Last updated at Mon, 08 Jan 2024 19:17:38 GMT
At Rapid7, we have the opportunity to talk to security professionals from all types of organizations. Whether we’re conversing with our largest customers or a Security Operations Center (SOC) team of one, there are a few challenges we hear about again and again. We believe that the best solution to industry-wide struggles with threat detection and response is to increase efficiency using SIEM and SOAR together.
Threat detection and response challenges
Security teams often struggle to manage the increasing complexity of today’s technology landscape. This manifests in three key ways. First, as IT environments change rapidly, teams can lose track of the ever-evolving footprint, leading to a lack of visibility. Another major complaint we hear often regards alert fatigue. On average, security teams use about 40 different tools, each of which generates its own alerts. Analysts need higher-quality alerts and manageable threat intelligence. Finally, our customers tell us that investigations take too long and are tedious. The response needs to be faster. All three of these pain points are amplified by the fact that teams everywhere lack resources.
Based on our conversations with customers facing these challenges, we see the best solution for accelerated threat detection as a coupling of SIEM and SOAR products, like Rapid7’s InsightIDR and InsightConnect.
Rapid7 InsightIDR and InsightConnect
Our SIEM solution, InsightIDR, is focused on addressing the customer pain points above: the lack of visibility, alert fatigue, and the need for faster response. The core principle behind the product is to help analysts be more effective and efficient as they tackle threat detection and response. It does this in a few different ways. First, it unifies diverse data sets across complex environments, and then goes a step further by applying correlation, enrichment, and attribution to the data to turn it into actionable insights. Second, it has the ability to drive early and reliable detections with behavioral and attacker analytics. It also allows for rich, highly contextual investigations that help teams respond quickly and confidently.
We’re seeing more and more security teams leverage standalone automation solutions to eliminate redundant manual processes, expedite response, and accelerate operations. InsightConnect, our SOAR solution, enables teams to accelerate and streamline time-intensive processes. With the time savings and productivity gains that this allows, we see teams going from overwhelmed to operating at maximum efficiency.
The basics of security automation
How can you begin to identify the most effective way to deploy automation in your environment? The first step is to consider how you receive the initial trigger or alerting action. For example, the automation could be triggered by alerts from an Endpoint Detection and Response (EDR) tool, a SIEM, or an IDS/IPS, or it could run on a regular schedule.
The next step is contextualizing and enriching the information you’ve received. Based on the enrichment, you probably have an idea of how you would like to respond to the incident. After the trigger and the contextualization/enrichment, there has to be a decision, which can be manual or automated.
If your team still wants to engage with the automated process, you can choose to have a human-based decision. Remediation actions won’t go forward without a human response. You can also choose to automate decisions. With this option, you configure logic indicating that when a condition is met, a corresponding remediation path is automatically followed.
The final step, the remediation action, is dependent on your team’s maturity. The action could be to create a ticket within your ticketing system for the IT team to pick up, or an automated workflow could be triggered in InsightConnect. For example, a user account could be disabled or a machine quarantined without any need for human intervention.
Automation: Alert enrichment
Let’s look at a use case: automating alert enrichment and the response to it. Like every InsightConnect workflow, this one begins with a trigger action. It could be an alert from an IDS/IPS, an Endpoint Detection and Response tool, a SIEM, or User Behavior Analytics (UBA). After receiving the initial alert, the next step is to automate the extraction of the indicators associated with the alert. These could be basic user information, files, hashes, domains, or URLs. By gathering these indicators, we are able to enrich the data further and give our analysts more context.
By utilizing threat intelligence, we start to get the reputation of the URLs, file hashes, and other indicators. We can also query users’ activity within the SIEM to identify notable behavior. Regardless of how we enrich and contextualize our alert, the next step is to respond.
Again, you can choose human or automated response. In this example, we’ll imagine that we chose to escalate the alert to Slack, email, or a ticketing system to efficiently pass the issue along to the security team.
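As an added illustration (not Rapid7's code, and not an InsightConnect workflow), the trigger, extract, enrich, decide and remediate steps from the two sections above as a small Python playbook. The alert text, the threat-intelligence table, and the action names are constructed assumptions standing in for a real SIEM feed, reputation service and ticketing or quarantine integration.

```python
import re

# Constructed alert text in the style a SIEM/EDR might emit (not real data).
SAMPLE_ALERT = ("user=jdoe host=ws-17 action=download "
                "url=http://evil-example.test/payload.exe "
                "sha256=" + "a" * 64)

# Constructed threat-intelligence table standing in for a reputation service.
THREAT_INTEL = {
    "evil-example.test": "malicious",
    "a" * 64: "malicious",
    "intranet.example": "benign",
}

IOC_PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-f]{64}\b"),
    "url": re.compile(r"https?://[^\s\"']+"),
}

def extract_indicators(alert_text):
    """Step 2: pull indicators (hashes, URLs, domains) out of the raw alert."""
    found = {}
    for kind, pat in IOC_PATTERNS.items():
        for value in pat.findall(alert_text):
            found.setdefault(kind, []).append(value)
    # Derive the host from each URL so the domain can be scored on its own.
    for url in found.get("url", []):
        host = re.sub(r"^https?://", "", url).split("/")[0]
        found.setdefault("domain", []).append(host)
    return found

def enrich(indicators):
    """Step 2b: attach a reputation verdict to each hash and domain.
    URLs are scored through their extracted domain, so they are skipped here."""
    return {v: THREAT_INTEL.get(v, "unknown")
            for kind, values in indicators.items() if kind != "url"
            for v in values}

def decide(verdicts, auto_remediate):
    """Step 3: automated decision logic, falling back to a human when unsure."""
    if any(r == "malicious" for r in verdicts.values()):
        return "quarantine" if auto_remediate else "escalate"
    if any(r == "unknown" for r in verdicts.values()):
        return "escalate"          # nothing confirmed; let an analyst look
    return "close"

def run_playbook(alert_text, auto_remediate=False):
    """Trigger -> extract -> enrich -> decide -> remediate (step 4 is the
    returned action; a real playbook would open a ticket or isolate the host)."""
    verdicts = enrich(extract_indicators(alert_text))
    return {"verdicts": verdicts, "action": decide(verdicts, auto_remediate)}
```

Flipping `auto_remediate` is the human-versus-automated decision the text describes: the same enrichment feeds either an escalation to the team or an automatic quarantine.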