Zero Trust Security by Jason Garbis & Jerry W. Chapman

Author: Jason Garbis & Jerry W. Chapman
Language: eng
Format: epub
ISBN: 9781484267028
Publisher: Apress


Security Orchestration, Automation, and Response

SOARs are often used in conjunction with SIEMs; in fact, sometimes they are provided by the same vendor as part of an integrated platform. A SOAR consumes the alerts a SIEM emits (correlated detections and threshold breaches) and provides both a model and a mechanism for automating a sequence of response actions, in some products assisted by machine learning.

This matters because a SIEM emits far more alerts than a team can triage by hand. As the SOAR works through them, it attaches a common context to each alert (asset, identity, threat intelligence) and triggers the process or workflow that context calls for. This automated triage filters out known false positives, so that analysts' time goes to genuine incidents.

A SOAR's value is not just automation but also the modeling of the analysis and response flows themselves. These workflows encode knowledge about the enterprise's networks, systems, and dependencies, and how to work with them, knowledge that too often exists only as "tribal knowledge" in senior analysts' heads. With a SOAR, it can be built into an automated, repeatable, and reliable platform that never needs to take a day off. Codified this way, it can (and should) elevate a SOC into an integrated whole of people, process, and technology.

From a Zero Trust perspective, achieving these principles requires more than standalone technologies. It requires integration and coordination, and the "reach" to effect changes across the enterprise security infrastructure, which a SOAR is well suited to provide when connected to a Zero Trust platform. In particular, SOARs help SOCs achieve their mission by automating repeatable, predictable processes. Most SOARs recognize decision patterns and help manage the entire incident response lifecycle, while also gathering threat intelligence and attaching context to the data they act on. Vulnerability management and threat intelligence are core SOC responsibilities as well; the SOAR supplies the workflow and incident response patterns that support them, and their results feed back into the SOAR's playbooks.

The analysis and actions that a SIEM and a SOAR provide are important components of an effective Zero Trust system: they add context to, and act as catalysts for, the decisions made by the policy decision point (PDP), which we explore further in the next section.
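The SIEM-to-SOAR-to-PDP flow described above, as an added example that is not the book's code: a minimal playbook in Python that consumes constructed SIEM alerts, enriches them with a constructed threat-intelligence table and asset list, applies codified triage rules, and pushes the resulting trust and step-up decisions into an in-memory stand-in for a policy decision point. The alert schema, the action names, and the PolicyDecisionPoint class are assumptions for illustration; a real deployment would replace them with the APIs of the SIEM, threat-intelligence feed, and Zero Trust platform in use.

```python
"""Minimal SOAR-style playbook, as an added example (not the book's code).

Flow: SIEM alert -> enrichment (threat intel, asset context) -> codified
decision -> response actions, some of which push context into a Zero Trust
policy decision point (PDP). Every input below is constructed; the PDP and
the IP block list are in-memory stand-ins for real integrations.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed SIEM alerts (assumed schema; real SIEMs differ).
SIEM_ALERTS = [
    {"id": "a1", "rule": "brute_force_ssh", "src_ip": "203.0.113.7",
     "user": "svc-backup", "host": "bastion-01", "fail_count": 40},
    {"id": "a2", "rule": "brute_force_ssh", "src_ip": "10.0.5.12",
     "user": "scanner", "host": "dev-03", "fail_count": 6},
    {"id": "a3", "rule": "new_admin_login", "src_ip": "198.51.100.9",
     "user": "bob", "host": "fin-db-01", "fail_count": 0},
]

# "Tribal knowledge" codified as data instead of living in an analyst's head.
THREAT_INTEL = {"203.0.113.7": "known-bruteforcer"}   # constructed TI feed
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
VULN_SCANNERS = {"10.0.5.12"}        # authorised scanner: its SSH noise is benign
CROWN_JEWELS = {"fin-db-01"}         # high-value assets warrant stricter access


@dataclass
class Verdict:
    alert_id: str
    disposition: str                      # "suppress" | "ticket" | "contain"
    context: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)   # (action, *args) tuples


class PolicyDecisionPoint:
    """Stand-in PDP (assumed interface): SOAR pushes per-user context into it."""
    def __init__(self):
        self.user_trust = {}      # user -> "untrusted"
        self.step_up = set()      # users who must re-authenticate with MFA
        self.blocked_ips = set()  # handed to the enforcement layer

    def apply(self, action):
        kind, *args = action
        if kind == "block_ip":
            self.blocked_ips.add(args[0])
        elif kind == "set_trust":
            self.user_trust[args[0]] = args[1]
        elif kind == "require_mfa":
            self.step_up.add(args[0])
        else:
            raise ValueError(f"unknown action {kind}")


def enrich(alert):
    """Attach the context an analyst would otherwise look up by hand."""
    ip = ip_address(alert["src_ip"])
    return {
        "internal": any(ip in net for net in INTERNAL_NETS),
        "ti_tag": THREAT_INTEL.get(alert["src_ip"]),
        "is_scanner": alert["src_ip"] in VULN_SCANNERS,
        "crown_jewel": alert["host"] in CROWN_JEWELS,
    }


def decide(alert, ctx):
    """Codified triage logic. Order matters: suppression rules run first."""
    v = Verdict(alert["id"], "ticket", context=ctx)
    if ctx["is_scanner"] and alert["rule"] == "brute_force_ssh":
        v.disposition = "suppress"            # known false positive source
        return v
    hostile = ctx["ti_tag"] is not None or alert["fail_count"] >= 20
    if hostile:
        v.disposition = "contain"
        v.actions.append(("block_ip", alert["src_ip"]))
        v.actions.append(("set_trust", alert["user"], "untrusted"))
    if ctx["crown_jewel"] and not ctx["internal"]:
        # Privileged access to a crown jewel from outside: step up, keep ticket.
        v.actions.append(("require_mfa", alert["user"]))
    return v


def run_playbook(alerts, pdp):
    """Enrich, decide, and apply every action to the PDP; return verdicts by id."""
    verdicts = {}
    for alert in alerts:
        v = decide(alert, enrich(alert))
        for action in v.actions:
            pdp.apply(action)
        verdicts[v.alert_id] = v
    return verdicts


def demo():
    """Run the playbook over the constructed alerts; returns (verdicts, pdp)."""
    pdp = PolicyDecisionPoint()
    return run_playbook(SIEM_ALERTS, pdp), pdp


if __name__ == "__main__":
    verdicts, pdp = demo()
    for v in verdicts.values():
        print(v.alert_id, v.disposition, v.actions)
    print("PDP state:", pdp.user_trust, pdp.step_up, pdp.blocked_ips)
```

Run as written, the playbook suppresses the authorised scanner's SSH noise, contains the brute-force source that threat intelligence flags (blocking the IP and marking the targeted account untrusted in the PDP), and leaves the admin login to the finance database as a ticket with an MFA step-up. The point is that the suppression rule and the crown-jewel list are data an analyst can review and version, not a judgment call remembered by one person.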
