How to Automate Your Cybersecurity Initiatives Using SOAR
This Modern SOC Summit session is with Dario Forte and Andrea Fumagalli, who will take you through the automation and orchestration of SOAR. Dario is the VP and GM of Security and Orchestration at Sumo Logic. Andrea is the VP of Engineering at Sumo Logic. Today, they discuss why they expect Sumo Logic Cloud SOAR to be a leading platform and show how the platform works, including the Open Integration Framework.
Andrea Fumagalli, VP Engineering at Sumo Logic
Dario Forte, VP and GM Security Orchestration at Sumo Logic
Dario: Hello everybody. It's a very important moment for us today. And we're going to show you where the new journey for security automation and orchestration is going as DFLabs has been acquired by Sumo, just in May 2021. And we are very excited to present you the way that we interpreted the SOAR, the automation, the orchestration, and the way the SOAR we think is going to be in the near future to serve clients and modernize their security operations. My name is Dario Forte, and of course I'm the former CEO and founder of DFLabs acquired by Sumo just a couple of weeks ago. And I'm currently serving Sumo Logic as a VP/GM of orchestration and automation. And I'm very happy to be here also with my colleague and my friend, Andrea Fumagalli, the Senior Director of Orchestration and Automation at Sumo Logic. And together we are going to present a series of interesting topics that are around SOAR. We'll present what a SOAR is, why Cloud SOAR in this case is the name of the product within Sumo Logic. Andrea then will do a brief product demo with some examples. And of course we will be more than happy to leave our contact information after the webinar in order to be contacted by you guys and answer all your questions that I'm personally more than sure will come out after this presentation today. Some words about DFLabs acquired by Sumo Logic as a SOAR pioneer. It's a company that we founded in 2004. At that time we started and we worked very hard as an incident response and breach investigation company. And then we capitalized our know-how into technology, building a product in our R&D facility, in Milano, Europe, and then growing fast internationally also with the help of one venture capitalist fund. And in very few years, we became the SOAR vendor, the independent SOAR vendor with the highest number of patents. The team has over 50 scientific contributions.
Personally, I had the honor to be part of the international standard organization and co-editor of Triage and standards for incident response and security operations. We also work with IETF, OASIS. So we have been always very much involved in the scientific and technical community. And along that we reached a very good number of customers over the world. 60% of them are Fortune 500 and Global 2000. And we also are very proud and honored to serve several government agencies, including the United States and the [inaudible] region. As I said, we have been acquired by Sumo Logic in May 2021, and we are very happy to be here and to contribute to the next journey with Sumo on modernizing security operations. So SOAR as an acronym has been in the market for a while, still a lot of customers haven't approached a SOAR project yet. Some customers instead reach the maturity curve quicker than somebody else. And they are now looking for the second part of the journey and at the same time [inaudible] are currently investigating and trying to understand what SOAR is about. And how SOAR can actually interact with SIEM within a security operation ecosystem. We think, and we've proven in the past years with very complex and large projects, both with end users and MSSPs that SOAR stats were [inaudible] sits on top of the SIEM and actually handles the last mile after the SIEM alert. It looks easy, but it is a simple concept that may underline some complex task before, but we demonstrated that the way that a SOAR should work is actually integrating a SIEM in order to provide the [inaudible]. In the way that currently SOAR could help SIEM users is that basically, if you look at the slide, SIEM may generate a pretty substantial number of alerts. And then in, let's say in the old-fashioned way, analysts had to manually analyze a single or group of alerts in order to escalate and then making sure you respond. That basically created the two categories of problem.
The first one is definitely the number of false positives and excessive workload to security analysts that were demanded to handle [inaudible] alerts manually. And the second is the reaction time to handle those alerts in, let's say again in the old-fashioned way, that now is becoming unsustainable, both for workload versus time versus exposure in terms of compliance and so forth. So it's unavailable that those alerts, this critical mass of alerts need to be refined because only few alerts matter. There is still a very high number of tools, alerts and processes before and/or below the SIEM. And now the only way to handle this very excessive number of alerts is applying automation to perform basically four categories of tasks. The triage, the enrichment, the notification, and the containment. The triage is basically the first part of according to many statistics all over the world, both in the commercial and in the scientific world, it's probably the more time-consuming category of tasks when it comes into SecOps and incident response. Yeah, enrichment is very crucial and it may be part of the triage, or it may be something lateral to the triage itself, depending on the company organization and the enrichment may or may not be, as I said, part of the triage. It can be also eventually part of the [inaudible] program. So that's why you see out of the triage context, but still chained with it. The notification it's very important because it involves management decision at any level, at every level, sorry, it involves also the interaction with the compliance related process because the right notification made in the right time with the right speed is definitely a proof of due diligence that comes out 100 percent of the cases during a data breach investigation or post data breach investigation. For example, when internal or external regulator comes into the company and make investigation about who did what and how in order [inaudible] but not least is the containment sites.
