Security Orchestration, Automation and Response (aka SOAR)
- What are we looking to automate?
- Orchestrate many specialised systems (e.g. Hive, Cortex, MISP, TIP, ServiceNow, JIRA, etc etc)
- No way every system can integrate directly with every other system
- Orchestration system vs the cluster of duct tape scripts you have today
- Replacing analyst repetition
- Supporting analyst complex investigation
- Typical workflows to target
- Tracking and enforcing workflows within the team (did we end up handling everything?)
- Making workflows consistent (did we handle everything in the same way?)
SOAR vs regular orchestration
- How does it differ?
- How do SOAR systems work together with regular orchestration?
Commercial options (brief summary)
Open source options (more depth, with demos)
- NSA Walkoff
- Ansible (specialised roles for secops coming - pending release)
Considerations for running SOAR platforms
- A long term, ongoing project - start simple and iterate
- Fast moving plugin community in line with integration target system releases
- Testing playbooks pre-release
- Testing playbooks post-release
- Uncommon integrations - do you need developers?
- Keeping automation pipelines sane and monitored
- Do they still perform the way initially intended?
- Do you already have clearly defined non-automated processes?