Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Security Orchestration, Automation, and Response for Security Analysts
Security Orchestration, Automation, and Response for Security Analysts

Security Orchestration, Automation, and Response for Security Analysts: Learn the secrets of SOAR to improve MTTA and MTTR and strengthen your organization's security posture

eBook
$29.99 $43.99
Paperback
$54.99
Subscription
Free Trial
Renews at $19.99p/m

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
OR
Modal Close icon
Payment Processing...
tick Completed

Shipping Address

Billing Address

Shipping Methods
Table of content icon View table of contents Preview book icon Preview Book

Security Orchestration, Automation, and Response for Security Analysts

The Current State of Cybersecurity and the Role of SOAR

Ransomware, data leaks, phishing, denial of service… these are some of the terms that everyone, even those who aren’t in the IT industry, will have repeatedly heard in the last few years. Everyone has received an email from a Nigerian prince or some long-lost rich, relative from Africa at least once. These are basic examples of cyberattacks called phishing attacks, which still have an acceptable success rate. If we were to talk about more tailored phishing attacks (common ones being a request to change your password or a notification that your account will be deleted if you don’t click on a link), those have an even better success rate – why is that so? Because bad actors are smart.

The first aspect to consider is that they will use many techniques to make their email seem as legitimate as possible, and the second, which is not connected to IT, is the psychological part. The psychological part manifests itself in a few different ways. It can be someone pretending to be your boss (using spoofing methods), an email containing a sense of urgency, or an email sent at the end of working hours when employee concentration is at its lowest. Because of this, organizations are on the lookout for more advanced systems to help them respond to these in a matter of minutes. That is where Security Orchestration, Automation, and Response (SOAR) comes in to save the day.

In this chapter, we will cover the main aspects of changes within cybersecurity and how those changes impact our everyday lives. A few years back, cyberattacks mainly impacted organizations, but today, their impact is felt by ordinary people as well. And this is something that will not change overnight. As one way of fighting back and improving their security posture, organizations can use many security tools. One of them is SOAR, and we will explain why SOAR is a must in every organization today.

In a nutshell, this chapter will cover the following main topics:

  • Traditional versus modern security
  • The state of cybersecurity
  • What is SOAR?

Traditional versus modern security

Security plays a significant role in our everyday lives. Even from the start of civilization, security played a role in that people built their fortifications. If we go back through history, we can see how people built their fortifications on the top of a hill or on a river fork, or if something of this kind was not applicable, people dug canals around fortifications, built big walls, and so on. All this had one thing in common – the aim of securing the people and their properties against attacks from other tribes or countries.

As those fortifications were built, attackers always sought a way to penetrate those defenses. Some of them were massive attacks directly made on fortifications, sending a single person to breach the front or back entrance or create a diversion.

Probably the most famous of these, with the equivalent in IT appearing every day, is when ancient Greece attacked Troy. Because of Troy’s fortifications, Greece couldn’t penetrate the city, even though they had a massive army and the numbers were on their side. That all changed when Odysseus came upon the idea of a diversion. Greek forces pretended to retreat and left a giant wooden horse as a present from the gods to the people of Troy. And what did they do? The people of Troy took that wooden horse into the city. They didn’t know that Odysseus and his best fighters were hiding inside that wooden horse. In the early morning, while everyone was sleeping, Odysseus and his selected army exited the wooden horse and opened the door for the rest of the army to enter Troy. After that, all the defense mechanisms in place fell apart, and Troy was defeated.

If you are in cybersecurity, even if you don’t know this story about Troy, you will be aware of what a Trojan horse is: a term for malware that misleads users about its true purpose. While it appears to be secure software, it can contain malicious code. It works in much the same way as it did 3,000 years ago.

