WEBVTT

0:00:03.520000 --> 0:00:08.800000
 Hello everyone and welcome to this
 video and this final section of the

0:00:08.800000 --> 0:00:13.980000
 course that deals with SOC automation
 and optimization and to kick things

0:00:13.980000 --> 0:00:16.760000
 or to get the ball rolling.

0:00:16.760000 --> 0:00:21.580000
 We're going to be taking a closer look
 at security, orchestration, automation

0:00:21.580000 --> 0:00:28.780000
 and response systems or platforms also
 known quite popularly through its

0:00:28.780000 --> 0:00:33.900000
 abbreviated form as a SOAR
 or a SOAR platform.

0:00:33.900000 --> 0:00:40.180000
 So up to this point I've mentioned SOAR,
 a SOAR platform or SOAR in general

0:00:40.180000 --> 0:00:45.640000
 in very basic detail but now we're
 going to take a closer look at them

0:00:45.640000 --> 0:00:55.040000
 or what a SOAR is, how it works and
 what its role is with regards to SOC

0:00:55.040000 --> 0:00:59.100000
 operations but specifically
 incident response.

0:00:59.100000 --> 0:01:05.520000
 So security, orchestration, automation
 and response SOAR, that's what

0:01:05.520000 --> 0:01:07.940000
 it stands for. So what is it?

0:01:07.940000 --> 0:01:14.200000
 Well SOAR, a SOAR is a cybersecurity solution
 designed to help organizations

0:01:14.200000 --> 0:01:19.940000
 automate, coordinate and streamline their
 security operations and incident

0:01:19.940000 --> 0:01:21.880000
 response processes.

0:01:21.880000 --> 0:01:26.300000
 SOAR platforms integrate with existing
 security tools and this is why

0:01:26.300000 --> 0:01:33.100000
 they're so powerful like SIEMs, EDRs,
 IDSs, IPSs, firewalls, etc.

0:01:33.100000 --> 0:01:38.160000
 and enable, this is very important,
 automated workflows for responding

0:01:38.160000 --> 0:01:39.760000
 to security threats.

0:01:39.760000 --> 0:01:44.300000
 So why is this useful?

0:01:44.300000 --> 0:01:47.100000
 Why were SOAR platforms created?

0:01:47.100000 --> 0:01:53.480000
 Well, this is useful because it helps
 reduce response times, minimize

0:01:53.480000 --> 0:01:57.780000
 human errors and enhance
 operational efficiency.

0:01:57.780000 --> 0:02:02.360000
 So let's break down orchestration, automation
 and response and then we'll

0:02:02.360000 --> 0:02:07.480000
 talk a little bit about case management
 which is sort of inherent to SOAR

0:02:07.480000 --> 0:02:11.000000
 platforms. So orchestration,
 what is this all about?

0:02:11.000000 --> 0:02:16.760000
 Well, in this case, the SOAR, you know,
 speaking about or referring directly

0:02:16.760000 --> 0:02:22.080000
 to orchestration, the SOAR integrates and
 coordinates actions across multiple

0:02:22.080000 --> 0:02:26.980000
 security tools, those being SIEM,
 EDR, firewalls, etc.

0:02:26.980000 --> 0:02:28.960000
 So that's what orchestration refers to.

0:02:28.960000 --> 0:02:33.160000
 So it's orchestrating
 these security tools.

0:02:33.160000 --> 0:02:38.440000
 And again, adding onto this, you know,
 this ensures or the reason why

0:02:38.440000 --> 0:02:42.020000
 this is done or why orchestration is
 important is to ensure these security

0:02:42.020000 --> 0:02:47.780000
 systems or tools work together in
 a cohesive and efficient manner.

0:02:47.780000 --> 0:02:49.580000
 We then have automation, right?

0:02:49.580000 --> 0:02:50.900000
 So what is this all about?

0:02:50.900000 --> 0:02:52.640000
 What exactly is being automated?

0:02:52.640000 --> 0:02:58.260000
 Well, the SOAR automates repetitive and
 manual tasks such as alert triage,

0:02:58.260000 --> 0:03:01.940000
 very important enrichment
 and response actions.

