1
00:00:00,570 --> 00:00:02,060
SOAR!

2
00:00:02,060 --> 00:00:03,580
Now, when I talk about SOAR

3
00:00:03,580 --> 00:00:05,970
I'm not talking about soaring like a bird.

4
00:00:05,970 --> 00:00:08,730
No, SOAR is an acronym and it stands for

5
00:00:08,730 --> 00:00:11,950
the Security Orchestration, Automation, and Response,

6
00:00:11,950 --> 00:00:13,860
also known as SOAR.

7
00:00:13,860 --> 00:00:15,440
This is a class of security tools

8
00:00:15,440 --> 00:00:17,420
that helps facilitate incident response,

9
00:00:17,420 --> 00:00:19,650
threat hunting, and security configurations

10
00:00:19,650 --> 00:00:21,330
by orchestrating and automating

11
00:00:21,330 --> 00:00:24,120
runbooks and delivering data enrichment.

12
00:00:24,120 --> 00:00:28,040
Basically, think about this as a SIEM, version 2.0.

13
00:00:28,040 --> 00:00:29,320
Now when you're dealing with SOAR,

14
00:00:29,320 --> 00:00:31,660
SOAR is primarily used for incident response,

15
00:00:31,660 --> 00:00:33,650
but there is a large part of it that's used

16
00:00:33,650 --> 00:00:35,060
for threat hunting, as well.

17
00:00:35,060 --> 00:00:37,116
But really, the number one place you're going to see SOAR used

18
00:00:37,116 --> 00:00:39,170
is incident response because it can

19
00:00:39,170 --> 00:00:41,100
automate so many of your actions.

20
00:00:41,100 --> 00:00:44,860
Now as I said, I like to think about this as SIEM 2.0.

21
00:00:44,860 --> 00:00:47,200
Essentially, it's a next-generation SIEM.

22
00:00:47,200 --> 00:00:48,840
This takes a security information

23
00:00:48,840 --> 00:00:51,590
and event monitoring system and integrates it in with SOAR,

24
00:00:51,590 --> 00:00:53,080
and when you put those two together,

25
00:00:53,080 --> 00:00:55,780
this really does become your next-generation SIEM,

26
00:00:55,780 --> 00:00:57,950
just like when you deal with next-generation firewalls.

27
00:00:57,950 --> 00:01:00,110
They took you from dealing with layer three

28
00:01:00,110 --> 00:01:01,510
and layer four and brought you all the way

29
00:01:01,510 --> 00:01:02,630
up to layer seven.

30
00:01:02,630 --> 00:01:05,330
It made it just so much better and so much more capable.

31
00:01:05,330 --> 00:01:06,163
Same thing here.

32
00:01:06,163 --> 00:01:08,150
When you integrate a SOAR in with a SIEM,

33
00:01:08,150 --> 00:01:10,260
you get this really awesome product.

34
00:01:10,260 --> 00:01:11,990
It's going to give you the ability to scan

35
00:01:11,990 --> 00:01:13,830
security and threat data to be able

36
00:01:13,830 --> 00:01:15,380
to identify different things.

37
00:01:15,380 --> 00:01:17,620
You can then analyze it using machine learning

38
00:01:17,620 --> 00:01:19,130
and then you can also automate

39
00:01:19,130 --> 00:01:21,090
the process of doing data enrichment

40
00:01:21,090 --> 00:01:22,850
to make that data inside that SIEM

41
00:01:22,850 --> 00:01:25,310
even more powerful for you as an analyst to use.

42
00:01:25,310 --> 00:01:27,590
And finally, you can do incident response,

43
00:01:27,590 --> 00:01:29,520
so you can provision new resources.

44
00:01:29,520 --> 00:01:31,020
That means you can create new accounts,

45
00:01:31,020 --> 00:01:32,600
you can create new VMs.

46
00:01:32,600 --> 00:01:34,010
If you're using VDI you can actually

47
00:01:34,010 --> 00:01:36,310
delete somebody's infected box

48
00:01:36,310 --> 00:01:38,780
and then create a new virtual machine for them to use,

49
00:01:38,780 --> 00:01:41,450
and all this can be done using automated playbooks

50
00:01:41,450 --> 00:01:43,930
if you use this SOAR capability.

