Santa Clara, Calif., July 6, 2022 – We are pleased to announce that NSFOCUS has been listed as a Representative Vendor in the 2022 Gartner® Market Guide for Security Orchestration, Automation and Response Solutions for its product ISOP. ISOP offers flexible out-of-the-box capabilities, automated orchestration, and rich threat-intelligence operations and management, providing end-to-end security orchestration from threat detection and threat analysis through automated, collaborative closed-loop response, and it has accumulated a wealth of practical customer use cases.
As the market definition of SOAR, Gartner defines “SOAR as solutions that combine incident response, orchestration and automation, and threat intelligence platform management capabilities in a single solution. SOAR tools can be used for many security operations tasks, including: To document and implement processes. To support security incident management. To apply machine-based assistance to human security analysts and operators. To better operationalize the use of threat intelligence. Workflows can be orchestrated via integrations with other technologies, and automated to achieve desired outcomes — example use cases include: Incident triage. Incident response. Threat intelligence (TI) acquisition curation and management.”[1]
SOAR is the convergence of three technologies: security incident response platforms (SIRPs), security orchestration and automation (SOA), and threat intelligence platforms (TIPs). Further, Gartner states, “Large security teams looking to automate well-established processes remain the main buyers of pure-play SOAR solutions — using it for productivity, efficiency and consistency improvements. Many use cases supporting security operations beyond threat monitoring and detection, vulnerability management, threat intelligence, and incident response and threat hunting remain nascent.” The report adds, “Below are some strongly recommended requirements to consider when selecting a SOAR solution. SOAR solutions should:
- Support a wide range of security products across multiple existing point solution markets (for example, endpoint, firewalls, intrusion detection and prevention systems [IDPSs], SIEM, secure email gateways, SSE and vulnerability assessment technologies).
- Support the ability to do event correlation and aggregation for the purpose of improving security operations processes and alerting with better event enrichment. A key way to do this is through the implementation of low-code “playbooks,” which allow for the codification of processes where automation can be applied to improve consistency and time savings.
- Have the ability to be deployed either on-premises or as a cloud solution (like SaaS).
- Support the ingestion of a wide variety of sources and formats of threat intelligence from third-party sources, supporting open-source, industry and government (information sharing and analysis centers [ISACs] and computer emergency response teams [CERTs]) and commercial providers.
- Bidirectional integrations with IT operations solutions like ticketing systems for case management and collaboration tools, like messaging applications for better real-time communications.”
Key capabilities of NSFOCUS ISOP
NSFOCUS ISOP deeply integrates people, security technology and process through visual orchestration. Playbook scripts compose the security-event disposal workflow from steps run in series and in parallel, automatically triggering different security devices to execute response actions. A more comprehensive, end-to-end understanding of the incident context helps turn complex incident response processes and tasks into a consistent, repeatable, measurable and efficient workflow, transforming passive emergency response into automated continuous response.
ISOP ships out-of-the-box integrations for third-party data sources and devices, delivered iteratively and continuously, covering four categories: security detection, security defense, vulnerability assessment and security response. Nearly 100 kinds of devices and products can be integrated into the automated response and disposal process through standard interfaces. Under the platform-defined DevSecOps framework, device interfaces are defined as plug-ins, so out-of-the-box device integrations can be added while the platform is running.
In addition, enterprises can quickly create cases and their corresponding Playbooks through visual drag-and-drop arrangement. Different steps of security analysis often depend on one another, and security incident analysis provides the context for disposal in the same visual drag-and-drop view, so operators no longer switch between different pages as in traditional O&M, which reduces the complexity of handling security events. Once a case is created and enabled, subsequent events that match the case are handled automatically, cutting the cost of collaborative communication and process hand-offs between departments. A case helps an enterprise streamline the investigation and analysis of a set of related events: its steps and response actions are tracked and recorded, and the execution status (success or failure) of each process in the case is shown in the visual workflow, giving end-to-end visibility of the operational flow.
Where a Playbook has been solidified for a known threat, the SOAR engine automatically invokes that Playbook when the threat is sent to the SOAR platform. Following the processing flow and priority defined in the solidified Playbook, it carries out response processes such as global containment of the threat, cleaning of infected hosts and hardening of affected hosts.
Accumulated real-world use scenarios
SOAR can be used for rapid disposal during drills, for in-depth analysis in daily operations and maintenance, and for continuously solidifying human-machine collaboration experience, strengthening enterprise security management from several directions.

In red-blue confrontation exercises, defenders typically focus on the ability to block a large number of IP addresses in a short time. By integrating with network security devices, SOAR delivers blocking tasks to the security devices at every network outlet, blocking attacking IP addresses quickly and shortening the time an attacker has to move laterally and escalate privileges. As these O&M habits solidify, the defender keeps refining the blocking according to the attributes of each service system; for a service system that has no overseas users, the defender may block all overseas source IP addresses outright across the whole network.

During a security drill, attackers often use 0-day techniques for which security devices have no detection rules. Through a cloud-ground collaboration model, the cloud expert team draws on its attack-and-defense analysis expertise to analyze the attacker's methods, paths and characteristics as soon as they appear, and pushes the results to SOAR promptly.

In daily O&M, a threat event can be judged simply from the threat-intelligence reputation of its source IP, but SOAR requires a comprehensive judgment on how to dispose of the event, combining hazard level with attack frequency. For example, if the risk value of an attacking IP address is high and it launches more than 50 attacks within 30 minutes, SOAR can block it across the whole network.
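The daily-O&M rule described above (block an attacking IP across the network when its threat-intelligence risk is high and it launches more than 50 attacks within 30 minutes), shown as an added worked example in Python. This is illustrative code written for this page, not NSFOCUS ISOP code or its Playbook format; the alert lines, the threat-intelligence lookup and the device names are constructed assumptions, and only the two thresholds come from the text. It goes slightly beyond the sentence by using a sliding window, so a slow trickle of alerts that totals 50 over a longer period does not trigger a block, and by fanning the decision out to every enforcement point, as the blocking-at-every-outlet passage describes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # "within 30 minutes" (from the text)
THRESHOLD = 50                   # "more than 50 attacks" (from the text)

# Constructed threat-intelligence lookup (assumption; ISOP's real TI feed is
# not modelled here). Only a "high" risk level qualifies for auto-blocking.
THREAT_INTEL = {
    "198.51.100.7": "high",
    "198.51.100.8": "high",
    "203.0.113.9": "low",
}


def make_alerts(ip, start, count, spacing_s, sig="web-attack"):
    """Build constructed alert lines of the form '<ISO timestamp> <src_ip> <signature>'."""
    return [f"{(start + timedelta(seconds=i * spacing_s)).isoformat()} {ip} {sig}"
            for i in range(count)]


T0 = datetime(2022, 7, 6, 10, 0, 0)
# Constructed sample alert feed (not real data), three source IPs:
SAMPLE_ALERTS = (
    make_alerts("198.51.100.7", T0, 60, 20)     # high risk, burst: 60 hits in 20 min
    + make_alerts("198.51.100.8", T0, 60, 90)   # high risk, slow: 60 hits over 90 min
    + make_alerts("203.0.113.9", T0, 80, 5)     # low risk, burst: left to an analyst
)


def parse_alert(line):
    """Split one alert line into (timestamp, source_ip)."""
    ts, ip, _sig = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip


def triage(lines, ti=THREAT_INTEL, window=WINDOW, threshold=THRESHOLD):
    """Replay alerts in time order and return {ip: reason} for every source that
    meets the auto-block rule: TI risk 'high' AND more than `threshold` alerts
    inside a sliding `window`. Each IP is decided at most once."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    decisions = {}
    for ts, ip in sorted(map(parse_alert, lines)):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # evict hits that fell out of the window
            q.popleft()
        if ip in decisions:
            continue               # already blocked; do not re-issue the task
        if ti.get(ip) == "high" and len(q) > threshold:
            minutes = int(window.total_seconds()) // 60
            decisions[ip] = f"TI risk high, {len(q)} attacks within {minutes} min"
    return decisions


def block_tasks(decisions, devices):
    """Fan each block decision out to every enforcement point (the firewalls at
    each network outlet); a real playbook would then call each device's API."""
    return [{"device": d, "action": "block_src_ip", "ip": ip, "reason": reason}
            for ip, reason in decisions.items() for d in devices]


if __name__ == "__main__":
    found = triage(SAMPLE_ALERTS)
    # Device names are constructed assumptions.
    for task in block_tasks(found, ["fw-dc-edge", "fw-branch-1"]):
        print(task)
```

Only 198.51.100.7 is blocked: 198.51.100.8 never exceeds 50 hits inside any 30-minute window despite 60 hits in total, and 203.0.113.9 is noisy but has no high-risk reputation, so the rule leaves it to human judgment rather than auto-blocking on frequency alone.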
Looking ahead, SOAR can help security teams accelerate the standardization, automation and intelligence of their security processes. Building SOAR will not happen overnight; as security teams' need for automation in security operations keeps growing, the SOAR ecosystem will accelerate, and by continuously connecting the capabilities of different solutions it will substantially raise the efficiency and maturity of security operations.
[1] Gartner, “Market Guide for Security Orchestration, Automation and Response Solutions”, Craig Lawson, Al Price, 13 June 2022. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.