0:03:01.940000 --> 0:03:05.820000
 So the reason this is important is because
 it reduces human intervention

0:03:05.820000 --> 0:03:12.360000
 in the common low level, false positive
 type of security tasks or events,

0:03:12.360000 --> 0:03:13.980000
 you know, whatever you want to call them.

0:03:13.980000 --> 0:03:19.680000
 Therefore, speeding up the response process,
 but also reducing alert fatigue

0:03:19.680000 --> 0:03:27.640000
 for the incident responders or
 the response aspect of a SOAR.

0:03:27.640000 --> 0:03:28.960000
 Right? So what is this all about?

0:03:28.960000 --> 0:03:32.320000
 Well, this is arguably one
 of its strong points.

0:03:32.320000 --> 0:03:37.500000
 It provides playbooks and workflows for
 consistent and standardized incident

0:03:37.500000 --> 0:03:40.160000
 response. And this is the key here.

0:03:40.160000 --> 0:03:42.140000
 So why is this important?

0:03:42.140000 --> 0:03:45.740000
 It's important because it ensures that
 incidents are responded to quickly

0:03:45.740000 --> 0:03:46.580000
 and efficiently.

0:03:46.580000 --> 0:03:51.000000
 And this is sort of backed up by orchestration
 and automation as well.

0:03:51.000000 --> 0:03:56.440000
 And then we have case management, which
 is not included in the name, you

0:03:56.440000 --> 0:04:00.220000
 know, and therefore not the abbreviation,
 but case management is sort

0:04:00.220000 --> 0:04:06.440000
 of a feature that is built into SOAR
 platforms to centralize all incident

0:04:06.440000 --> 0:04:12.960000
 related information for easy tracking or,
 you know, searching and collaboration.

0:04:12.960000 --> 0:04:14.540000
 And why is this important?

0:04:14.540000 --> 0:04:17.940000
 Well, it's important because it helps
 in documenting incidents, tracking

0:04:17.940000 --> 0:04:20.680000
 progress and reporting outcomes.

0:04:20.680000 --> 0:04:27.760000
 So very, very new, you know, in terms
 of, you know, some of the SOCs that

0:04:27.760000 --> 0:04:32.980000
 I have previously worked in
 or have visited recently.

0:04:32.980000 --> 0:04:37.900000
 And so what you're seeing is that while
 this may be sort of a relatively

0:04:37.900000 --> 0:04:42.500000
 new technology, you know, in the form
 of a security tool or solution,

0:04:42.500000 --> 0:04:49.100000
 it is being implemented, you know, really
 across, forget the new SOCs that

0:04:49.100000 --> 0:04:52.280000
 are being built, which will include
 them from the get go.

0:04:52.280000 --> 0:04:56.120000
 But a lot of work is being done to sort
 of revamp some of the older SOCs

0:04:56.120000 --> 0:05:01.380000
 that, you know, I've seen to start to
 integrate a SOAR into the, the,

0:05:01.380000 --> 0:05:06.860000
 the core tools, you know, of that particular
 SOC in any case, how does

0:05:06.860000 --> 0:05:09.120000
 a SOAR platform work?

0:05:09.120000 --> 0:05:23.380000
 Well, we need to break it down into,
 into quite a security alerts from

0:05:23.380000 --> 0:05:28.340000
 various sources, like a SIEM, IDS, IPS, EDR,
 and of course, threat intelligence

0:05:28.340000 --> 0:05:33.160000
 platforms. We then have the automated
 triage and enrichment.

0:05:33.160000 --> 0:05:39.100000
 So in this case, the SOAR platform
 automatically analyzes and enriches

0:05:39.100000 --> 0:05:41.220000
 alerts with contextual data.

0:05:41.220000 --> 0:05:45.160000
 So think of, you know, threat intelligence,
 you know, components of threat

0:05:45.160000 --> 0:05:47.500000
 intelligence, like IOCs, etc.

0:05:47.500000 --> 0:05:52.860000
 as well as geolocation and reputation
 for things like IP addresses, which

0:05:52.860000 --> 0:05:56.060000
 is very, very useful, especially
 if it's automated, right?

