Solarwinds use-case: Check Point NGFW + Siemplify SOAR: Reducing Risk and Response Time to Critical Attacks. Integration and partnership

Jon Goldman
5 min read · Feb 12, 2021


Credit for this visual goes to Dean Papa of Siemplify.

What is Siemplify?

Siemplify is a SOAR platform company and Check Point's strategic partner in the SOAR space. Siemplify was born out of the need for a better, simpler, more effective way to manage security operations. It is built by security operations experts who spent years honing their skills on the front lines of Israeli cyber intelligence agencies. Siemplify is not a SIEM but an automation platform built around playbooks and case management.

What is Security Automation?

Security automation is used to address security operations tasks without human intervention and is an important component of security orchestration.

When automation is applied, actions typically taken by a security analyst to prevent, detect and remediate cyberthreats are instead handled in a machine-led way. Many of the day-to-day processes in a SOC are repetitive and can take an unnecessary amount of time when done manually. Pair this with an ever-growing influx of alerts and a shortage of available security talent, and you have a recipe for security operations inefficiency and risk.

Security automation alleviates these challenges because it is ideal for activities that require a high amount of manual work, require fast response, happen regularly and call for a significant degree of user involvement. Automating these items greatly improves the efficiency and effectiveness of security operations and frees up analyst time for more valuable tasks.

What is Security Orchestration?

Security orchestration is the process of integrating a disparate ecosystem of SOC tools and processes to automate tasks for simpler, more effective security operations. Security operations teams typically have dozens of cybersecurity tools in place to prevent, detect and remediate threats. But if these technologies and resources aren't fully integrated into a unified ecosystem, the results are inefficiencies, heightened security risk and lower employee morale. Security orchestration solves these problems by creating harmony between processes and technologies, so that most day-to-day SOC tasks can be completed from a single console.

Check Point Software didn't have a strategic relationship with any SOAR vendor until Jeff met Amos for lunch. Many thanks to Jeff Schwartz, VP of Engineering at Check Point Software, and Amos Stern, co-founder of Siemplify, for that lunch meeting and for setting the vision. This was in late 2019; they mainly discussed a SOAR marketplace and a strategic partnership between Check Point Software and Siemplify. That is how this all started: as a field sales initiative driven by customers' need for automation.

Playbook view for a security analyst, with simple drag-and-drop options to add other vendors such as AWS, Azure, GCP and any other major security vendor.

Check Point Software has several solutions geared towards solving major SOC challenges, focused on the Cloud, Endpoint, IoT, Remote Corporate User and Data Center perimeters; more details are laid out in the diagram above.

Infinity Vision by Check Point is a unified system that provides complete visibility across a customer's enterprise and can turn that information into actionable prevention through ThreatCloud.

Check Point currently offers several SOC solutions: InfinitySOC, CloudGuard NDR, and Security Gateways for enforcement at the perimeter, whether in the cloud or in the data center. Threat intelligence feeds, IOCs and research enhancements are provided by Check Point's own ThreatCloud service.

Threat Landscape

The threat landscape keeps changing, especially with multi-stage attacks and the increase in cross-vector attacks. Following the Sunburst attack, discovered in December 2020, CISA published the top 10 areas to monitor closely.

Top 10 high-level overview of Sunburst items as of Jan 21, 2021:

1. Initial access vector
2. SolarWinds Supply Chain Compromise
3. Anti-Forensic Techniques
4. Privilege Escalation
5. User Impersonation
6. Detection: Identifying Compromised Azure/O365 Resources
7. Detection: Impossible Logins and Impossible Tokens
8. Operational Security
9. MITRE ATT&CK Techniques (19 techniques)
10. Mitigations

Sample of how Sunburst malicious traffic could be identified with the Check Point NGFW solution, using egress and ingress traffic patterns.

This detection and response could be automated at scale with Siemplify SOAR playbooks.

The SOAR architecture is depicted at a high level below. Logs are ingested through the SOAR's connector, then an ML-based engine sorts them through case-centric logic and stitches together all the artifacts: malware family, verdict, IOC severity, IPS CVE signature if one exists, and the type of attack (HTTP or application-based). Everything related to one attack is tied together into a single case, based on the playbook set up within the SOAR platform.

Enforcement happens on Check Point Security Gateways (firewalls), on either inbound or outbound traffic depending on which portion of the kill chain the activity fits, as shown below.

This is a step-by-step visual of a playbook that is focused on mitigating SolarWinds based malicious attack.

Once the playbook is deployed, it triggers API calls to each of the relevant solutions, gets a verdict for the IOC along with sandboxing results, and attaches that information to the case. There is sophisticated logic behind this, and it is unique to the Siemplify and Check Point integration.
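The ingestion, case-stitching, enrichment and enforcement flow described above, modelled as a small Python pipeline. This is an added example, not Siemplify's or Check Point's own code, and it makes no API calls: the `THREAT_INTEL` table stands in for ThreatCloud and sandbox verdicts, the `SAMPLE_LOGS` lines are constructed gateway-style records (one JSON object per line, including one malformed line to show the connector skipping it), and every IP, domain, malware-family name and CVE string is a placeholder. Events that share an external indicator are stitched into one case, each known IOC gets its verdict, severity, family and IPS signature attached as an artifact, and malicious IOCs produce a block recommendation for the inbound or outbound side of the gateway depending on the direction in which they were seen.

```python
# Added example, not Siemplify's or Check Point's own code. THREAT_INTEL stands in
# for ThreatCloud / sandbox verdicts; SAMPLE_LOGS are constructed connector records.
# All IPs, domains, malware-family names and CVE ids below are placeholders.
import json
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

THREAT_INTEL = {
    "203.0.113.10": {"verdict": "malicious", "severity": "high",
                     "family": "ExampleBackdoor", "ips_signature": None},
    "malicious.example": {"verdict": "malicious", "severity": "critical",
                          "family": "ExampleBackdoor", "ips_signature": None},
    "198.51.100.7": {"verdict": "suspicious", "severity": "medium",
                     "family": None, "ips_signature": "CVE-XXXX-XXXX (placeholder)"},
}

SAMPLE_LOGS = [
    '{"time":"2021-01-21T10:00:01Z","src":"10.0.0.5","dst":"203.0.113.10","direction":"outbound","app":"https","blade":"Anti-Bot"}',
    '{"time":"2021-01-21T10:00:02Z","src":"10.0.0.5","dst":"203.0.113.10","domain":"malicious.example","direction":"outbound","app":"dns","blade":"Anti-Bot"}',
    '{"time":"2021-01-21T10:05:00Z","src":"198.51.100.7","dst":"10.0.0.20","direction":"inbound","app":"http","blade":"IPS"}',
    'not json at all',
    '{"time":"2021-01-21T10:07:30Z","src":"10.0.0.9","dst":"203.0.113.10","direction":"outbound","app":"https","blade":"Anti-Bot"}',
    '{"time":"2021-01-21T10:09:00Z","src":"10.0.0.5","dst":"192.0.2.50","direction":"outbound","app":"https","blade":"URL Filtering"}',
]

@dataclass
class Case:
    case_id: int
    indicators: set = field(default_factory=set)   # external IOCs seen in this case
    events: list = field(default_factory=list)     # raw events stitched together
    artifacts: list = field(default_factory=list)  # enrichment results, one per known IOC
    enforcement: list = field(default_factory=list)

def connector(lines):
    """Parse connector output; a malformed line is skipped instead of breaking ingestion."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def external_indicators(ev):
    """The external side of the flow is the pivot: dst (plus domain) for outbound, src for inbound."""
    ind = {ev["dst"]} if ev["direction"] == "outbound" else {ev["src"]}
    if ev.get("domain"):
        ind.add(ev["domain"])
    return ind

def stitch(events):
    """One case per attack: events sharing any external indicator land in the same case."""
    cases = []
    for ev in events:
        ind = external_indicators(ev)
        matching = [c for c in cases if c.indicators & ind]
        if not matching:
            case = Case(case_id=len(cases) + 1)
            cases.append(case)
        else:
            case = matching[0]
            for other in matching[1:]:  # an event that bridges two cases merges them
                case.indicators |= other.indicators
                case.events += other.events
                cases.remove(other)
        case.indicators |= ind
        case.events.append(ev)
    return cases

def enrich(case):
    """Attach verdict, severity, malware family and IPS signature for every known IOC."""
    for ioc in sorted(case.indicators):
        intel = THREAT_INTEL.get(ioc)
        if intel is not None:
            case.artifacts.append({"ioc": ioc, **intel})
    return case

def case_severity(case):
    """Case severity is the worst severity among its artifacts ('none' if nothing matched)."""
    if not case.artifacts:
        return "none"
    return max((a["severity"] for a in case.artifacts), key=SEVERITY_RANK.__getitem__)

def recommend_enforcement(case):
    """Block malicious IOCs on the gateway side matching the direction they were seen in."""
    seen = set()  # suspicious-only artifacts get no block; they stay in the case for review
    for art in (a for a in case.artifacts if a["verdict"] == "malicious"):
        for ev in case.events:
            key = (art["ioc"], ev["direction"])
            if art["ioc"] in external_indicators(ev) and key not in seen:
                seen.add(key)
                case.enforcement.append({"block": art["ioc"], "gateway_side": ev["direction"],
                                         "reason": f"{art['family']} ({art['severity']})"})
    return case

def run_pipeline(lines):
    cases = stitch(connector(lines))
    for case in cases:
        recommend_enforcement(enrich(case))
    return cases

if __name__ == "__main__":
    print(*(f"case {c.case_id}: {case_severity(c)} {c.enforcement}" for c in run_pipeline(SAMPLE_LOGS)), sep="\n")
```

Running `run_pipeline(SAMPLE_LOGS)` yields three cases: the three outbound events to the same placeholder C2 address (from two different internal hosts, plus its DNS lookup) are stitched into one critical case with two outbound block recommendations, the inbound IPS hit becomes a medium case that is enriched but not blocked because its verdict is only suspicious, and the unknown destination becomes a case with no artifacts at all. Pivoting on the external side of the flow, rather than on the internal host, is what lets the engine tie a second victim to an existing case; a real playbook would replace the in-memory table with ThreatCloud and sandbox lookups and push the block list to the gateway.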

GUI of the Siemplify platform, with a visual view of a case showing its playbook and insights into the types of threats it is associated with.

These are some of the obvious questions any SOC analyst would ask during an investigation.

If you are interested in testing this in your own lab or SaaS instance, use the barcode below to register for the Community version of Siemplify:


Written by Jon Goldman

Cloud Security, Automation, DevOps, AWS, Azure, GCP
