Created by John Tuckner and the staff at workflow and automation platform Tines, the SOC Automation Functionality Matrix (SOC ACM) is a set of strategies designed to assist safety operations groups perceive their automation capabilities and reply extra successfully to incidents.
A customizable, vendor-agnostic device that includes lists of automation alternatives, it has been shared and really useful by members of the safety neighborhood since its launch in January 2023, notably by Airbnb engineer Allyn Stott in his BSides and Black Hat discuss, How I Realized to Cease Worrying and Construct a Fashionable Detection & Response Program.
The SOC ACM has been in comparison with the MITRE ATT&CK and RE&CT frameworks, with one consumer saying, “it may very well be a normal for classification of SOAR automations, a bit just like the RE&CT framework, however with extra automation focus.” It has been utilized by organizations in Fintech, Cloud Safety, and past, as a foundation for assessing and optimizing their safety automation packages.
Right here, we’ll take a more in-depth take a look at how the SOC ACM works, and share how you need to use it in your group.
What’s the SOC Automation Functionality Matrix?
The SOC Automation Functionality Matrix is an interactive set of strategies that empower safety operations groups to reply proactively to widespread cybersecurity incidents.
It isn’t an inventory of particular use circumstances associated to anyone services or products, however a means to consider the capabilities a corporation may observe.
It provides a strong basis for freshmen to know what’s potential with safety automation. For extra superior packages, it serves as a supply of inspiration for future implementations, a device to gauge success, and a method to report outcomes.
Whereas the device is vendor-agnostic, it pairs properly with a platform like Tines, which was developed by safety practitioners to assist fellow safety practitioners automate their mission-critical processes.
How does the SOC Automation Functionality Matrix work?
The SOC ACM is cut up into classes that include automation capabilities.
Every functionality includes:
- Description – a short overview of what the aptitude is doing
- Strategies – technology-agnostic concepts for the best way to implement the aptitude
- Examples – related workflow templates from the Tines library
- References – different analysis contributing to the aptitude
The framework reads from left to proper and prime to backside inside classes. Whereas it’s minimally opinionated about which capabilities convey probably the most worth or are simpler to implement, the framework is adaptable to what organizations discover most beneficial.
Every functionality can stand alone within the matrix, however becoming a member of many capabilities collectively can produce many extra advanced and impactful outcomes.
The best way to use the SOC Automation Functionality Matrix
Subsequent, we’ll illustrate the best way to use the SOC ACM, taking phishing response as our instance. Many organizations make the most of a number of strategies to seek out and analyze suspicious messages to reply appropriately to malicious emails.
To begin, listed below are some processes a routine phishing investigation may embrace:
- Obtain a phishing electronic mail or alert
- Ship a notification to the safety staff for processing
- Create a ticket to trace and report the evaluation
- Assessment the weather of the e-mail, together with attachments, hyperlinks, and electronic mail message headers
- If suspicious, delete the e-mail and add options to blocklists
- Ship a notification to the recipient with a standing replace
Throughout the matrix functionality, Phishing Alerts seem within the Alert Dealing with part; it mentions that many organizations implement instruments like electronic mail safety gateways to forestall suspicious emails from being delivered to inboxes whereas additionally producing alerts of assault campaigns that may very well be automated.
The potential additionally outlines a method to create a purposeful inbox for customers to simply ahead phishing emails that will have handed via the filters. Implementing each of those capabilities provides a possibility to start an automation workflow.
As soon as a suspicious message has been recognized, both via the consumer reporting or generated alert, extra automation capabilities grow to be out there. One suggestion is to create a location for monitoring the lifecycle of every alert as quickly as potential.
Using the Monitoring Location functionality within the Situation Monitoring part, we will determine the place these alerts needs to be recorded, up to date, and reported. Discover how the workflow has now moved between sections of the Automation Functionality Matrix to increase the method.
With the alert and monitoring location selected, we will transfer in the direction of performing an intensive evaluation of the phishing alert in query. Phishing emails generally include doubtlessly malicious attachments and suspicious hyperlinks to seize authentication materials and are usually despatched from spoofed sources.
Transferring into the Enrichment section, we need to deal with using a couple of key capabilities at a minimal: Area Evaluation for any hyperlinks current within the electronic mail physique, File Hash Evaluation/File Evaluation to have a look at any attachments to the e-mail, and E mail Attributes to look deeper into electronic mail headers for indicators of emails from spoofed addresses.
For Enrichment alternatives, the variety of choices for API-driven instruments and companies that can be utilized to offer these capabilities grows exponentially. Some widespread choices embrace VirusTotal for information, URLscan for domains, and EmailRep for sender data. Every of those enrichment outcomes may be recorded within the related monitoring location recognized beforehand to doc the outcomes and supply analysts with a view into the outcomes.
This reveals what number of capabilities from the identical part may be utilized to the identical automation workflow, on this case, to offer as a lot data as potential to analysts.
After enrichment happens, a verdict could be reached already, however extra seemingly, the problem would require a fast assessment from an analyst. At this level, the Person Interplay part turns into essential.
