Free and Open-Source S.O.A.R.
The longer I spend staring at Splunk, the more I wish something; anything; would happen. Sure; there is data, logs, numerous events which make my eyes bleed. But it’s not actionable; my eyes, brain, and emotions have preconditioned me to skip, avoid and eventually discard information without setting off any alarms. The tedium of my daily routine creates gaps in an otherwise “secure” environment. If only there were a way to know which events to review.
Enter Security Orchestration Automated Response (S.O.A.R.) platforms, the hotter cousin of Security Information and Event Management (SIEM) software. The 2019 and beyond buzzword for Security Operations Centers everywhere. Replacing EDR, Next-Gen A/V, Threat Intelligence, etc., as the new must-have technology stack.
SOAR platforms endeavor to remove analysis fatigue through offering Incident Response as a service. Services include Playbook Strategies, API generated alerting and response, and some form of Content Management System (CMS). The space is occupied by large vendors, including IBM, Palo-Alto, and FireEye, for your batteries included or professional services set-up.
For the rest of us, those without the overhead to support these solutions' cost, there is the FOSS community. While not set it and forget it, a somewhat niche solution set exists which supports extensive customization if you’re willing to use a little elbow grease.
The Hive Project is a handful of well-developed, open-source solution sets that host an active community of users and contributors. Future posts will the more technical aspects of this ecosystem, but for now, let us cover the why.
- It’s free — yep, zero cost outside your sanity at times; to set up and deploy the solution.
- It’s extensible — the project is a combination of python, java, and elastic-search (depending on your version). The Hive provides API wrappers in Python to import, export, or blow up the instance.
- It’s collaborative — the CMS component allows multiple analysts to work the same case concurrently; The Hive can create cases from playbooks, alerts, or ad-hoc.
- It’s automated — the solution-set supports well over 100 automated free and paid integrations. Functions include automatic submission to virus-total, email parsing for phishing, or Domain Name querying, to name a few.
- Noise Reduction — all solutions, including The Hive, add some form of noise to your identification and analysis. The platform offers more than it detracts from, in my opinion, by offering automated methodologies to run analysis and collaborate with team members.
Future articles in this series will include:
- Installation, configuration, and deployment
- The user interface, playbooks, and workflows
- API extensibility via TheHive4py
- Workflow improvement via 3rd party integrations like synapse, MISP, and Service-Now.
