SIEM, SOAR and SDAR

SDAR: Companion Series 1
Written By Rhonald John Rose

Part 2 of 2

In Part 1 of this SDAR companion series , we discussed the general functions of SDAR, SOAR and SIEM and then analyzed the SIEM in detail. We will continue this companion series by further exploring SOAR and SDAR. As you will discover, SDAR is quite robust and can be a useful cybersecurity tool, even without accompanying SIEM and SOAR systems.

SOAR

Naturally, it takes more manpower to handle the alerts that come out of a SIEM solution. SIEM works best when organizations have already automated and optimized their cybersecurity systems—otherwise it can be a drag on resources and budgets. SOAR tools help automate most of common triage activities, giving  cybersecurity teams room to breathe. Implementing SOAR doesn’t have to inflate your organization's headcount. With the right strategy, you shouldn’t have to hire any additional analysts.

SOAR requires all SIEM logs, plus additional logs to orchestrate an incident response. Once a pre-defined threat is detected, it will execute the relevant playbook. MITRE ATT&CK Framework is a great starting point to define playbooks that are not part of the SOAR solution you have bought.

In a hypothetical situation a workstation in the network has been infected with malware. The cybersecurity team must act quickly, because this malware could spread to the rest of the organization’s infrastructure in a matter of hours—or even minutes. To resolve this issue, the service desk team manually intervenes with the steps outlined in Figure 3.

Figure 3: Above is a hypothetical Incident Response process

When automated, SIEM detects the malware, notifies the end user about the process it is about to start and then raises a case to the respective team s. Then the orchestrator can run the above playbook. 

SOAR communicates with your infrastructure network management software to perform the re-routing to the isolated network microsegment, then talks to the IAM to remove the device from the domain, then to the SCCM (or similar) to re-image the device. Once done, it will verify the status and initiate an end-point scan. If the entire process is successful, it will bring the device back online. Otherwise, the malware will continue to be isolated and further manual intervention will be required.

Figure 04: Integration required for the hypothetical SOAR use case

To get this workflow up and running, many integrations are required. Additionally, the workflow must be tested frequently with every major OS and software update. However, when this workflow runs smoothly, it reduces the need for manual labor and repetitive activities. The security team can then spend more time identifying use-cases, instead of coordinating with various teams to manually execute the steps explained in the playbook. This will be also beneficial to the other teams.

One of the drawbacks to SOAR is that having automated playbooks requires periodical mock tests. Furthermore, whenever there is a major software update, you will also need to revise that the playbook is valid.  Finally,not all tools have adopted OpenDXL or similar frameworks and hence, you may have to install custom integrations for the orchestration to work. Customizations usually come with an expensive overhead. This could change in the future, so, keep an eye on SOAR technology. SOAR tools are usually equipped with powerful dashboards & reporting tools to keep the respective administrators, analysts and management informed.

SDAR

Security Data Analytics and Reporting complements the above while also having the ability to function on its own. SIEM and SOAR identify and mitigate the threats. SDAR focuses on monitoring, data analytics and environment hygiene reporting. SDAR can be integrated with SOAR tools to initiate some limited workflows. However, most SDAR use cases require manual planning & remediation.

Sufficient hygiene of the infrastructure is key in ensuring that the technology landscape of an organization is not prone to being compromised by general attacks. SIEM is akin to detecting cavities. SOAR is akin to fixing the teeth affected by cavities, by removing them and filling the affected teeth.

SDAR monitors and reports the infrastructure hygiene and when things happen despite the hygiene infrastructure, SIEM spots the threat and informs SOAR. SOAR then initiates respective workflows to handle the threat.

Figure 05: Benefits of SDAR

SDAR brings something invaluable to organizations and their cybersecurity teams, including:

  • visibility into their IT infrastructure hygiene

  • The ability to monitor IT components for security compliance

  • The ability to monitor and report effectiveness of the technical controls

  • The ability to use factual metrics based reporting to improve technical controls on IT components, to increase their immunity

  • The ability to produce evidence of the security spend by providing business-contextual insights into the improved security posture of the organization.

Conclusion

In this article, we further explored the differences between SIEM, SOAR and SDAR.

We then learned about the different benefits that SDAR offers to each of the business’ stakeholders. When SDAR is implemented correctly, the security team and the business will be able to see and understand that their cybersecurity measures are effective.

SIEM works best when organizations have already automated and optimized their cybersecurity systems—otherwise it can be a drag on resources and budgets.

 If an organization’s cybersecurity systems aren’ less automated, SIEM will probably bring down the team, unless there is enough manpower resources and expensive budgets.

Rhonald John Rose https://www.akrogoniaios.com
Previous

Security Data Analytics and Reporting: Stakeholders
Next

Business continuity planning: overview