We can see that many types of historical attacks and defenses are similar throughout history; the only part that changes is how they are performed. We can look at a full army attack on a fortress as a Distributed Denial-of-Service (DDoS) attack, a Trojan horse as a payload being delivered, a ransomware attack as Vikings asking for gold and valuables to halt their attack on Britain, a spyware intrusion as sending a spy to gather information on fortress defenses from the inside, and so on. From a defense perspective, we can see how everyone started with a perimeter defense by building walls or creating a fortress at the top of a hill. Then, they moved to layered defense by adding water canals in front of walls. The best example of a historic, layered defense was Constantinople. It started with a single wall, and in the end, it contained a moat, a low wall, an outer wall, and an inner wall. If we look at cybersecurity, we can see that there was a similar approach with a single barrier to protect the perimeter – a firewall. This was followed by adding additional layers such as DDoS protection, a Web Application Firewall (WAF), antivirus solutions, and so on.

Looking at this parallel, we all can agree that these defense strategies weren’t enough and that even the most robust defenses fell under heavy attack. Even the great Constantinople, probably the city with the best defenses of all time, fell under heavy Ottoman attacks.

Why? As methods of attack evolved faster than methods of defense, it was harder to cover this gap.

The same is true for cybersecurity. As mentioned, we start with perimeter defense and then add layered defense, but even that isn’t sufficient. Methods of attack evolve, and bad actors always find a way to surpass existing systems. One thing is certain: traditional systems are outdated, and many organizations are in the process of updating their cybersecurity as a result.

There are a few reasons why this is happening:

  • An important aspect is that people are more aware of how they use their personal information, how it is handled, and how it can be misused. People used to trust websites to use their info internally, but those websites sold that info to advertisement companies. People now expect more rigorous privacy and security for the data they share on websites.
  • Second up on the list is reputation. Many organizations that suffer an attack experience a loss of reputation, and in the end, smaller organizations often don’t survive these kinds of attacks. The loss of existing clients and the absence of new ones to replace them affect many small and medium organizations after a cyberattack. Big organizations survive more quickly because of their size, but they suffer heavy losses.
  • The third is bankruptcy, which is directly connected to ransomware in most cases. First, you need to pay to decrypt your data, and on top of that, you have the cost of not running your business. Coupled with a loss of clients, this will all bring small and medium organizations to their knees very quickly. In addition, these companies that have suffered a successful cyberattack end up having their information shared on the dark web. Consequently, they are often targeted by even more bad actors with financial gain as their motive.

Today, organizations either need to update their defense strategies to stay ahead of bad actors or risk a significant cybersecurity incident resulting in considerable financial losses – initially or in the long run.

The current state of cybersecurity

The last few years have changed how businesses operate, and standard working will never be the same. Digital transformation and the COVID-19 pandemic have foundationally changed the way that we work. Modern tools for collaboration, such as Microsoft Teams, Slack, Zoom, and so on, make it possible for people to work from any location and still relate to their peers. When the COVID-19 pandemic started, everyone had to work from home. And something that started as a temporary solution has changed how people work permanently. However, it hasn’t just changed the way people are working. It has also changed how people connect and what network they use – it has changed cybersecurity. A traditional perimeter does not help anymore; people are expected to be outside their bubbles, and we must find new ways to protect them. The second thing to consider is that people don’t just use corporate devices to connect to corporate resources: they use personal devices as well.

Creating boundaries is becoming harder and harder, and organizations must find a new way to protect their resources. Traditional systems aren’t enough anymore. The first tools that people are turning to have been available for years in the market, such as Mobile Device Management/Mobile Application Management (MDM/MAM), Multi-Factor Authentication (MFA), Endpoint Detection and Response (EDR) platforms, Data Loss Prevention (DLP), and so on.

Introducing more security tools and hardening the working environment has a direct impact on productivity. Employees are expected to enroll devices to MDM, set up and pass MFA, avoid copying data to USBs, refrain from continuing their work on other devices, and avoid sharing any links with anyone. This significantly hampers the ability of employees to collaborate efficiently. Cybersecurity experts need to find a golden middle ground between productivity and security; often, this equates to sacrificing security under this pressure until a cybersecurity incident occurs.