51
00:01:43,930 --> 00:01:45,150
Now, when we talk about this,

52
00:01:45,150 --> 00:01:46,420
I just mentioned the word playbook.

53
00:01:46,420 --> 00:01:47,930
What exactly is that?

54
00:01:47,930 --> 00:01:49,300
Well, a playbook is essentially

55
00:01:49,300 --> 00:01:51,214
a checklist of actions that you're going to perform

56
00:01:51,214 --> 00:01:54,370
to detect and respond to a specific type of incident.

57
00:01:54,370 --> 00:01:56,630
So if you said, hey, if I have an alert

58
00:01:56,630 --> 00:01:58,150
that says there's a phishing campaign

59
00:01:58,150 --> 00:02:00,000
and somebody clicked the link on this machine,

60
00:02:00,000 --> 00:02:01,900
we're going to do steps one through 10,

61
00:02:01,900 --> 00:02:03,570
and then we're going to reimage their machine

62
00:02:03,570 --> 00:02:05,010
and we're going to give them a new computer.

63
00:02:05,010 --> 00:02:06,430
Those might be your steps.

64
00:02:06,430 --> 00:02:07,810
So for example, if you have somebody

65
00:02:07,810 --> 00:02:09,705
who clicked on a link in a phishing campaign,

66
00:02:09,705 --> 00:02:11,770
you might have steps one through five,

67
00:02:11,770 --> 00:02:14,342
which say go to the machine, isolate it from the network,

68
00:02:14,342 --> 00:02:17,500
do a virus scan to make sure they haven't infected themselves,

69
00:02:17,500 --> 00:02:18,700
check the registry to make sure

70
00:02:18,700 --> 00:02:20,660
there's nothing in there for persistency,

71
00:02:20,660 --> 00:02:22,640
and then back up all the user data,

72
00:02:22,640 --> 00:02:24,955
refill them at the computer and then reinstall the computer

73
00:02:24,955 --> 00:02:27,250
and put their data back on.

74
00:02:27,250 --> 00:02:29,170
These might be the actions you're going to do.

75
00:02:29,170 --> 00:02:31,110
Now, these could be manual or automated,

76
00:02:31,110 --> 00:02:32,430
but in the case of a playbook,

77
00:02:32,430 --> 00:02:35,050
usually you're talking about just the steps involved.

78
00:02:35,050 --> 00:02:36,890
Now, if I can automate a lot of that,

79
00:02:36,890 --> 00:02:38,450
that becomes a runbook.

80
00:02:38,450 --> 00:02:40,870
Now a runbook is an automated version of a playbook

81
00:02:40,870 --> 00:02:43,060
and it leaves clearly defined interaction points

82
00:02:43,060 --> 00:02:44,450
for human analysis.

83
00:02:44,450 --> 00:02:46,520
For example, my SOAR might say

84
00:02:46,520 --> 00:02:48,520
if somebody clicks the link in a phishing email,

85
00:02:48,520 --> 00:02:50,510
do these steps one through five.

86
00:02:50,510 --> 00:02:52,430
When you get to step two, pause,

87
00:02:52,430 --> 00:02:54,280
send it to an analyst who will then say

88
00:02:54,280 --> 00:02:56,990
reimage the machine or don't reimage the machine.

89
00:02:56,990 --> 00:02:58,500
These are the ways that we can use these things

90
00:02:58,500 --> 00:03:00,030
and they all work together to create

91
00:03:00,030 --> 00:03:02,640
a better environment and to help reduce the workload

92
00:03:02,640 --> 00:03:04,230
of our analysts, because again,

93
00:03:04,230 --> 00:03:06,500
we only have so many cybersecurity professionals

94
00:03:06,500 --> 00:03:08,080
and if we're having them waste their time

95
00:03:08,080 --> 00:03:10,490
on very minor things that we could automate,

96
00:03:10,490 --> 00:03:11,750
that's not very helpful to us.

97
00:03:11,750 --> 00:03:14,060
So instead, we want to automate what we can,

98
00:03:14,060 --> 00:03:16,560
and SOAR allows us to do a lot of that automation.