0:05:56.060000 --> 0:05:58.520000
 And that is amazingly powerful.

0:05:58.520000 --> 0:06:01.300000
 You then have automated
 response execution.

0:06:01.300000 --> 0:06:04.540000
 So this is based on predefined playbooks.

0:06:04.540000 --> 0:06:10.180000
 And what happens is that the SOAR platform
 executes automated actions,

0:06:10.180000 --> 0:06:15.940000
 for example, isolating infected endpoints,
 blocking malicious IPs or domains,

0:06:15.940000 --> 0:06:18.760000
 and things like notifying stakeholders.

0:06:18.760000 --> 0:06:22.280000
 We'll talk about playbooks in the next
 video, but this is actually quite

0:06:22.280000 --> 0:06:27.080000
 interesting. So we then have case management
 and documentation, another

0:06:27.080000 --> 0:06:33.460000
 very powerful feature that quite a
 few of the, you know, popular SOAR

0:06:33.460000 --> 0:06:34.700000
 platforms offer.

0:06:34.700000 --> 0:06:39.560000
 So in this case, the SOAR platform
 creates an incident case, logs all

0:06:39.560000 --> 0:06:44.500000
 actions and enables analysts to collaborate
 and track the incident data.

0:06:44.500000 --> 0:06:46.520000
 So it's really cool.

0:06:46.520000 --> 0:06:50.560000
 And you'll end up seeing this in other
 courses when we end up using the

0:06:50.560000 --> 0:06:52.180000
 SOAR in a practical sense.

0:06:52.180000 --> 0:06:57.160000
 But it allows you to say, hey, that
 log or, you know, that incident or

0:06:57.160000 --> 0:07:00.100000
 alert looks quite interesting.

0:07:00.100000 --> 0:07:02.720000
 I'm going to create a case
 to investigate it.

0:07:02.720000 --> 0:07:07.300000
 And it treats it as, you know, sort
 of a separate, you know, you sort

0:07:07.300000 --> 0:07:12.780000
 of get a dedicated working area limited
 to that particular, that particular

0:07:12.780000 --> 0:07:15.460000
 alert or event, and you
 can then investigate it.

0:07:15.460000 --> 0:07:19.740000
 And with all the permutations involved
 in the investigation, you keep

0:07:19.740000 --> 0:07:22.040000
 things nice and centralized
 and organized.

0:07:22.040000 --> 0:07:24.520000
 So very, very powerful and useful.

0:07:24.520000 --> 0:07:26.640000
 You then have post incident reviews.

0:07:26.640000 --> 0:07:31.160000
 So SOAR platforms provide analytics
 and reporting to help improve future

0:07:31.160000 --> 0:07:32.700000
 response strategies.

0:07:32.700000 --> 0:07:35.540000
 So very, very powerful as well.

0:07:35.540000 --> 0:07:40.520000
 So the big question that you may be asking,
 well, and that is, what exactly

0:07:40.520000 --> 0:07:44.300000
 is the difference between
 a SOAR and a SIEM?

0:07:44.300000 --> 0:07:50.560000
 And I've typically seen that quite
 a few SIEMs have a SOAR or SOAR-like

0:07:50.560000 --> 0:07:52.840000
 functionality built into them.

0:07:52.840000 --> 0:07:55.440000
 Well, that's a very good question.

0:07:55.440000 --> 0:08:01.080000
 If you had that question in your mind,
 and I'm sort of going to you know,

0:08:01.080000 --> 0:08:04.600000
 the SOAR versus a SIEM, but then also
 add an important point, which is

0:08:04.600000 --> 0:08:06.480000
 noted at the bottom here.

0:08:06.480000 --> 0:08:10.720000
 But we have a few comparison criteria.

0:08:10.720000 --> 0:08:15.340000
 And they're primarily based on, you know,
 the primary role focus automation

0:08:15.340000 --> 0:08:20.200000
 capabilities, whether they can integrate
 playbooks and automate that and

0:08:20.200000 --> 0:08:25.320000
 the use case. So let's start off with
 SOAR or sorry, the primary role.