So those sparks are chained to each other. They can be independent, they can be also dependent. And that's why automation is actually the other SOAR, working on helping customers to take care of the entire process. So why DFLabs now Sumo Logic SOAR can be something that can be useful for customers. And again, also MSSPs. I prepared a list of six possible differentiators that I would like to underline today that I'm sure that you ladies and gentlemen will definitely get in depth with after the presentation. And personally with Andrea would be more than happy to go a little bit more technical, but possibly those are points that can be interesting for you in order to take an initial overview of why we think Sumo Logic Cloud SOAR is going to be the leading platform for the SOAR space. The first point is definitely the open integration framework. We strongly believe in being open. The more third-party we integrate, the more the customer can have Sumo Logic Cloud SOAR as a part of their ecosystem. And they can connect their existing ecosystem with our SOAR in a very open and fast way the more we can get concrete results. The characteristic of this open integration framework is that basically it allows basically everybody to get access to the platform to build their own integration in a very quick turnaround with almost no coding required and without needing the vendor intervention per se, less is necessary for time or a professional service needs. Again, everybody can get access to the platform then can get access to the community. They can definitely work with the open integration framework and build their own integration very quickly. That was a big debate when we were still DFLabs about opening or not opening the integration framework to the rest of the world. And we have Italian origins. So Italians are very animated and acting kind of discussion with hands that go back and forth. And it was a pretty tough period that was before the decision.
But then at the end, we decided to go open and open our integration framework to the rest of the world and think about it. Before opening the OIF to the rest of the world, we had only 60 integrations available in the software. When we released the OIF, we jumped into 200 plus in just probably less than six months. So that just to give you an overview of how having an open integration framework and that community, that every customer and partner get access to how much that could be important in order to have an active and a fruitful SOAR implementation in your environment. There is a community where customers and the partners can get access to that is the possibility to [inaudible] the integration that have been built. Andrea will give you a little bit more technical details about it. But again, that is definitely one probably the first point that we think is going to differentiate us from the rest of the folks in the SOAR space. The second point is definitely the stronger automation engine and the case management capability that we have. Let's start from the latter. Case management for us, it's a midway between a strength point and a [inaudible] because we started as a case management a long time ago when we decided to move into technology, if you just Google DFLabs and IETF, and then IRF, you will probably find one of the first IRF implementation from a case management perspective with the Internet Engineering Task Force. So we have a stronger case management [inaudible]. We strongly believe that having a real case management then we port into the automation engine can definitely make a difference. And the reasons are basically two, first case management is important in order to keep standard operating procedures effective within the company process and second, last but not least the importance of providing evidentiary support for incident response and security operation processes that sooner or later should an incident happen somebody will ask about.
We also have a very strong automation engine that can produce playbooks in a very complete way. Playbooks can be built visually with almost no coding. I will say really very little coding. And by the way, we have a library of pre-built playbooks that are available for customers and partners that they can customize or play with or eventually just use it for quick turnaround. The playbooks can be linear, can be simple, can be single, or they can be complex, parallel, and chained. The engine is very powerful, I think, and still it is progressive because the engine itself is the possibility to go from totally fully automated mode down to semi-automated mode, which is very useful for companies that want to still keep humans in the loop, because we strongly believe that a SOAR must still help SOC analysts to be effective in that process. We don't believe in human replacement. We believe in human augmentation and force multiplication. And that's why we think that our SOAR at the moment is providing a very strong, SOC analyst centric standpoint. And from the beginning to the end to the process, and depending also on the level of analysts that is involved, it can be easily configured. And of course it can be very simple or very sophisticated. Another differentiation point is the triage machine learning and what we call the supervised active intelligence. This is a very interesting differentiation. If you look at other SOAR they also perform triage, of course, but the majority, I will say the oldest SOARs that are out on the market except DFLabs they have a one to one ratio between the number of alerts and the number of incidents that are opened in order to start [inaudible] be devoted to perform it triage action or chain of action.
What is the result if we go that path is that basically at the end of the day, even if an incident is closed after 20 seconds, because it's a false positive, at the end of the day there will be still a very high number of incidents into the incident repository and then in the incident report, which is usually interpreted, especially in very highly regulated market is interpreted as a red flag in case of audit. We take it from another way around. We open incidents only when those incidents reflect the series of peculiarities that are previously established as requirements. And we do it because we have a triage function that actually creates a funnel. Whereas in the top there are the excessive degree to the big number of alerts. Then the more the triage actions are performed, the more are distilled into a restricted number of incidents that are actually the incidents that need to be investigated. So again, that reduced the number of false positives. With the help of machine learning, we can duplicate, we can group, we can create a series of actions that can be eventually contextualized and/or recommended without opening any incidents, unless the customer decides otherwise. That is really innovative. And is really different if we compare DFLabs with the other SOARs in the market. Dashboards are very highly customizable. The KPIs are customizable as well. And we strongly believe in the fact that the dashboard customizations is important, both in the control room and at management level. We have over I think 170 different KPIs that can be customized in different ways. Of course, we provide prebuilt dashboards for folks that wouldn't start over immediately, but at the same time, the customizability of the dashboard level is very high and can be integrated with our internal incident report system that again is very powerful and customizable, but at the same time, it can provide also integration with other reporting systems.