To begin, we will use Chat Alerts to inform the safety staff in a Slack channel {that a} phishing electronic mail has arrived and a monitoring concern has been created, with numerous enrichment particulars added as further context is prepared for assessment.
That takes care of informing the safety staff, however what about updating any customers who could be impacted or who reported the e-mail? Phishing response processes, specifically, are distinctive as a result of many organizations actively practice customers to report emails they may determine as suspicious. Informing these customers with a assured verdict inside a brief timeframe is a good way to empower operations corresponding to getting delicate paperwork signed shortly or stopping mass malware outbreaks.
To do that, we will use the Person Notification functionality to determine the consumer who reported the e-mail and supply them with the outcomes of the e-mail evaluation. Within the case of Person Interplay, it isn’t solely about further notification of the safety staff but in addition extending the attain and empowering others with real-time data to make the fitting choices.
At this level, plenty of exercise has taken place, and we now have plenty of data at our disposal. Whereas extra data is all the time useful, performing on it appropriately is what in the end counts most, ensuing within the remediation section. Most of the knowledge factors (indicators) we gathered earlier than can be utilized for remediation motion. Relying on how the scenario has performed out, we might take a few of the following steps:
- Area blocklist: Add any domains and URLs recognized as suspicious to a blocklist.
- File hash blocklist: Add any file hashes recognized as malicious to a blocklist.
- E mail deletion: Take away emails associated to an assault marketing campaign from inboxes.
- Password invalidation: Change the passwords of any customers discovered to have submitted credentials to a phishing web site.
The important thing to any remediation is figuring out what’s potential and beginning small, particularly when using automation to construct confidence. A method to do that is to offer hyperlinks or buttons that should be manually clicked to take remediation actions, however in a repeatable method. If you wish to introduce full automation, maintaining lists of suspicious domains that may be blocked supplies you with nice utility, minor danger, and may be mounted shortly with little total influence when errors happen.
Trying on the course of end-to-end, we now have utilized the next capabilities to assist automate essential actions for a lot of cybersecurity groups:
- Phishing alerts
- Monitoring location
- File hash evaluation
- Area evaluation
- E mail attributes
- Chat alerts
- Person notification
- Area blocklist
- File hash blocklist
- E mail deletion
- Password invalidation
A major good thing about growing these capabilities in your group to deal with a single course of, corresponding to phishing, is that many of those capabilities are actually out there to be reused for added functions like malware detection or dealing with suspicious logins, making every subsequent automation alternative simpler.
Customizing the matrix
The SOC ACM can also be out there on GitHub for individuals who want to run it themselves or contribute.
This manner, the SOC ACM may be absolutely personalized to suit your wants. This consists of:
- Including new classes and capabilities
- Reorganizing in line with your priorities
- Monitoring automation workflows that align with these capabilities
- Exporting the configuration
- Darkish and light-weight mode
You can too assess completely different environments or completely different organizations in a different way by creating separate boards. For instance, in case your group acquires an organization with completely different capabilities from yours, you need to use the matrix to visualise that setting utterly in a different way.
All of this configuration may be saved regionally in your browser for privateness. In addition to exporting the configuration, you’ll be able to import it to revive previous assessments, all with no login account, and with none monitoring.
The SOC ACM as a reporting device
Groups accessing the SOC ACM on GitHub may use the matrix to visually display the place they’re of their automation journey and talk the worth of their automation program to management and different key stakeholders.
Quickly after implementing a couple of capabilities, groups will perceive which capabilities they’re using most, the related actions, and their worth, corresponding to time saved or decreased response time. This permits them to share outcomes with related groups and determine what to prioritize subsequent.
Case examine: monitoring time saved and executions to indicate worth with the SOC ACM
On the Tines Roadshow: San Francisco, the creator of the SOC Automation Functionality Matrix, John Tuckner, shared how he labored with a Fintech firm to evaluate and improve their automation program utilizing the matrix. They advised Tuckner, “The Automation Functionality Matrix helps us arrange our workflows, determine which workflows are saving us probably the most time, and spotlight future areas of alternative.”
Highlights:
- 25 capabilities carried out and tagged
- 10 workflows using Slack slash instructions with 2,000 executions
- Ship multifactor immediate workflows ran 721 instances for six.5 hours of time financial savings per thirty days
Suggestions:
- Take a look at managing lists of IOCs for response capabilities, “IP record,” “area record,” and “hash record.”
- Doc and spotlight the efforts made in time saved when using case administration.
Future state – what they will do in a different way:
- Tackling distributed alerting, consumer interplay by way of Slack
- Person notification
- Person response
- Updating safety Slack channel and incident reporting to make use of a Slack bot and route experiences and asks to the right subteam
- Notify emergency sources
- Timed escalations
- Slash instructions
- Add extra response actions by way of Tines automation via our Slack bot
- Artifact gathering
- Disabling MFA system
- Asset lookup (not simply endpoints, want to incorporate cloud property)
The SOC Automation Functionality Matrix is a helpful useful resource for groups in any respect phases of their automation journey, offering inspiration for his or her subsequent automation builds and a method to evaluate their automation program.
If you would like to discover the SOC Automation Functionality Matrix in additional element, you will discover it on Notion, hosted by the Tines staff.