0:08:25.320000 --> 0:08:33.120000
 So in the case of automate and orchestrate
 response processes, what's

0:08:33.120000 --> 0:08:37.840000
 the primary role of a SIEM to aggregate
 and analyze security event data?

0:08:37.840000 --> 0:08:40.600000
 So there you can actually
 see the difference.

0:08:40.600000 --> 0:08:42.040000
 You then have the focus.

0:08:42.040000 --> 0:08:44.200000
 So what is a SOAR focused on?

0:08:44.200000 --> 0:08:47.940000
 Well, it's focused on response
 and automation.

0:08:47.940000 --> 0:08:51.940000
 And what is a SIEM focused on
 detection and correlation?

0:08:51.940000 --> 0:08:55.880000
 So SIEM comes before the SOAR, because
 without detection, you can't have

0:08:55.880000 --> 0:08:58.620000
 response. So very, very important there.

0:08:58.620000 --> 0:09:03.240000
 And then the automation capabilities,
 the SOAR automates response actions

0:09:03.240000 --> 0:09:04.900000
 using playbooks.

0:09:04.900000 --> 0:09:08.620000
 And the SIEM, in the case of the SIEM,
 the automation capabilities are

0:09:08.620000 --> 0:09:12.760000
 limited. And because it's primarily
 focused on alerting, right?

0:09:12.760000 --> 0:09:16.820000
 Now a lot of SIEMs, like even Wazuh, or
 Wazoo, depending on how you

0:09:16.820000 --> 0:09:19.940000
 pronounce it, have SOAR
 like functionality.

0:09:19.940000 --> 0:09:22.040000
 But it's not really what
 you'd call a SOAR.

0:09:22.040000 --> 0:09:23.640000
 It's really a SIEM with XDR.

0:09:23.640000 --> 0:09:28.340000
 In the case of Wazuh, you know,
 I'm being very specific there.

0:09:28.340000 --> 0:09:32.080000
 So we then have playbook integration.

0:09:32.080000 --> 0:09:37.420000
 In the case of a SOAR, it provides
 customized response workflows.

0:09:37.420000 --> 0:09:40.880000
 So you can, you know, create your own
 playbooks in the form of workflows,

0:09:40.880000 --> 0:09:44.700000
 as you would, and we'll take
 a look at that shortly.

0:09:44.700000 --> 0:09:48.740000
 But with the SIEM, you really, you don't
 have response playbooks or even

0:09:48.740000 --> 0:09:51.660000
 workflows of how to deal
 with certain events.

0:09:51.660000 --> 0:09:56.340000
 Or when, you know, a certain event
 is identified or logged, you know,

0:09:56.340000 --> 0:09:59.440000
 there's not there's really not much,
 you know, you can do with the SIEM

0:09:59.440000 --> 0:10:05.800000
 with regards to, you know, using or automating
 a response that is essentially

0:10:05.800000 --> 0:10:11.340000
 based on a playbook or a playbook
 style of actions, if you will.

0:10:11.340000 --> 0:10:13.480000
 And then finally, the use case.

0:10:13.480000 --> 0:10:18.060000
 So what's the use case of a SOAR to
 reduce incident response times and

0:10:18.060000 --> 0:10:22.640000
 improve efficiency of your analyst as
 a whole, which it does really well.

0:10:22.640000 --> 0:10:27.660000
 I can tell you that like really well,
 I worked in a SOC and built a SOC

0:10:27.660000 --> 0:10:30.560000
 worked in a SOC before a SOAR.

0:10:30.560000 --> 0:10:35.480000
 And, you know, I've since used a SOAR
 and I can tell you just the case,

0:10:35.480000 --> 0:10:40.660000
 the case management functionality alone
 hooked, you know, got me hooked

0:10:40.660000 --> 0:10:45.480000
 or, you know, immediately was a huge
 selling point or a plus point.

