Security Orchestration, Automation and Response (aka SOAR)

• What are we looking to automate?
• Orchestrate many specialised systems (e.g. Hive, Cortex, MISP, TIP, ServiceNow, JIRA, etc etc)
• No way every system can integrate directly with every other system
• Orchestration system vs the cluster of duct tape scripts you have today
• Replacing analyst repetition
• Supporting analyst complex investigation
• Typical workflows to target
• Tracking and enforcing workflows within the team (did we end up handling everything?)
• Making workflows consistent (did we handle everything in the same way?)

SOAR vs regular orchestration

• How does it differ?
• How do SOAR systems work together with regular orchestration?

Commercial options (brief summary)

• Demisto
• Phantom
• Swimlane

Open source options (more depth, with demos)

• NSA Walkoff
• Stackstorm
• Ansible (specialised roles for secops coming - pending release)

Considerations for running SOAR platforms

• A long term, ongoing project - start simple and iterate
• Fast moving plugin community in line with integration target system releases
• Maintenance
• Testing playbooks pre-release
• Testing playbooks post-release
• Uncommon integrations - do you need developers?
• Keeping automation pipelines sane and monitored
• Do they still perform the way initially intended?
• Do you already have clearly defined non-automated processes?