What is SOAR in cyber security?
SOAR (Security Orchestration, Automation and Response) refers to the combination of three different technologies: security orchestration and automation, security incident response platforms (SIRP) and threat intelligence platforms (TIP).
SOAR security technologies allow organisations to collect and aggregate vast amounts of security data and alerts from a multitude of sources. This enables them to build automated processes to respond more effectively to low-level security events and standardise threat detection and remediation procedures.
SOAR enables businesses to significantly improve their ability to swiftly detect and respond to attacks. In this article, we outline what SOAR security includes, its benefits for business and the potential challenges associated with it.
What is the purpose of SOAR?
SOAR refers to technologies that enable organisations to collect data about security threats and respond to security events with little or no human assistance. This helps to significantly reduce the pressure on security operations teams. SOAR counteracts a number of key challenges these teams face, including:
- Ensuring that all systems are working in alignment while maintaining speed and efficiency
- Obtaining and correlating the necessary data to separate genuine threats from false positives
- Coordinating appropriate response measures to remediate threats
SOAR security alleviates all of these challenges by significantly improving efficiency. It provides a standardised process for data aggregation to assist human and machine-led analysis and automates detection and response processes to help reduce alert fatigue, allowing analysts to focus on the tasks that require deeper human analysis and intervention. As a result, an increasing number of organisations are turning to SOAR to help improve their cyber security posture.
What is included in SOAR?
The term was initially coined by the research firm Gartner, and includes three core capabilities:
Security incident response
Technologies that enable the management, tracking and coordination of incident response, helping to support workflows that are both repeatable and scalable.
Threat intelligence data enrichment
Threat and vulnerability management technologies help remediate vulnerabilities, allowing organisations to take faster and more informed action against threats, increasing prioritisation and helping to confirm the resolution of incidents.
Security controls automation and orchestration
Security orchestration and automation technologies help to connect and streamline various tools and support the automation and orchestration of workflows, processes and reporting.
Maximising SOAR: Example Use Cases
Common use cases for SOAR security include:
- A high volume of manual security processes, creating the need for automation
- Additional support with incident response required by the in-house security team
- Assessing and responding to high volumes of phishing emails
- Querying certificate management tools to identify expiring certs
- Automating the isolation of infected machines
- Streamlining SOC case management when multiple solutions are in use
In the face of ever-evolving threats, a shortage of qualified security personnel and the necessity to manage and monitor growing IT estates, SOAR helps businesses of all sizes to improve their ability to swiftly detect and respond to attacks. It achieves this by:
1. Delivering a higher standard of intelligence
Tackling increasingly sophisticated cyber security threats demands an in-depth understanding of attackers’ tactics, techniques and procedures (TTPs), as well as the ability to identify indicators of compromise (IOCs). SOAR enables SOCs to become more intelligence-driven by allowing them to aggregate and validate data from a wide range of sources.
These can include threat intelligence platforms, exchanges and security technologies such as firewalls, intrusion detection systems, security information and event management (SIEM) and user and entity behavior analytics (UEBA). By doing this, SOAR allows security teams to more easily contextualise incidents, make better informed decisions and accelerate incident detection and response.
2. Enhancing operational efficiency
Security personnel are under increasing pressure due to the requirement to manage many different technologies. As well as the constant monitoring involved in ensuring the consistent performance of systems, the thousands of daily alarms they generate can also lead to alert fatigue.
SOAR solutions allow security operations centres (SOCs) to automate and semi-automate many of their routine tasks. SOAR tools significantly reduce the need for SOC teams to switch from one technology to another because they present intelligence and controls through a single pane of glass and utilise AI and machine learning.
SOAR security solutions also have the capacity to ensure that processes are handled more efficiently, improving organisations’ productivity without them having to recruit more personnel. As a result, a key benefit of SOAR is that it helps security staff to work smarter rather than harder.
3. Accelerating incident response
Rapid response is a vital aspect of minimising the risk of breaches and limiting the significant damage and disruption they can cause. By enabling security alerts to be qualified and remediated in minutes, rather than days, weeks or months, SOAR enables organisations to reduce mean time to detect (MTTD) and mean time to respond (MTTR).
SOAR also allows security teams to automate incident response procedures (known as playbooks). The types of automated responses it can help with could include blocking an IP address on a firewall or IDS system, suspending user accounts or quarantining infected endpoints from a network.
4. Streamlining reporting and knowledge capture
In many cyber security operations centres, frontline employees spend a disproportionate amount of time managing cases, creating reports and documenting incident response procedures.
SOAR helps organisations to reduce this type of paperwork whilst improving communication between the C-suite and the frontline as it aggregates intelligence from a wide range of sources and presents it via custom-built dashboards.
Performing tasks faster equals better time to resolution. This is vital because the longer threats go unaddressed, the greater the chance of damage and disruption.
SOAR vs SIEM – what’s the difference?
SOAR and SIEM tools are designed to address the same problem: the high volume of security-related information and events within organisations.
However, while SOAR platforms incorporate data collection, case management, standardisation, workflow and analysis, SIEMs analyse log data from different IT systems to search for security issues and alert engineers.
While alerts can be organised and categorised in SIEM, the actual investigation must be done manually. For example, in the event of suspicious activity being detected, SIEM only sends an alert to the IT team. With SOAR, the investigation path is automated, taking away the added burden of manual investigations and reducing the amount of time taken to handle alerts.
While both aggregate data, SOAR has a wider scope and reaches a more varied set of data sources. Their complementary nature means that the two solutions can work in conjunction with each other, with the SIEM solution detecting the potential security incidents and triggering the alerts and the SOAR solution responding to these alerts, triaging the data and taking remediation steps where required. With SIEM platforms integrating SOAR-like functionality to increase response, SOAR can add significant value to an existing SIEM solution.
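The playbook flow described above (SIEM raises the alert, SOAR enriches, triages and remediates, with actions such as blocking an IP, suspending a user or quarantining a host), as an added example that is not Kroll's code or any vendor's product. The alerts, IP addresses, host names and the threat-intelligence feed are all constructed, and the gating of protected hosts behind analyst approval is an assumed policy that illustrates the "over-reliance on automation" pitfall discussed later.

```python
# Added example: a minimal SOAR-style playbook over a constructed SIEM alert.
# Step 1 enriches from a TIP feed, step 2 triages, step 3 selects the response.
from dataclasses import dataclass, field

TIP_FEED = {  # constructed stand-in for a threat-intelligence platform lookup
    "203.0.113.7": {"malicious": True},
    "198.51.100.9": {"malicious": False}}
PROTECTED_HOSTS = {"dc01"}  # assumed policy: isolation needs analyst sign-off

@dataclass
class Alert:          # the fields a SIEM alert is assumed to carry
    kind: str         # e.g. "phishing", "beacon"
    src_ip: str
    host: str
    user: str

@dataclass
class Outcome:
    severity: str = "low"
    actions: list = field(default_factory=list)
    needs_approval: bool = False
    enrichment: dict = field(default_factory=dict)

def enrich(alert: Alert) -> dict:
    """Step 1: attach TIP context; None means the feed has no verdict."""
    intel = TIP_FEED.get(alert.src_ip, {"malicious": None})
    return {"ip_malicious": intel["malicious"]}

def triage(enrichment: dict) -> str:
    """Step 2: score; unknown IPs stay 'medium' so an analyst reviews them."""
    flag = enrichment["ip_malicious"]
    return "high" if flag is True else ("medium" if flag is None else "low")

def run_playbook(alert: Alert) -> Outcome:
    """Step 3: map severity to actions; protected hosts are not auto-isolated."""
    out = Outcome(enrichment=enrich(alert))
    out.severity = triage(out.enrichment)
    if out.severity == "high":
        out.actions.append(f"firewall_block {alert.src_ip}")
        if alert.kind == "phishing":
            out.actions.append(f"suspend_user {alert.user}")
        if alert.host in PROTECTED_HOSTS:
            out.needs_approval = True  # analyst confirms before quarantine
        else:
            out.actions.append(f"quarantine_host {alert.host}")
    elif out.severity == "medium":
        out.actions.append("open_case")  # hand to analyst, no auto-remediation
    else:
        out.actions.append("close_false_positive")
    return out
```

Each Outcome keeps the enrichment that drove the decision, which is the audit trail a SOC needs when reviewing why a playbook acted.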
Gartner pointed out that the main obstacle to the adoption of SOAR security continues to be the lack, or low maturity, of processes and procedures within SOC teams. This is why it is vital to gain expert advice when planning to implement SOAR. Other key pitfalls associated with the implementation of SOAR are:
Unrealistic expectations: SOAR is not a silver bullet for addressing all security challenges. Without setting clearly defined use cases and realistic goals, organisations are at risk when implementing SOAR.
Integration issues: A key challenge associated with implementing SOAR is the ability to effectively integrate the tools and technologies required for security monitoring and incident response. Because these tools will vary in terms of data formats, APIs, or protocols, information sharing and automating workflows can be complex and time-consuming.
Over-reliance on automation: It is vital not to rely solely on the playbooks and processes initially set up in SOAR. Companies should apply up-to-date security expertise to ensure that their SOAR is continually ready to respond effectively to new types of threats.
Unclear metrics: Failure to clearly define their parameters for success can leave organisations at risk of failing to gain the results they need from SOAR. This means it is important to understand the full breadth of what they are trying to automate.
Limited in-house expertise: While SOAR helps to reduce the burden on in-house teams in the medium and long term, it demands a maturity level that requires SOCs to have specific types of skills and capabilities to ensure a timely and effective implementation.
How Kroll can help
Kroll Responder, Kroll’s outcome-focused Managed Detection and Response (MDR) service, integrates the latest detection technologies and intelligence, plus a team of cyber offensive security professionals to provide the hunting capability needed to proactively detect threats. Our experienced Red and Blue Team security professionals have a deep knowledge of offensive security and apply this knowledge to help better identify unknown threats.
By utilising our offensive security expertise alongside our collective knowledge of the latest network and endpoint tools, we optimise systems to reduce false positives, set correlation rules and watchlists to detect new patterns of anomalous behaviour and create and develop incident response playbooks.