To be able to detect security incidents as they happen, more advanced solutions are required: traditional ones such as Security Information and Event Management (SIEM), more modern ones such as Extended Detection and Response (XDR), and the Zero Trust methodology. SIEM allows us to collect logs from various solutions and correlate these events to detect threats more easily. However, on its own, it is ineffective. SIEM tools are only as good as the events they have as logs. We also need to have excellent Security Operations Center (SOC) analysts who can define detection rules, do cyber threat hunting, and react to security incidents in these SIEM solutions. This is why most new SIEM solutions add Artificial Intelligence (AI), Machine Learning (ML), User and Entity Behavior Analytics (UEBA), Threat Intelligence (TI), and so on, into the mix to help with detection – but what about the response? How do we acknowledge and resolve security incidents?

One of the more modern tools is XDR – this is not a single tool but a group of tools that work together to correlate cyber threat detections. In most cases, XDR will cover identities, emails, endpoints, servers, and cloud workloads. It will use AI and ML in the background to connect security incidents from these layers, which are often handled separately by different solutions, into a single incident that outlines the kill chain of an attack as it happens throughout an organization. While XDR is a must-have solution for most organizations, it still doesn’t cover the whole stack of security. You cannot ingest TI data, firewall logs, third-party solution detections, and so on. Typically, XDR will be connected to SIEM for correlation with other sources.

One thing we have seen with XDR is a change in the complexity of organizations’ cybersecurity. 10 years ago, organizations did not use the same vendor for different layers of protection. The idea was that if one failed, you would still have another vendor in line for protection – but how wrong was that?

First, our security experts had to learn to work with and manage multiple solutions and vendors. Multiple portals would therefore need to be logged in to daily. For big organizations, the number of security solutions and vendors used could exceed 40! And second, those solutions did not speak to each other. That means that they did not share intelligence; they did not correlate their shared data. Without SIEM collecting events from all devices, it was almost impossible to make connections between different security incidents. XDR changed this, as the idea behind it has been for solutions to speak with each other, share intelligence, and correlate events for better detection. Another significant benefit is that it is all in one portal, which is essential for security experts to focus on one unified product and not on five different ones.

Why is it essential to find new ways to protect organizations? Because bad actors are improving their game daily. Just in the last few years, we have had significant cyberattacks, including the Colonial Pipeline ransomware attack, the Maersk ransomware attack, the SolarWinds breach, and the Log4j vulnerability, plus many data breaches in which bad actors have stolen terabytes of personal data. These are only some of the attacks that have been top news worldwide. Even people who don’t know what a cyberattack is have started asking questions about what is happening. The reason for this is the significant impact of each attack. The Colonial Pipeline attack raised a lot of concern and panic among people in the United States. Because of this attack, a few states even reported shortages of fuel. Even though Colonial Pipeline paid the ransom (in total, around 5 million US dollars), restoring operations took them a few days. As a direct connection to the attack, fuel prices in most of the United States went up.

This is only one of the examples of how a cyberattack on critical infrastructure can impact an organization and a whole country. Let’s consider that most of the critical infrastructure in countries (electricity, water, fuel, gas, etc.) is controlled using computers. We can see why staying at least one step ahead of bad actors is crucial.

There are many different figures for the average cost of a cyberattack, and in most cases, the average cost is around $4 million. This cost is not only connected to paying a ransom but also returning to an operational state, plus the cost of losing customers. If we take a look at the Marriott hotel data breach, the total cost at the end could be in the billions, as we include the GDPR and user lawsuits. We can say that, on average, we have millions of reasons to think about cybersecurity at a time.

However, cyberattacks don’t just impact organizations; they are methods of modern warfare. We have had a few examples throughout history, but the latest one is probably the best example. As the Ukrainian-Russian war started, it didn’t start solely with typical military conflicts – guns, tanks, planes, and so on. Cyber warfare was a big part of it, and numerous attacks on Ukrainian infrastructure were reported.

Considering that we have more and more drones in the sky that are remotely managed, it shows us how serious it can be in the future if technological infrastructure is not protected.

While we can invest a lot of money into security equipment, we still have two significant issues at the top of the list regarding how a cyberattack starts. The first will be misconfiguration, and the second will be the user.

