SOAR meaning: A quick point

In this case, you should integrate Splunk SOAR with User Behaviour Analytics (UBA) to detect deviations from the baseline. UBA works with unsupervised machine learning and builds profiles of entities on the network. Today’s attacks are distributed, and multiple entities are used to stage an attack.

An anomaly is sent once there is a significant deviation from normal entity behavior. Of course, an anomaly does not necessarily mean a threat. However, the anomaly can be combined with other network and infrastructure aspects to determine if a bad actor exists. So, for example, we would look at the time of day, frequency, or any other usual activity, such as privilege escalation techniques.

• Lack of Speed

Without integrated security tools with security automation and a lack of automated and orchestration processes. The manual response slows MTTR and increases the possibility of a successful threat. Bad actors can breach and exfiltrate data when the mean time to detect (MTTD) is too long.

So, the manual approach to detecting, triaging, and responding to threats must be faster. For example, ransomware is quick; the game is over once the binaries are executed. It would help if you focused your efforts on the detection phase of the kill chain and caught any lateral movements, even when they pivot to valuable assets.

• The Need for Security Automation

To address this challenge, you need a security solution that integrates its existing security products to reduce the response and remediation gap. In addition, these automation and orchestration events must be carried out across all its security vendors to consolidate response and remediation.

For secure automation, a unified and standard response to security can be made using pre-approved policies, consistently configuring resources according to pre-approved guidelines, and proactively maintaining them in a repeatable fashion.

Level of Automation Maturity

• Security-focused content collection

This provides a faster, more efficient, and streamlined way to automate the identification, triage, and response processes to security events. In addition, we can use security-focused content. In the case of Red Hat Tower, this comes in the form of collections of roles and modules dedicated to security teams.

Splunk SOAR also has secure-focused applications and content ready to use in the Splunk database. The pre-approved policies and playbooks of Ansible Tower and Splunk SOAR will reduce the chances of misconfiguration and speed up all aspects of security investigation.

• Secure Automation and Orchestration

When a few waves of Malware, Phishing, Ransomware, and under-the-radar attacks target you, automation and orchestration are the only ways to combat this. Security automation does most of the work, so you no longer have to weed through and manually address every alert as it comes in or process every security action or task.

For example, the level of automation you want to adopt depends on the maturity level of the automation you already have in our environments. If you are new to automation, you can have SOAR or Tower playbooks send an alert for further investigation. So, you can start with a semi-automated approach.

However, if you are further in your automation strategy, you can combine different playbooks to carry out coherent security detection and response. It’s easy to do this in SOAR with a playbook visualizer, and Ansible Tower has workflow templates that can be used with role-based access control.

**Red Hat Tower: How to Start**

In most organizations, we have IT operations and a security team. These teams have traditionally disjoint roles and responsibilities. The IT Operations are hardening systems, managing the infrastructure, and deploying and maintaining systems. The security operations team would track ongoing threats, perform intrusion detection/prevention, and perform firewall management activities.

A. Ansible has a common language.

With these two disjointed teams, we can use Ansible as the common automation language for everyone across your organization. Specifically, Red Hat Tower can be the common language between security tools and can be used for various security use cases that can bring the two teams together.

B. Red Hat Tower: Security Automation

Red Hat Tower can orchestrate security systems using a series of curated security collections of modules, roles, and playbooks to investigate and respond to threats using trusted content. This enables you to coordinate your enterprise security systems to perform several security duties, such as investigation enrichment, threat hunting, and incident response.

C. Pre-approved Playbooks

You can integrate Red Hat Tower with your security infrastructure here and have pre-approved playbooks ready to run upon threat detection. For example, a playbook can be automatically triggered by the results of a security scan. The following lists some of the use cases for Ansible Tower playbooks.

Security Automation Examples

1) Secure Automation: Security Patching

You could start with patching. Not patching your servers is one of the biggest causes of breaches. Automated patching boosts system security and stability, improving uptime. And this will be noticed straight away.

2) Secure Automation: System Hardening

Then, activities such as system hardening are something everyone can do for all systems. With automation, we can rapidly identify systems that require patches or reconfiguration. Then, applying patches or changing system settings consistently across many systems is easier according to defined baselines. For example, make changes to your SSH config.

Here, you can use automation to configure the SSH daemon and not allow authentication using an empty password. You can run these playbooks in check mode so those who don’t require full automation rights can run checks safely. Again, I would combine this with role-based access control.

3) Secure Automation: Network Configuration 

For network management, you can configure an ACL or filter to restrict ACL or filter management access to the device from only the management network. You can also use automation to lock down who has managed to access specific subnets.

4) Secure Automation: Firewall Integration

If an increase in incident management tickets is due to incorrect firewall rules causing an increase in change requests, aim to reduce the number of tickets or change requests through automation. For our Firewall integration, the role of automation can speed up policy and log configuration changes.

