Whiteboard Wednesday:

Demystifying Security Orchestration, Automation, and Response (SOAR)

September 26, 2018

In this week’s Whiteboard Wednesday, Jordan Ugalde, Software Engineer for InsightConnect, illustrates how security orchestration, automation, and response (SOAR) can provide streamlined solutions for your security challenges. Feeling overwhelmed with repetitive tasks? Learn how SOAR alleviates those pains, saving time and energy for your security team.

To explore Rapid7's orchestration and automation capabilities, learn more about InsightConnect.

Video Transcript

Hi. My name is Jordan Ugalde and I'm a software engineer here at Rapid7 working on the Komand and InsightConnect team. Today, I will be talking to you about demystifying security orchestration, automation, and response. So, I've read some of what's been posted online about SOAR and one thing that really got to me was the statement that SOAR is only for mature organizations. As long as your SOAR product has a lot of integrations, so it integrates with all the tools you use and it has an intuitive UI and UX so that you can define the solutions to your problems without having to do any programming, then there's no reason that organizations of any maturity level can't benefit from SOAR. What is SOAR fundamentally?

SOAR allows you to define the solutions to your problems and automate them. In that entire process, you shouldn't need to do any programming, but what you do need is an understanding of the problems that you face day to day and, I would say most importantly, you need a curiosity for the question, "What would it take to automate the solutions to my problems?" If you automate all the things that can be automated, you have more time for solving problems that can't be automated. Let's go through a quick example. Let's say you work at a corporation that is the victim of a significant amount of phishing campaigns. You've run your employees through a significant amount of phishing training.

So, there are a decent amount of employees who forward potential phishing emails to the SOC team. This is great, but now the SOC team has hundreds if not thousands of potential phishing emails that they have to decide, "Are they phishing?" If so, we need to respond. So, this is your problem. Now, let's go through the solution and see: is this something that can be automated? So, you need to take an email, shuttle it through your different security products, and decide, is it phishing? Could we have a program that does that? Yeah. Yeah, technically we could. I guess that part can be automated. So, now we know an email is phishing and we need to respond. We need to go through all the company mailboxes and either delete or flag every email that seems like it is part of the same phishing campaign.


Is this something that a program could technically do? Yeah. It seems like it can. So, it seems like in this case the entire process can be automated. If you have some experience with programming, you could write the integrations with all the different products and write the code to shuttle the messages across all these, but the code you write, while it might work great for this solution, might not be flexible for other solutions. Also, it would take a decent amount of time that could be better spent elsewhere. This is where I would say the promise of SOAR really comes through. With a good SOAR product, you should be able to define the process for your solution in less than an hour and save hundreds of hours and do this for multiple problems that you face.
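The two-step playbook the transcript walks through (triage a reported email by running its indicators past your security products, then sweep every mailbox for the rest of the campaign) is shown below as an added Python example. It is not code from the video, from Rapid7, or from InsightConnect; the "security products" are stand-in sets of known-bad domains and attachment hashes, the mailboxes are in-memory lists of constructed messages, and every address, domain and payload is made up for the demonstration. A real SOAR workflow would replace those stand-ins with integration calls, but the shape of the logic is the same.

```python
"""Toy SOAR-style phishing playbook: triage a reported email, then sweep
mailboxes for the rest of the campaign. All data below is constructed."""
import email
import hashlib
import re
from dataclasses import dataclass
from email import policy
from email.message import EmailMessage

# Constructed stand-ins for the threat-intel / sandbox products a real SOAR
# platform would query through its integrations.
KNOWN_BAD_DOMAINS = {"secure-login-verify.example"}
KNOWN_BAD_HASHES = {hashlib.sha256(b"MALICIOUS-PAYLOAD").hexdigest()}

URL_RE = re.compile(r"https?://[^\s<>\"]+")


@dataclass
class Indicators:
    domains: set            # sender domain plus every URL host in the body
    attachment_hashes: set  # SHA-256 of each attachment


def url_host(url: str) -> str:
    return re.sub(r"^https?://", "", url).split("/")[0].lower()


def extract_indicators(raw: bytes) -> Indicators:
    """Parse a raw RFC 5322 message and pull out the indicators we triage on."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg.get("From", "")
    domains = {sender.rsplit("@", 1)[-1].strip("> ").lower()}
    hashes = set()
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            hashes.add(hashlib.sha256(part.get_payload(decode=True)).hexdigest())
        elif part.get_content_type() == "text/plain":
            domains.update(url_host(u) for u in URL_RE.findall(part.get_content()))
    return Indicators(domains, hashes)


def triage(ind: Indicators):
    """Step 1: decide 'is it phishing?' by checking each indicator against the
    (mock) security products. Returns only the indicators confirmed bad, so the
    response step matches on evidence rather than on every sender domain."""
    return ind.domains & KNOWN_BAD_DOMAINS, ind.attachment_hashes & KNOWN_BAD_HASHES


def sweep_mailboxes(mailboxes: dict, bad_domains: set, bad_hashes: set) -> list:
    """Step 2: find every message in every mailbox that shares a confirmed-bad
    indicator with the reported phish. Returns (user, index) pairs to flag/delete."""
    flagged = []
    for user, messages in mailboxes.items():
        for idx, raw in enumerate(messages):
            ind = extract_indicators(raw)
            if ind.domains & bad_domains or ind.attachment_hashes & bad_hashes:
                flagged.append((user, idx))
    return flagged


def run_playbook(reported: bytes, mailboxes: dict) -> dict:
    """The whole playbook: triage, and respond only if the verdict is phishing."""
    bad_domains, bad_hashes = triage(extract_indicators(reported))
    if not (bad_domains or bad_hashes):
        return {"phishing": False, "flagged": []}
    return {"phishing": True,
            "flagged": sweep_mailboxes(mailboxes, bad_domains, bad_hashes)}


def build_message(sender: str, subject: str, body: str, attachment=None) -> bytes:
    """Constructed sample messages so the playbook runs offline."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = sender, subject
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename="invoice.bin")
    return msg.as_bytes()


# Constructed mailbox contents: a reported phish, a benign notice, and a second
# lure from the same campaign sent from a different address.
PHISH = build_message("Payroll <hr@secure-login-verify.example>", "Password reset",
                      "Reset here: http://secure-login-verify.example/reset",
                      attachment=b"MALICIOUS-PAYLOAD")
BENIGN = build_message("IT <it@corp.example>", "Patch Tuesday",
                       "Reboot after updates: https://intranet.corp.example/patches")
SIBLING = build_message("Finance <billing@other-sender.example>", "Invoice due",
                        "Pay now: http://secure-login-verify.example/invoice")

MAILBOXES = {"alice": [PHISH, BENIGN], "bob": [SIBLING], "carol": [BENIGN]}

if __name__ == "__main__":
    print(run_playbook(PHISH, MAILBOXES))
    print(run_playbook(BENIGN, MAILBOXES))
```

The sweep deliberately matches only on indicators that triage confirmed bad, not on every domain in the reported message; otherwise a phish spoofing a legitimate sender domain would cause the response step to flag all mail from that domain. That is the kind of judgement a SOAR workflow still needs a human to encode once, before it is run hundreds of times.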

