RSAC insights: Deploying SOAR, XDR along with better threat intel stiffens network defense

By Byron V. Acohido

Much attention has been paid to the widespread failure to detect the insidious Sunburst malware that the SolarWinds hackers managed to slip deep inside the best-defended networks on the planet.

Related: The undermining of the global supply chain

But there’s also an encouraging ‘response’ lesson SolarWinds teaches us, as well.

Reacting to the disclosure of this momentous supply-chain hack, many of the breached organizations were able to deploy advanced tools and tactics to swiftly root out Sunburst and get better prepared to repel any copycat attacks. It was an opportunity to put their security orchestration, automation and response (SOAR) solutions, as well as their endpoint detection and response (EDR) tools, to the test.

In that sense, SolarWinds validated the truckloads of investment that have been poured into developing and deploying SOAR and EDR innovations over the past five years. I had the chance recently to visit with Leon Ward, Vice President of Product Management at ThreatQuotient, which provides a security operations platform whose use cases include serving as a threat intelligence platform (TIP). We discussed current developments that suggest SOAR and EDR will continue to improve and make a difference.

For a full drill down on our conversation, please give the accompanying podcast a listen. Here are my key takeaways:

Leveraging richer intel

It was by happenstance that analysts at FireEye, a leading supplier of intrusion detection systems, stumbled upon a copy of the Sunburst Trojan ever-so-stealthily embedded in FireEye’s own installation of SolarWinds’ Orion network management software. FireEye and SolarWinds disclosed the compromise on Dec. 13, 2020.

By that time the attackers had been at it for 16 months, slipping Sunburst deep inside as many as 18,000 organizations via delivery of a legitimate-looking, nondescript Orion software update. They accomplished this extraordinary supply chain hack by first breaching SolarWinds’ network and gaining access to the build environment that compiles and packages Orion updates. Because the tampering happened at build time, the trojanized updates carried SolarWinds’ legitimate code-signing certificate and went out through the normal update channel, so from inside SolarWinds these elite hackers were able to distribute authentic, though infectious, Orion updates that customers had no ordinary way to tell apart from genuine releases.

FireEye naturally notified SolarWinds. It wasn’t until Dec. 24 that SolarWinds had two ‘hot-fix’ patches available to distribute to its Orion customers worldwide. Those nine days between discovery of widespread breaches and patch-availability put SOAR and EDR to the test.

Enterprises equipped to do so were able to leverage their SOAR and EDR capabilities to swiftly triangulate their exposure and take immediate steps to cut off the intruders. Well-equipped managed security services providers (MSSPs) were able to do this for their clients, as well.

Just five years ago, this type of response was not being done very much, nor very effectively. But a couple of developments have changed the picture, Ward told me.


“We’ve seen a proliferation of more vendors creating threat intelligence and threat data, and there are many more new sources of useful threat intelligence coming from internal assets,” he says. “Organizations are realizing the value of combining that knowledge of what’s out there that’s bad, figuring out what’s relevant to them and then assessing what they can see internally . . . It’s great to see organizations using that information in new ways to drive more efficacy and efficiency into their security programs.”

Filtering the noise

SOAR has come on strong in the past two to three years as a tool to help enterprises and MSSPs cut down on noise and make sense of the oceans of threat data pouring into their security information and event management (SIEM) systems.

SOAR typically works from sets of rules drawn up in “playbooks”, the “orchestration” piece. A playbook chains together the steps an analyst would otherwise perform by hand: pull the context for an alert out of the SIEM, enrich it against threat intelligence, decide whether it is noise, and trigger a response such as isolating a host or opening a ticket. Automating those steps for known threats relieves a human analyst from having to manually sift through vast volumes of threat data.

However, Ward feels strongly that for efficient threat detection and response, automation should focus on what is ultimately learned from performing actions, rather than merely on the fact that actions are being taken, because that is where the true detection and analysis value is found.

Companies are projected to spend $1.8 billion on SOAR systems by 2024, up from $868 million in 2019, according to research firm MarketsandMarkets.

The SolarWinds hack provided a chance to assess how far SOAR technology has come. Following FireEye’s disclosure, US-CERT and its European counterparts shifted into high gear. Specialized auditing tools became freely available, along with briefings about what to look for and how best to mitigate exposures.

Enterprises and MSSPs were able to tap into the audit tools and threat intel to speed up response. The defenders knew what to look for and had tool sets to integrate into their SOAR and EDR systems. This enabled them to carry out the course of action best suited to their specific scenario, Ward says.

What unfolded in the immediate wake of the SolarWinds disclosure serves as a vivid example of a trend that’s getting a lot of buzz at RSA Conference 2021: the convergence of TIP, SOAR and EDR technologies.

“Pulling strategic information down to a tactical level absolutely helped defenders in so many different ways,” Ward says. “They were able to pivot from an event found in a SIEM, relate it to a specific campaign and take direct steps to respond to it.”
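To make the playbook idea concrete, here is an added example in Python; it is not code from the original article, from ThreatQuotient, or from any SOAR product. It runs a handful of constructed SIEM events (RFC 5737 documentation-range IP addresses and a reserved .test domain, not real indicators) against a constructed threat-intel export, suppresses allowlisted and low-confidence matches, picks a response per event, and, in the spirit of Ward’s points about learning from actions and pivoting from a SIEM event to a campaign, records which internal hosts each campaign has been tied to and uses that record to escalate a weaker match on an already-implicated host. Field names, confidence thresholds and action names are assumptions.

```python
"""Toy SOAR-style playbook (added example; constructed data only).

Steps mirror what a playbook automates: enrich a SIEM event against threat
intel, filter noise, choose a response, and record what was learned so the
next event on the same host can be judged in campaign context.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed threat-intel export (hypothetical). Addresses come from the
# RFC 5737 documentation ranges and the domain uses the reserved .test TLD:
# placeholders, not real indicators of compromise.
TIP_INDICATORS: Dict[str, Dict] = {
    "198.51.100.23":       {"campaign": "CAMPAIGN-A", "confidence": 90},
    "c2.example-cdn.test": {"campaign": "CAMPAIGN-A", "confidence": 70},
    "203.0.113.9":         {"campaign": "CAMPAIGN-B", "confidence": 40},
}

# Constructed allowlist: internal sources whose contact with hostile
# infrastructure is expected, here a malware detonation sandbox.
ALLOWLIST: Set[str] = {"10.0.0.5"}

ISOLATE_AT = 80   # assumed threshold: isolate the host through EDR
TICKET_AT = 60    # assumed threshold: open a ticket for an analyst

# Constructed SIEM events, already normalised to a flat schema.
SIEM_EVENTS: List[Dict] = [
    {"id": 1, "host": "ws-017",     "src": "10.10.4.17", "dst": "198.51.100.23",       "kind": "netflow"},
    {"id": 2, "host": "ws-017",     "src": "10.10.4.17", "dst": "c2.example-cdn.test", "kind": "dns"},
    {"id": 3, "host": "sandbox-01", "src": "10.0.0.5",   "dst": "198.51.100.23",       "kind": "netflow"},
    {"id": 4, "host": "ws-042",     "src": "10.10.4.42", "dst": "203.0.113.9",         "kind": "netflow"},
    {"id": 5, "host": "ws-099",     "src": "10.10.4.99", "dst": "192.0.2.50",          "kind": "netflow"},
]


@dataclass
class Verdict:
    event_id: int
    action: str           # no_match | suppress | open_ticket | isolate_host
    campaign: str = ""
    reason: str = ""


def triage(event: Dict, intel: Dict = TIP_INDICATORS,
           allowlist: Set[str] = ALLOWLIST) -> Verdict:
    """Enrich one event against the TIP and apply the noise filters."""
    hit = intel.get(event["dst"])
    if hit is None:
        return Verdict(event["id"], "no_match")
    campaign = hit["campaign"]
    if event["src"] in allowlist:
        return Verdict(event["id"], "suppress", campaign, "source is allowlisted")
    if hit["confidence"] >= ISOLATE_AT:
        return Verdict(event["id"], "isolate_host", campaign, "high-confidence indicator")
    if hit["confidence"] >= TICKET_AT:
        return Verdict(event["id"], "open_ticket", campaign, "medium-confidence indicator")
    return Verdict(event["id"], "suppress", campaign, "below confidence threshold")


def run_playbook(events: List[Dict], intel: Dict = TIP_INDICATORS,
                 allowlist: Set[str] = ALLOWLIST) -> Tuple[List[Verdict], Dict]:
    """Run triage over a batch of events and accumulate what was learned."""
    verdicts: List[Verdict] = []
    hosts_by_campaign: Dict[str, Set[str]] = defaultdict(set)
    sightings: Dict[str, int] = defaultdict(int)
    for ev in events:
        v = triage(ev, intel, allowlist)
        if v.action != "no_match":
            # Every internal match is a sighting worth feeding back to the TIP,
            # even one that was suppressed as noise.
            sightings[ev["dst"]] += 1
        # Pivot: a medium-confidence hit on a host already tied to the same
        # campaign by a stronger hit is confirmation, not a fresh ticket.
        if v.action == "open_ticket" and ev["host"] in hosts_by_campaign.get(v.campaign, set()):
            v = Verdict(ev["id"], "isolate_host", v.campaign, "host already tied to campaign")
        if v.action == "isolate_host":
            hosts_by_campaign[v.campaign].add(ev["host"])
        verdicts.append(v)
    learned = {
        "hosts_by_campaign": {c: sorted(h) for c, h in hosts_by_campaign.items() if h},
        "sightings": dict(sightings),
    }
    return verdicts, learned


if __name__ == "__main__":
    results, learned = run_playbook(SIEM_EVENTS)
    for v in results:
        print(f"event {v.event_id}: {v.action:13s} {v.campaign:11s} {v.reason}")
    print("learned:", learned)
```

The second event on ws-017 is what Ward’s “pivot” looks like in code: on its own, a 70-confidence domain match would only earn a ticket, but because the first event had already tied that host to CAMPAIGN-A, the playbook treats it as confirmation and isolates. The sandbox’s contact with the same infrastructure is suppressed as expected noise but still recorded as a sighting, so the outcome of the action, not just the action itself, flows back into the intel.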

Cohesive use of intel

At the tactical level, SOAR capabilities are steadily becoming more effective in direct correlation to the quality of threat intelligence being fed into them. ThreatQuotient is a good bellwether of the major advances made in the gathering and leveraging of threat intelligence over the past decade or so.

The company was founded in 2013 by Ryan Trost and Wayne Chiang, who saw a need for a smarter approach to aggregating, organizing and maintaining threat intel. Back then, security appliances didn’t have well-documented APIs, and analysts were forced to copy and paste indicators from websites, blogs and email into spreadsheets for safekeeping.

Today, the ThreatQ platform collects and stores a wide array of security telemetry and makes it accessible to security analysts in many useful ways. Integrating SOAR capabilities is one example; tying into EDR, and into the emerging XDR category, is another. EDR has become ingrained as an essential layer of protection for PCs and servers; XDR extends that detection-and-response layer beyond endpoints to telemetry from firewalls, email servers, smartphones and IoT devices, correlating across all of them. In late 2020, Gartner called XDR the number one trend CISOs should understand to strengthen security initiatives.

Going forward, there is every reason to expect the bad guys to remain highly motivated and hyperactive, making it crucial for the good guys to make the fullest use of available threat intelligence.

“Detection is just one part of the conundrum; let’s not forget the ‘R’ part… response,” Ward observes. “Being able to provide the toolsets and the capabilities to provide an effective response is really important, and that’s where technology integrations are really important.”

I agree. We’ll see another SolarWinds, probably sooner rather than later. The more companies can learn how to use threat intel cohesively, the better off everyone will be. I’ll keep watch, and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

