How SOAR Technologies Force Multiply Your IR Assets

One of the most valuable tools cyber security professionals need is time, and security orchestration, automation and response (SOAR) technology gives this back to them, according to Mike Fowler, a cyber security and forensics investigator and vice president of professional services for DF Labs, a provider of a SOAR platform. Fowler was the guest on episode 54 of Task Force 7 Radio, with host George Rettas, the president and CEO of Task Force 7 Radio and Task Force 7 Technologies.

Fowler previously served in law enforcement, training foreign and domestic forensic investigators for the U.S. Department of State, the U.S. Secret Service, and the FBI’s Cyber Division.

The conversation started with Rettas asking Fowler how he made the transition from law enforcement to becoming a cyber security professional.

Fowler recalled serving a search warrant on a home in the 1996-97 timeframe when he was a detective assigned to a vice and narcotics squad. He said he remembers finding drugs and drug paraphernalia in the home and looking at a PC on a desk.

“The number one rule in narcotics is ‘find the money.’ You make bigger and better cases as you follow that money,’’ he said. “I thought, ‘Man, if I had a way to access that information in a manner that I could submit in court that would be of evidentiary value, who knows what kind of cases I could build?’”

That led to a conversation with his chief about the need for computer forensics, and eventually the unit started deploying technology. From there, Fowler said he learned that the skillsets he developed in law enforcement researching crimes “transfer pretty easily over to the private sector and companies recognize that. They see the value in the experience that you have, and they embrace that.”

Rettas questioned whether law enforcement agencies have the tools and skillsets to respond to major incidents. Some do, he replied, because they make funding and cybercrime a prioritization.

Fowler also recalled being at an International Association of Chiefs of Police conference in the late 1990s and hearing a chief say, "we don't have any cybercrime." Fowler’s reaction? “The only crime that I could think of that didn't have a cyber juxtaposition was a traffic offense … There is no crime that could not have a cyber factor to it, at this point in our lives.” It’s up to law enforcement agencies to decide if they need a new squad car or if they send an officer for forensic training and get him a new computer, he said.

Rettas noted that it wasn’t until the mid-2000s when companies came to realize that they need law enforcement talent in the private sector. Since then, many skilled law enforcement officers have left public service to enter the corporate world, he said.

This has left a dearth of cybersecurity professionals in the public sector, Rettas said. Fowler agreed, saying the shortage is significant but that the federal government is stepping in to augment what local agencies need with programs like the Human Exploitation Rescue Operative, or HERO program that's coordinated by the Immigration and Customs Enforcement (ICE) Agency.

In the show’s second segment, Rettas asked the question that is on the minds of all business executives: Are we eventually going to win the cybersecurity battle?

Fowler replied that “There's always going to be wolves out there. We're always going to need some sheepdogs in order to take care of that ... there are some really skilled bad guys out there.” Being able to respond to threats is of course, a critical element.

Rettas asked how much of a concern are nation state attacks to the average citizen, and whether cyberattacks pose a risk to people’s everyday lives?

“If I'm going to invade a country for example, well, I could shut down the power grid, before I send in the first troop,’’ Fowler observed. “I have crippled that country. Think about the hurricane relief from Michael just a little bit ago. Being able to actually leverage that, I think, is a concern for every single person, as it is a larger micro cause of the cybercrime problems.”

SOAR is rising

In the show’s third segment, Rettas and Fowler discussed the components of SOAR, and why people should care about the technology. Fowler replied by first describing the four components of SOAR: a workflow engine for security orchestration and automated response. It also has a case management component, orchestration automation capabilities and threat intelligence management.

“The force multiplication of a threat intelligence engine can't be understated,’’ Fowler stressed. “Being able to learn from other people's investigations, in order to apply it to your own incidents, is valuable beyond compare.”

In response to Rettas’ question about whether SOAR will take the place of humans, Fowler said that “Your most valuable resource is your time. It gives you back that time by automating the tasks that are time consuming, or automating that information gathering that takes so much time, especially at the beginning stages of an incident.”

