Running Your SOC Playbooks as Code
Security Orchestration, Automation and Response (a.k.a. SOAR)
What are we looking to automate?
Orchestrate many specialised systems (e.g. Hive, Cortex, MISP, TIP, ServiceNow, JIRA, etc.)
There is no way every system can integrate directly with every other system
Orchestration system vs the cluster of duct-tape scripts you have today
Replacing analyst repetition
Supporting analysts in complex investigations
Typical workflows to target
Tracking and enforcing workflows within the team (did we end up handling everything?)
Making workflows consistent (did we handle everything in the same way?)
SOAR vs regular orchestration
How does it differ?
How do SOAR systems work together with regular orchestration?
Commercial options (brief summary)
Open source options (more depth, with demos)
Ansible (specialised roles for SecOps coming - pending release)
Considerations for running SOAR platforms
A long term, ongoing project - start simple and iterate
Fast moving plugin community in line with integration target system releases
Testing playbooks pre-release
Testing playbooks post-release
Uncommon integrations - do you need developers?
Keeping automation pipelines sane and monitored
Do they still perform the way initially intended?
Do you already have clearly defined non-automated processes?