For example, we can add an allowlist entry in the firewall configuration to allow traffic from a particular machine to another.

We can automate a playbook that adds the source and destination IPs as variables. Then, when a source and destination object are defined, the actual access rule between those is defined.

5) Secure Automation: Intrusion Detection and Prevention Systems

Tower can simplify the rule and log management for your intrusion detection and prevention systems. Automation can be used to manage IDPS rules, and IDPS roles are offered. These roles can work with multiple IDPS providers, so the corresponding playbook needs to have a variable stating the actual IDPS provider. 

Once the role is imported, and this is the first step, the new IDPS rule is handed over via defined variables:

6) Secure Automation: Privileged Access Management (PAM) Tools

Ansible Tower can streamline the rotation and management of privileged credentials to automate the prevention. So we can streamline credential management, which is hard to do manually. 

7) Secure Automation: Endpoint Protection

Automation can simplify everyday endpoint management tasks, integrate into Endpoint Protection, and provide event-driven detection, quarantining, and remediation. 

Advanced Red Hat Tower Features

Job Templates vs. Workflow Template

When creating a job template, we choose a job or workflow template. We choose the job template to develop simple employment out of it. However, creating more complex jobs composed of multiple job templates, with flow control features between one position and the next, is possible with a workflow template. This workflow template can also be integrated into your CI/CD pipelines and Jenkins.

Security Benefits

This makes it easier to have playbooks that are job templates from different teams. This is used in large environments, so multiple job templates are connected. Then, complex interactions between jobs can be defined in a workflow before the next job starts, depending on the previous position. Any inventory and any credentials can be used. So, it brings a lot of flexibility to automation.

In its multi-playbook workflows, the user can create pipelines of playbooks to be executed in sequence on any inventory using one or more users’ credentials. Security teams can configure a series of jobs that share inventory, playbooks, or permissions to fully automate investigations or remediations, bringing many consistency and security benefits.

Ansible Tower and Scheduling:

With Ansible Tower, we have Templates with the Launch feature; think of this as an ad hoc way to run Ansible for one of the tasks. However, if you are using Tower, you should use Schedules to control your automation better. For example, you may have a maintenance window when you apply changes. Here, we can set the times and frequency of playbook runs.

Scheduling this playbook in Tower will automatically refresh systems significantly out of spec. This includes calling back into Tower to apply our basic configuration once new instances are spun up with the provisioning callback feature. I find this useful for dynamic cloud environments.

GitHub for Playbooks

GitHub is all about version control, so multiple people can work on different types of code and review and merge changes. It’s also about managing change in your other environments. When Red Hat Tower runs the playbooks, it checks the URL specified in your playbooks, and here, we can have multiple options that can enhance your GitHub integrations, such as webhooks and personal access tokens.

Benefits: Removes Inconsistency of Playbooks

This is an important feature to enable as if you don’t have it checked; there is the possibility that someone notices a problem in a playbook and fixes it, then they run the playbook feeling sure that they are running the latest version.

Someone must remember to run the synchronization task before running the playbook, effectively running the older version.

Therefore, when using this option, we are removing the inconsistency of playbooks. So, increasing your security posture is very important. A lot of security breaches first start with a simple misconfiguration.

SOAR for Automation: SOAR Meaning

• Splunk SOAR Meaning

Splunk SOAR drives accuracy and consistency in the incident response process. With SOAR, workflows can be orchestrated via integrations with other technologies and automated to achieve desired outcomes. Utilizing automation with Splunk SOAR can dramatically reduce the time to investigate malware alerts, driving accuracy and consistency across its incident response processes.

• SOAR and Phantom

SOAR is the rebranding of Phantom but has multi-deployment options. Phantom was just on-premise, but now we have both on-premise and on-cloud delivery.  Consider SOAR as a layer of connective tissue for all security operations.

Decision-making and action need to be automated. SOAR can turn proceeds into playbooks, allowing us to create complex security operation workflows.

We have an extensive collection of security-focused SOAR applications that interact with the API of existing security and network infrastructure, such as your Firewalls, to support activities such as containment and recovery. We’ll talk about these in a moment.

• Automation Broker

We have an Automation Broker, a modified version of Splunk SOAR with reduced features. It’s a reverse proxy for automation actions. The Automation Broker is a Docker container that uses an encrypted outbound connection from Splunk Cloud SOAR to the customer premises. As the communication is set outbound on the firewalls, it would help to open inbound ports to the perimeter firewall.

Security-Focused Playbooks

**SOAR Meaning: Security-Focused Playbooks**

Instead of manually going into other security tools and injecting data, enriching logs, and carrying out actions such as blocking or manual analysis intervention, SOAR playbooks can be used. You can have several security-focused playbooks that automatically carry out the tasks. The SOAR playbook can automate many repetitive duties. For example, you no longer have to respond manually to repetitive incidents. For example, you can have Splunk SOAR respond to malicious emails with playbooks. 

