Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Security Orchestration, Automation, and Response for Security Analysts

You're reading from   Security Orchestration, Automation, and Response for Security Analysts Learn the secrets of SOAR to improve MTTA and MTTR and strengthen your organization's security posture

Arrow left icon
Product type Paperback
Published in Jul 2023
Publisher Packt
ISBN-13 9781803242910
Length 338 pages
Edition 1st Edition
Arrow right icon
Author (1):
Arrow left icon
Benjamin Kovacevic Benjamin Kovacevic
Author Profile Icon Benjamin Kovacevic
Benjamin Kovacevic
Arrow right icon
View More author details
Toc

Table of Contents (14) Chapters Close

Preface 1. Part 1: Intro to SOAR and Its Elements
2. Chapter 1: The Current State of Cybersecurity and the Role of SOAR FREE CHAPTER 3. Chapter 2: A Deep Dive into Incident Management and Investigation 4. Chapter 3: A Deep Dive into Automation and Reporting 5. Part 2: SOAR Tools and Automation Hands-On Examples
6. Chapter 4: Quick Dig into SOAR Tools 7. Chapter 5: Introducing Microsoft Sentinel Automation 8. Chapter 6: Enriching Incidents Using Automation 9. Chapter 7: Managing Incidents with Automation 10. Chapter 8: Responding to Incidents Using Automation 11. Chapter 9: Mastering Microsoft Sentinel Automation: Tips and Tricks 12. Index 13. Other Books You May Enjoy

Traditional versus modern security

Security plays a significant role in our everyday lives. Even from the start of civilization, security played a role in that people built their fortifications. If we go back through history, we can see how people built their fortifications on the top of a hill or on a river fork, or if something of this kind was not applicable, people dug canals around fortifications, built big walls, and so on. All this had one thing in common – the aim of securing the people and their properties against attacks from other tribes or countries.

As those fortifications were built, attackers always sought a way to penetrate those defenses. Some of them were massive attacks directly made on fortifications, sending a single person to breach the front or back entrance or create a diversion.

Probably the most famous of these, with the equivalent in IT appearing every day, is when ancient Greece attacked Troy. Because of Troy’s fortifications, Greece couldn’t penetrate the city, even though they had a massive army and the numbers were on their side. That all changed when Odysseus came upon the idea of a diversion. Greek forces pretended to retreat and left a giant wooden horse as a present from the gods to the people of Troy. And what did they do? The people of Troy took that wooden horse into the city. They didn’t know that Odysseus and his best fighters were hiding inside that wooden horse. In the early morning, while everyone was sleeping, Odysseus and his selected army exited the wooden horse and opened the door for the rest of the army to enter Troy. After that, all the defense mechanisms in place fell apart, and Troy was defeated.

If you are in cybersecurity, even if you don’t know this story about Troy, you will be aware of what a Trojan horse is: a term for malware that misleads users about its true purpose. While it appears to be secure software, it can contain malicious code. It works in much the same way as it did 3,000 years ago.

We can see that many types of historical attacks and defenses are similar throughout history; the only part that changes is how they are performed. We can look at a full army attack on a fortress as a Distributed Denial-of-Service (DDoS) attack, a Trojan horse as a payload being delivered, a ransomware attack as Vikings asking for gold and valuables to halt their attack on Britain, a spyware intrusion as sending a spy to gather information on fortress defenses from the inside, and so on. From a defense perspective, we can see how everyone started with a perimeter defense by building walls or creating a fortress at the top of a hill. Then, they moved to layered defense by adding water canals in front of walls. The best example of a historic, layered defense was Constantinople. It started with a single wall, and in the end, it contained a moat, a low wall, an outer wall, and an inner wall. If we look at cybersecurity, we can see that there was a similar approach with a single barrier to protect the perimeter – a firewall. This was followed by adding additional layers such as DDoS protection, a Web Application Firewall (WAF), antivirus solutions, and so on.

Looking at this parallel, we all can agree that these defense strategies weren’t enough and that even the most robust defenses fell under heavy attack. Even the great Constantinople, probably the city with the best defenses of all time, fell under heavy Ottoman attacks.

Why? As methods of attack evolved faster than methods of defense, it was harder to cover this gap.

The same is true for cybersecurity. As mentioned, we start with perimeter defense and then add layered defense, but even that isn’t sufficient. Methods of attack evolve, and bad actors always find a way to surpass existing systems. One thing is certain: traditional systems are outdated, and many organizations are in the process of updating their cybersecurity as a result.

There are a few reasons why this is happening:

  • An important aspect is that people are more aware of how they use their personal information, how it is handled, and how it can be misused. People used to trust websites to use their info internally, but those websites sold that info to advertisement companies. People now expect more rigorous privacy and security for the data they share on websites.
  • Second up on the list is reputation. Many organizations that suffer an attack experience a loss of reputation, and in the end, smaller organizations often don’t survive these kinds of attacks. The loss of existing clients and the absence of new ones to replace them affect many small and medium organizations after a cyberattack. Big organizations survive more quickly because of their size, but they suffer heavy losses.
  • The third is bankruptcy, which is directly connected to ransomware in most cases. First, you need to pay to decrypt your data, and on top of that, you have the cost of not running your business. Coupled with a loss of clients, this will all bring small and medium organizations to their knees very quickly. In addition, these companies that have suffered a successful cyberattack end up having their information shared on the dark web. Consequently, they are often targeted by even more bad actors with financial gain as their motive.

Today, organizations either need to update their defense strategies to stay ahead of bad actors or risk a significant cybersecurity incident resulting in considerable financial losses – initially or in the long run.

You have been reading a chapter from
Security Orchestration, Automation, and Response for Security Analysts
Published in: Jul 2023
Publisher: Packt
ISBN-13: 9781803242910
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime