, but those standards cannot account for the specifics of that company's environment. They are intended as a starting point. The problem arises when organizations stop at meeting the compliance standard and don't look for ways to bolster their cybersecurity beyond it. They might follow the best practices of the CIS Top 20, but they need a more comprehensive approach: a suite of tools and policies that lets them handle the challenges of remote work and remote access, nation-state-sponsored attacks, and broader digital transformation.
An ideal counterpoint to these threats and to digitization is a SOAR platform. SOAR stands for Security Orchestration, Automation, and Response. Orchestration means coordinating devices and software applications so they act together. Automation means security processes and protocols run on their own according to pre-set rules. Response covers collecting information and taking rapid action against threats in real time. It is a well-suited solution for protecting critical infrastructure against an ever-increasing number of threats.
Threats for OT, Industrial Control Systems, and SCADA Environments
The threats to OT, ICS and SCADA vary by sector. Nation states are a consistent threat, targeting municipalities, electrical grids, and similar entities. They are looking to destabilize these systems and, in some cases, they are fronting the efforts of ransomware gangs.
For industrial control systems (ICS), the challenge comes when security experts ask engineers and system operators to think about cybersecurity. These people often feel the data produced by their ICS is not valuable and so does not warrant strong cybersecurity. However, bad actors are interested in control over these systems, not in the data.
The push toward remote work and broad digitization of services complicates the cybersecurity response. Within OT, ICS and SCADA environments there is a range of related threats, including human error and the continued use of old and outdated legacy systems. With spreading digitization there is also an increased need for connectivity to share information and insights, and every additional endpoint and transit path exposes data to bad actors. All three of these environments also contain networks and systems that were never secure by design, so the flaws are deep and inherent. Compounding these flaws is a market with too many vendors and not enough integrated systems that enable continuity.
With remote work, firms rely on their employees to maintain security over their home networks, but traditionally these staff don't have the training or the background to understand the risks and threats facing those networks. People remain the vector for threats. Firms need robustly hardened endpoints, technologies that provide endpoint detection and response (EDR), and zero trust architectures (ZTA). Managing all of these threat exposures at scale proves challenging for any business unless it brings on a SOAR platform to unify its infrastructure and automate processes.
SOAR Adds Efficiency to Cybersecurity Efforts
SOAR uses automation to extend the ability of security teams to manage multiple systems. It integrates across various platforms and codifies existing workflows so that understaffed teams can cover more ground. It is an operations platform, one that blends technology and operational processes. In the hands of an experienced practitioner, SOAR can improve a wide range of processes.
SOAR platforms are, at heart, application platforms, so their capabilities are limited mainly by what a team can design. If a user can define a process clearly, it can most likely be implemented in a SOAR platform. Because the scope is so open-ended, SOAR platforms can intimidate teams at first. When used properly, however, SOAR functions as an integrative platform that saves time and gives cyber teams a deeper reach. It automates vital processes and integrates various systems within a single platform, which creates streamlined actions and familiarity over time.
With SOAR, organizations can orchestrate existing resources together with automation. It enables a more proactive response model, with UI standardization, improved data gathering, and workflow analysis that work together to manage today’s complex threats.
For example, a firm might spend several hours performing an indicators of compromise (IOC) investigation. They might receive a notification from E-ISAC asking them to check certain domains, IP addresses, or a specific file hash. This creates a significant amount of work, because the analyst needs more information than the alert provides. If a file hash alert comes in, the analyst requires more data to really understand what the file does. They might query AlienVault or VirusTotal for that hash and gather the details, such as what the file usually changes, its attack vectors, and other information that builds a forensic case. Once this information has been collected, a search of the organization's endpoints is required to check whether that IOC is present in the environment. With these tasks already programmed into SOAR, along with an email parser that recognizes the E-ISAC alert, a company can complete the investigation in minutes. The SOAR platform produces a report, and the team takes further action as needed.
This dynamic cuts through the noise for better efficiency and accuracy. The cybersecurity team can focus on dealing with the threats that are actually in the network while threat identification and investigation are automated. It also limits analyst burnout from the constant stream of alerts that come across their desks. Going through these manually and determining which ones are actionable is not a reasonable task.
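To make the playbook above concrete, here is an added example (not code from the author or from any SOAR vendor) of the same flow in plain Python: parse an ISAC-style alert email, extract the IOCs from its body, enrich them, sweep endpoint telemetry for matches, and emit a report. The alert text, the enrichment table, and the endpoint telemetry are all constructed for this example, and the hashes, IP addresses and domains in them are placeholders; in a real playbook the enrichment dictionary would be replaced by a threat-intel API call and the sweep by an EDR or asset-inventory query.

```python
"""Minimal SOAR-style IOC triage playbook (added example, all data constructed).

Stages: parse alert email -> extract IOCs -> enrich -> sweep endpoints -> report.
"""
import email
import ipaddress
import re

# Constructed indicator values (placeholders, not real malware artifacts).
BAD_HASH = "4a7d1ed414474e4033ac29ccb8653d9b3e2c7f81a5d0b2e6f9c3a1b8d7e6f5c4"
BAD_MD5 = "0123456789abcdef0123456789abcdef"

# Constructed ISAC-style bulletin, as it might arrive in a monitored mailbox.
# The 999.1.1.1 line is a deliberate bad indicator that validation should reject.
SAMPLE_ALERT = f"""\
From: alerts@example-isac.invalid
Subject: [TLP:AMBER] IOC bulletin 0001

Please check your environment for the following indicators:
  Domain: update-check.example.invalid
  IP: 203.0.113.45
  IP: 999.1.1.1 (out of range, should be rejected)
  SHA256: {BAD_HASH}
  MD5: {BAD_MD5}
"""

IOC_PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "md5": re.compile(r"\b[0-9a-f]{32}\b", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}

# Constructed stand-in for a threat-intel lookup (VirusTotal, OTX, ...), keyed by IOC.
ENRICHMENT = {
    BAD_HASH: {"verdict": "malicious", "family": "Example.Loader"},
    "203.0.113.45": {"verdict": "suspicious", "note": "C2 infrastructure"},
    "update-check.example.invalid": {"verdict": "malicious", "note": "staging domain"},
}

# Constructed endpoint telemetry, the kind of data an EDR or OT inventory returns.
ENDPOINTS = {
    "hmi-01": {"hashes": {BAD_HASH}, "ips": set(), "domains": set()},
    "historian-02": {"hashes": set(), "ips": {"203.0.113.45"},
                     "domains": {"update-check.example.invalid"}},
    "eng-ws-07": {"hashes": set(), "ips": {"198.51.100.7"},
                  "domains": {"vendor.example.invalid"}},
}


def extract_iocs(raw_email):
    """Return {ioc_type: set(values)} from the body of an alert email.

    Only the body is scanned, so the sender's own domain in the headers is
    not mistaken for an indicator. IPv4 candidates are validated so a typo
    like 999.1.1.1 does not become a bogus search term."""
    body = email.message_from_string(raw_email).get_payload()
    found = {kind: set() for kind in IOC_PATTERNS}
    for kind, pattern in IOC_PATTERNS.items():
        for value in pattern.findall(body):
            if kind == "ipv4":
                try:
                    ipaddress.IPv4Address(value)
                except ValueError:
                    continue
            found[kind].add(value.lower())
    return found


def enrich(iocs, intel=ENRICHMENT):
    """Attach the intel verdict to each IOC; IOCs the source has never seen stay 'unknown'."""
    return {value: {"type": kind, **intel.get(value, {"verdict": "unknown"})}
            for kind, values in iocs.items() for value in values}


def sweep(iocs, endpoints=ENDPOINTS):
    """Return [(endpoint, ioc_type, value)] for every IOC observed on an endpoint."""
    field_for = {"sha256": "hashes", "md5": "hashes", "ipv4": "ips", "domain": "domains"}
    hits = []
    for name, telemetry in endpoints.items():
        for kind, values in iocs.items():
            for value in sorted(values & telemetry[field_for[kind]]):
                hits.append((name, kind, value))
    return hits


def run_playbook(raw_email):
    """Orchestration step: chain the stages and produce the report the team acts on."""
    iocs = extract_iocs(raw_email)
    hits = sweep(iocs)
    return {
        "iocs": enrich(iocs),
        "hits": hits,
        "affected_endpoints": sorted({endpoint for endpoint, _, _ in hits}),
        "verdict": "ESCALATE" if hits else "NO_MATCH",
    }


if __name__ == "__main__":
    report = run_playbook(SAMPLE_ALERT)
    print(f"{len(report['iocs'])} IOCs parsed, {len(report['hits'])} hits -> {report['verdict']}")
    for endpoint, kind, value in report["hits"]:
        print(f"  {endpoint}: {kind} {value} ({report['iocs'][value]['verdict']})")
```

Each stage is a separate function so a real playbook can swap one out (the enrichment for a live API client, the sweep for an EDR search) without touching the others, which is the same modularity a SOAR platform encourages. The playbook also records an explicit verdict so downstream steps (ticket creation, host isolation) can branch on it rather than on free text.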
One caveat for SOAR is that before a significant implementation, an organization needs to review and improve its documentation, especially if it expects the full SOAR capabilities of incident response, endpoint detection, phishing management, and asset management. A quality SOAR platform can manage all of this, but it requires a mature organization that has its policies in place and documented. It does not work with "tribal knowledge" that differs depending on which staff member you ask, because a platform cannot automate a process nobody has written down. Before diving into a SOAR platform, it is worthwhile for organizations to take any undocumented processes, put them on paper, and then smoke-test them to ensure they are indeed the right processes.
SOAR provides an operations platform that enables threat investigation at scale and streamlines existing processes. It addresses staffing shortages and the need for leaner operations by automating mundane tasks. Through integration of different systems, SOAR drives efficiency for the benefit of overworked cybersecurity teams, who then have the time and energy to tackle other operational issues.
About the Author
Joshua Magady is a proven security professional and leader of security teams and programs within a variety of markets. For the past 5 years he has been working to secure our nation's critical infrastructure with 1898 & Co. For the 10 years prior to that, he was leading the charge in the DoD, helping to keep the systems our warfighters rely on safe and secure. He has many initials after his name, including CISSP, OSCP, and GICSP. He has a passion for helping the average person and new security professionals understand the why, what, when and how of security.