Building Blocks

Utopia.  That's where every SOAR conversation starts.  Sadly, that's not day 1 of a SOAR deployment.

Security operations is compromised of a plethora of tools and processes.   Building a security automation requires understanding of how your security operations center functions.  There are no fully built out playbooks.  When we start out creating playbooks, we want to focus on reusable building blocks.  Every engagements starts with us focusing on the following:

• Most common alerts  
  
• Incident response capabilities
• Compliance / red team controls

When we initiate deploying a SOAR solution, we will ask:

What controls are critical to the security objectives of your security organizations?

• How do you validate the controls which are in place?
• What red team testing controls do you require on a regular basis?
• How do you report on security testing and controls?

What are the most common alerts you triage on a regular basis?  

• How do you identify the alert as a true or false positive? 
• What steps do you take to investigate the alert?

Do you have a process for the following items?

• Indicator Enrichment
• Isolating a host
• Blocking a URL with the proxy, DNS and external gateway
• Ingestion of Threat Intelligence 
• Revocation of a user's session

As a security operations professional, you can see how these start to form reusable snippets of code.  These snippets of code enable us to easily test and debug any changes which occur.  For example, if a system is upgraded and an API endpoint changes, this enables us to easily troubleshoot the change.  

As we put these blocks together, these form the utopia.  Defining the building blocks gives us the ability to easily build, test, and implement SOAR.  This is the approach we've consistently seen be successful.