Unexpected use cases of SOAR - Security Orchestration and Automated Response
Date: 6 August 2020
Amar Singh, Founder & CEO of CM-Alliance and Patrick Bayle, Senior Systems Engineer at Cortex (a Palo Alto Networks company) delve into how Cortex’s XSOAR can automate 95% of all response actions requiring human review and allow overloaded security teams to focus on the actions that really require their attention.
In this blog, we discuss the unusual use cases for which Palo Alto Networks applies the XSOAR platform:
- Customer Success Recruitment
- Firewall Policy Change Requests
- Log Bundle Inspection
- Purple Team Automation
- Cloud Instance Spin-ups
- Self-Defense Automation
- Employee on/off-boarding
- Consumer Privacy
Cyber Management Alliance and Palo Alto Networks have earlier shed extensive light on SOAR - Security, Orchestration, Automation & Response and their platform that plugs in critical gaps in the incident response lifecycle. In this exclusive webinar hosted on July 21, 2020, Amar Singh, Founder and CEO of CM-Alliance and Patrick Bayle, Senior Systems Engineer at Cortex (a Palo Alto Networks company) take the discussion a step further. They delve into how Cortex’s XSOAR can automate 95% of all response actions requiring human review and allow overloaded security teams to focus on the actions that really require their attention.
During this unique session available on Cyber Management Alliance's BrightTALK Channel, Amar and Patrick have an interesting chat about all the unusual and unexpected tasks that XSOAR can automate and how Palo Alto Networks uses the platform in their own organisation to streamline internal processes. After all, as Patrick puts it "One must eat one's own dog food!"
What does SOAR really do?
The webinar begins with a quick look at what SOAR really is and what it does. As Patrick explains that XSOAR is the industry’s first extended security orchestration, automation and response platform with native threat intel management.
- Over the years, there has been a shift in SOAR, from being responsive to more automation-driven.
- It offers the ability to centrally interact with third-party systems like SIEM/threat intelligence/EPP/vulnerability management/many more.
- Automation pairs nicely with orchestration – anything that is being done more than twice a week must be assessed to evaluate if the underlying process should be automated to save precious time.
Here’s a look at the main, slightly unusual use cases for which Palo Alto Networks applies the XSOAR platform which builds playbooks to automate tasks:
Customer Success Recruitment
Palo Alto Networks’ Customer Success team is vital in ensuring that customers get the most from their investment . Each customer is assigned a single point of contact and it is imperative that this person is suitably skilled and understands the products well. While recruiting, it is important for XSOAR to ascertain how likely one is to be a good candidate and how likely it is that they’ll support the product well. One has to apply a constant methodology to this process for it to be successful.
More details on this are at 9:50 in the recording
Firewall Policy Change Requests
In every organisation, Firewall rules don’t stay still. It’s normally the network operations team that makes the changes. These changes have to be made rapidly and in a strategic manner. Whoever is making the changes has to be accountable for them. The larger the organisation, the more complex this process becomes, especially given that there could be a large number of vendors in the mix.
More details on this are at 13:45 in the recording
Log Bundle Inspection
Every customer has different needs. The XSOAR platform does change so there are new scripts and integrations. So, if an issue needs troubleshooting, it can be tracked internally and the support team can request Log Bundles. The errors are hidden in the debug logs which can be extracted and analysed by the team.
More details on this are at 19:40 in the recording
Purple Team Automation
The Red Team is the active testers and the Blue Team is normally the SOC. There is continuous testing of SOC products and many customers used XSOAR for simulation testing as well. The idea is to constantly assess how the SOC operates. The challenges for the Purple Team can also be resolved with the XSOAR Playbook.
More details on this are at 23:20 in the recording
On automation and more:
You don’t have to automate everything as long as there is a clear process you don’t deviate from. Amar feels this sort of a process is imperative too as it is habit forming in humans which is critical. He adds that while conducting CM-Alliance’s Cyber Incident Response Training, he stresses on the importance of automating enrichment of data, which is another vital offering of the XSOAR platform.
