Threat actors continuously update their attacks with increasingly complex and diverse attack vectors. The cybersecurity industry has responded with software, hardware, and processes to defend a growing attack surface. The result is increased complexity for the security professionals protecting network resources: multiple disparate solutions create screen fatigue and delay response as analysts shift focus between tools.
Gartner recognized this and introduced a technology stack for Security Orchestration, Automation and Response (SOAR).
The chief drivers for SOAR technologies that Gartner identifies are: staff shortages, alert fatigue stemming from a multitude of sources, the increasingly destructive nature of threats, and the need for a central repository and action center for SOCs.
DESCRIPTION AND FUNCTIONAL COMPONENTS
SOAR can be described by the different functions and activities associated with its role within the SOC, and by its role managing the life cycle of incident and security operations:
- Orchestration — How different technologies (both security-specific and non-security-specific) are integrated to work together
- Automation — How to make machines do task-oriented “human work”
- Incident Management and Collaboration — End-to-end management of an incident by people
- Dashboards and Reporting — Visualizations and capabilities for collecting and reporting on metrics and other information
CBA AND INTUITUS IMPLEMENT THE FUNCTIONAL COMPONENTS OF SOAR
CBA utilizes Intuitus® to meet the functional components required in a Security Orchestration, Automation and Response (SOAR) solution. Therefore, a secondary SOAR solution is often not necessary when choosing CBA as your cybersecurity provider.
Most SOAR solutions have some, but not all, of the following desired characteristics. Security and risk management leaders should favor SOAR solutions that have as many of the below listed characteristics as possible.
Notes: † “Innovation Insight for Security Orchestration, Automation and Response,” www.gartner.com, November 30, 2017.
1. CBA does this with Intuitus which orchestrates NIDS, Network VCR, NetFlow Analyzer, SIEM, and other tools in one GUI. (See also: Orchestration)
2. CBA does this with Intuitus where 80+ screens of tools and data are merged in one easy-to-use GUI. (See also: Automation)
3. CBA does this through use of Event Correlation Engine settings, ability to write SNORT rulesets, and ability to modify IP, port, MAC and VPN rules. (See also: Incident Management and Collaboration)
4. CBA does this through our focus on team effort, collaboration-friendly office layout, secure messaging, and well-defined standards for communication procedures. (See also: Dashboards and Reporting)
5. CBA does this through a pricing structure in which a client pays only for what is needed to meet their unique security requirements. There is no hardware to purchase, and 24/7 monitoring is included in a set monthly price.
Out-of-the-box integration is central to Intuitus. It ships with multiple built-in security tools and with integration points for other products that generate security events. Our 24/7 monitored Security Operations Center covers the remaining integration points with outside products and services, bringing tools and people together.
Intuitus tools include:
- Network Intrusion Detection System (offered as a service by CBA)
The NIDS feature of Intuitus performs both signature-based and anomaly-based detection. The signature engine is based on Snort signatures and can be customized to fit each environment. The anomaly engine compares current activity against two rolling baselines, one of 2 weeks and one of 6 weeks, using over 30 Intuitus proprietary anomaly rules that look for anomalous activity.
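The two-baseline idea above can be shown concretely. The following is an added example, not Intuitus code: it scores each host's daily outbound volume against a 14-day and a 42-day rolling baseline and flags a day that lands more than three standard deviations above either. The host addresses, the byte counts and the threshold are constructed for illustration.

```python
"""Rolling-baseline anomaly detection over per-host daily traffic volume.

Added example, not Intuitus code. Assumes one (day, host, bytes_out) record per
host per day and compares each new day against a 14-day and a 42-day rolling
baseline, mirroring the 2-week and 6-week windows described above.
"""
from collections import defaultdict
from statistics import mean, pstdev

SHORT_WINDOW = 14      # days in the short baseline
LONG_WINDOW = 42       # days in the long baseline
Z_THRESHOLD = 3.0      # standard deviations above baseline that count as anomalous
MIN_HISTORY = 7        # no verdict until a week of history exists
SIGMA_FLOOR = 0.05     # never let sigma fall below 5% of the mean (flat hosts)


def zscore(history, value):
    """How many sigmas `value` sits above the mean of `history`."""
    mu = mean(history)
    sigma = max(pstdev(history), SIGMA_FLOOR * mu, 1.0)
    return (value - mu) / sigma


def detect(records):
    """records: iterable of (day_index, host, bytes_out), chronological per host.

    Returns [(day, host, bytes_out, z_short, z_long), ...] for each day that is
    anomalous against at least one baseline. Every day is appended to the host's
    history afterwards, so a sustained change slowly becomes the new normal.
    """
    history = defaultdict(list)
    anomalies = []
    for day, host, bytes_out in records:
        past = history[host]
        if len(past) >= MIN_HISTORY:
            z_short = zscore(past[-SHORT_WINDOW:], bytes_out)
            z_long = zscore(past[-LONG_WINDOW:], bytes_out)
            # The short baseline absorbs a step change within a couple of days;
            # the long baseline, still dominated by the old level, keeps
            # flagging the new level for a few more days.
            if max(z_short, z_long) >= Z_THRESHOLD:
                anomalies.append((day, host, bytes_out, round(z_short, 2), round(z_long, 2)))
        past.append(bytes_out)
    return anomalies


def sample_records():
    """Constructed input (not real telemetry): two hosts over 43 days."""
    recs = []
    for day in range(1, 44):
        # 10.0.0.5: flat 1 MB/day, then a 5 MB burst on day 43
        recs.append((day, "10.0.0.5", 5_000_000 if day == 43 else 1_000_000))
        # 10.0.0.9: 1 MB/day for four weeks, then a sustained step to 2 MB/day
        recs.append((day, "10.0.0.9", 1_000_000 if day <= 28 else 2_000_000))
    return recs


def flagged(anomalies, day, host):
    """Return the anomaly tuple for (day, host), or None if that day was quiet."""
    for a in anomalies:
        if a[0] == day and a[1] == host:
            return a
    return None


if __name__ == "__main__":
    for a in detect(sample_records()):
        print("day %2d %-10s %9d bytes  z14=%6.2f  z42=%6.2f" % a)
```

Running it shows the burst on 10.0.0.5 flagged by both baselines, while the step on 10.0.0.9 is flagged by both on days 29 and 30 and only by the 42-day baseline on days 31 and 32, after which the new level has become normal; that is the reason for keeping a long baseline alongside the short one.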
- Network VCR
The packet capture and storage feature of Intuitus is unique in that it captures and stores all traffic it sees rather than only traffic matching a trigger. Network administrators and managers can use the stored packets to detect and troubleshoot network issues. The same data supports in-depth forensic analysis of potentially malicious activity to determine exactly what information was exfiltrated or how far malicious software spread through the network. The stored data is an exact mirror of the traffic that traversed the network, and its chain of custody is documented, which supports its use as evidence.
- NetFlow Analyzer
Intuitus provides analysis of network traffic flow for the segment of the network that it is monitoring. This feature provides visibility into network bandwidth performance and resource utilization. This feature is beneficial to network managers as it helps gauge the saturation on a given network and determine when and how spikes occur.
- SIEM
Intuitus provides SIEM functionality for all of the feeds and data which it generates. This feature helps analysts visualize patterns, assess risk levels, and recognize trends. This SIEM functionality is also available for logs generated by devices outside of Intuitus such as routers, switches, and servers.
Intuitus NIDS features automatically and continuously gather data and correlate rule hits (events). The Intuitus intelligence engine analyzes that correlation to produce an alert. A person then acts on the alert, choosing the response for the event based on a playbook, the incident response plan, and the service level agreement.
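To illustrate the event-to-alert step, here is an added example, not Intuitus code, that parses Snort "fast" alert lines, folds repeated hits of one rule from one source within a sliding window into a single alert, and links each new alert to earlier alerts sharing the same source or rule, the kind of automatic correlation the journaling and investigation sections below describe. The log lines, rule IDs (sids 1000001 and 1000002), addresses and thresholds are constructed for illustration and are not real rules or telemetry.

```python
"""Correlate Snort-style rule hits into alerts and link them to earlier alerts.

Added example, not Intuitus code. Log lines below are constructed in Snort's
"fast" alert format; sids, addresses and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


@dataclass
class Event:
    ts: datetime
    sid: int
    msg: str
    priority: int
    src: str
    dst: str


@dataclass
class Alert:
    id: int
    sid: int
    msg: str
    priority: int
    src: str
    first_seen: datetime
    last_seen: datetime
    count: int
    related: list = field(default_factory=list)   # ids of earlier alerts sharing src or sid


def parse_fast(line):
    """Parse one Snort fast-format line into an Event (IPv4 host:port endpoints assumed)."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    # fast format carries no year; 1900 is fine for relative ordering within one log
    ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")
    src = m["src"].rpartition(":")[0] or m["src"]
    dst = m["dst"].rpartition(":")[0] or m["dst"]
    return Event(ts, int(m["sid"]), m["msg"], int(m["prio"]), src, dst)


def correlate(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window threshold correlation.

    `threshold` hits of the same rule from the same source within `window`
    become one alert (priority-1 rules alert on the first hit). Later hits that
    continue the burst are folded into the open alert instead of re-alerting,
    and each new alert is linked to earlier alerts with the same source or rule.
    """
    alerts, open_alerts, recent = [], {}, defaultdict(deque)
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.src, ev.sid)
        q = recent[key]
        q.append(ev)
        while ev.ts - q[0].ts > window:          # drop hits that fell out of the window
            q.popleft()
        active = open_alerts.get(key)
        if active and ev.ts - active.last_seen <= window:
            active.count += 1                    # same burst: fold, do not re-alert
            active.last_seen = ev.ts
            continue
        need = 1 if ev.priority == 1 else threshold
        if len(q) >= need:
            related = [a.id for a in alerts if a.src == ev.src or a.sid == ev.sid]
            alert = Alert(len(alerts) + 1, ev.sid, ev.msg, ev.priority, ev.src,
                          q[0].ts, ev.ts, len(q), related)
            alerts.append(alert)
            open_alerts[key] = alert
    return alerts


# Constructed sample log (not real traffic): a DNS burst from one host, two
# stray hits from another, and two priority-1 hits of a second rule.
DNS = ("[**] [1:1000001:3] LOCAL Outbound DNS TXT query burst [**] "
       "[Classification: Potentially Bad Traffic] [Priority: 2] {UDP}")
C2 = ("[**] [1:1000002:1] LOCAL Known C2 beacon pattern [**] "
      "[Classification: A Network Trojan was detected] [Priority: 1] {TCP}")
SAMPLE_LOG = [
    f"01/15-10:23:{s:02d}.000100  {DNS} 10.0.0.5:49152 -> 203.0.113.53:53"
    for s in (0, 5, 10, 15, 20, 25, 30)
] + [
    f"01/15-10:23:02.000100  {DNS} 10.0.0.7:49200 -> 203.0.113.53:53",
    f"01/15-10:23:40.000100  {DNS} 10.0.0.7:49200 -> 203.0.113.53:53",
    f"01/15-10:24:00.000100  {C2} 203.0.113.7:443 -> 10.0.0.12:51234",
    f"01/15-10:25:00.000100  {C2} 10.0.0.5:52000 -> 203.0.113.7:443",
]


def run(lines=SAMPLE_LOG):
    """Parse the lines and return the correlated alerts."""
    return correlate([e for e in map(parse_fast, lines) if e])


if __name__ == "__main__":
    for a in run():
        print(f"#{a.id} p{a.priority} sid={a.sid} src={a.src} hits={a.count} related={a.related}")
```

Eleven events collapse to three alerts: the seven-hit DNS burst from 10.0.0.5 becomes one alert, the two hits from 10.0.0.7 never reach the threshold, and the second priority-1 hit is linked back to both earlier alerts (same source as the first, same rule as the second), which is what lets an analyst open one alert and see its history.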
Gartner SOAR lifecycle of an incident and the CBA response:
1. ALERT PROCESSING AND TRIAGE
- Automatic initial detection (NIDS, SIEM functionality)
- Human intelligence for triage and response
2. JOURNALING AND EVIDENTIARY SUPPORT
- Managed inside of the Intuitus software
- The history database retains a journal of all alerts indefinitely and automatically notifies analysts when similar alerts occur, so they can be correlated where relevant
- Tools for coordinating on alerts between analysts, and for tracking incidents that unfold over extended periods, are built into the product
- Forensic data can be exported and maintained
3. CASE MANAGEMENT AND WORKFLOW
- As an automated function of Intuitus, the history database becomes key to case management
- Tribal knowledge stays in the tool
- The Intuitus News feature acts like a stock ticker showing the most recent alert and case activity; together with internal case management, this makes shift turnover easy
- There is no need to reconstruct timelines; they exist inside Intuitus and are updated whenever an alert changes
4. ANALYTICS AND INCIDENT INVESTIGATION SUPPORT
- Investigation is simplified by automated correlation of events and alerts with related open or closed alerts, so analysts do not spend time manually correlating related activity
- Because full packet capture is standard, analysis can go deep. Paired with the built-in analytic tools, analysis can happen without leaving Intuitus; captured data can also be exported in PCAP format for analysis in other tools, as evidence, or for further investigation
5. MANAGEMENT OF THREAT INTELLIGENCE
- We draw on multiple threat intelligence sources, including industry-leading feeds and customized threat signatures
- We also provide input to the threat intelligence community, law enforcement agencies, and task forces
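The evidentiary points above (journaling, forensic export, PCAP hand-off to other tools, documented chain of custody) come down to one practice: seal the exported capture with a hash and record every hand-off against that hash. The following is an added example, not Intuitus code, that writes raw frames into a classic PCAP file, creates a custody manifest carrying the file's SHA-256, refuses to extend the custody chain if the file no longer matches, and shows that a single flipped byte fails verification. The frame, case ID and handler names are constructed for illustration.

```python
"""Export captured frames as PCAP with a hash-verified chain-of-custody manifest.

Added example, not Intuitus code. Assumes the capture engine hands over raw
Ethernet frames with capture timestamps; the frame, case ID and handler
names are constructed.
"""
import hashlib
import json
import os
import struct
import tempfile
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4     # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def write_pcap(path, frames):
    """frames: iterable of (epoch_seconds: float, raw_frame: bytes). Returns bytes written."""
    with open(path, "wb") as f:
        # global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for ts, raw in frames:
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            f.write(struct.pack("<IIII", sec, usec, len(raw), len(raw)))   # incl_len == orig_len
            f.write(raw)
    return os.path.getsize(path)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(pcap_path, manifest):
    """True only if the file still matches the sealed size and hash."""
    return (os.path.getsize(pcap_path) == manifest["size"]
            and sha256_file(pcap_path) == manifest["sha256"])


def record_custody(manifest, pcap_path, handler, action, note=""):
    """Append a custody entry, but only after re-verifying the evidence it vouches for."""
    if not verify(pcap_path, manifest):
        raise ValueError("evidence no longer matches sealed hash; custody chain not extended")
    manifest["custody"].append({"who": handler, "action": action, "note": note,
                                "when": datetime.now(timezone.utc).isoformat()})


def create_manifest(pcap_path, case_id, handler, note):
    """Seal the export: record size and hash, then the first custody entry."""
    manifest = {"case_id": case_id, "file": os.path.basename(pcap_path),
                "size": os.path.getsize(pcap_path), "sha256": sha256_file(pcap_path),
                "custody": []}
    record_custody(manifest, pcap_path, handler, "exported", note)
    return manifest


def export_case(case_id, handler, frames, directory):
    """Write the PCAP and its manifest side by side; returns (pcap_path, manifest)."""
    pcap_path = os.path.join(directory, f"{case_id}.pcap")
    write_pcap(pcap_path, frames)
    manifest = create_manifest(pcap_path, case_id, handler, "full-capture export for case")
    with open(pcap_path + ".custody.json", "w") as f:
        json.dump(manifest, f, indent=2)
    return pcap_path, manifest


def ip_checksum(header):
    """RFC 1071 one's-complement checksum of a 20-byte IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!10H", header))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return ~total & 0xFFFF


def constructed_frame():
    """One constructed Ethernet/IPv4/UDP frame, 10.0.0.5:49152 -> 203.0.113.53:53."""
    payload = b"constructed-dns-payload"
    udp = struct.pack("!HHHH", 49152, 53, 8 + len(payload), 0)   # UDP checksum 0 = none
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload), 0x1234, 0,
                     64, 17, 0, bytes([10, 0, 0, 5]), bytes([203, 0, 113, 53]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + udp + payload


def demo():
    """Round trip in a temp dir: export, hand off, tamper one byte, verify again."""
    with tempfile.TemporaryDirectory() as d:
        pcap_path, manifest = export_case("CASE-2024-0001", "analyst1",
                                          [(1_700_000_000.25, constructed_frame())], d)
        verified_before = verify(pcap_path, manifest)
        record_custody(manifest, pcap_path, "analyst2", "received", "hand-off to forensics")
        size = os.path.getsize(pcap_path)
        with open(pcap_path, "r+b") as f:
            magic = f.read(4)
            f.seek(size - 1)
            last = f.read(1)
            f.seek(size - 1)
            f.write(bytes([last[0] ^ 0xFF]))          # flip one payload byte
        return {"magic": magic, "size": size, "custody_entries": len(manifest["custody"]),
                "verified_before": verified_before,
                "verified_after_tamper": verify(pcap_path, manifest)}


if __name__ == "__main__":
    print(demo())
```

The file is a standard little-endian pcap (24-byte global header, 16-byte record header, then the frame), so any pcap reader opens it; the manifest sits beside it and is the document a custody log refers to when the capture is handed to another tool or party.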
We provide three types of reporting based on our clients' requirements. Typical reports include:
- Analyst — Report includes: Professional observation, assessment, assigned risk level, and recommendations for each alert
- Director/Manager — Report includes: Synopsis of activity seen, trend reporting, alert highlights, and reporting statistics
- Executive — Report includes: Trend analysis, top concerns, and top recommendations, drawn from a wider range of data so attention falls on significant cybersecurity trends and threats rather than minor fluctuations in network activity and reporting
Cyber Business Analytics' Intuitus solution fulfilled many of the Gartner SOAR requirements before Gartner announced SOAR. We're excited to provide Intuitus as a hardware, software, and managed monitoring partnership with our clients. We would add to Gartner's assessment that a company should employ a secure messaging solution so that, in the event of a breach, important communications are not intercepted. We've partnered with Topia Technology to provide just such a solution to our clients. Learn more at www.cyberba.net