SOAR
The Exabeam Security Operations Platform offers built-in SOAR capabilities including automation management, pre-built playbooks, and a no-code playbook editor. Together, they simplify routine tasks and accelerate resolution.
AUTOMATION MANAGEMENT
Simplify and automate critical workflows
Manage and configure automation rules and triggers for the Exabeam Security Operations Platform. Centralize management of automation workflows for faster threat detection, investigation, and response (TDIR).
ACCELERATE THE RESPONSE
Streamline incident management
Speed time to resolution with predefined playbooks, simplified process documentation, and standardized actions. View, disable, or clone playbooks for easy customization and repeatability.
EFFICIENT MITIGATION OF THREATS
Improve workflows by automating processes
Set up automated workflows to triage alerts, escalate cases, gather context, and initiate response actions. Automated workflows enable analysts to quickly address common threats, minimizing investigation time.
SIMPLIFY EDITING
Standardize response actions without writing code
Easily define alert triggers, conditions, and actions with an easy-to-use, no-code playbook experience. An intuitive interface makes it simple to create and update playbooks with just a few clicks—no scripting required.
INTEGRATED CASE MANAGEMENT
Orchestrate actions from a unified work environment
Organize and automate from a single platform. Integrate with collaboration and case management solutions. Tailor use cases to your organization’s unique needs for a more efficient, error-resilient response.
3 key capabilities of SOAR
SOAR tools provide the following three capabilities that help Security Operations Centers (SOCs) respond to incidents more effectively.
Orchestration
Orchestration is the ability to coordinate decision making and automate response actions based on an assessment of risks and environmental states.
SOAR tools can accomplish this by integrating with other security solutions in a way that allows them to “pull” data and also “drive” proactive actions. SOAR provides a generic interface that allows analysts to define actions on security tools and IT systems without being experts in those systems or their APIs.
An example of orchestration: processing a suspicious email.
- A SOAR tool can investigate whether the sender has a bad reputation, through threat intelligence, and use DNS tools to confirm the origin.
- The tool can automatically extract hyperlinks and validate them through URL reputation, detonate the links in a safe environment, or execute attachments in an isolated environment.
- Then, if an incident is confirmed, a playbook is executed that searches the email system for all messages from the same sender or with the same links or attachments and quarantines them.
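The three steps above, written out as a small Python playbook. This is an added illustration, not Exabeam code: every external lookup (threat intelligence, DNS, URL reputation, sandbox detonation) is replaced by a constructed in-memory dictionary so the logic runs offline, the sample email and mailbox are constructed, and the "attachment" is a short base64 string rather than a real file. A real playbook would reach those tools through the platform's integrations, but the decision logic is the same: confirm from independent checks, then search by sender, link and attachment hash.

```python
"""Orchestrating the suspicious-email example: assess, then quarantine.

Added illustration, not Exabeam code. All lookups are constructed stubs.
"""
import base64
import hashlib
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed stand-ins for the integrations the text describes.
SENDER_REPUTATION = {"bad-sender.example": "malicious"}        # threat intel
DNS_ANSWERS = {"bad-sender.example": "198.51.100.7"}           # DNS lookup
URL_REPUTATION = {"http://bad-sender.example/invoice": "malicious"}
SANDBOX_VERDICTS = {"http://bad-sender.example/invoice": "drops-executable"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
ATTACHMENT_B64 = "TVqQAAMAAAAEAAAA"  # constructed bytes, not a real binary
ATTACHMENT_SHA256 = hashlib.sha256(base64.b64decode(ATTACHMENT_B64)).hexdigest()

RAW_EMAIL = f"""From: Accounts <billing@bad-sender.example>
To: user@corp.example
Subject: Invoice overdue
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain; charset="utf-8"

Please review http://bad-sender.example/invoice today.
--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.bin"
Content-Transfer-Encoding: base64

{ATTACHMENT_B64}
--XX--
"""

# A constructed mailbox the final step searches; "m2" is unrelated.
MAILBOX = [
    {"id": "m1", "from": "billing@bad-sender.example", "urls": [], "attachment_hashes": []},
    {"id": "m2", "from": "hr@corp.example", "urls": ["http://corp.example/policy"], "attachment_hashes": []},
    {"id": "m3", "from": "pal@partner.example", "urls": ["http://bad-sender.example/invoice"], "attachment_hashes": []},
    {"id": "m4", "from": "x@free.example", "urls": [], "attachment_hashes": [ATTACHMENT_SHA256]},
]

def extract_urls(msg: Message) -> list[str]:
    """Hyperlinks from every text/plain part."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", errors="replace")
            urls.extend(URL_RE.findall(body))
    return sorted(set(urls))

def attachment_hashes(msg: Message) -> list[str]:
    """SHA-256 of each attachment, so later matching is by content, not name."""
    return [hashlib.sha256(p.get_payload(decode=True)).hexdigest()
            for p in msg.walk() if p.get_content_disposition() == "attachment"]

def assess(raw_email: str) -> dict:
    """Steps 1 and 2: sender reputation and DNS, then URL reputation and detonation."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    domain = sender.rsplit("@", 1)[-1]
    urls = extract_urls(msg)
    f = {
        "sender": sender,
        "sender_reputation": SENDER_REPUTATION.get(domain, "unknown"),
        "sender_resolves_to": DNS_ANSWERS.get(domain),
        "urls": {u: URL_REPUTATION.get(u, "unknown") for u in urls},
        "detonations": {u: SANDBOX_VERDICTS.get(u) for u in urls},
        "attachment_hashes": attachment_hashes(msg),
    }
    # The incident is confirmed when any independent check comes back bad.
    f["confirmed"] = (f["sender_reputation"] == "malicious"
                      or "malicious" in f["urls"].values()
                      or any(f["detonations"].values()))
    return f

def quarantine_targets(findings: dict, mailbox: list[dict]) -> list[str]:
    """Step 3: ids of all messages sharing the sender, a link or an attachment."""
    if not findings["confirmed"]:
        return []
    return [m["id"] for m in mailbox
            if m["from"].lower() == findings["sender"]
            or set(m["urls"]) & set(findings["urls"])
            or set(m["attachment_hashes"]) & set(findings["attachment_hashes"])]

if __name__ == "__main__":
    findings = assess(RAW_EMAIL)
    print("confirmed:", findings["confirmed"], "quarantine:", quarantine_targets(findings, MAILBOX))
```

Matching on the attachment's hash rather than its filename is deliberate: the same payload sent under a different name is still caught, which is the point of searching the mailbox for "the same attachments".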
Automation
Automation is related to orchestration: it is the execution of machine-driven actions in security tools and IT systems, as part of an incident response. SOAR tools allow security teams to define standardized automation steps and a decision-making workflow, with compliance, status tracking, and auditing capabilities.
Automation is based on security playbooks, which analysts can code using a visual user interface or a programming language such as Python.
An example of an automation playbook: Exabeam's malware playbook.
- The SOAR tool scans the malware file and detonates it in a sandbox using external services.
- The SOAR tool checks the file against reputation services such as VirusTotal to corroborate the scan result.
- The SOAR tool identifies the geolocation of the source or originating IP address.
- The system notifies the user about the malware and post-scan cleanup is performed.
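The paragraph above describes standardized steps plus status tracking and auditing; the following added example shows what that looks like as a minimal playbook runner executing the four malware-playbook steps. It is an illustration, not Exabeam's playbook engine: the sandbox, reputation and geolocation services are constructed in-memory dictionaries, the two "files" are short byte strings rather than real binaries, the reputation threshold of five engines is an assumption, and the country code "XX" is a placeholder.

```python
"""Playbook runner with status tracking and an audit trail, executing the
four malware-playbook steps listed above.

Added illustration, not Exabeam's engine. All external services are stubs.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable

SAMPLE_MALWARE = b"MZ\x90\x00 constructed sample, not a real binary"
SAMPLE_CLEAN = b"%PDF-1.4 constructed clean document"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for external services, keyed by file hash or IP.
SANDBOX_VERDICTS = {sha256(SAMPLE_MALWARE): "malicious"}
REPUTATION_HITS = {sha256(SAMPLE_MALWARE): 57}   # engines flagging the hash
GEOLOCATION = {"203.0.113.9": "XX"}              # placeholder country code

@dataclass
class Context:
    file_bytes: bytes
    source_ip: str
    user: str
    facts: dict = field(default_factory=dict)   # what the steps learned
    audit: list = field(default_factory=list)   # one record per step
    status: str = "running"

def scan_and_detonate(ctx: Context) -> str:
    ctx.facts["sha256"] = sha256(ctx.file_bytes)
    ctx.facts["sandbox"] = SANDBOX_VERDICTS.get(ctx.facts["sha256"], "benign")
    return ctx.facts["sandbox"]

def check_reputation(ctx: Context) -> str:
    hits = REPUTATION_HITS.get(ctx.facts["sha256"], 0)
    ctx.facts["reputation_hits"] = hits
    # Corroborate the sandbox verdict; either source alone is enough to act (assumed threshold).
    ctx.facts["malicious"] = ctx.facts["sandbox"] == "malicious" or hits >= 5
    return "malicious" if ctx.facts["malicious"] else "clean"

def geolocate_source(ctx: Context) -> str:
    ctx.facts["geo"] = GEOLOCATION.get(ctx.source_ip, "unknown")
    return ctx.facts["geo"]

def notify_and_clean_up(ctx: Context) -> str:
    if not ctx.facts["malicious"]:
        return "skipped"            # decision point: nothing to clean up
    ctx.facts["notified"] = ctx.user
    ctx.facts["cleanup"] = "quarantined " + ctx.facts["sha256"][:12]
    return "done"

MALWARE_PLAYBOOK: list[tuple[str, Callable[[Context], str]]] = [
    ("scan_and_detonate", scan_and_detonate),
    ("check_reputation", check_reputation),
    ("geolocate_source", geolocate_source),
    ("notify_and_clean_up", notify_and_clean_up),
]

def run_playbook(ctx: Context, steps=MALWARE_PLAYBOOK) -> Context:
    """Run steps in order; every outcome, including a failure, is audited."""
    for name, step in steps:
        record = {"step": name, "at": datetime.now(timezone.utc).isoformat()}
        try:
            record["outcome"] = step(ctx)
        except Exception as exc:              # a failed step halts the playbook
            record["outcome"] = f"error: {exc}"
            ctx.audit.append(record)
            ctx.status = "failed"
            return ctx
        ctx.audit.append(record)
    ctx.status = "completed"
    return ctx

def outcomes(ctx: Context) -> list[str]:
    return [r["outcome"] for r in ctx.audit]

if __name__ == "__main__":
    done = run_playbook(Context(SAMPLE_MALWARE, "203.0.113.9", "j.doe"))
    for r in done.audit:
        print(r["at"], r["step"], "->", r["outcome"])
```

The audit list is the part an auditor or a later investigator cares about: every step is recorded with its timestamp and outcome even when it is skipped by a decision point or stops the playbook with an error, so the playbook's status is never ambiguous.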
Incident management and collaboration
This SOAR capability helps security teams manage security incidents, collaborate, and share data to efficiently resolve the incident.
- Alert processing and triage: A SOAR tool collects and analyzes security data, typically pulled from the SIEM, correlates the data to identify priority and criticality, and automatically generates incidents for investigation. The incident already includes relevant context information, allowing analysts to investigate further. This eliminates the need for a human to look at the relevant security data, identify it as a security incident, and manually configure an incident in the system.
- Logging and evidentiary backup: A SOAR tool provides an investigation timeline to collect and store artifacts from the security incident, for current and future analysis. Artifacts may be related to known attacker activities, which may take place over an extended period. Additional artifacts may be pulled to investigate whether they are related to the ongoing incident.
- Case management: The tool can record actions and decisions taken by the security team, making them visible to the entire organization as well as external auditors. Over time, the SOAR tool builds an organizational knowledge base that captures tribal knowledge: historical threats, incidents, responses, and decisions and their outcomes.
- Threat intelligence management: A SOAR tool incorporates threat data from open source databases, industry leaders, coordinated response organizations, and commercial threat intelligence vendors. The SOAR tool links relevant threat information to specific incidents and enables analysts to easily access threat intelligence while investigating an incident.
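To make the first and last items concrete (triage that correlates alerts into prioritized incidents, and threat intelligence linked to each incident), here is an added worked example; it is not Exabeam code. The SIEM alerts, the asset inventory and the threat-intelligence feed are constructed inline, and the scoring weights and the thresholds for "critical", "high" and the minimum score for opening an incident are assumptions chosen for the example, not a documented Exabeam formula.

```python
"""Alert triage and correlation: raw SIEM alerts become prioritized incidents
carrying their context and linked threat intelligence.

Added illustration, not Exabeam code. Data and scoring weights are constructed.
"""
from collections import defaultdict

# Constructed SIEM alerts (severity 1-5; indicators are IPs seen in the event).
ALERTS = [
    {"id": "a1", "time": "2024-05-01T09:00:00Z", "rule": "Brute-force login",
     "severity": 3, "host": "WS-042", "user": "j.doe", "indicators": ["198.51.100.23"]},
    {"id": "a2", "time": "2024-05-01T09:05:00Z", "rule": "New admin tool installed",
     "severity": 2, "host": "WS-042", "user": "j.doe", "indicators": []},
    {"id": "a3", "time": "2024-05-01T09:07:00Z", "rule": "Outbound to known C2",
     "severity": 5, "host": "DB-PROD-01", "user": "svc_backup", "indicators": ["203.0.113.77"]},
    {"id": "a4", "time": "2024-05-01T09:09:00Z", "rule": "Port scan",
     "severity": 1, "host": "WS-017", "user": "m.lee", "indicators": []},
]
ASSET_CRITICALITY = {"DB-PROD-01": 5, "WS-042": 2, "WS-017": 2}   # constructed inventory
THREAT_INTEL = {                                                     # constructed feed
    "203.0.113.77": {"source": "constructed feed", "tags": ["c2"]},
    "198.51.100.23": {"source": "constructed feed", "tags": ["scanner"]},
}
MIN_SCORE = 4   # assumed: below this a group is logged but gets no incident

def correlate(alerts):
    """Group alerts that share a host and user into one candidate incident."""
    groups = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["time"]):
        groups[(a["host"], a["user"])].append(a)
    return groups

def score(group):
    """Highest severity weighted by asset criticality, plus a bonus for each
    additional distinct rule: several different detections on one host/user
    pair matter more than one rule firing repeatedly (assumed weights)."""
    worst = max(a["severity"] for a in group)
    crit = ASSET_CRITICALITY.get(group[0]["host"], 1)
    distinct_rules = len({a["rule"] for a in group})
    return worst * crit + 2 * (distinct_rules - 1)

def priority(s):
    return "critical" if s >= 20 else "high" if s >= 8 else "low"

def build_incidents(alerts, min_score=MIN_SCORE):
    """Create context-rich incidents, highest score first; low-score groups are dropped."""
    incidents = []
    for (host, user), group in correlate(alerts).items():
        s = score(group)
        if s < min_score:
            continue
        indicators = sorted({i for a in group for i in a["indicators"]})
        incidents.append({
            "host": host, "user": user, "score": s, "priority": priority(s),
            "alert_ids": [a["id"] for a in group],
            "timeline": [(a["time"], a["rule"]) for a in group],
            "indicators": indicators,
            # Link only the intel that matches this incident's own indicators.
            "threat_intel": {i: THREAT_INTEL[i] for i in indicators if i in THREAT_INTEL},
        })
    return sorted(incidents, key=lambda i: i["score"], reverse=True)

if __name__ == "__main__":
    for inc in build_incidents(ALERTS):
        print(inc["priority"], inc["host"], inc["user"], inc["alert_ids"], inc["threat_intel"])
```

With the constructed data, the single C2 alert on the production database outranks the two correlated alerts on a workstation, and the lone port scan never becomes an incident; an analyst opening either incident already sees the timeline, the indicators and the matching intelligence entries rather than having to assemble them by hand.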
CASE STUDY
Leading technology provider creates global vision of security
Founded in 1988, the company has a global team of more than 129,000 employees in over 50 countries and regions. The company is transforming its previous role as a systems builder into a global business partner that leads the way to international business success.
The Japan business unit alone has 34,500 employees and is a dominant player in government and financial services. It also serves a variety of clients in construction, real estate, manufacturing, logistics, retail, broadcasting, media, advertising, communications, transportation and energy. Consolidated annual net sales were ¥2.1 trillion (US$18.9 billion) as of March 31, 2019. The company's shares are publicly traded as NTT DATA (TSE:9613).
Challenge
The business challenge for the organization’s security was managing multiple legacy security information and event management (SIEM) platforms left over from its commercial acquisitions. The legacy capabilities could not analyze all of the operational and security data, which had increased by orders of magnitude over the past five years and was growing rapidly.
Key Benefits
- Increased global security and compliance for businesses with behavioral analytics on unlimited amounts of security data.
- Increased visibility into business risks and a proactive approach to addressing security issues.
- A global solution that supports unlimited data with a fixed-price model.
Results
The implementation that took place in early 2019 at the Japan headquarters is gradually being extended to North America, Europe, and Asia Pacific. With the migration, the company is decommissioning all legacy SIEMs.
To drive the change, the implementation teams helped accelerate the use of more than 50 use cases. Use cases are unique security scenarios where Exabeam SIEM is applied for detection, monitoring, and remediation.
Fifty use cases are an aggressive start for many SIEM deployments, but Exabeam makes the process easier by providing support models for more than 400 use cases.