Patrick corroborates Amar’s point and adds that the logical flow is that you extract the indicators and then you can ask for all the background data which is part of the data enrichment process after the extraction of indicators.
It’s very essential as this saves a lot of time thanks to it being done by a machine at machine speed. “You need to be able to systematically ensure that something happens the same way, every time and let the analysts do the subjective bits. Let them be the hunters. But let the machines do the boring/repetitive stuff,” highlights Patrick.
Cloud Instance Spin-ups
Working with the public cloud is great. They’re all driven by APIs that allows them to be so dynamic. The use case in terms of XSOAR is that if you buy it, you’ll have to engage with the DevOps team whose main driver of leveraging the cloud does not always align to security. The process of ensuring that cloud apps have been implemented without gaping security holes has been automated, leading to days or even weeks of man hour savings.
More details on this are at 30:00 in the recording
Self Defense Automation
XSOAR is also used internally for a lot of functions like roadmap tracking, customer engagement, spinning up cloud instances and to monitor XSOAR itself. The product is used to test itself to ensure it’s working effectively.
More details on this are at 35:35 in the recording
This isn’t really a security challenge (in most cases) but it can turn into one if it’s not properly dealt with. It’s also a really time consuming process which is why it makes sense to automate it.
When engaging with HR, the onboarding workflow looks a bit like this:
Creating employee email address > Admin tasks (Take in requests for a travel account/corporate laptop/business card) > Setup their financial accounts > Send them a welcome email > Check if they need a Salesforce account > Create the account > Playbook closed
More details on this are at 37:22 in the recording
The challenges in consumer privacy pertain to:
- CCPA & GDPR
- Global Searches
- Tracking SLA
- Report Structures
- Audit Trail
The GDPR Playbook in XSOAR, for instance, can alert someone if there is a possibility of a GDPR breach, ask the user to confirm if the breach indeed took place and give them context about the breach. The idea is to streamline the process and capture the data in a place that can’t be removed, thus ensuring compliance and potentially reducing a significant enforced fine in the event of a breach.
More details on this are at 52:09 in the recording
Best Practices: What we’ve learned
Finally, at the end of the webinar, the two cybersecurity experts conclude that Cortex XSOAR is essentially a mindset, it’s about dismantling what you’re doing now and replacing it with automation. It’s not a golden ticket that will solve all your manual task problems and repetitiveness. It’s something you work with and the more you use it, the more you get out of it.
Patrick also adds that it’s futile to buy an automation tool if as an organisation you’re unsure about what you need to improve and automate. To sum up, he concludes the Cortex XSOAR best practices as the following:
- Think of SOAR as a mindset. Approach it as not just a technology but also keep people and processes in mind
- It is imperative to know the Use Cases where you will make SOAR deployments (which we can help to identify of course)
- Automate Responsibly – Track SLA times so users are not neglected and ensure that users can contact some form of human support if needed
Resources/Attachments available with this webinar:
- Security Orchestration for Dummies
- Top Security Orchestration Use Cases
- How SOAR is Transforming Threat Intelligence
- A free 30-day trial of the Enterprise version of Cortex XSOAR
To listen to the full Webinar and download the free attachments, click here.
Check out CM-Alliance’s BrightTALK Channel here.
Founded in 2015 and headquartered in London, UK, Cyber Management Alliance Ltd. is a recognised independent world leader in Cyber Incident & Crisis Management consultancy and training. The organisation is renowned globally as the creator of the flagship Cyber Incident Planning and Response course, certified by the UK Government’s National Cyber Security Centre.
Cyber Management Alliance has serviced over 300 enterprise clients in multiple verticals including government, banking, finance, IT, consultancies, healthcare, oil & gas and retail across 38 countries. It has carved a niche by assessing, building and improving its clients’ Cyber Incident & Crisis Management capabilities through training, tabletop exercises, health checks and audits. Today, Cyber Management Alliance has a global and diverse network of over 80,000 cyber executives and practitioners worldwide.
Listen to the full webinar here.