Cyber Security

  • AI, Machine Learning and Cognitive in CyberSecurity

    STAY TUNED .. coming soon

  • Articles

    Articles - this section includes all my written articles from 1998 to the present, covering Open Source, Cyber Security, Business, Technical topics, Courses and Certifications :)

    I have thousands of text files that include everything I learnt. I usually write down all the stuff that I do, from a small tip, a specific experience or a quick study to my professional work experiences and learnings, and I am sharing all of those articles here. I hope that stuff is useful to other people instead of just being locked in my desk.

    You can contribute to this section and your contribution is highly welcomed and appreciated. Just pick a topic, write it in the way you prefer, send it and let's share it under your name. Although all my writings in this section are in English, I am going to add Arabic content to enrich the Arabic content on the internet when it comes to Cyber Security, so there is no specific language for this section: you can write in العربية, English, Frankoarab or any mix of them. Simply write in the language you prefer and express your writing in the best way.

    All content in this section is published under a Creative Commons License. The main categories in this section are as follows; please click on a category link below to list all articles in that category, or use the side/main menu to navigate.

  • ATT&CK MITRE Best Practices

    COMING SOON .. 

  • Cyber Security Articles

    This section includes all my written articles about Cyber Security from 1998 to the present; this is where my key expertise, technical and commercial, lies.

    I have done thousands of engagements, technical and business-wise, when it comes to Cyber Security, involving all stages of work: technical, presales, sales, business development, technology comparisons, deployments, project management and support. I also have thousands of text files that include everything I learnt. I usually write down all the stuff that I do, from a small tip, a specific experience or a quick study to my professional work experiences and learnings, and I am sharing all of those articles here. I hope that stuff is useful to other people instead of just being locked in my desk.


  • NTA and NDR: What's the difference? How do they work?

    STAY TUNED .. COMING SOON .. 

  • The Evolution of SOAR - The SOAR Bedtime Story

    Security Orchestration, Automation and Response is a hot topic indeed, as SOAR platforms have become a fundamental part of any security operations center today for incident response, automation and orchestration, allowing incident response teams to act faster and smarter.

    In this article we will focus on what SOAR is, what the value behind it is and how to implement it in your operation. It is the first in a series of articles about SOAR, its evolution, best practices for SOAR, and who would really be using SOAR and gaining benefit from having it in their operations.

    Back in 2017, when SOAR technologies started to gain great momentum and Gartner released its first market review for SOAR technologies, it was indeed a very special time, not only because of the great value orchestration and automation can bring to enterprises and MSSPs, but also due to the initial confusion it created in the market at that time :)

    Gartner's guidelines introduced SOAR as SIRP + SOA + TIP, and it was really interesting because of the confusion among organizations and even vendors at that time .. I can't help linking the games and cartoons of my 4-year-old kid, Adam, to what was happening: it was like the popular toddlers' question game for discovering new stuff, and the game this time is WHAT's SOAR? :)) 

    IS IT an Automation Workflow?! Adam screaming .. NOOO

    IS IT Ticketing System? NOOOO

    IS IT Threat Intelligence Platform? NOOO

    IS IT SIRP?? NOOOO

    IS IT all of that?? MAYBE .. MAYBE NOT :)) - Adam answers with frustration and starts to get bored of the interesting game and the value behind it. 

    It was that interesting because everyone was trying to align with Gartner's report, as it drives discussions with enterprises and business, and simply most of the vendors started to position themselves as SOAR marketing-wise (as usually happens) regardless of what they actually do and which category of products they fall into.

    So, let's discover the YES answer to the above questions together :) and to understand what SOAR really is, let's look first at the evolution of SOAR .. 

    Back in 2010, when an analyst faced a case, he used to depend on some Excel sheets of best practices and his own skills; if he didn't get his coffee in the morning or wasn't feeling well that day .. you could not predict the outcome for sure. :)

    As a result, there was a need for a ticketing system so the analyst could organize his work and his interaction with the other teams across the organization .. hence corporate ticketing systems started to be used in security operations centers .. 

    Then the enterprises and the market quickly realized that, because of the sensitive and confidential information that is part of security incidents, they could not depend on the corporate ticketing system and had to have their own ticketing system in the security operations center. Still, they needed to link and integrate the two systems (the corporate ticketing system and the security ticketing system) for assigning tasks and managing interactions with other teams in the organization .. 

    Then .. again the market realized that ticketing systems are not purpose-built for security! They lack many security features and functionalities needed in day-to-day operations .. 

    So by 2013, the first Security Incident Response Platform was created -- GUESS WHICH VENDOR ;) -- and basically it was a ticketing system with the security features and functionalities needed, like NIST and SANS playbooks included, use of threat intelligence, incident visualization, automatic assignment, SLA management, etc.

    and the market was like -- YESSS we got it .. we have the tasks and step-by-step guidance for each incident according to its type .. SO LET's DO IT .. LET's AUTOMATE IT :)

    and great hype about AUTOMATION started to kick in .. BUT with a BIG FAILURE ..

    Want to know why? That's what we are going to go through in the next part of this article ;) STAY TUNED ..

  • The SOAR Bedtime Story - Part 2

    In the first part of the SOAR Bedtime Story, we briefly covered the initial evolution of SOAR: starting with depending on the analyst's skills and some best practices to do IR; then, over time, the use of the corporate ticketing system for consistency and collaboration; then a dedicated ticketing system for the security operations center, integrated with the corporate ticketing system, for more confidentiality and better handling of the sensitive information that is part of cyber incidents; until finally a security-specific ticketing and case management system, the Security Incident Response Platform (SIRP), which comes with built-in security features like NIST and SANS best practices, access control, threat intelligence, etc., and still integrates with corporate ticketing for collaboration, assignments, tracking, etc.

    At that stage, the market finally had step-by-step guidance within the SIRP system for each incident type, and big momentum and excitement started around automating those tasks with automation tools and workflows, to close the skilled-resources gap and to respond faster .. 

    As a result, enterprises started to adopt automation proactively, BUT that momentum, excitement and proactivity ended up in a big FAILURE because of the many challenges faced when it comes to automation in real enterprise production environments. These start with enterprise processes and operations that won't really allow automating more than 20-30% of the operation and its processes; then system owners outside security who won't trust the security team with privileged accounts stored in an automation tool it controls; and finally the business risk it introduces: automating the isolation of an infected workstation would be okay, but what if the automation tool automatically isolated a business-critical application due to an infection? In such a case the automation tool would be the actual stopper for the business!

    So the market quickly evolved again, to a bigger concept, which is Orchestration, and unfortunately to date many don't know the actual definition and role of Orchestration in incident response and what it actually does! 

    Briefly, Orchestration is the bigger concept of which Automation is a part; it acts as the connective tissue for your security technologies, people and processes, and covers three specific tasks:

    1. Automating the work with 3rd party technologies through integration use cases. Automation here becomes human-centric automation: the orchestration tool still automates everything possible for the analyst, but the one who makes the final decision is the one who understands the business context and associated risks, which is the analyst.
    2. Integrating with the enterprise processes and orchestrating them, like business, legal, HR, etc.
    3. Working with internal and external stakeholders and orchestrating the work with them without even giving them access to any system.

    And Orchestration became the real trend and the real momentum, as the focus is no longer the automation workflow that automates 3rd party technologies for bits and pieces; the focus becomes how to orchestrate people, processes and technologies to serve the enterprise purpose of acting faster and smarter on incident response and focusing on what really matters.
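    To make the difference concrete, here is a small added illustration in Python (not code from the article or from any SOAR product) of the failure mode above and of human-centric automation: a blind workflow isolates every host with an indicator match, including a business-critical server, while the orchestrated version automates enrichment, auto-isolates only low-impact assets and hands business-critical cases to the analyst for the final decision. The asset inventory, threat-intel feed and hostnames are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed asset inventory (stand-in for a CMDB): hostname -> business criticality
ASSET_CRITICALITY = {"ws-0042": "low", "erp-db-01": "critical", "ws-0077": "low"}

# Constructed threat-intel feed: hostname -> indicators it was seen contacting
TI_FEED = {"ws-0042": ["c2.bad-domain.example"], "erp-db-01": ["c2.bad-domain.example"]}


@dataclass
class Case:
    host: str
    ioc_hits: int = 0                       # result of the automated enrichment step
    actions: list = field(default_factory=list)
    pending_approval: bool = False


def enrich(case, ti_feed):
    """Automated step: count indicator matches for the host in the TI feed."""
    case.ioc_hits = len(ti_feed.get(case.host, []))
    case.actions.append("enriched")
    return case


def blind_automation(alert_host, ti_feed=TI_FEED):
    """Pre-orchestration workflow: enrich, then isolate unconditionally."""
    case = enrich(Case(alert_host), ti_feed)
    case.actions.append("isolated")        # also cuts off business-critical servers
    return case


def orchestrated_response(alert_host, ti_feed=TI_FEED, criticality=ASSET_CRITICALITY):
    """Human-centric automation: isolation is automatic only for low-impact assets;
    business-critical (or unknown) assets wait for an analyst decision."""
    case = enrich(Case(alert_host), ti_feed)
    if case.ioc_hits == 0:
        case.actions.append("closed_false_positive")
        return case
    # Unknown hosts default to "critical": fail safe rather than auto-isolate blindly
    if criticality.get(case.host, "critical") == "critical":
        case.pending_approval = True
        case.actions.append("awaiting_analyst")
        return case
    case.actions.append("isolated")
    return case


def analyst_decision(case, approve):
    """The analyst, who knows the business context, closes the pending decision."""
    if not case.pending_approval:
        raise ValueError("no decision pending for this case")
    case.pending_approval = False
    case.actions.append("isolated" if approve else "isolation_declined")
    return case
```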

    I would quote one of the analysts in a keynote address in which he said SIEM is the heart of your SOC and Orchestration is the brain in the SOC. 

    So at that time, in 2017, Gartner released the first Technology Review report for Security Orchestration, Automation and Response (SOAR) technologies, which summed up the evolution in that area and highlighted that SOAR is SIRP + SOA (Automation Workflows) + TIP: the report that confused Adam :) — know the full story here — before confusing the market and the vendors. However, many didn't pick up the clear statement that "Some vendors use the terms 'automation' and 'orchestration' interchangeably as synonyms, although they are not the same concept. Automation is a subset of orchestration."

    To break down the SOAR capabilities, understand how to get the best value out of SOAR and build the BRAIN in your security operations, the focus must be on having the following:

    1. Security Case Management (SIRP) with OOTB best practices from NIST, SANS and US-CERT for step-by-step guidance for each incident type, with automatic assignment and automatic SLA management.
    2. Automation Workflows that facilitate the automation use cases through integrations with 3rd party technologies for response actions and/or investigation and analysis queries.
    3. Threat intelligence at a central level, to automatically enrich both the detection phase and the response phase during the work on the incident.
    4. Simulations and Drills, to be able to train teams, run blue, purple and red team drills, do pre-audits and improve processes.
    5. Consideration of the regulations, standards and laws around IR, to help you meet or prepare for them and avoid many associated business risks (like GDPR or PCI DSS compliance, etc.).
    6. And finally the Orchestration itself, as it is the connective tissue for all of the above: it simply links all of the above into one consistent, repeatable, auditable and automated process for each incident type, regardless of how simple or complex the process is.

    So, to recap: Automation is really important, as it helps with many challenges in cyber security and beyond, but it is just one piece of the puzzle, a single part of the brain. For small and medium organizations it would make sense to run automation to help with those bits and pieces, but for many organizations, like enterprises and of course small and medium organizations too, it is really crucial to focus on automating the process itself through Orchestration: having that simple or complex, consistent process based on the above capabilities, with automation as part of it as per your needs, to allow IR teams to act faster and smarter .. 

    OK, so how can we implement SOAR in the most effective way to get the BRAIN functioning in security operations? 

    Do SOAR technologies facilitate the above and come with OOTB functionalities and features for easy and smooth deployment?

    How long would it take to gain value from a SOAR / Brain implementation? 

    All of that will be the topic of the next article, on best practices for implementing SOAR and having the brain in your security departments and operations regardless of your organization's size .. STAY tuned .. that's coming shortly ;)

  • The SOC Visibility Triad

    Coming SOON ..