Testing out some SOAR tools
A couple of months ago I got involved in a DFIR community, trying to learn and absorb as much of the information out there as I could about this very interesting subject. Since I have explained what SOAR means in some previous posts, I wanted to share my experience with this particular tool.
The first thing I did was join the DFIR community; once I was there, I downloaded Demisto's trial version and started to create different scenarios, read all the tutorials and used the tool.
As Demisto stated in its report The State of SOAR 2018:
Technological advancements have made it easier to conduct business, but the job of securing these technologies falls upon already overworked security teams. Demisto conducted a study of security professionals around the world to delve deeper into security challenges, their manifestations, and possible solutions. Our results yielded fascinating insights into the state of cybersecurity in businesses of all sizes.
Some interesting trends our report uncovered:
Alerts on the rise: Organizations review an average of 12,000 alerts per week, resulting in an average MTTR of 4.35 days.
Personnel woes: It takes around 8 months to train new security employees; despite this, a quarter of employees leave within two years.
Piecemeal processes: More than 50% of respondents either don’t have defined security processes, or rarely update existing processes.
Threat hunting time: Around 62% of respondents expect SOAR tools to help with proactive threat hunting.
Using the tool
Demisto's core is built around these components:
- Automation: This is where you view, create, and edit scripts in either Python or JavaScript. Each script performs a specific action in an incident and is built from the commands exposed by an integration. There is a helpful command reference that shows you the available commands and their arguments, which makes writing scripts much easier.
- Playground: A non-production area where you can safely build and test commands, API calls and scripts, so you have a clear idea of what they do before running them against a live incident.
- Incidents: Anything ingested into the platform as a case: SIEM alerts, mail alerts, security alerts from third-party services, mailboxes, data in CSV format, or entries created through the Demisto REST API.
- Playbooks: The core of the tool. A playbook is made up of tasks, each of which performs a specific action. The key value of playbooks is the ability to structure and automate security responses that were previously handled step by step by hand. Tasks are either manual or automated: manual tasks are actions that are not associated with a script and wait for an analyst; automated tasks are associated with scripts, mostly written in Python or JavaScript.
- Indicators: The artifacts extracted from incidents (for example IP addresses, domains, URLs and file hashes), classified by type and evaluated against criteria the system has already established, so that a threat identified earlier is recognised when it shows up again in a new incident.
- Integrations: Third-party tools and services that Demisto orchestrates so that SOC operations can be automated across them. They cover Analytics & SIEM, Authentication, Case Management, Data Enrichment, Threat Intelligence, Database, Endpoint, Forensics & Malware Analysis, IT Services, Messaging, Network Security, and Vulnerability Management.
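To make the playbook model above concrete, here is a small added example of my own, not Demisto's code or its API: a toy playbook runner in Python that strings together automated tasks (indicator extraction, enrichment, a decision, a containment step) and stops at a manual task for the analyst. The task model (a script returns the name of the next task, or None when the playbook is finished), the sample incidents and the local reputation table are all constructed for the illustration; in the real product the enrichment and blocking steps would be integration commands.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample incidents, standing in for what a SIEM or mailbox integration would ingest.
# Every IP, domain and hash below is documentation/reserved test data, not a real indicator.
SAMPLE_INCIDENTS = [
    {
        "id": "1001",
        "type": "Phishing",
        "details": (
            "user reported mail from billing@acme-invoices.example with link "
            "http://203.0.113.45/login and attachment sha256 "
            "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
        ),
    },
    {
        "id": "1002",
        "type": "Phishing",
        "details": "user reported maintenance notice from it-helpdesk.example "
                   "linking to https://intranet.example/status",
    },
]

# Constructed local reputation table; in Demisto this would be a threat-intel integration call.
THREAT_INTEL = {
    "203.0.113.45": "malicious",
    "acme-invoices.example": "suspicious",
    "it-helpdesk.example": "benign",
    "intranet.example": "benign",
}

# Deliberately simple IOC patterns (the domain one also matches file names such as "report.pdf",
# which is why the verdicts still go past an analyst when anything is unknown).
IOC_PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b"),
}


@dataclass
class Task:
    """A playbook step. Automated tasks carry a script; a manual task has none and waits for an analyst."""
    name: str
    script: Optional[Callable[[dict, dict], Optional[str]]] = None


@dataclass
class Playbook:
    """A chain of tasks; each script returns the name of the next task, or None when the playbook is done."""
    tasks: Dict[str, Task]
    start: str

    def run(self, incident: dict, context: Optional[dict] = None) -> dict:
        context = dict(context or {})
        context["trail"] = []
        current: Optional[str] = self.start
        while current is not None:
            task = self.tasks[current]
            context["trail"].append(task.name)
            if task.script is None:
                # Manual task: stop here and leave the case in the analyst's queue.
                context["pending_manual_task"] = task.name
                return context
            current = task.script(incident, context)
        return context


def extract_indicators(incident: dict, context: dict) -> Optional[str]:
    """Automated task: pull IOCs out of the incident text, de-duplicated and grouped by type."""
    text = incident["details"].lower()
    context["indicators"] = {
        ioc_type: sorted(set(pattern.findall(text))) for ioc_type, pattern in IOC_PATTERNS.items()
    }
    return "enrich"


def enrich(incident: dict, context: dict) -> Optional[str]:
    """Automated task: look every indicator up in the (constructed) reputation table."""
    context["verdicts"] = {
        value: THREAT_INTEL.get(value, "unknown")
        for values in context["indicators"].values()
        for value in values
    }
    return "decide"


def decide(incident: dict, context: dict) -> Optional[str]:
    """Automated task: branch on the worst verdict; only an all-benign incident is closed automatically."""
    verdicts = set(context["verdicts"].values())
    if "malicious" in verdicts:
        context["verdict"] = "malicious"
        return "block_indicators"
    if verdicts and verdicts <= {"benign"}:
        context["verdict"] = "benign"
        return "close_incident"
    context["verdict"] = "inconclusive"  # unknown or suspicious: a human decides
    return "analyst_review"


def block_indicators(incident: dict, context: dict) -> Optional[str]:
    """Automated task: record the containment actions (a firewall/EDR integration would perform them)."""
    context["actions"] = [f"block {v}" for v, verdict in context["verdicts"].items() if verdict == "malicious"]
    return "analyst_review"


def close_incident(incident: dict, context: dict) -> Optional[str]:
    context["status"] = "closed"
    return None


def build_phishing_playbook() -> Playbook:
    steps = [
        Task("extract_indicators", extract_indicators),
        Task("enrich", enrich),
        Task("decide", decide),
        Task("block_indicators", block_indicators),
        Task("close_incident", close_incident),
        Task("analyst_review"),  # manual task, no script
    ]
    return Playbook(tasks={t.name: t for t in steps}, start="extract_indicators")


def run_incident(incident: dict) -> dict:
    return build_phishing_playbook().run(incident)


if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        ctx = run_incident(inc)
        print(inc["id"], ctx["verdict"], " -> ".join(ctx["trail"]), ctx.get("actions", []))
```

The first sample incident ends in the manual `analyst_review` task with a block action already queued, the second one is closed without any analyst involvement; that split between what the bot finishes on its own and what it hands over is the whole point of the playbook model.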
The platform does a great job on incident response, reporting and investigation by enabling full incident automation on the spot and providing a clearly defined workflow via playbooks, which analysts can also use to document the investigation in detail.
Automation for the different scenarios is easy to implement: a playbook takes literally minutes to deploy, and the platform talks to and integrates with a large number of security tools to automate the response.
So imagine this: you have a technical person on your team handling all these alerts, clearing them one by one, when you could create a DBot to do that work and free them up to take care of the big stuff. Pretty cool, isn't it? Take a look at the DFIR community; it's the biggest one out there at the moment.
I will be testing more tools and will write up my thoughts on them here.