Security Orchestration and Ticketing

Document your incidents using ticketing systems or SOAR solutions

Each security incident should have an associated ticket to track its progress. You can use any ticketing system, or a Security Orchestration, Automation and Response (SOAR) solution that includes ticketing capabilities.

Important recommendations:

  1. Tickets should auto-escalate if they are not acknowledged or if an SLA is breached.
  2. Ownership: whoever takes the ticket is responsible for it until someone else has taken ownership. Security issues should not simply be sent to another team's inbox; confirm that the team received the ticket and has all the information and context required to continue working without delays.
  3. Document each significant action taken on the ticket, both for learning and for forensics.
  4. Analyze Indicators of Compromise (IoCs) with previous security issues and external threat intelligence databases to identify potential threat actors and tactics.
  5. Create Metrics / KPIs to identify areas of improvement and measure progress over time.
    1. Use the ticket status to reflect which phase you are in: 1. Detect, 2. Analysis, 3. Containment, 4. Eradication, 5. Recovery.
    2. Measure the time required to move between each phase of the incident response process.
    3. Create monthly or quarterly reports.
  6. When possible, auto-enrich tickets with context about the asset related to the incident. GenAI comprehension capabilities can help here.
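The following is an added example, not code from this page or from any ticketing or SOAR product, of the ticket lifecycle the recommendations above describe: a ticket whose status follows the five phases, an action log for forensics, an auto-escalation check against an acknowledgement SLA and per-phase SLAs, and a report of the mean time spent in each phase. All ticket identifiers, owners, timestamps and SLA values are constructed sample data.

```python
"""Incident ticket lifecycle: phase tracking, auto-escalation and per-phase metrics.

Added illustration only. Ticket ids, owners, timestamps and SLA limits are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from statistics import mean
from typing import Dict, List, Optional, Tuple


class Phase(Enum):
    """The five incident response phases used as ticket status, plus CLOSED."""
    DETECT = 1
    ANALYSIS = 2
    CONTAINMENT = 3
    ERADICATION = 4
    RECOVERY = 5
    CLOSED = 6


# Constructed SLA limits (assumption): acknowledge within 15 minutes,
# containment within 1 hour, eradication within 4 hours.
ACK_SLA = timedelta(minutes=15)
PHASE_SLAS = {Phase.CONTAINMENT: timedelta(hours=1), Phase.ERADICATION: timedelta(hours=4)}


@dataclass
class Ticket:
    ticket_id: str
    opened_at: datetime
    owner: Optional[str] = None
    acknowledged_at: Optional[datetime] = None
    escalated: bool = False
    history: List[Tuple[Phase, datetime]] = field(default_factory=list)  # (phase, entered_at)
    actions: List[Tuple[datetime, str, str]] = field(default_factory=list)  # (when, who, what)

    def __post_init__(self) -> None:
        self.history.append((Phase.DETECT, self.opened_at))  # every ticket starts in Detect

    @property
    def phase(self) -> Phase:
        return self.history[-1][0]

    def log(self, at: datetime, who: str, text: str) -> None:
        """Record a significant action; this log is the forensic timeline."""
        self.actions.append((at, who, text))

    def acknowledge(self, owner: str, at: datetime) -> None:
        self.owner, self.acknowledged_at = owner, at
        self.log(at, owner, f"acknowledged; owner set to {owner}")

    def advance(self, at: datetime, who: str) -> None:
        """Move to the next phase; phases only move forward, one step at a time."""
        if self.phase is Phase.CLOSED:
            raise ValueError(f"{self.ticket_id} is already closed")
        nxt = Phase(self.phase.value + 1)
        self.log(at, who, f"status {self.phase.name} -> {nxt.name}")
        self.history.append((nxt, at))

    def phase_durations(self) -> Dict[Phase, timedelta]:
        """Time spent in each completed phase (the current phase is still open)."""
        return {ph: end - start for (ph, start), (_, end) in zip(self.history, self.history[1:])}


def check_escalation(ticket: Ticket, now: datetime, ack_sla: timedelta,
                     phase_slas: Dict[Phase, timedelta]) -> Optional[str]:
    """Return the escalation reason if the ticket breaches a SLA, else None."""
    reason = None
    if ticket.acknowledged_at is None and now - ticket.opened_at > ack_sla:
        reason = "not acknowledged within SLA"
    else:
        limit = phase_slas.get(ticket.phase)
        if limit is not None and now - ticket.history[-1][1] > limit:
            reason = f"{ticket.phase.name} phase exceeded SLA"
    if reason and not ticket.escalated:
        ticket.escalated = True
        ticket.log(now, "auto-escalation", reason)
    return reason


def run_escalation_checks(tickets: List[Ticket], now: datetime) -> Dict[str, Optional[str]]:
    return {t.ticket_id: check_escalation(t, now, ACK_SLA, PHASE_SLAS) for t in tickets}


def phase_report(tickets: List[Ticket]) -> Dict[str, float]:
    """Mean minutes spent per completed phase across all tickets (a KPI for the reports)."""
    samples: Dict[str, List[float]] = {}
    for t in tickets:
        for ph, d in t.phase_durations().items():
            samples.setdefault(ph.name, []).append(d.total_seconds() / 60)
    return {name: mean(v) for name, v in samples.items()}


REVIEW_TIME = datetime(2024, 1, 15, 15, 0)  # constructed "now" for the SLA checks


def build_sample_tickets() -> List[Ticket]:
    """Constructed sample data: one closed ticket, one never acknowledged, one stuck in containment."""
    t0 = datetime(2024, 1, 15, 9, 0)
    a = Ticket("INC-1001", t0)
    a.acknowledge("alice", t0 + timedelta(minutes=5))
    for minutes in (10, 40, 100, 120, 180):  # Detect 10m, Analysis 30m, Containment 60m, Eradication 20m, Recovery 60m
        a.advance(t0 + timedelta(minutes=minutes), "alice")
    b = Ticket("INC-1002", datetime(2024, 1, 15, 10, 0))  # nobody picked it up
    c = Ticket("INC-1003", datetime(2024, 1, 15, 13, 0))
    c.acknowledge("bob", datetime(2024, 1, 15, 13, 2))
    c.advance(datetime(2024, 1, 15, 13, 10), "bob")  # Analysis
    c.advance(datetime(2024, 1, 15, 13, 30), "bob")  # Containment, still open at REVIEW_TIME
    return [a, b, c]


if __name__ == "__main__":
    tickets = build_sample_tickets()
    print(run_escalation_checks(tickets, REVIEW_TIME))
    print(phase_report(tickets))
```

Running the module prints the escalation reasons per ticket and the per-phase means in minutes; in a real deployment the escalation check would run on a schedule and the report would be generated monthly or quarterly from the ticket store.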

Security Orchestration, Automation and Response (SOAR) solutions

The main SOAR solutions have integration with AWS Security Hub, and with AWS in general to take actions. Some focus more on the ticketing, while others focus more on the automation aspects.

Splunk SOAR (Phantom)

Splunk allows bi-directional integration with AWS Security Hub: Amazon EventBridge forwards findings into an Amazon SQS queue, from which Splunk SOAR consumes them, and Splunk SOAR uses IAM access credentials to communicate back with AWS Security Hub.
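As an added example of the consumer side of that pattern (not Splunk's or AWS's code), the block below takes the body of an SQS message as EventBridge delivers it (the EventBridge event JSON, whose detail carries Security Hub findings in ASFF), opens a ticket only for findings that are still active and in the NEW workflow state, and builds the request the SOAR would send back to Security Hub's BatchUpdateFindings API to mark the finding as NOTIFIED and note the ticket number. The event, finding ids, account id and ticket numbering are constructed sample data; the boto3 call that would actually send the request is shown in a comment rather than executed, so the block runs offline.

```python
"""Consume Security Hub findings from an EventBridge -> SQS message and build the write-back request.

Added illustration only. The event below is constructed sample data in the shape EventBridge
delivers for the "Security Hub Findings - Imported" detail type.
"""
import json
from typing import Any, Dict, List, Tuple

SAMPLE_SQS_BODY = json.dumps({
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000001",
    "detail-type": "Security Hub Findings - Imported",
    "source": "aws.securityhub",
    "account": "123456789012",
    "time": "2024-01-15T09:00:00Z",
    "region": "us-east-1",
    "detail": {"findings": [
        {   # constructed finding that should become a ticket
            "SchemaVersion": "2018-10-08",
            "Id": "arn:aws:securityhub:us-east-1:123456789012:security-control/EXAMPLE.1/finding/example-1",
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
            "AwsAccountId": "123456789012",
            "Title": "Example control: security group allows unrestricted ingress",
            "Severity": {"Label": "HIGH", "Normalized": 70},
            "Resources": [{"Type": "AwsEc2SecurityGroup", "Id": "arn:aws:ec2:us-east-1:123456789012:security-group/sg-example"}],
            "Workflow": {"Status": "NEW"},
            "RecordState": "ACTIVE",
        },
        {   # constructed finding already resolved: no ticket should be opened
            "SchemaVersion": "2018-10-08",
            "Id": "arn:aws:securityhub:us-east-1:123456789012:security-control/EXAMPLE.2/finding/example-2",
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
            "AwsAccountId": "123456789012",
            "Title": "Example control: already fixed",
            "Severity": {"Label": "MEDIUM", "Normalized": 40},
            "Resources": [],
            "Workflow": {"Status": "RESOLVED"},
            "RecordState": "ACTIVE",
        },
    ]},
})


def findings_from_sqs_body(body: str) -> List[Dict[str, Any]]:
    """Unwrap the EventBridge envelope; ignore messages that did not come from Security Hub."""
    event = json.loads(body)
    if event.get("source") != "aws.securityhub":
        return []
    return event.get("detail", {}).get("findings", [])


def should_open_ticket(finding: Dict[str, Any]) -> bool:
    """Only active findings nobody has started working on get a new ticket (avoids duplicates)."""
    return (finding.get("RecordState") == "ACTIVE"
            and finding.get("Workflow", {}).get("Status") == "NEW")


def ticket_from_finding(finding: Dict[str, Any], ticket_id: str) -> Dict[str, Any]:
    """Ticket fields an analyst needs: what, how bad, where, and the link back to the finding."""
    return {
        "ticket_id": ticket_id,
        "status": "DETECT",  # first phase of the incident response process
        "title": finding["Title"],
        "severity": finding["Severity"]["Label"],
        "account": finding["AwsAccountId"],
        "assets": [r["Id"] for r in finding.get("Resources", [])],
        "finding_id": finding["Id"],
        "product_arn": finding["ProductArn"],
    }


def workflow_update_request(finding: Dict[str, Any], ticket_id: str) -> Dict[str, Any]:
    """Request body for securityhub:BatchUpdateFindings marking the finding NOTIFIED with a note."""
    return {
        "FindingIdentifiers": [{"Id": finding["Id"], "ProductArn": finding["ProductArn"]}],
        "Workflow": {"Status": "NOTIFIED"},
        "Note": {"Text": f"Tracked in ticket {ticket_id}", "UpdatedBy": "soar-ticketing"},
    }


def process_sqs_message(body: str, next_ticket_number: int = 1) -> List[Tuple[Dict[str, Any], Dict[str, Any]]]:
    """Return (ticket, write-back request) pairs for every finding that deserves a ticket."""
    results = []
    for finding in findings_from_sqs_body(body):
        if not should_open_ticket(finding):
            continue
        ticket_id = f"INC-{next_ticket_number}"
        next_ticket_number += 1
        results.append((ticket_from_finding(finding, ticket_id), workflow_update_request(finding, ticket_id)))
        # In production: boto3.client("securityhub").batch_update_findings(**results[-1][1])
        # using credentials limited to securityhub:BatchUpdateFindings and the SQS receive/delete actions.
    return results


if __name__ == "__main__":
    for ticket, request in process_sqs_message(SAMPLE_SQS_BODY, next_ticket_number=1001):
        print(json.dumps(ticket, indent=2))
        print(json.dumps(request, indent=2))
```

The IAM credentials the SOAR holds should be scoped to exactly these operations; the write-back to Security Hub is what keeps the finding's workflow status and the ticket in sync, so an analyst looking at either side sees the same state.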

Palo Alto Networks: Cortex XSOAR

Palo Alto Cortex XSOAR offers “packs” in its marketplace, with documentation, for integration with many AWS services such as AWS Security Hub, AWS Network Firewall, AWS Lambda, Amazon Security Lake, etc.