As mentioned, many organizations invest a lot in security equipment, but not in security experts or their personnel so that they can learn how to configure solutions correctly. Even a minor misconfiguration can affect the system in a manner that will leave a backdoor that a bad actor can use. Hiring security experts and continuous investment in cybersecurity personnel is more important than security solutions. Cybersecurity personnel must stay ahead of bad actors to protect critical infrastructure. While AI and ML play a significant role in cybersecurity, they will (maybe) never be able to replace security experts. Most sophisticated attacks are not initially detected by cybersecurity tools but rather by experts hunting for anomalies in raw system logs.

Users are probably the most considerable cybersecurity risk each organization faces. It is a common saying in cybersecurity that in each organization, there is at least one user who will click on every link. That is why phishing attacks are still the most common attacks on organizations. Every organization must invest in user education to reduce the risk of users clicking on a link in an obvious phishing email or downloading attachments from unknown sources. It is a long process to educate users and still, the risk will exist. As mentioned earlier, bad actors are smart and target users strategically – for example, when they know their focus will be at the lowest at the end of working hours.

On top of that, think about every conversation had with users – passwords. It is common for users to pick the same password for business and personal use and reuse it across all platforms. Some people use two different passwords, but rarely three or more. This directly impacts an organization’s security because many platforms don’t have advanced password protection – but that is not the only problem! Users incorporate personal information when creating these passwords (such as a place of birth or residence, names of pets or children, important dates, and so on) and then have all of that information publicly available on social media (pictures, About Me, favorite movies, quotes, and more). Because of all this, it is easy for bad actors to strategize their attacks. First, they have all the necessary info to create a dictionary for brute-force attacks on social media. Second, they can use a less secure platform to perform that attack and reuse the password on corporate logins. This is essentially why many organizations implement MFA.

The biggest challenge for modern SOCs is the high number of raw data and security incidents. This affects the time needed to acknowledge and respond to security incidents. The initial triage of an incident can take some time, even an hour, if a SOC is inefficient or there are not enough SOC analysts (which is more common). This can lead to detecting the cyberattack too late, and the attack can spread through the system.

Would it help if we could automate everyday tasks that our SOC analyst performed as part of the initial triage so that the SOC analyst took over once the initial triage had automatically been done? This is where SOAR comes into play!

What is SOAR?

SOAR is a set of security features that helps organizations collaborate on incident investigation and automate certain actions that SOC analysts perform. As the end goal with SOAR, we want to achieve a faster mean time to acknowledge (MTTA) and mean time to respond (MTTR). The MTTA and MTTR are the two most important measurements for a SOC.

The main elements of SOAR are as follows:

  • Incident management
  • Investigation
  • Automation
  • Reporting
  • TI and Threat and Vulnerability Management (TVM)

Important note

We will touch on reporting as a separate topic in Chapter 3. We will also discuss TI and TVM through automation in Chapter 6.

SOAR is so important due to the increasing number of events to analyze and security incidents to investigate, and the deficit of security experts to perform the job. If you look at SOAR as a complete replacement for SOC analysts, you couldn’t be more wrong. SOAR is probably a SOC analyst’s best friend and provides the SOC team with the ability to analyze threats faster. SOAR as a tool and SOC teams can reduce the MTTA to a few minutes and the MTTR from hours to minutes!

How? The main aspect of SOAR is action automatization. That means that any task that the SOC team repeatedly performs during an incident should be automated. First, this will save time for SOC analysts – plus, we don’t need to worry about whether SOC analysts may forget to perform any tasks. Second, we can carry out the initial triage, and based on the input, we can auto-close false positives so that the SOC team doesn’t even need to work on them. Third, once the incident is assigned to SOC analysts, they can automatically see the enrichments made by automation to that incident. This will empower them to analyze and react to incidents much faster.

Incident management is an essential aspect of SOAR as well. If we want our SOC analysts to respond to incidents effectively, they need to have the space in which to do so. Not only space but also features will empower SOC analysts. These features include an incident overview, the possibility to increase or decrease the severity rating, close an incident, assign an incident owner, see more details, quickly navigate an investigation, comment on incidents, and so much more.

