
3 Workflows To Combat Rising Identity Threats with SpyCloud + Your SOAR

People – employees, third-party vendors, and customers – and their expansive digital identities have exponentially multiplied entry points for attacks on organizations. The average person has four unique usernames or email addresses exposed on the dark web, along with countless amounts of related information that can open up unauthorized access to your network and systems.

Due to the scale of this exposure, automation is an essential component of today’s cybersecurity workflows, but it alone doesn’t fully shield employees from next-generation identity threats. And in some cases, automation may not even be the best course of action, especially in risky situations where nuanced decision-making is critical.

As SOAR tools evolve, they sometimes emphasize automation over orchestration. However, preventing unauthorized access to your networks and systems requires a balance of both components. SpyCloud makes sure that your security teams are not only alerted when employees are compromised, but can also respond appropriately with their preferred tools.

In this blog, we’ll explore how SpyCloud’s cybercrime analytics and enriched employee records integrate with your SOAR platform – like Tines, Microsoft Sentinel, Palo Alto Cortex XSOAR, and more – in workflows that help you detect, respond to, and remediate compromised employee identities.

How SpyCloud supports your incident response

Many threat intelligence vendors provide feeds indicating potential compromised identities, but the challenge for many teams lies in verifying those alerts and assessing the actual extent of an exposure.

SpyCloud’s role in combating identity threats

SpyCloud simplifies this process by automatically correlating all recaptured data from breaches, successful phishes, and malware infections to map out the larger picture of a compromised employee identity for you. The result is definitive evidence of compromise you can act on.

Integrating SpyCloud with your SOAR Platform

SpyCloud offers a growing number of native, out-of-the-box integrations, free with your existing Enterprise Protection license. These include top SOAR vendors such as:

SpyCloud’s native integrations can be installed directly from the respective SOAR platform’s marketplace. Each integration includes enrichment commands and workflow playbooks designed to prevent next-generation identity threats. SpyCloud’s enriched and deduplicated analytics are pushed daily to your SOAR platform, ensuring little noise or false positives when raising an alert for compromise.

SpyCloud’s enriched breach and malware records also give your team a holistic view into the exposed employee identity – not just a username or password – but a comprehensive view of all exposed data assets and PII that can be used for unauthorized access, extending to compromised credentials and active session cookies, even for SaaS apps outside your domain.

Workflows for combating identity threats

Now that we’ve covered how SpyCloud contributes to your incident response, let’s explore three common integration workflows:

01. Data enrichment for incident prioritization

02. Identity exposure response

03. Continuous identity monitoring

SOAR workflow #1: Data enrichment for incident prioritization

SpyCloud automatically creates high-priority incidents in your SOAR for new data from breaches, malware-infected devices, and successful phishes, making it easy to correlate with other employee records through direct API integrations or SIEM integrations. This ensures that the alerts you see in tools like Microsoft Sentinel or Palo Alto Cortex XSOAR are based on evidence of compromise that is both relevant and timely.

SpyCloud’s data provides many contextual clues about the breach or malware infection within each field, including the date, targeted application, and severity. Exposed PII and even plain-text passwords will appear so you can quickly triage. Additional context surrounding infostealer malware records – like the infected time and infected path – help your team identify affected employees or devices.

Most integrations offer enrichment packages, meaning you can query SpyCloud’s APIs for additional information needed to fully remediate and isolate incidents. The most common enrichment commands include pulling in the IP address, domain, and more information about the infected device itself.

Some enrichment commands within Palo Alto Cortex XSOAR that help your response include:

Email Enrichment:

Fetch breach records associated with the email address from SpyCloud to add more context:

!spycloud-get-breach-records indicator_type="email" indicator_value="${incident.email_address}"

Extracting Additional Information:

Query other attributes such as IP addresses, domains, and usernames involved in the incident:

!spycloud-get-compromised-usernames indicator_type="username" indicator_value="${incident.username}"

Associated Malware Data:

Query machine IDs or associated malware data to help with post-infection remediation:

!spycloud-get-malware-records indicator_type="machine_id" indicator_value="${incident.machine_id}"

Generate Incident Reports:

Use DBot commands to generate detailed reports of the incident using SpyCloud’s enriched dataset:

!create-report type="PDF" title="Malware Incident Report" data="Incident details, enriched data, remediation steps"

Leverage Palo Alto Cortex XSOAR’s enrichment commands to query SpyCloud’s database to add depth to your response and make more informed decisions.

SOAR workflow #2: Identity exposure response

Responding to high-severity breaches or malware infections requires different approaches. Breach response is about speed, and malware remediation is about mapping out the larger attack landscape for potential unauthorized access to your network and SaaS applications.

To address each nuanced remediation path, SpyCloud provides sample automation workflow playbooks within each integration. These playbooks range from responding to exposed plaintext passwords from a breach to checks for the breadth of malware infections, ensuring that the proper actions are initiated within your response and ITSM tools. They also can trigger internal notifications via Slack or Teams to alert and collaborate with other employees.
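The two response paths described above, sketched as an added example (not SpyCloud's playbook code or schema): the record fields, action names, and PBKDF2 directory verifier are assumptions, and the sample records are constructed. Breach records get an automated password-in-use check, while malware records are grouped by infected machine and anything outside the corporate domain is handed to an analyst.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Field and action names are hypothetical, not SpyCloud's schema or playbooks.
@dataclass
class Exposure:
    kind: str                         # "breach" or "malware"
    email: str
    plaintext: Optional[str] = None   # exposed plaintext password, if any
    machine_id: Optional[str] = None  # infected device (malware records)
    targets: list = field(default_factory=list)  # apps whose logins were stolen

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def password_in_use(rec: Exposure, directory: dict) -> bool:
    """Compare the exposed password with the stored verifier; never log it."""
    entry = directory.get(rec.email)
    if entry is None or rec.plaintext is None:
        return False
    salt, verifier = entry
    return hmac.compare_digest(pw_hash(rec.plaintext, salt), verifier)

def plan_response(rec: Exposure, records: list, directory: dict, corp: str) -> dict:
    if rec.kind == "breach":
        # Breach path is about speed: reset only if the password is still live.
        if password_in_use(rec, directory):
            return {"auto": ["force_password_reset", "notify_user"], "analyst": []}
        return {"auto": ["close_as_stale"], "analyst": []}
    # Malware path: map everything stolen from the same infected machine.
    related = [r for r in records if r.kind == "malware" and r.machine_id == rec.machine_id]
    targets = sorted({t for r in related for t in r.targets})
    external = [t for t in targets if t != corp and not t.endswith("." + corp)]
    return {"auto": ["revoke_sessions", "force_password_reset"],
            "analyst": [f"review access to {t}" for t in external],
            "users": sorted({r.email for r in related})}

# Constructed sample data.
SALT = b"constructed-salt"
DIRECTORY = {"alice@example.com": (SALT, pw_hash("Winter2024!", SALT)),
             "bob@example.com": (SALT, pw_hash("rotated-already", SALT))}
RECORDS = [
    Exposure("breach", "alice@example.com", plaintext="Winter2024!"),
    Exposure("breach", "bob@example.com", plaintext="OldPass1"),
    Exposure("malware", "carol@example.com", machine_id="m-01", targets=["sso.example.com"]),
    Exposure("malware", "carol@gmail.example", machine_id="m-01", targets=["crm.saas.test"]),
]
```
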

Responding to high-severity breaches

SpyCloud streamlines a timely response to high-severity breaches with:

SpyCloud’s sample playbook in MS Sentinel checks for compromised passwords in use, helping to prevent employee account takeover

Malware exposure remediation

For malware-infected devices and employees, SpyCloud delivers SOAR playbooks to help you decide the appropriate response for SOC analysts to take action with better information:

SpyCloud’s malware remediation playbook within MS Sentinel runs the necessary checks to enrich the incident for your SOC analysts


SOAR workflow #3: Continuous identity exposure monitoring

Organizations need to continuously monitor for and remediate employee identity exposures – otherwise, bad actors can bypass your authentication systems, even MFA. SpyCloud monitors for identity exposures and detects new signs of compromise around the clock so you can understand how your identities, devices, and access are perceived by criminals on the darknet.

These insights from SpyCloud integrate with your SOAR to create comprehensive incident response cases, visualizing the full breadth of infections, identifying unauthorized access to applications, and facilitating appropriate communication to prevent next-generation identity threats.

“SpyCloud is an invaluable tool that reduces administrative overhead in resetting consumer or employee accounts if they are detected on the darkweb…It’s reliable, the time to integrate and onboard is easy and simple, and it just works.”

– LendingTree Security Operations Manager

SpyCloud saves LendingTree 60% of the SOC team’s time and resources with actionable data and automation.

How SpyCloud data supports a Continuous Zero Trust approach

These insights also support organizations on the path to Continuous Zero Trust. With SpyCloud, you’ll augment your static device elements with knowledge of what criminals know about your employees. With this timely identity information feeding your Zero Trust policy engine, you can continuously validate each user and device to make sure they’re not compromised.

Next-gen attack prevention with optimized SOAR workflows

What makes high-performing SOC teams stand out? They equip even the least experienced analyst with the best information, enabling them to make the smartest decisions quickly. This approach reduces decision fatigue and speeds up remediation times, effectively combating targeted cyberattacks.

Protecting employee identities from next-generation identity threats requires more than just automation – it necessitates a strategic blend of automation and orchestration, enriched with actionable intelligence.

For teams who want to leverage automation, but don’t feel like they have the time or dedicated resources to do it, SpyCloud can also build and maintain automation workflows for you with SpyCloud Connect.

SpyCloud’s integrations with leading SOAR tools enable your security team to respond quickly and effectively to identity threats. By combining continuous detection of exposed identities with comprehensive incident response and integrating within your existing security tools and workflows, SpyCloud gives you the upper hand.

Protect employee identities from next-gen threats by orchestrating and automating your response with native SpyCloud integrations.