0:10:45.480000 --> 0:10:48.160000
 You know, in the case of the SIEM and
 I'm not denigrating a SIEM because

0:10:48.160000 --> 0:10:52.480000
 a SIEM really feeds without a SIEM, you
 don't have a SOAR because remember

0:10:52.480000 --> 0:10:56.640000
 when I mentioned here, the alert ingestion,
 it's getting its information

0:10:56.640000 --> 0:11:00.600000
 or security alerts from the SIEM.

0:11:00.600000 --> 0:11:04.840000
 So I'm just comparing it so
 you don't mistake the two.

0:11:04.840000 --> 0:11:13.900000
 And you actually know when a SIEM, you
 actually know when a SIEM claims

0:11:13.900000 --> 0:11:18.500000
 to have SOAR like functionality, hopefully
 this table is able to tell

0:11:18.500000 --> 0:11:22.020000
 you whether it is that
 really accurate or not.

0:11:22.020000 --> 0:11:25.200000
 So that's the only reason I
 have this comparison table.

0:11:25.200000 --> 0:11:29.460000
 In any case, the use case of a SIEM is
 to detect security threats through

0:11:29.460000 --> 0:11:32.260000
 log analysis. Pretty much it, right?

0:11:32.260000 --> 0:11:35.420000
 Now the key note, so the point I wanted
 to make here is that the SOAR

0:11:35.420000 --> 0:11:37.220000
 and SIEM are complementary.

0:11:37.220000 --> 0:11:40.180000
 That's the absolute important
 thing that you need to know.

0:11:40.180000 --> 0:11:45.040000
 So the SIEM detects and analyzes incidents
 or allows for analysis of the

0:11:45.040000 --> 0:11:48.780000
 incident while the SOAR automates
 and orchestrates the response.

0:11:48.780000 --> 0:11:53.960000
 So only the good stuff or the exciting
 events go into the SOAR, if that

0:11:53.960000 --> 0:12:00.500000
 makes sense. And here I have an example
 of what a SOAR workflow looks

0:12:00.500000 --> 0:12:07.240000
 like that essentially allows you to
 automate, you know, responding to

0:12:07.240000 --> 0:12:08.420000
 a phishing attempt.

0:12:08.420000 --> 0:12:10.860000
 So this is what the workflows look like.

0:12:10.860000 --> 0:12:16.080000
 You know, they follow the standard workflow,
 you know, model or framework.

0:12:16.080000 --> 0:12:19.240000
 So you essentially build
 it just like this.

0:12:19.240000 --> 0:12:22.860000
 Don't worry, you'll actually get to
 do this in another course, but you

0:12:22.860000 --> 0:12:24.340000
 have to do it logically first.

0:12:24.340000 --> 0:12:31.300000
 So you need to tell the SOAR what
 to do when something happens.

0:12:31.300000 --> 0:12:36.140000
 So in this case, the something that's
 happening is a phishing email is

0:12:36.140000 --> 0:12:40.020000
 detected. So, you know, that is ingested.

0:12:40.020000 --> 0:12:44.420000
 You ingest the alert into the SOAR and
 then you automate email analysis.

0:12:44.420000 --> 0:12:47.540000
 So in this case, it's a
 very simple workflow.

0:12:47.540000 --> 0:12:53.180000
 So you essentially tell these, you know,
 you tell the SOAR platform, you

0:12:53.180000 --> 0:12:58.080000
 know, if this is malicious, then quarantine
 the email and notify the user

0:12:58.080000 --> 0:13:02.280000
 and then update detection rules
 and generate an incident report.

0:13:02.280000 --> 0:13:06.920000
 If it's not malicious, you know, mark
 it as safe and close the

0:13:06.920000 --> 0:13:08.900000
 case. That's pretty much it.

0:13:08.900000 --> 0:13:13.480000
 And so you can build really cool workflows,
 you know, for automation,

0:13:13.480000 --> 0:13:17.820000
 not just of, you know, responding to
 incidents, but for a lot of stuff.

0:13:17.820000 --> 0:13:20.720000
 Anyway, wanted to use
 a very simple example.

0:13:20.720000 --> 0:13:27.300000
 And yeah, so finally, what are some SOAR
 popular SOAR platforms or solutions?