The reason why an investigation is essential is that the SOC team needs to gather as much information as early on as possible for an effective response. That can be through looking at similar incidents; checking what accounts, hosts, and IPs were included; whether those IPs, hosts, and accounts are known or not; how they connect with other data in the solution; and the ability to perform threat hunting. In addition, reporting, TI, and TVM provide even more insights to the SOC team to help perform an incident triage quickly and correctly.

So… do I need solutions such as XDR, SIEM, and so on? Or is SOAR enough?!

The quick answer is yes! These technologies differ in how they handle one common task – quickly and efficiently protecting your organization against threats.

Let’s look at the current situation in the market. We will see that many SIEM vendors either developed their own SOAR solution or bought a SOAR solution and integrated it into their environment. Microsoft Sentinel uses the power of Azure and Logic Apps for automation. Palo Alto bought Demisto (now called Cortex XSOAR) and integrated it into their XDR offering. Splunk bought Phantom and integrated it into their SIEM offering (now called Splunk SOAR). IBM bought Resilient and merged it into their SIEM offering (now called IBM Security QRadar SOAR). And the latest example is Google’s acquisition of Simplify and how they have merged it into their offering.

In all these examples, we can see a few trends. The most important one is that the future is to merge security tools into one so that you can manage your security completely in one place. The boundaries between security tools are receding constantly, and tools such as XDR, SIEM, SOAR, and so on are integrated more and more to provide a native, one-portal experience to organizations. The well-known line from Lord of the Rings is “one ring to rule them all,” and in security, it will be “one tool to rule them all.”

OK, so SOAR is here to stay – but what are the typical use cases?

  • Incident enrichment: Here, we will use the information found using TI and TVM solutions to enrich incidents with more data:
    1. Is that hash or IP malicious? Check using TI and, based on this, you can escalate the incident or even close it if all the data is well-known to your organization.
    2. Does that host have any vulnerabilities? Check using TVM whether any Common Vulnerability and Exploit (CVE) is connected to the host and decide how to proceed.

Here, we can see how we can use automation to quickly grab that info on incident creation, and when the SOC analyst picks up that ticket, the data will be there. As a result, the SOC analyst doesn’t need to perform an initial triage, thus saving time. Based on this info from automation, we can make faster decisions on how to proceed with an incident.

  • Incident remediation: Let’s say that, from the first step, we find out that an IP is malicious or that a host has a critical CVE. As a response, we can run automation that will block that IP in our firewall or EDR solution, or we can isolate that host so that it cannot cause any damage. This is done from the same portal; there is no need to go to different solutions, copy the IP, and then block it. With a click of the playbook, all will be done.
  • Reduce fatigue by reducing the number of false positives: SOC teams have significant issues when solving false positives. It takes time to open each incident, check whether it is connected to our known data, and close it. What if the SOC analyst didn’t even need to look at it? Automation can be run to check for well-known data. If it is connected to well-known data, we can auto-close an incident: this means zero engagement from the SOC analyst.

The examples mentioned are clear examples of how tools such as SOAR can help improve the MTTA and MTTR. Instead of repeating tasks, the SOC can focus on high-severity and true-positive incidents. It’s a well-known fact that good SOC analysts will burn out after a few years, and organizations will need to bring in new analysts who need to be onboarded and taught the SOC’s tricks. SOAR will help to decrease pressure on the SOC by reducing fatigue. With it, mental health improves, and SOC analysts don’t burn out. That also means they can perform their job longer, be more satisfied, and focus on the tasks ahead. By reducing the number of events and incidents that a SOC analyst needs to resolve, they can also invest more time into learning about new defense methods. Overall, the losers in this picture are the ones who should be losing out – the bad actors.

Summary

This chapter covered the importance of improving your security strategy and keeping your organization’s security one step ahead of bad actors. We saw how the traditional method of protection is outdated, a perfect scenario for bad actors, and how they can utilize even the most direct attacks to take down organizations.

