This is an excerpt from a panel we participated in at the NY Cyber Security Summit.
Security Orchestration, Automation and Response (SOAR) refers to a class of platforms, distinct from but typically fed by security information and event management (SIEM) systems, that let security teams replace repetitive manual work with codified playbooks so they can spend their time on higher-value analysis and engineering. SOAR can be used to mitigate threats and vulnerabilities, respond to incidents and automate security operations. According to Gartner, which coined the term, “SOAR refers to technologies that enable organizations to collect inputs monitored by the security operations team.”
How Automated Threat Modeling Reduces the Element of Human Error
Stuart Winter-Tear, Director of Sales Engineering at ThreatModeler, warns that SOAR is not just for the reactive part of security (incident response). It can be for the prevention part as well. “Automating the decisions we make on how we build services and applications and building them more secure” is part of the equation, he says. “It’s not just for the end when it’s in production. Let’s get SOAR for the beginning part of design and building.”
“If you’re still manually threat modeling cross-site scripting and SQL injections, you’re doing it wrong,” says Stuart. “With infosec, architectural components are not necessarily novel. Threat mitigations tend to repeat over and over again. Humans aren’t that great at the repetitive and the mundane.” The human element introduces error and inconsistency. “Rather than repeating things that come up time and time again, we should be aiming towards automation.”
Through automation, organizations gain a clear understanding of their assets, their attack surface and the different paths an attacker could take through the system, and can use that understanding to head off an attack before it happens. That is what taking a proactive approach to security means in practice.
How Does Existing Technology Integrate with SOAR Solutions?
A SOAR solution is only as good as the inputs it receives from the rest of the technology stack and the outputs it hands back. An automated threat model not only supplies those inputs and outputs but also shows how they fit together. With Process Flow Diagram-based threat modeling (such as ThreatModeler’s), a model built from the architecture identifies the features and functions, the processes, and how the components communicate with each other. Use cases are also valuable inputs, since they show how users interact with the system; together they give a complete, start-to-finish picture of how the application is used. Those use-case insights let you “think like a hacker” and work out how an attacker could compromise the system.
Actionable outputs from SOAR-style threat modeling include the automatic identification of threats, and of the security controls needed to address them, for the application and its underlying infrastructure. Understanding those outputs lets DevOps teams prioritize and implement effective security requirements from the ground up.
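The repetition Stuart describes, and the inputs and outputs listed above, can be made concrete with a small rule-driven threat identifier. What follows is an added example, not ThreatModeler’s code or threat library: the component kinds, the four rules, the control wording and the sample application model are all constructed for illustration. It takes a process flow diagram (components plus the data flows between them), applies every rule to every flow, and also enumerates the paths from an entry point to an asset, which is the attack-path view mentioned earlier.

```python
"""Rule-driven threat identification over a process flow diagram.
Added example: not ThreatModeler's code or threat library. Component kinds,
rules, control wording and the sample model below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    kind: str                          # "browser", "web_app", "sql_db", "cache"
    props: frozenset = frozenset()     # e.g. {"renders_user_input"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str        # what the flow carries: "user_input", "credentials", ...
    protocol: str    # "https", "http", "sql", "redis"


@dataclass(frozen=True)
class Threat:
    flow: Tuple[str, str]
    name: str
    control: str
    severity: str


# Each rule inspects one flow and its two endpoints. The same handful of
# threats recurs on almost every application, which is why this automates well.
def rule_sql_injection(src, dst, f) -> Optional[Threat]:
    if dst.kind == "sql_db" and f.data == "user_input":
        return Threat((f.src, f.dst), "SQL injection",
                      "Parameterised queries; least-privilege DB account", "high")
    return None


def rule_xss(src, dst, f) -> Optional[Threat]:
    if dst.kind == "browser" and "renders_user_input" in src.props:
        return Threat((f.src, f.dst), "Cross-site scripting",
                      "Context-aware output encoding; Content-Security-Policy", "high")
    return None


def rule_cleartext(src, dst, f) -> Optional[Threat]:
    sensitive = ("credentials", "session_token", "user_input")
    if f.protocol in ("http", "redis") and f.data in sensitive:
        return Threat((f.src, f.dst), "Cleartext transmission of " + f.data,
                      "TLS on the link; authenticate the peer", "medium")
    return None


def rule_credential_abuse(src, dst, f) -> Optional[Threat]:
    if dst.kind == "web_app" and f.data == "credentials":
        return Threat((f.src, f.dst), "Credential stuffing / brute force",
                      "Rate limiting; MFA; breached-password check", "medium")
    return None


RULES = [rule_sql_injection, rule_xss, rule_cleartext, rule_credential_abuse]


def identify_threats(components, flows, rules=RULES) -> List[Threat]:
    """Apply every rule to every flow. Same model in, same threats out."""
    by_name = {c.name: c for c in components}
    found = []
    for f in flows:
        src, dst = by_name[f.src], by_name[f.dst]
        for rule in rules:
            t = rule(src, dst, f)
            if t is not None:
                found.append(t)
    return sorted(found, key=lambda t: (t.flow, t.name))


def attack_paths(flows, entry: str, target: str) -> List[Tuple[str, ...]]:
    """Enumerate the simple paths an attacker could follow from entry to target."""
    edges = {}
    for f in flows:
        edges.setdefault(f.src, set()).add(f.dst)   # set: parallel flows count once
    paths = []

    def walk(node, seen):
        if node == target:
            paths.append(tuple(seen))
            return
        for nxt in sorted(edges.get(node, ())):
            if nxt not in seen:
                walk(nxt, seen + [nxt])

    walk(entry, [entry])
    return sorted(paths)


# Constructed sample: a login page whose search results echo user input.
COMPONENTS = [
    Component("browser", "browser"),
    Component("web", "web_app", frozenset({"renders_user_input"})),
    Component("db", "sql_db"),
    Component("cache", "cache"),
]
FLOWS = [
    Flow("browser", "web", "credentials", "https"),
    Flow("browser", "web", "user_input", "https"),
    Flow("web", "browser", "rendered_page", "https"),
    Flow("web", "db", "user_input", "sql"),
    Flow("web", "cache", "session_token", "redis"),
]

if __name__ == "__main__":
    for t in identify_threats(COMPONENTS, FLOWS):
        print(f"{t.severity:<6} {t.flow[0]}->{t.flow[1]}: {t.name} | {t.control}")
    for p in attack_paths(FLOWS, "browser", "db"):
        print("attack path:", " -> ".join(p))
```

Because the rules are pure functions of the model, the same architecture always produces the same threat list, which is the consistency a manual review cannot guarantee; adding a new recurring threat means adding one rule, not re-reviewing every diagram.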
Crawl, Walk or Run to SOAR
Organizations may be nervous about giving SOAR tools the autonomy to detect security events and respond without human intervention. That can be hard for some security professionals: change can be scary, and people may worry about losing their jobs. An automated threat modeling tool such as ThreatModeler, however, with its instant building of threat models and a dashboard for communicating risk widely, actually invites even non-security professionals to take part in DevOps with security built in.
“We have to automate and orchestrate in security,” says Stuart. “DevOps is doing so and that’s why security is getting left behind.” But there are things we can do, and it doesn’t all have to happen at once. For one thing, Stuart encourages us to dig into what sort of support vendors will give after implementation, to make sure they are not going to leave us holding the baby. “If we are dealing with vendors, they need to be our partners in all of this,” he says.
Do Your Homework and Understand Your Current Manual Processes
Stuart also states that we need to understand the processes as they exist now in manual form. That way, when you flip to automation, it will be much easier. You’ll have your baseline and that can help to reduce the fear of the unknown.
Nathan Wenzler, Chief Security Strategist at Tenable, Inc., mirrors Stuart’s sentiments about the fear of machines taking over the world. “The organizations that I find are really concerned about automation usually haven’t done their homework before. They’re the ones who don’t understand their own processes and procedures today. They struggle with their existing processes before getting to automation.”
Nathan believes it’s really a fear-based kind of problem, because they don’t know what they’re doing today and they’re going to turn it over to a machine – everybody kind of panics. “But understanding how your processes and procedures work now means that you know how everything’s supposed to work,” he said. “When you automate it, you know what the results should be, because you’ve already documented it and understand what the process should be. And it makes everything a lot less scary.”
Ron Bennatan, Senior Vice President and General Manager, Data Security at Imperva, suggests scoring how much damage each automated action could do if it runs at the wrong time or in the wrong way. That gives people a clear view of where the risk is concentrated. “Once you introduce some of the automation, you don’t introduce it day one, you run it in the background, you still have the manual response.”
Once you establish that the system is doing what a human would have done, perhaps by showing on a dashboard that its decisions match what people would have done manually, or improve on them, people become more comfortable with automation. Ron also suggests running automation in a machine-assisted model, where a human still makes the decision based on the tool’s recommendations.
“Maybe you don’t want to automate everything right away, because of that double edged sword we’re all referring to,” Kevin Kennedy, Senior Engineer at Malwarebytes says. “A big false positive can really take down the productivity of an organization. As long as you get there with baby steps, another technique I’ve seen involving high risk activities that would otherwise be automated is to have some type of human in the middle at some point to push the green button – say okay, go – as opposed to it being fully automated.”
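Ron’s shadow-then-assisted rollout and Kevin’s “push the green button” check can be expressed as modes of a single playbook runner. The following is an added example, not code from any panelist’s product: the action names, the blast-radius scores, the confidence thresholds and the sample alerts are constructed for illustration. In shadow mode the runner records what it would have done and compares that with the analyst’s actual choice; in assisted mode an approver must confirm every action; in autonomous mode it acts on its own only below a blast-radius threshold and otherwise falls back to asking a human.

```python
"""Staged rollout of SOAR response actions: shadow, assisted, autonomous.
Added example, not any panelist's or vendor's code. Action names, blast-radius
scores, confidence thresholds and the sample alerts are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional


class Mode(Enum):
    SHADOW = "shadow"          # decide and record only; humans still respond
    ASSISTED = "assisted"      # act only after a human approves
    AUTONOMOUS = "autonomous"  # act alone below a blast-radius threshold


@dataclass(frozen=True)
class Action:
    name: str
    blast_radius: int   # 1..10: damage if this runs at the wrong time or way


@dataclass(frozen=True)
class Alert:
    id: str
    kind: str
    host: str
    confidence: float


@dataclass
class Decision:
    alert_id: str
    action: Optional[Action]
    executed: bool
    reason: str


# Scored up front: blocking one IP is cheap to undo, disabling an account
# can lock out a whole team. (Scores are constructed for this example.)
ACTIONS = {
    "block_ip": Action("block_ip", 3),
    "isolate_host": Action("isolate_host", 7),
    "disable_account": Action("disable_account", 8),
}


def recommend(alert: Alert) -> Optional[Action]:
    """Playbook logic: which response fits this alert, if any."""
    if alert.kind == "brute_force":
        return ACTIONS["block_ip"]
    if alert.kind == "c2_beacon" and alert.confidence >= 0.9:
        return ACTIONS["isolate_host"]
    if alert.kind == "credential_theft" and alert.confidence >= 0.8:
        return ACTIONS["disable_account"]
    return None


class Playbook:
    def __init__(self, mode: Mode, auto_max_blast: int = 4,
                 approver: Optional[Callable[[Alert, Action], bool]] = None,
                 executor: Optional[Callable[[Alert, Action], None]] = None):
        self.mode = mode
        self.auto_max_blast = auto_max_blast
        self.approver = approver or (lambda alert, action: False)  # default: deny
        self.executor = executor or (lambda alert, action: None)
        self.log: List[Decision] = []   # every decision, for the dashboard
        self.compared = 0               # shadow mode: alerts with a manual choice
        self.agreed = 0                 # ... where automation matched it

    def handle(self, alert: Alert, manual_action: Optional[str] = None) -> Decision:
        action = recommend(alert)
        if action is None:
            d = Decision(alert.id, None, False, "no playbook match")
        elif self.mode is Mode.SHADOW:
            self.compared += 1
            agree = manual_action == action.name
            self.agreed += int(agree)
            d = Decision(alert.id, action, False, "shadow: matched analyst" if agree
                         else f"shadow: analyst chose {manual_action}")
        elif self.mode is Mode.AUTONOMOUS and action.blast_radius <= self.auto_max_blast:
            self.executor(alert, action)
            d = Decision(alert.id, action, True, "auto: blast radius within threshold")
        elif self.approver(alert, action):   # assisted, or too risky to run alone
            self.executor(alert, action)
            d = Decision(alert.id, action, True, "executed after analyst approval")
        else:
            d = Decision(alert.id, action, False, "analyst declined")
        self.log.append(d)
        return d

    def agreement_rate(self) -> float:
        return self.agreed / self.compared if self.compared else 0.0

    def ready_to_promote(self, min_samples: int = 50, min_agreement: float = 0.95) -> bool:
        """Leave shadow mode only with enough evidence that it matches people."""
        return self.compared >= min_samples and self.agreement_rate() >= min_agreement


# Constructed sample alerts, each paired with what the analyst actually did.
SAMPLE = [
    (Alert("a1", "brute_force", "vpn-gw", 0.70), "block_ip"),
    (Alert("a2", "c2_beacon", "ws-042", 0.95), "isolate_host"),
    (Alert("a3", "credential_theft", "dc-01", 0.85), "reset_password"),  # disagreed
    (Alert("a4", "port_scan", "ws-007", 0.50), None),
]


def run_shadow() -> Playbook:
    pb = Playbook(Mode.SHADOW)
    for alert, manual in SAMPLE:
        pb.handle(alert, manual_action=manual)
    return pb


def run_autonomous(approve: bool):
    """Autonomous below the threshold; anything riskier waits for the green button."""
    executed = []
    pb = Playbook(Mode.AUTONOMOUS, auto_max_blast=4, approver=lambda a, act: approve,
                  executor=lambda a, act: executed.append((a.id, act.name)))
    for alert, _ in SAMPLE:
        pb.handle(alert)
    return pb, executed


if __name__ == "__main__":
    shadow = run_shadow()
    print(f"shadow agreement {shadow.agreement_rate():.0%}; promote: {shadow.ready_to_promote(3)}")
    print("ran without a human:", run_autonomous(approve=False)[1])
```

The shadow log is the evidence Ron describes: each disagreement (here, the analyst reset a password where the playbook would have disabled the account) is a case to review before promotion, and `ready_to_promote` refuses to advance on too few samples or too low an agreement rate. The blast-radius threshold is what lets a low-impact action such as blocking an IP run unattended while host isolation and account lockout still need a person to say go.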
What Is SOAR’s Impact on the Workforce?
“As we move towards automation … and have the machines take over some of the tasks that we’re doing manually today, I think we’re going to see the workforce do more of a process, versus just the hands on of getting through the day,” says Torsten Larson, Director, Solutions Consulting at Galvanize. “People are going to be very excited, energized to spend more time doing what most security people like to do, versus the manual tasks that are kind of repetitive.”
People may be afraid of automating things because they fear giving up control. But the machines are not going to take our jobs away. They will make everyone’s job easier and more enjoyable, because people can concentrate on what they are really good at instead of the grunt work.