Design and Generation of a Set of Declarative APIs for Security Orchestration

The emerging threat landscape causes continuous change in the Incident Response Process (IRP) and security tools of security orchestration platforms (SOAR). Users of such platforms often struggle to adapt to these changes because they are addressed in an ad-hoc manner through a complex architecture. The complex design of the SOAR can be hidden behind an easy-to-use user interface. This article introduces a Declarative API (DAPI)-driven Orchestration approach, DecOr, that alleviates the need for security teams' detailed understanding of the libraries and plugins to address the changes of a SOAR. DecOr comprises 1) three sets of dAPIs to encapsulate the activities of security orchestration and 2) a semantic framework to support the design and generation of dAPIs from task descriptions, leveraging natural language processing techniques. The dAPIs are mapped with an ontological knowledge base to execute IRPs. We experimentally evaluate the effectiveness and efficiency of DecOr based on 147 task and dAPI pairs, curated from real-world playbooks. We show the end-to-end process from identifying dAPIs to executing 48 IRPs with seven security tools. The evaluation results show, DecOr accurately generates dAPIs in near real-time, with precision and recall values over 80% and successfully executes changing IRPs 93% of the time.