Throughout the chapter, we also touched base on the state of cybersecurity, how organizations are changing their strategies, and how new tools such as XDR are emerging. Equally, these new tools directly influence SOC teams being overloaded because more tools equal more events, which equals more security incidents. Since there is a significant gap in the market for security experts – and it takes a long time to investigate the share volume of events and incidents manually – there is a need for help.

This is where SOAR jumps in and helps organizations automate everyday tasks. This directly impacts the efficiency of SOC teams, reducing the MTTA and MTTR and overall SOC fatigue. We then introduced simple use cases for SOAR, such as incident enrichment, remediation, or auto-closure. Later in the book, we will use similar cases to go through how to set up automation step by step.

The next chapter will go through some of the most well-known SOAR tools. These solutions are often part of more comprehensive SIEM tools, and we will explain how those SIEM tools were nudged forward as the ruling security solutions. We will go through the main aspects of SOAR, such as incident management, investigation, and automation, and how these features are utilized in the day-to-day activities of SOC teams.

Left arrow icon Right arrow icon
Download code icon Download Code

Key benefits

  • What’s inside
  • An exploration of the SOAR platform’s full features to streamline your security operations
  • Lots of automation techniques to improve your investigative ability
  • Actionable advice on how to leverage the capabilities of SOAR technologies such as incident management and automation to improve security posture

Description

What your journey will look like With the help of this expert-led book, you’ll become well versed with SOAR, acquire new skills, and make your organization's security posture more robust. You’ll start with a refresher on the importance of understanding cyber security, diving into why traditional tools are no longer helpful and how SOAR can help. Next, you’ll learn how SOAR works and what its benefits are, including optimized threat intelligence, incident response, and utilizing threat hunting in investigations. You’ll also get to grips with advanced automated scenarios and explore useful tools such as Microsoft Sentinel, Splunk SOAR, and Google Chronicle SOAR. The final portion of this book will guide you through best practices and case studies that you can implement in real-world scenarios. By the end of this book, you will be able to successfully automate security tasks, overcome challenges, and stay ahead of threats.

Who is this book for?

You'll get the most out of this book if You're a junior SOC engineer, junior SOC analyst, a DevSecOps professional, or anyone working in the security ecosystem who wants to upskill toward automating security tasks You often feel overwhelmed with security events and incidents You have general knowledge of SIEM and SOAR, which is a prerequisite You’re a beginner, in which case this book will give you a head start You’ve been working in the field for a while, in which case you’ll add new tools to your arsenal

What you will learn

  • Reap the general benefits of using the SOAR platform
  • Transform manual investigations into automated scenarios
  • Learn how to manage known false positives and low-severity incidents for faster resolution
  • Explore tips and tricks using various Microsoft Sentinel playbook actions
  • Get an overview of tools such as Palo Alto XSOAR, Microsoft Sentinel, and Splunk SOAR
Estimated delivery fee Deliver to Japan

Standard delivery 10 - 13 business days

$8.95

Premium delivery 3 - 6 business days

$34.95
(Includes tracking information)

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Jul 21, 2023
Length: 338 pages
Edition : 1st
Language : English
ISBN-13 : 9781803242910
Category :
Concepts :

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
OR
Modal Close icon
Payment Processing...
tick Completed

Shipping Address

Billing Address

Shipping Methods
Estimated delivery fee Deliver to Japan

Standard delivery 10 - 13 business days

$8.95

Premium delivery 3 - 6 business days

$34.95
(Includes tracking information)

Product Details

Publication date : Jul 21, 2023
Length: 338 pages
Edition : 1st
Language : English
ISBN-13 : 9781803242910
Category :
Concepts :

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total $ 134.96 169.97 35.01 saved
Effective Threat Investigation for SOC Analysts
$37.99 $54.99
Practical Threat Detection Engineering
$41.98 $59.99
Security Orchestration, Automation, and Response for Security Analysts
$54.99
Total $ 134.96 169.97 35.01 saved Stars icon
Banner background image