Reporting in security operation in incident response, for example, because of according to what is written in the NIST SP 800 related documents, or even in ISO 27035-1, 2 or 3. Incident reporting is very important and it is going to be even more important when it comes into investigation that are related to data breach, that [inaudible] notified to the regulation authority of the country where the persons or the users or the [inaudible] working. For DFLabs, the customization of dashboards and reports is very important because they also need to be effective in order to provide evidentiary support to customers. And again, to MSSPs. We serve both customers and MSSPs where customers can be a single or a multi-tenant where MSSP can service [inaudible] customer or multicustomer. Because at the end of the day, we discovered in the last three years that MSSP had the same type of problem that customers have multiplied for the number of customers that they serve and multiply the number of analysts that they don't test. So automation and SOAR are very important for MSSP as well [inaudible] because there is a very high number of MSSPs that are now serving to beat the market where the scalability and the automation are definitely one of the major point of decision. So far, we have spoken about the strategy, the vision, and we are introducing you on the next steps in the security journey with Sumo. Now it's the time to go a little bit more practical. So it's my pleasure to introduce you to Andrea. We'll give you a practical overview about how Cloud SOAR works, and don't forget, we have plenty of resources that are going to be published on our website, so stay tuned. Andrea.
Andrea: Thank you very much, Dario. Here we go. So let's try to understand first of all how it works in terms of automating maybe some use cases. So, first of all, this is our best practice that we developed over the years. It all starts from analyzing standard operating procedures, identifying what are the technologies that are required by them. And from here, we identify what are the actions to be implemented in playbooks and playbooks are a graphical representation of the workflow for the incident management. Then it's fundamental to define the KPIs and the reporting for monitoring the SOC performances and the specific metrics, which are relevant to let's say, understand how it's going with the different incidents. And last but not least, of course, we realized that it's fundamental to change the let's say analysts' standpoint, providing them advanced training for learning how to work with a SOAR, which is slightly different from the typical manual tasks. Of course, the overall goal is to reduce the reaction time, which is a fundamental goal. And of course, we love the flexibility that we can implement with our tool for refining and amending the different playbooks in future and adapt it to the increase the maybe policies and change policies. Here, you can see what a playbook looks like. It's a graphical representation of the workflow. There are different types of actions. Each one is identified by category and a color code. We have operators and those operators are fundamental to evaluate results of the different actions and initiate additional actions as reaction. Now let's jump into the real platform and let's try to understand what the OIF, open integration framework, looks like. As it was mentioned by Dario, it's a combination of multiple different connectors. We have more than 200. And of course, for each one, we have specific actions that have been developed. Here, of course, we have also connectors with Sumo Logic, CIP and CSE.
CSE is typically one of the platforms that we integrate with for trapping all the different alerts signals, and so on. We have here a series of actions that we developed, and you can see there the different, let's say colors representing the categories. We can create daemons that are pieces of code running at regular intervals. And here you can see that the source code can be developed with four different languages: Perl, Python, PowerShell and shell scripting. All of them are all into YAML files. We integrate an IDE environment for developing new actions, amending existing actions. And for, of course, testing, saving and testing those actions directly from here. This is to speed up the demos and facilitate as much as possible in implementing new logic inside the playbooks. From here, we can also configure the resource that we want to reach. We can test it. And of course, the benefit is that all the source code is in clear text, can be edited any time, can be easily modified, and those actions can be used for let's say, creating the required playbooks. As anticipated by Dario, we can create linear playbooks, very easy ones. We can create more sophisticated playbooks, maybe including operators to evaluate automatically conditions returned by the previous executed actions or asking the user for providing an input. This is what we call the user choice. Of course, with the different playbooks you can represent the different type of let's say processes. And of course, playbooks can be composed by different type of actions as we anticipated. Now, what are the final conclusions? First of all, [inaudible] with the Sumo Logic SOAR with the concept of playbook implements actionable incident response plans. This is achieved defining easily playbooks, which are composed using the different blocks that are part of the different OIF integrations, different connectors.
The analyst requires additional training for understanding how to work with the SOAR and their skills will change from let's say, performing manual tasks to applying something like governance on the activities which are executed by the playbooks for interpreting the results and taking decisions. So another important objective is to free up time for the analyst to be more focused on taking decisions instead of executing repetitive mundane tasks. And finally, the concept of progressive automation. Progressive automation means the ability to decide to add new automation steps on existing workflows, implementing new steps automatically that were previously executed by analysts manually. So the more you build your confidence with automation, the easier it is to implement those new actions. Thank you very much for attending this presentation and we are available for, of course, providing demo as anticipated by Dario. We will publish a series of resources. So guys stay tuned. Thank you very much.