Master's Project Report, Information Security, 2022, Universidade de Lisboa, Faculdade de Ciências

Information security is a must-have for any organization that wants to stay relevant and
grow; it plays an important role as a business enabler, be it from a regulatory perspective
or a reputation perspective. Having the people, processes, and technology to resolve the ever-growing
number of security incidents as fast as possible and with the least amount of
impact is a challenge for small and large companies alike.
To address this challenge, companies started investing in Security Orchestration, Automation, and Response (SOAR) [39, 68, 70]. Security orchestration is the planning,
integration, cooperation, and coordination of the activities of security tools and experts to
produce and automate the required actions in response to any security incident across multiple technology paradigms [40]. In other words, SOAR is a way to translate the
manual procedures followed by security analysts into automated actions, making the
process faster and more scalable while saving on the human-resources budget.
This project proposes a low-cost, cloud-native SOAR platform based on serverless computing, presenting the underlying details of its design. The performance of the
proposed solution was evaluated on 364 real-world incidents related to 11 use cases
in a large multinational enterprise. The results show that the solution is able to decrease
the duration of the tasks by an average of 98.81% while having an operating expense of
less than $65/month.
Prior to the SOAR, it took the analyst 75.84 hours to perform the manual tasks related
to the 11 use cases. Additionally, an estimated 450 hours of the analyst's time would have been
needed to run the Update threat intelligence database use case. After the SOAR, the same
tasks were run automatically in 31.2 minutes, and the Update threat intelligence database
use case ran 9,000 times in 5.3 hours.