How to Make Your Security Infrastructure SOAR

Security architects, SOC engineers, and response teams are increasingly moving to security workflow automation to meet the demands of new threats. It’s not enough to have a great tool to meet today’s security challenges – your tools have to work better together. The market for security automation has become so large that in 2017, Gartner identified a new market niche called Security Orchestration, Automation, and Response (SOAR). Security automation involves automating tasks and incident response workflows in response to an event. Security orchestration refers to integrating disparate security tools, facilitating automation, combining reports and dashboards to improve the efficiency of the Security operations (SOC) team. We expect more and more organizations to adopt SOAR. According to the Gartner report, SOAR adoption will rise from 1% to 15% by 2020 for companies with 5 or more security professionals [10].

According to Gartner, the 3 most important capabilities of SOAR are:

Security incident response: How an organization plans, manages, tracks and coordinates the response to a security incident.

Threat and vulnerability management: Technologies that support remediation of vulnerabilities and provide the formalized workflow, reporting and collaboration capabilities.

Security operations Automation/Orchestration: Technologies that support the automation and orchestration of workflows, processes, policy execution and reporting.

Security information and event management (SIEM), User and Entity Behavior Analytics (UEBA) and SOAR aggregate data from multiple sources but SIEM and UEBA solutions produce far more alerts than the SOC team can respond to every day. Also, according to one RSA survey in 2018, most enterprises receive over 10,000 alerts every day [2]. As you probably know, it is impossible to review so many alerts every day. Incidents can cause significant damage in a matter of minutes and hence, enterprises can’t afford to spend hours or days chasing down all the alerts, with no context on the criticality of those alerts. Since SOAR can help solve some of these problems, the last few years have seen a rise in adoption of SOAR technology. Enterprises are integrating a wide range of technologies in the hope of reducing alerts and automating more tasks.

SOAR supports multiple activities for security operations including prioritizing threats, formalizing triage and incident response and automating workflows as shown below:

These capabilities provide the following benefits to security teams:

Prioritize operational activities: A SOAR solution consolidates data from different tools, 3rd party feeds, and IT databases so that the SOC team can view everything in a single place and discern the risk level of threats.
Formalize triage and incident response: Pre-defined work-flows and tools such as ServiceNow can assist analysts and SOC teams to review/assess incidents more quickly. It allows them to begin remediation of security incidents based on best practices, thereby helping them overcome the shortage of cybersecurity workforce.
Automate Workflows: With repeatable tasks automated, SOC teams can focus on higher-value tasks such as threat hunting.

Infoblox Ecosystem Exchange:

Infoblox Ecosystem Exchange is a highly interconnected set of integrations that enable organizations to significantly improve the security, efficiency, and ROI of their entire cybersecurity ecosystem, including third-party, multi-vendor assets. It extends security, increases agility, and enhances situational awareness across networks of any scale or complexity. It eliminates silos between network and security teams and provides consolidated visibility of on-premises, virtualized and cloud infrastructure. It accelerates response to threat and network events, enabling network and security organizations to take network security, performance, efficiency and cost control to the next level.

Infoblox enables customers to automatically share IPAM metadata, DNS data, user and device information, rich network context and DNS security events with different security tools such as SOAR, SIEM, Vulnerability Management, Firewalls, NAC and others. Infoblox helps power SOAR platforms with rich network and threat data that can be easily leveraged in other security solutions.

How Infoblox Powers SOAR platforms:

SOAR can request IPAM metadata and other information from Infoblox. Once the SOAR solution receives information on IP address, Network devices and malicious events from Infoblox, it can use that information to block/unblock domains, check information on IP/host/network/domains and enrich other tools with IPAM information.

Benefits of the integration include:

Integrate disparate security tools and provide a vendor-neutral threat intelligence for all devices
Context for prioritization of threats
Automate/faster response to network and malicious events with a full set of threat intelligence APIs
Enhance and improve incident response with better threat intelligence
Improve security processes by integrating Infoblox with other solutions via SOAR

To learn more about Infoblox’s ecosystem integrations, including integration with SOAR vendors, please visit https://www.infoblox.com/solutions/cybersecurity-ecosystem/ and https://www.infoblox.com/partners/technology-partners/ .

References:

Chintan Udeshi

Product Marketing Manager at Infoblox