Table of Contents

13 Chapters
Part 1: Intro to SOAR and Its Elements Chevron down icon Chevron up icon
Chapter 1: The Current State of Cybersecurity and the Role of SOAR Chevron down icon Chevron up icon
Chapter 2: A Deep Dive into Incident Management and Investigation Chevron down icon Chevron up icon
Chapter 3: A Deep Dive into Automation and Reporting Chevron down icon Chevron up icon
Part 2: SOAR Tools and Automation Hands-On Examples Chevron down icon Chevron up icon
Chapter 4: Quick Dig into SOAR Tools Chevron down icon Chevron up icon
Chapter 5: Introducing Microsoft Sentinel Automation Chevron down icon Chevron up icon
Chapter 6: Enriching Incidents Using Automation Chevron down icon Chevron up icon
Chapter 7: Managing Incidents with Automation Chevron down icon Chevron up icon
Chapter 8: Responding to Incidents Using Automation Chevron down icon Chevron up icon
Chapter 9: Mastering Microsoft Sentinel Automation: Tips and Tricks Chevron down icon Chevron up icon
Index Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon

Customer reviews

Top Reviews
Rating distribution
Full star icon Full star icon Full star icon Full star icon Full star icon 5
(14 Ratings)
5 star 100%
4 star 0%
3 star 0%
2 star 0%
1 star 0%
Filter icon Filter
Top Reviews

Filter reviews by




Chris Oct 15, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This Security Orchestration, Automation, and Response book by Benjamin Kovacevic absolutely SOARS over and above any other Microsoft Sentinel (SIEM) book out there, hands down! Not only does this book come directly from the Product Manager/Team responsible for features and functionality within Microsoft Sentinel, it's physically jam packed with examples and best practices to integrate, detect, automate, analyze and respond to current and future persistent cybersecurity threats. This resource keeps the examples easy to follow but challenging enough to even folks that have been in this space for a while and gives tips on additional products like Splunk and Google SOAR offerings to help compare and contrast!I personally love the section covering enrichment of incidents with Logic Apps design and automation - with a small background in both Logic Apps and Power Automate, this inspires so many additional use cases that can be quickly and easily created within Microsoft Sentinel. A true zero to hero reference that any SOC Analyst should have within reach!
Amazon Verified review Amazon
Nicholas L DiCola Aug 15, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
"Security Orchestration, Automation, and Response: A Guide for Analysts" is a game-changing book for anyone in cybersecurity. The authors skillfully navigate through the complex world of SOAR, making it accessible even for beginners. The practical examples and up-to-date insights ensure that both theory and application are covered comprehensively. A standout feature is the authors' attention to detail, offering solutions to challenges and sharing best practices. Whether you're a newbie or a pro, this book is a vital resource for mastering effective security automation.
Amazon Verified review Amazon
Dwayne Natwick Jul 22, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Benjamin does an excellent job of breaking down the process of a SOAR and how to maximize the use of Microsoft Sentinel, Splunk, and Google Chronicle to automate incident management, investigation, response, and reporting. I recommend this book for anyone that is interested or involved in security operations and incident response.
Amazon Verified review Amazon
Nermin Smajic Sep 10, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book presents a comprehensive exploration of the SOAR (Security Orchestration, Automation, and Response) platform's capabilities, allowing security analysts to streamline their operations and mitigate threats more efficiently. By delving into the world of automation, readers will gain valuable insights into transforming manual investigations into automated scenarios, saving time and resources while improving the accuracy of their investigations. The authors offer practical techniques that enable analysts to prioritize and resolve such incidents with greater speed and effectiveness. This empowers security teams to focus their efforts on more critical threats, ensuring a higher level of protection for their organizations.In conclusion, this book is a must-read for security analysts looking to stay ahead in the rapidly evolving domain of cybersecurity. By exploring the potential of SOAR platforms, automating routine tasks, and applying efficient incident management techniques, readers will acquire the skills needed to bolster their security operations and protect their organizations effectively.
Amazon Verified review Amazon
Brodie Aug 22, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Technical Reviewer (Disclaimer)A guide not tool agnostic but security oriented to multiple platforms with hands on examples and use of third party apis to include in your workflow for orchestration. Definitely a tool to keep in your arsenal of SOAR operations. If you are starting your journey in Splunk, or Sentinel this is a must use in guiding decision points and operations.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is the delivery time and cost of print book? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela
What is custom duty/charge? Chevron down icon Chevron up icon

Customs duty are charges levied on goods when they cross international borders. It is a tax that is imposed on imported goods. These duties are charged by special authorities and bodies created by local governments and are meant to protect local industries, economies, and businesses.