**Actions based on the Playbooks**

Then, we could have a list of actions based on playbook results. This could include additional investigation tasks or notifying users. Finally, when you want to push the boundaries of automation, we could take several steps to isolate or quarantine hosts, depending on the results of the previous playbooks. These steps would be integrated with multi-factor authentication to ensure the action is appropriately authorized. 

Splunkbase with Security-related Apps

Additionally, Splunkbase offers over 800 other security-related apps with pre-built searches, reports, and visualizations for specific third-party security vendors. These ready-to-use apps and add-ons help monitor security, a next-generation firewall, and advanced threat management capabilities. You can even build your custom application, from monitoring and Observability to improving safety.

**SOAR Meaning: SOAR Apps**

You are using many tools from many vendors, and when you respond, each one performs a different event and function. Splunk integrates with all devices with API, and SOAR can directly integrate all tools to act in a specific sequence.

So it can coordinate all security actions. With SOAR, you don’t get rid of your existing tools; instead, SOAR can sit between them and abstract a lot of complexity.

Think of Splunk as the conductor that supports over 350 apps. It has tools to build apps; you can create your own if it has an API. In addition, it can perform over 2000 actions. SOAR apps are Python modules that collect events from anything, such as SIEM, then normalize the information and make it available to playbooks.

**SOAR Meaning: Example: SOAR playbooks**

We have a network-based sandbox to detect malware that can enter via email. An Alert is received from SIEM, sent to SOAR, and triggers a playbook. SOAR communicates back to SIEM to query Active Directory to identify who is there and which department, and based on that, SOAR can query Carbon Black to see how the threat lives.

Finally, the SOAR can notify an analyst to manually intervene and double-check the results. This could take 30 mins by hand, but SOAR can do it in 30 seconds. 

Let’s look at another SOAR playbook in action. A Splunk SOAR playbook is triggered when an email malware alert is received. Due to the lack of context in these alerts, Splunk SOAR’s first order within the playbook is to query the security information and event management (SIEM) solution for all recipients, then Active Directory to collect context from all affected users’ profiles, business groups, titles, and locations.

A key point: SOAR means with workbooks and phases

Another name for a playbook is the SOAR workbook. Each workbook can have several phases, each with tasks to carry out our security actions. In this scenario, one phase and several playbooks will be in a single step. Some playbooks can be triggered automatically, and some are invoked manually.

Then, some are being gathered manually but will have prompts for additional information. These tasks will be semi-automatic because they can automatically import data for you and enrich events. Furthermore, they can import this data and enhance events from several platforms. 

Prevent Lateral Movements

A **Splunk and Lateral Movements**

You can have playbooks to hunt for lateral movements. There are many ways to move laterally in active directory networks. For example, Psexec is a sysadmin tool that allows admins to connect to other machines and perform admin tasks remotely. However, what if psexec is used to gain a remote shell or execute a PowerShell cradle on a remote device? When looking for lateral movement, we identify processes connecting remotely to a host.

B **Lateral Movement Activity**

To start a threat investigation, we could have a playbook to conduct an initial search for a known lateral movement activity. Windows security logs contain a wealth of information. The playbook can look for authentication events over the network from rare or unusual hosts or users.

C **Event Window Code**

For example, in a Windows event log, you would see a Windows event code for successful login, another log for a network connection, and another for privilege escalation events. Each event doesn’t mean much by itself but indicates a threat together. For example, here you can see that someone has used an admin account to connect over the network from a particular host and gained command-line access to a victim host.

D. Splunk SOAR’s visual playbook editor

Splunk SOAR comes with 100 pre-made playbooks, so you can start automating security tasks immediately and hunt for lateral movements. To simplify life, we have a Splunk SOAR visual playbook editor that makes creating, editing, implementing, and scaling automated playbooks easier to help your business eliminate security analyst grunt work.  

Popular Playbook Examples

• Splunk Intelligence Management (TruSTAR) Indicator Enrichment

Then, we have a Splunk Intelligence Management (TruSTAR) Indicator Enrichment. This playbook uses Splunk Intelligence Management normalized indicator enrichment, which is captured within the notes of a container. An analyst can view details and specify subsequent actions directly within a single Splunk SOAR prompt for a manual response.

• Crowdstrike Malware Triage

There is a Cowdstrike Malware Triage. This playbook walks through the steps performed automatically by Splunk SOAR to triage file hashes ingested from Crowdstrike and quarantine potentially infected devices.

• Finding and Disabling Inactive Users on AWS Splunk SOAR’s

Then, there are playbooks specific to cloud environments. Finding and Disabling Inactive Users on AWS Splunk SOAR’s orchestration, automation, response, collaboration, and case management capabilities are available from your mobile device.