SOAR works best when integrated with an organization’s existing technologies, Fowler said.

A force multiplier

Rettas also questioned Fowler on what the hurdles are in deploying the technology. Fowler said there are two things he consistently sees. The first is that people don't understand what SOAR technology is and they liken it to artificial intelligence, which is also a big umbrella term.

“If I say, ‘we leverage artificial intelligence’ to 10 different people, I'm going to have 10 different definitions of what makes up artificial intelligence. It's the same as SOAR. It's just educating yourself on what that means.”

The second issue is that some organizations tend to have a siloed approach to their data. SOAR technologies allow multi-users to have a single pane of glass visibility “so that all of your individuals who are associated with the incident response process are able to see what's going on at any time,’’ he said.

Rettas asked him to elaborate on what “force multiplication” means to an incident response professional. Fowler said it is a military term and compared it to a soldier fighting another solider.

“If I'm a soldier and I've got a hand grenade, that hand grenade makes me a much powerful soldier than the other guy. That's what SOAR does. It doesn't take the place of a person,’’ he said. “It just makes them much more powerful.”

At the beginning stages of an incident, there is a lot of information that has to be gathered, he added. “What if that information could have been gathered before you even were aware an incident was there? That's the force multiplication part; not being sure of ‘What do I do next?’”

Having a step-by-step process, that has been carefully vetted and that you can follow is force multiplication, Fowler said. A SOAR platform should also be configurable, so organizations can tailor it to their individual needs, he added.

Incident response pain points

SOAR offers a correlation engine “where you can do a visual associational link analysis, between not only previous incidents that you've worked, but threat intelligence that may, or may not be a part of the incident that you're working,’’ he said.

It is designed to solve an organization’s pain points by offering “full dual-mode orchestration,’’ meaning not only checklists, but also certain conditional factors. So if an incident is flagged as positive threat intelligence, an organization can tell a SOAR platform how it wants it to respond. This is made possible through automated responder knowledge, the ability to look at how previous incidents were successfully resolved. A SOAR platform should offer choices when new incidents come up, he said.

SOAR platform components

In the show’s final segment, Rettas and Fowler discuss how using SOAR technologies can help with the shortage of skilled cybersecurity professionals.

This problem affects both the public and private sectors, Fowler said, and to cope, organizations must train their existing staff to “evolve our response capabilities.” An effective SOAR platform can also help, he added.

Rettas questioned Fowler on why SOAR isn’t a critical part of every security operations center (SOC) right now in every company.

Fowler replied that there are three core elements to consider when it comes to knowledge transfer and the processes and procedures a company implements: they have to be repeatable, defensible and consistent. “So being able to incorporate those three things, regardless of what framework that you're using, is going to be critical,’’ he said. But sometimes, he added, “it's difficult to gauge the ROI … for a trained versus a non-trained person.”

In the final minutes of the show, the two discussed what the realistic goals of an incident response team should be when organizations are thinking about rolling out a SOAR platform.

The platform should be cost effective and it must also provide teams with opportunities to build upon the knowledge they already have, Fowler advised.

“Now this can be developing new skills, enriching different areas of the organization,” he said. “I'm not talking about just specifically instance responders, but … the legal folks who are involved in the IR process, or the HR people who are involved. They need to be part of this knowledge transfer as well.”

The platform must also be able to promote, support and leverage the technological resources and tools an organization has to improve work flows. “So incorporating the tools that you have into this knowledge transfer is critical,’’ he said. “And finally, you have to be able to provide your leadership with some type of a return on that investment.”

Fowler concluded by saying that when putting together a knowledge transfer plan, you need to ensure the information is appropriate for the audience through a focused curriculum and that you designate the appropriate delivery method – whether automated and manual. A platform’s playbooks, even for a beginning organization, “should be elevated from using Excel spreadsheets and some type of a ticketing system to a true SOAR platform,” he said.

The ‘Task Force 7 Radio’ recap is a weekly feature on the Cyber Security Hub. To listen to this and past episodes, click here.