What is SOAR?
SOAR (Security Orchestration, Automation and Response) is a term used to describe the convergence of three distinct technology markets: security orchestration and automation, security incident response platforms (SIRP), and threat intelligence platforms (TIP).
SOAR technologies enable organisations to collect and aggregate vast amounts of security data and alerts from a wide range of sources. This helps to build automated processes to respond to low-level security events and standardise threat detection and remediation procedures.
The term was initially coined by the research firm Gartner, who have since outlined three core capabilities of SOAR technologies:
- Threat and vulnerability management
- Security incident response
- Security operations automation
What is the purpose of SOAR?
Working in security operations can be a constant battle. Speed and efficiency are vital, but ensuring all your systems work in harmony is easier said than done. Analysts can often find themselves weighed down with alerts from disparate systems, and obtaining and correlating the necessary data to separate genuine threats from false positives can be an onerous task. Coordinating appropriate response measures to remediate those threats is another challenge entirely.
The purpose of SOAR is to alleviate these challenges by improving efficiency. A standardised process for data aggregation assists human and machine-led analysis, and the automation of detection and response processes helps to reduce alert fatigue, allowing analysts to focus on the tasks that require deeper human analysis and intervention.
An increasing number of organisations are turning to SOAR to help improve their cyber security posture. By the end of 2020, 15% of organisations with a security team larger than five people will leverage SOAR, up from 1% in 2018.
Benefits of SOAR
In the face of ever-evolving and disruptive threats, a shortage of qualified security personnel and the need to manage and monitor growing IT estates, SOAR is helping businesses of all sizes to improve their ability to swiftly detect and respond to attacks. It supports cyber security needs by:
1. Delivering better quality intelligence
Tackling the latest sophisticated cyber security threats requires an in-depth understanding of attackers’ tactics, techniques and procedures (TTPs) and an ability to identify indicators of compromise (IOCs). By aggregating and validating data from a wide range of sources, including threat intelligence platforms, exchanges and security technologies such as firewalls, intrusion detection systems, SIEM and UEBA technologies, SOAR helps SOCs to become more intelligence-driven. The effect of this is that security personnel are able to contextualise incidents, make better informed decisions and accelerate incident detection and response.
2. Improving the efficiency and efficacy of operations
The need to manage so many disparate security technologies can place a huge strain on security personnel. Not only are systems in need of constant monitoring to ensure their ongoing health and performance, but the thousands of daily alarms they generate can also lead to alert fatigue. Constant switching between multiple systems only makes the situation worse, costing teams time and effort, as well as elevating the risk of mistakes being made.
SOAR solutions help CSOCs automate and semi-automate some of the day-to-day and mundane tasks of security operations. By presenting intelligence and controls through a single pane of glass and utilising AI and machine learning, SOAR tools can significantly reduce the need for SOC teams to perform ‘context switching’. They can also help to ensure processes are handled more efficiently and improve organisations’ productivity and capacity to address more incidents without needing to hire more personnel. A key goal of SOAR is to help security staff work smarter rather than harder.
3. Enhancing incident response
To minimise the risk of breaches and limit the vast damage and disruption they can cause, rapid response is vital. SOAR helps organisations to reduce mean time to detect (MTTD) and mean time to respond (MTTR) by enabling security alerts to be qualified and remediated in minutes, rather than days, weeks or months.
SOAR also enables security teams to automate incident response procedures (known as playbooks). Automated responses could include blocking an IP address on a firewall or IDS system, suspending user accounts or quarantining infected endpoints from a network.
4. Streamlining reporting and knowledge capture
In many cyber security operations centres, frontline workers can spend a disproportionate amount of time managing cases, journaling, creating reports and documenting incident response procedures. By aggregating intelligence from a wide range of sources and presenting this information via visual, custom-built dashboards, SOAR can help organisations to reduce paperwork whilst improving communication between the C-suite and the frontline.
By automating tasks and procedures, SOAR also helps to codify knowledge and avoid loss of institutional memory, something that can happen all too easily given the difficulty organisations face in retaining security talent.
Performing tasks faster means better time to resolution. The longer threats go unaddressed, the greater the chance of damage and disruption.
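The playbook pattern described under "Enhancing incident response" above, as an added illustration that is not Redscan's or any SOAR product's code: a constructed alert is enriched against a constructed threat-intelligence list, the response actions named in the text (block an IP, suspend a user, quarantine an endpoint) are derived from that context, and only actions the SOC has pre-approved for automation are executed, with the rest queued for analyst review. All names, addresses and thresholds are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed threat-intel feed (TEST-NET addresses) and internal range; in a real
# SOAR these would be pulled from the TIP and asset inventory integrations.
KNOWN_BAD_IPS = {"203.0.113.45", "198.51.100.7"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
BRUTE_FORCE_THRESHOLD = 10            # assumed tuning value for the playbook

# Actions the SOC has agreed may run without a human in the loop (assumption).
AUTO_APPROVED = {"block_ip"}


@dataclass
class Alert:
    host: str          # internal endpoint that raised the alert
    src_ip: str        # its own address
    dst_ip: str        # remote address it contacted
    user: str          # account involved
    failed_logins: int # recent failed logins for that account


def enrich(alert: Alert) -> dict:
    """Aggregate context from several sources into one view of the alert."""
    return {
        "ti_hit": alert.dst_ip in KNOWN_BAD_IPS,
        "internal_source": ipaddress.ip_address(alert.src_ip) in INTERNAL_NET,
        "brute_force": alert.failed_logins >= BRUTE_FORCE_THRESHOLD,
    }


def decide(alert: Alert, ctx: dict) -> list:
    """Map enriched context to (action, target) pairs; no side effects here."""
    actions = []
    if ctx["ti_hit"]:
        actions.append(("block_ip", alert.dst_ip))          # stop further contact
        actions.append(("quarantine_host", alert.host))     # isolate the endpoint
    if ctx["brute_force"]:
        actions.append(("suspend_user", alert.user))        # contain credential abuse
    return actions


def run_playbook(alert: Alert) -> dict:
    """Execute pre-approved actions; queue disruptive ones for an analyst."""
    ctx = enrich(alert)
    executed, pending = [], []
    for action in decide(alert, ctx):
        (executed if action[0] in AUTO_APPROVED else pending).append(action)
    # The returned case record is what feeds dashboards and reporting.
    return {"host": alert.host, "context": ctx,
            "executed": executed, "pending_review": pending}
```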
How Redscan is embracing SOAR
Continuously improving the quality and effectiveness of our services is a key focus for Redscan. By working closely with clients to fully understand their security needs, we not only help organisations to capture, aggregate and validate a wider range of intelligence across their on-premise, cloud and hybrid environments, we help them make more sense of it too. We do this by generating actionable outputs that enhance threat detection and response capabilities.
By utilising our offensive security expertise, alongside our collective knowledge of the latest network and endpoint tools, we optimise systems to reduce false positives, set correlation rules and watchlists to detect new patterns of anomalous behaviour and create and develop incident response playbooks.
CyberOps™, our proprietary threat management platform, is built to integrate with a large number of security technologies. This helps us to leverage an extensive range of telemetry, centralise workflows and improve multi-stakeholder and compliance reporting.
Improving the efficiency of our Security Operations Centre through automation enables us to reduce manual workloads, improve visibility, perform proactive threat hunting and validate detection and response technologies and processes.