0:13:27.300000 --> 0:13:32.960000
 Well, the most popular in SOAR, as
 I know, is Palo Alto Cortex XSOAR.

0:13:32.960000 --> 0:13:36.440000
 Now I personally have used this, you
 know, Splunk SOAR, which is, you

0:13:36.440000 --> 0:13:39.420000
 know, formerly Phantom and FortiSOAR.

0:13:39.420000 --> 0:13:42.300000
 FortiSOAR was really good,
 really, really good.

0:13:42.300000 --> 0:13:46.540000
 But in the case of Palo Alto Cortex
 XSOAR, what are the key features,

0:13:46.540000 --> 0:13:51.060000
 robust automation, orchestration and
 case management capabilities, Splunk

0:13:51.060000 --> 0:13:54.020000
 SOAR, strong integration
 with Splunk SOAR.

0:13:54.020000 --> 0:13:57.420000
 That's the reason I used it
 and other third-party tools.

0:13:57.420000 --> 0:14:01.300000
 IBM Resilient, I haven't used, but
 based on what I've seen, it focuses

0:14:01.300000 --> 0:14:07.000000
 on flexible and customizable
 incident response workflows.

0:14:07.000000 --> 0:14:09.860000
 So if that's what you're looking for,
 by the way, you can perform your

0:14:09.860000 --> 0:14:11.420000
 own research on these.

0:14:11.420000 --> 0:14:15.880000
 You then have Swimlane, which is highly
 scalable with advanced automation

0:14:15.880000 --> 0:14:20.420000
 capabilities. And then FortiSOAR, which
 is, you know, the only reason I

0:14:20.420000 --> 0:14:26.040000
 used it was again, because we were
 using FortiSIEM, and, you know, it

0:14:26.040000 --> 0:14:31.200000
 offers extensive integrations with
 Fortinet security solutions.

0:14:31.200000 --> 0:14:37.220000
 So the only, or the only reason I used
 Splunk SOAR and FortiSOAR is actually

0:14:37.220000 --> 0:14:39.520000
 a key point I wanted to make.

0:14:39.520000 --> 0:14:52.260000
 Because a SOAR needs a SIEM to work,
 what ends up happening, the, if I

0:14:52.260000 --> 0:14:58.180000
 was using Splunk SOAR, it's extremely
 easy for me to, you know, come to

0:14:58.180000 --> 0:15:02.680000
 the decision that the SOAR that I will
 use is going to be Splunk SOAR,

0:15:02.680000 --> 0:15:05.240000
 because the integration is so seamless.

0:15:05.240000 --> 0:15:10.440000
 Likewise, for FortiSOAR, it is very
 difficult to connect FortiSIEM to

0:15:10.440000 --> 0:15:13.980000
 another SOAR or to integrate
 them so they work together.

0:15:13.980000 --> 0:15:19.000000
 So what ends up happening, and this
 was why I compared the SIEM to the

0:15:19.000000 --> 0:15:24.940000
 SOAR is a lot of the companies or vendors
 that develop the SIEMs will

0:15:24.940000 --> 0:15:28.240000
 end up developing their own SOAR.

0:15:28.240000 --> 0:15:31.080000
 You know, in the beginning, they'll be
 separate with, you know, very good

0:15:31.080000 --> 0:15:37.320000
 integration, but the inevitable, to
 me, it is inevitable that the SOAR

0:15:37.320000 --> 0:15:41.260000
 will sort of be combined into the
 SOAR, which makes a lot of sense.

0:15:41.260000 --> 0:15:44.200000
 In any case, don't want to
 dive too deep into this.

0:15:44.200000 --> 0:15:45.920000
 That brings us to the end of this video.

0:15:45.920000 --> 0:15:51.120000
 Hopefully you know more about the
 SOAR platforms or solutions.

0:15:51.120000 --> 0:15:55.460000
 And that was, you know, sort of the intro
 to the SOC automation and optimization

0:15:55.460000 --> 0:15:58.460000
 section of this course.

0:15:58.460000 --> 0:16:01.680000
 And with that being said, I'll be
 seeing you in the next video.

