AusCERT plenary panel
by Stuart Corner
AUSCERT2021 SOARS ON THE GOLD COAST
SOAR (security orchestration, automation and response) refers to technologies that enable organisations to collect inputs normally monitored by the security operations team and then leverage a combination of human and machine power to help define, prioritise and drive standardised incident response activities. The program kicked off with a panel session, “What does a security transformation strategy look like and how can SOAR help?”, comprising: Jess Dodson, customer engineer at Microsoft; Casey Ellis, founder and CTO of Bugcrowd; Tony Kitzelmann, CIO of Airservices Australia; and James Young, global security specialist at Splunk.
AUTOMATION NOT A JOB KILLER
According to Gartner, SOAR tools allow an organisation to define incident analysis and response procedures in a digital workflow format.
Gartner says SOAR tools are steadily gaining traction in real-world use to improve security operations, and: “Security and risk management leaders should evaluate how these solutions can support and optimise their broader security operations capabilities.”
So, SOAR was a timely theme for this year’s AusCERT annual conference, AusCERT2021, its 20th, held at the Star Hotel on the Gold Coast and online. “Security Orchestration, Automation, and Response will see us SOARing with cyber … as we focus on improving efficiencies and making security a more self-operating function within our organisations,” AusCERT said.
In line with the conference theme, Dodson was quick to dispel any notion that automation enabled by SOAR might replace cybersecurity specialists. “You want to be doing cool stuff and focusing on things that are actually important rather than boring day-to-day work, … doing proactive work rather than purely reactive.”
Kitzelmann took this further, suggesting that, without technologies to automate the routine tasks of cybersecurity, skilled people were likely to leave the industry.
“If we don’t bring an orchestration automation process into our thinking around managing SOCs and security intelligence centres, we run the bigger risk of losing our good people because they’re going to be dealing with rubbish day-in and day-out. And smart people do not stay in organisations where they cannot grow and evolve.”
He said simply trying to recruit and train more cybersecurity specialists was no solution. “We need to teach our technologists to deliver better technology. We need to take advantage of tooling and orchestration, bring all of the technologies together.
“The average console operator is probably sitting in front of six or seven interfaces, jumping from one environment to another to work out what’s going on. SOAR brings all that together and gives them the ability to take a systematic approach to that data. That’s where they get to grow and evolve.”
A FILLIP FOR THE MSP INDUSTRY
However, many smaller organisations cannot afford the luxury of staff dedicated to cybersecurity tasks, boring or otherwise. So SOAR holds the potential of enabling them to significantly boost their cybersecurity posture without the cost of additional human resources. Not surprisingly, one of the first questions put to the panel was “How could SOAR help a small to medium business?”
Kitzelmann said SOAR definitely offered the potential for cost effective cybersecurity for SMEs, but they should draw on the expertise of a security service provider to implement and support it. “With an MSP using something like the SOAR framework, this becomes a commodity product.”
He said this would mean a more competitive market for MSP services. “I know a lot of people are thinking ‘oh, we’re just going to push people towards an MSP’. But so what? MSPs are there to provide a service and the more people that consume those services drives competitiveness in the market. This will become a cost effective solution.”
DIVE IN IF YOU WANT TO SOAR
In response to another question from the audience, “Is there a base level of maturity that an organisation needs to be able to effectively implement SOAR?”, Dodson said she did not believe so.
“You’re better off doing something than nothing. You’re not going to get it perfect straightaway. SOAR or any of the automation pieces are not going to be set-and-forget. You are going to be constantly tuning them and constantly monitoring them, and making tweaks.
“So doing something and getting started is going to put you in a better position straightaway rather than just going ‘it’s too hard. I can’t deal with it. I can’t get it perfect straightaway. So I’m not going to bother’.”
Young agreed. “Customers I speak to commonly say, ‘I’m not mature enough to look at technologies like that’. I think it’s the opposite. SOAR could be a tool that can help you to build maturity faster. One of the first things when you’re looking at building out a SOAR capability is understanding the process.
“And quite often we don’t understand the process. We haven’t defined what that process needs to be. And the first step, if you’re looking to automate something is building a mind map of what that process looks like and understanding how it works, looking for the opportunities to build that automation.
“Part of many of the SOAR tools out there is what could be called a case template: what are the steps I should follow for a particular type of incident that I might need to investigate or respond to? All the SOAR tools I’ve seen offer that capability. Defining that as the first step and then looking for avenues or areas that you can automate once you understand what that process is offers the opportunity to build maturity.”
PHISHING A GOOD PLACE TO START WITH SOAR
He suggested phishing emails represented an ideal threat that businesses of all sizes could counter with SOAR: the nature of the threat and its countermeasures are the same regardless of the size of the target business.
“Emails are all traditionally the same type of thing. You can feed those into the automation engine and run through a standard process to investigate and make a determination if it is likely to be a phishing exercise or not, and then determine what to do after that, maybe pass it to a human. That’s a really fantastic place to start.”
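As an added illustration of Young’s two points above (a “case template” of defined steps, and phishing reports fed through a standard automated process that hands the ambiguous ones to a human), the following Python sketch is not code from the panel or from any vendor’s product: the field names, indicator checks, score thresholds and sample messages are all constructed assumptions.

```python
import re

def check_auth(email):
    # Hypothetical gateway result: SPF and DKIM both failing is a strong signal.
    auth = email.get("auth", {})
    if auth.get("spf") == "fail" and auth.get("dkim") == "fail":
        return 3, "spf and dkim fail"

def check_reply_to(email):
    sender = email["from"].rsplit("@", 1)[-1]
    reply = email.get("reply_to", email["from"]).rsplit("@", 1)[-1]
    if sender != reply:
        return 2, f"reply-to domain {reply} differs from sender {sender}"

def check_links(email):
    # Link text names one domain but the href points at a different host.
    for text, href in email.get("links", []):
        shown = re.search(r"([\w-]+\.[a-z]+)$", text, re.I)
        host = re.search(r"https?://([^/]+)", href)
        if shown and host and not host.group(1).lower().endswith(shown.group(1).lower()):
            return 2, f"link '{text}' goes to {host.group(1)}"

def check_urgency(email):
    if re.search(r"urgent|suspended|verify now|24 hours", email["subject"], re.I):
        return 1, "urgency language in subject"

# Case template: the ordered steps to run for every suspected-phishing report.
# Each step returns (points, finding) when its indicator is present, else None.
CASE_TEMPLATE = [check_auth, check_reply_to, check_links, check_urgency]

def triage(email):
    """Run the template; return (determination, score, findings)."""
    score, findings = 0, []
    for step in CASE_TEMPLATE:
        hit = step(email)
        if hit:
            score += hit[0]
            findings.append(hit[1])
    if score >= 5:
        return "likely_phishing", score, findings
    if score == 0:
        return "benign", score, findings
    return "escalate_to_analyst", score, findings  # ambiguous: hand to a human

# Constructed sample reports (not real messages); domains are placeholders.
SAMPLES = [
    {"from": "billing@example-bank.com", "reply_to": "help@mail-verify.example", "auth": {"spf": "fail", "dkim": "fail"},
     "subject": "URGENT: account suspended, verify now", "links": [("example-bank.com", "http://login.mail-verify.example/x")]},
    {"from": "news@example.org", "subject": "May update", "auth": {"spf": "pass", "dkim": "pass"}, "links": [("example.org", "https://example.org/news")]},
    {"from": "it@example.org", "subject": "Password expires in 24 hours", "auth": {"spf": "pass"}},
]
```

Calling `triage()` on each entry of `SAMPLES` yields one clear phish, one benign message, and one single-indicator case that the playbook routes to an analyst rather than deciding on its own.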
However, introducing automation begs the questions, put to the panel: “What is the creativity? What are the ‘wicked problems’? What’s the sweet spot that humans do so much better than automation, and how do we make sure that creativity and the human side remains active in the system?”
Kitzelmann said: “With automation, you get the volume crime off the table, leaving the analysts to deal with the wicked problems.
“Orchestration tools will enable them to move quickly and more agilely, and will also give them the ability to look at the lessons learned from previous ways that orchestration was brought to bear. For example, who is the person who solved this particular type of challenge out of the SOC team? And how can I go and leverage from them? And what unique skills did that person have?
“AI is just around the corner, and machine learning will be there every day. But it’s never going to take out of the equation the need for a smart analyst who can look at the problem and the tradecraft that the individual brings to bear. … We can deal with today’s problem, but it’s the next attack and the next tradecraft evolution that we need to be working towards.”