The art of cyber security: keep one step ahead of the criminals.
Over the years, we have all seen new technologies introduced to the market. It seems that as soon as you address one security challenge you discover another, and I believe this will remain a common pattern in cyber security for some time. While no one can deny that these technologies have reduced risk in a particular area, there is always the question of whether the cost is justified by the risk it removes.
However, SOAR is not a technology that can be overlooked. As you may have read in our previous blogs, SOAR not only addresses the speed and complexity of attacks, it also tackles the internal issues of the global skills shortage and security employee burnout. We have also discussed that the commercials are easily within reach of even the smallest start-up.
Over the course of this blog, I would like to focus on some practical applications of SOAR. Together we are going to look at two example SOAR workflows, outlining the issue from a security and resource point of view and then providing an example resolution. These are insights from what we are seeing in customer environments; the application of SOAR, however, is almost limitless.
First off, I am going to look at an issue we have all suffered from in one form or another: there aren't enough hours in the day. With most of us working from home now, we are all guilty of working a bit later or starting earlier to be as productive as possible. Malicious actors, particularly bot-driven ones, run 24/7, 365 days a year. They don't get tired or need a break.

Now let's assume a user clicked on a link during office hours, the link downloaded malware, and the malware was zero-day ransomware. It was coded to spread across the network but only detonate six hours after download. Because this was a new piece of malware, neither the gateway nor the endpoint AV identified the threat. For this example, we are going to assume that Rapid7 InsightIDR has been deployed, but the workflow works with almost any monitoring tool that is in place. One of the components of Rapid7 InsightIDR is user and entity behaviour analytics (UEBA). If UEBA saw the spread described above, it would raise an alert. SOAR would pick up that alert and run a sequence that flags the asset for quarantine via the IDR agent. This 'virtually' takes the asset off the network, eliminating that particular threat from your network. It could then inform the IT team via Microsoft Teams or Slack.
Next, let's look at the common issue of phishing. With more companies trusting the cloud with their data, hackers need a way into those environments, and this is usually done by getting hold of user credentials through phishing. If we also bear in mind that 50% of credentials harvested through phishing campaigns are collected within the first 60 minutes, this is clearly an area we need to address. Essentially, you want to be notified immediately, not wait for a summary report, and then investigate rapidly. If SOAR identifies a phishing email in a user's inbox, it can kick off a compliance search in Office 365 for any other instances of that email, providing live updates in Microsoft Teams as it goes. Once all instances have been located, SOAR carries out a mass deletion of those emails. If required, you could also quarantine all affected users.
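The phishing workflow above, as an added Python example that is not part of the original post and is not Rapid7 or Microsoft code: the Office 365 compliance search, the Teams update and the user-quarantine step are stood in for by plain Python over a handful of constructed mailboxes (the senders, hosts and allowlist are invented for the example), so it runs offline. What it adds to the description is the matching logic: copies of the phish are found by Message-ID, by sender plus normalised subject (so RE:/FW: copies are caught), or by a shared lure host, with widely used legitimate hosts allowlisted so a Microsoft link alone does not trigger a purge, and a dry-run mode reports what would be deleted before anything is removed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Email:
    message_id: str
    sender: str
    subject: str
    body: str


@dataclass
class Mailbox:
    user: str
    messages: list


# Hosts that appear in legitimate mail too and must never count as a phishing
# indicator on their own (constructed allowlist for this example).
ALLOWLISTED_HOSTS = {"www.microsoft.com", "login.microsoftonline.com"}

URL_RE = re.compile(r"https?://([^\s/<>\"']+)", re.IGNORECASE)
PREFIX_RE = re.compile(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)+", re.IGNORECASE)


def normalise_subject(subject):
    """Drop RE:/FW: prefixes, extra whitespace and case so forwards still match."""
    return " ".join(PREFIX_RE.sub("", subject).split()).lower()


def lure_hosts(email):
    """Link hosts in the body, minus the allowlist."""
    return {h.lower() for h in URL_RE.findall(email.body)} - ALLOWLISTED_HOSTS


def fingerprint(reported):
    """Indicators taken from the reported phish that copies are matched on."""
    return {
        "message_id": reported.message_id,
        "sender": reported.sender.lower(),
        "subject": normalise_subject(reported.subject),
        "hosts": lure_hosts(reported),
    }


def is_copy(email, fp):
    """Same Message-ID, same sender and subject, or a shared (non-allowlisted) lure host."""
    if email.message_id == fp["message_id"]:
        return True
    if email.sender.lower() == fp["sender"] and normalise_subject(email.subject) == fp["subject"]:
        return True
    return bool(lure_hosts(email) & fp["hosts"])


def run_phishing_playbook(reported, mailboxes, notify=print, quarantine_users=False, dry_run=False):
    """Search every mailbox for copies, report per mailbox, purge, and list affected users.

    `notify` stands in for the Teams update; `quarantine_users` stands in for the
    optional user-quarantine step. With dry_run=True nothing is deleted or quarantined.
    """
    fp = fingerprint(reported)
    hits_by_user = {}
    for mb in mailboxes:
        hits = [m for m in mb.messages if is_copy(m, fp)]
        if hits:
            hits_by_user[mb.user] = [m.message_id for m in hits]
            if not dry_run:
                mb.messages = [m for m in mb.messages if m not in hits]
        notify(f"{mb.user}: {len(hits)} copies {'found' if dry_run else 'deleted'}")
    affected = sorted(hits_by_user)
    return {
        "affected_users": affected,
        "deleted": 0 if dry_run else sum(len(v) for v in hits_by_user.values()),
        "quarantined": affected if (quarantine_users and not dry_run) else [],
        "hits": hits_by_user,
    }


def sample_data():
    """Constructed mailboxes for the demonstration (not real mail)."""
    phish = Email("<p1@contoso-support.example>", "it-helpdesk@contoso-support.example",
                  "Action required: password expiry",
                  "Reset here: https://login.contoso-support.example/reset\n"
                  "Help: https://www.microsoft.com")
    mailboxes = [
        Mailbox("alice", [phish]),                                   # original copy
        Mailbox("bob", [Email("<f1@corp.example>", "alice@corp.example",   # forwarded copy
                              "FW: Action required: password expiry",
                              "Is this real? https://login.contoso-support.example/reset")]),
        Mailbox("carol", [Email("<p2@contoso-support.example>",            # variant subject
                                "it-helpdesk@contoso-support.example", "Your account will be locked",
                                "Verify: https://login.contoso-support.example/verify")]),
        Mailbox("dave", [Email("<h1@corp.example>", "hr@corp.example",     # legitimate mail
                               "Benefits enrolment", "Portal: https://www.microsoft.com/benefits")]),
        Mailbox("eve", [Email("<p3@contoso-support.example>",              # text-only copy
                              "IT-Helpdesk@contoso-support.example",
                              "Re: Action required: password expiry",
                              "Reply with your password to stay active.")]),
    ]
    return phish, mailboxes


if __name__ == "__main__":
    reported, boxes = sample_data()
    print(run_phishing_playbook(reported, boxes, dry_run=True))
    print(run_phishing_playbook(reported, boxes, quarantine_users=True))
```

In a real deployment the search and purge map onto the tenant's compliance search and its purge action, and the notify callback onto a Teams webhook; the dry run is the step worth keeping, since a loose fingerprint (subject only, or a host that legitimate mail also links to) turns a remediation into a self-inflicted mail outage.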
With all this in mind, it's fair to say that you don't need to stay one step ahead of the criminals so much as work smarter, and SOAR allows you to do exactly that.
Get in contact if you would like to know more or test this on your network.