Fighting cybercrime with open-source SOAR tools
Have you ever heard of alert fatigue? This is the term used to describe when security analysts become overwhelmed by the sheer volume of security alerts generated by various monitoring systems. The vast number of alerts that Security Operations Centers (SOCs) have to deal with nowadays can lead to a decrease in the responsiveness and effectiveness of the security team.
SOAR tools
SOCs have therefore started deploying SOAR tools to combat the alert fatigue, the sheer amount of monotonous and repetitive tasks, and the increasingly complex mix of security products. SOAR tools, or Security Orchestration, Automation, and Response tools, are software solutions designed to enhance an organization's ability to respond to cybersecurity threats effectively.
These tools integrate various security technologies and processes, automating repetitive tasks and orchestrating incident response workflows. By doing so, SOAR tools enable security teams to streamline threat detection, analysis, and mitigation efforts, reducing the time it takes to respond to incidents.
Challenges and limitations of SOAR tools
While SOAR tools offer significant benefits in streamlining cybersecurity operations, they also present several challenges and limitations, which starts with the complexity of implementation. Implementing SOAR tools is often a complex and time-consuming process. It requires the integration of multiple security systems, fine-tuning playbooks, and ensuring compatibility with the organization's existing infrastructure.
Additionally, SOAR tools can cause alert overloads and false positives. Despite automation, SOAR tools still rely on inputs from other systems like SIEMs, which may generate a large number of alerts - many of which can be false positives. SOAR tools can struggle to accurately filter out these false positives without proper tuning. If not managed properly, this can - again - lead to alert fatigue and reduce the effectiveness of the tool.
At the same time, SOAR systems rely heavily on data quality, and if the data is inaccurate or incomplete, it can result in false positives or negatives. Ensuring data quality can be time-consuming and complex, and organizations must have a comprehensive data management plan.
Another hurdle is the cost of SOAR solutions. Many SOAR solutions are expensive, both in terms of upfront costs and ongoing maintenance. For smaller organizations or those with limited budgets, the cost of deploying and maintaining a SOAR solution can be prohibitive, limiting its accessibility to only larger enterprises.
What’s more, most existing SOAR tools are not open-source, meaning users cannot access or modify the source code. Additionally, many SOAR platforms make limited use of open standards, which restricts the interchangeability of security playbooks across different systems.
A need for open-source solutions
To combat some of these challenges and help organizations improve their cybersecurity posture, TNO launched an open-source SOAR tool this week. The SOARCA, or Security Orchestrator for Advanced Response to Cyber Attacks tool is the first open-source SOAR tool to make full use of the open-playbook standard Collaborative Automated Course of Action Operations (CACAO). The SOARCA tool is freely available to anyone, and the goal of the tool is that it can be applied to almost any cyber security system.
SOARCA also includes a python-library software component, where users can create their own software extensions and integrations, allowing them to tailor the tool to their own organization and systems.
“In government and industry, there is a great need for open-source solutions and open standards, as they are then not subject to the ‘vendor lock-in’, i.e. not tied to one supplier. Open source further facilitates national and international collaboration between companies and research institutions, and accelerates innovations that are sorely needed in the fight against cyber criminals,” TNO said.
The code behind SOARCA is available from GitHub, a platform where anyone can view it and contribute to improving SOARCA. TNO's SOARCA team is calling on anyone interested to go onto the platform and suggest modifications, share ideas for new features, and ask questions.