Do I have to pay customs charges for the print book order? Chevron down icon Chevron up icon

The orders shipped to the countries that are listed under EU27 will not bear custom charges. They are paid by Packt as part of the order.

List of EU27 countries: www.gov.uk/eu-eea:

A custom duty or localized taxes may be applicable on the shipment and would be charged by the recipient country outside of the EU27 which should be paid by the customer and these duties are not included in the shipping charges been charged on the order.

How do I know my custom duty charges? Chevron down icon Chevron up icon

The amount of duty payable varies greatly depending on the imported goods, the country of origin and several other factors like the total invoice amount or dimensions like weight, and other such criteria applicable in your country.

For example:

  • If you live in Mexico, and the declared value of your ordered items is over $ 50, for you to receive a package, you will have to pay additional import tax of 19% which will be $ 9.50 to the courier service.
  • Whereas if you live in Turkey, and the declared value of your ordered items is over € 22, for you to receive a package, you will have to pay additional import tax of 18% which will be € 3.96 to the courier service.
How can I cancel my order? Chevron down icon Chevron up icon

Cancellation Policy for Published Printed Books:

You can cancel any order within 1 hour of placing the order. Simply contact [email protected] with your order details or payment transaction id. If your order has already started the shipment process, we will do our best to stop it. However, if it is already on the way to you then when you receive it, you can contact us at [email protected] using the returns and refund process.

Please understand that Packt Publishing cannot provide refunds or cancel any order except for the cases described in our Return Policy (i.e. Packt Publishing agrees to replace your printed book because it arrives damaged or material defect in book), Packt Publishing will not accept returns.

What is your returns and refunds policy? Chevron down icon Chevron up icon

Return Policy:

We want you to be happy with your purchase from Packtpub.com. We will not hassle you with returning print books to us. If the print book you receive from us is incorrect, damaged, doesn't work or is unacceptably late, please contact Customer Relations Team on [email protected] with the order number and issue details as explained below:

  1. If you ordered (eBook, Video or Print Book) incorrectly or accidentally, please contact Customer Relations Team on [email protected] within one hour of placing the order and we will replace/refund you the item cost.
  2. Sadly, if your eBook or Video file is faulty or a fault occurs during the eBook or Video being made available to you, i.e. during download then you should contact Customer Relations Team within 14 days of purchase on [email protected] who will be able to resolve this issue for you.
  3. You will have a choice of replacement or refund of the problem items.(damaged, defective or incorrect)
  4. Once Customer Care Team confirms that you will be refunded, you should receive the refund within 10 to 12 working days.
  5. If you are only requesting a refund of one book from a multiple order, then we will refund you the appropriate single item.
  6. Where the items were shipped under a free shipping offer, there will be no shipping costs to refund.

On the off chance your printed book arrives damaged, with book material defect, contact our Customer Relation Team on [email protected] within 14 days of receipt of the book with appropriate evidence of damage and we will work with you to secure a replacement copy, if necessary. Please note that each printed book you order from us is individually made by Packt's professional book-printing partner which is on a print-on-demand basis.

What tax is charged? Chevron down icon Chevron up icon

Currently, no tax is charged on the purchase of any print book (subject to change based on the laws and regulations). A localized VAT fee is charged only to our European and UK customers on eBooks, Video and subscriptions that they buy. GST is charged to Indian customers for eBooks and video purchases.

What payment methods can I use? Chevron down icon Chevron up icon

You can pay with the following card types:

  1. Visa Debit
  2. Visa Credit
  3. MasterCard
  4. PayPal
What is the delivery time and cost of print books? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela