What is SOAR?
SOAR (Security Orchestration, Automation and Response) refers to the convergence of three distinct technology markets: security orchestration and automation, security incident response platforms (SIRP) and threat intelligence platforms (TIP).
SOAR technologies enable organisations to collect and aggregate vast amounts of security data and alerts from a wide range of sources. This helps to build automated processes to respond to low-level security events and standardise threat detection and remediation procedures.
The term was initially coined by the research firm Gartner, who have since outlined three core capabilities of SOAR technologies:
- Incident response workflow
- Data enrichment
- Security controls automation
What is the purpose of SOAR?
Working in security operations can be a constant struggle. Speed and efficiency are vital, but it can be challenging to ensure that all your systems are working in harmony. Analysts are frequently overwhelmed by the volume of alerts from disparate systems. Obtaining and correlating the necessary data to separate genuine threats from false positives can be an onerous task. Coordinating appropriate response measures to remediate those threats is yet another challenge.
The purpose of SOAR security is to alleviate all of these challenges by improving efficiency. It provides a standardised process for data aggregation to assist human and machine-led analysis and automates detection and response processes to help reduce alert fatigue, allowing analysts to focus on the tasks that require deeper human analysis and intervention.
An increasing number of organisations are turning to SOAR to help improve their cyber security posture.
SOAR use cases
Common use cases for SOAR security include:
- A high volume of manual security processes, creating the need for automation
- Additional support with incident response required by the in-house security team
- Assessing and responding to phishing emails
- Multiple cyber security tools and solutions in use
Benefits of SOAR
In the face of ever-evolving threats, a shortage of qualified security personnel and the need to manage and monitor growing IT estates, SOAR is helping businesses of all sizes to improve their ability to swiftly detect and respond to attacks. It supports cyber security needs by:
1. Delivering better quality intelligence
Tackling increasingly sophisticated cyber security threats requires an in-depth understanding of attackers’ tactics, techniques and procedures (TTPs) and the ability to identify indicators of compromise (IOCs). By aggregating and validating data from a wide range of sources, including threat intelligence platforms, exchanges and security technologies such as firewalls, intrusion detection systems, SIEM and UEBA technologies, SOAR helps SOCs to become more intelligence-driven. This means that security personnel are able to contextualise incidents, make better informed decisions and accelerate incident detection and response.
2. Improving the efficiency and efficacy of operations
Managing many disparate security technologies can place a huge strain on security personnel. Not only are systems in need of constant monitoring to ensure their ongoing integrity and performance, but the thousands of daily alarms they generate can also lead to alert fatigue. This is exacerbated by constant switching between multiple systems, which costs teams time and effort, as well as increasing the risks of mistakes being made.
SOAR solutions help CSOCs automate and semi-automate some of the day-to-day and mundane tasks of security operations. By presenting intelligence and controls through a single pane of glass and utilising AI and machine learning, SOAR tools can significantly reduce the need for SOC teams to switch from one technology to another.
SOAR security can also help to ensure that processes are handled more efficiently and improve organisations’ productivity and capacity to address more incidents without them having to recruit more personnel. This means that a key SOAR benefit is that it helps security staff to work smarter rather than harder.
3. Enhancing incident response
Rapid response is vital in order to minimise the risk of breaches and limit the vast damage and disruption they can cause. SOAR helps organisations to reduce mean time to detect (MTTD) and mean time to respond (MTTR) by enabling security alerts to be qualified and remediated in minutes, rather than days, weeks and months.
SOAR also enables security teams to automate incident response procedures (known as playbooks). Automated responses could include blocking an IP address on a firewall or IDS system, suspending user accounts or quarantining infected endpoints from a network.
4. Streamlining reporting and knowledge capture
In many cyber security operations centres, frontline workers can spend a disproportionate amount of time managing cases, creating reports and documenting incident response procedures. By aggregating intelligence from a wide range of sources and presenting this information via custom-built dashboards, SOAR can help organisations to reduce paperwork whilst improving communication between the C-suite and the frontline.
By automating tasks and procedures, SOAR also enables organisations to retain key knowledge in the face of the global cyber security skills shortage.
Performing tasks faster means better time to resolution. This is vital because the longer threats go unaddressed, the greater the chance of damage and disruption.
SOAR vs SIEM – what’s the difference?
SOAR and SIEM (Security Information and Event Management) tools aim to address the same problem: the high volume of security-related information and events within organisations.
While SOAR platforms incorporate data collection, case management, standardisation, workflow and analysis, SIEMs analyse log data from different IT systems to search for security issues and alert engineers.
The two solutions can work in conjunction, with the SIEM detecting potential security incidents and raising the alerts, and the SOAR solution responding to those alerts, triaging the data and taking remediation steps where necessary. Even as SIEM platforms integrate SOAR-like functionality to speed up response, a dedicated SOAR solution can add significant value to an existing SIEM deployment.
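The SIEM-to-SOAR flow described above (alert in, data enrichment, triage, playbook-driven response such as blocking an IP or suspending an account) as an added, self-contained example; this is not code from the original article or from any vendor's product. The threat-intelligence entries, alert fields, scoring thresholds and action names are all constructed for illustration, and the high-impact actions are deliberately held for analyst approval rather than executed automatically.

```python
# Added example: a minimal SOAR-style playbook. Not from the original article;
# indicators, thresholds and action names are constructed for illustration.
from dataclasses import dataclass, field

# Constructed threat-intelligence feed: indicator -> (confidence 0-100, tag).
THREAT_INTEL = {
    "198.51.100.23": (90, "known-c2"),
    "203.0.113.7": (40, "scanner"),
}
# Actions the playbook may only recommend; an analyst must approve them.
# This is the guard against the over-reliance-on-automation pitfall.
REQUIRES_APPROVAL = {"suspend_account", "quarantine_host"}

@dataclass
class Alert:
    rule: str            # SIEM correlation rule that fired
    src_ip: str
    user: str
    host: str
    failed_logins: int = 0

@dataclass
class Triage:
    score: int
    verdict: str         # "false_positive", "suspicious" or "malicious"
    enrichment: dict = field(default_factory=dict)
    auto_actions: list = field(default_factory=list)      # executed immediately
    pending_approval: list = field(default_factory=list)  # queued for an analyst

def enrich(alert: Alert) -> dict:
    """Data-enrichment step: look the source IP up in the TI feed."""
    conf, tag = THREAT_INTEL.get(alert.src_ip, (0, "unknown"))
    return {"ti_confidence": conf, "ti_tag": tag}

def run_playbook(alert: Alert) -> Triage:
    """Enrich, score and map the alert to response actions."""
    ctx = enrich(alert)
    score = ctx["ti_confidence"]
    if alert.failed_logins >= 20:   # brute-force signal carried by the SIEM alert
        score += 30
    if score >= 80:
        verdict, actions = "malicious", ["block_ip", "suspend_account", "quarantine_host"]
    elif score >= 40:
        verdict, actions = "suspicious", ["block_ip"]
    else:
        verdict, actions = "false_positive", []
    triage = Triage(score=min(score, 100), verdict=verdict, enrichment=ctx)
    for action in actions:
        target = triage.pending_approval if action in REQUIRES_APPROVAL else triage.auto_actions
        target.append(action)
    return triage
```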
As Gartner points out, the main obstacle to the adoption of SOAR security continues to be the lack, or low maturity, of processes and procedures within SOC teams. This is why it is vital to gain expert advice when planning to implement SOAR. (Gartner, Market Guide for Security Orchestration, Automation and Response Solutions, 21 September 2020).
Additional pitfalls associated with the implementation of SOAR are:
- Unrealistic expectations: SOAR is not a silver bullet for addressing all security challenges. Organisations are at risk when implementing SOAR if they fail to set clearly defined use cases and realistic goals.
- Over-reliance on automation: It is vital to avoid simply relying on the playbooks and processes initially set up in SOAR. Companies need to apply up-to-date security expertise to ensure that their SOAR is continually ready to respond effectively to new types of threats.
- Unclear metrics: Organisations are at risk of failing to gain the results they need from SOAR due to a failure to clearly define their parameters for success. It is important to understand the breadth of what they are trying to automate.
Maximising SOAR benefits with Redscan
Continuously improving the quality and effectiveness of our services is a key focus for Redscan. By working closely with clients to fully understand their security needs, we not only help organisations to capture, aggregate and validate a wider range of intelligence across their networks, endpoints and cloud environments, but also help them make more sense of SOAR benefits. We achieve this by generating actionable outputs that enhance threat detection and response capabilities.
By utilising our offensive security expertise, alongside our collective knowledge of the latest network and endpoint tools, we optimise systems to reduce false positives, set correlation rules and watchlists to detect new patterns of anomalous behaviour and create and develop incident response playbooks.
CyberOps™, our integrated cloud-architected XDR platform, is built to integrate with a large number of security technologies. This helps us to leverage an extensive range of telemetry, centralise workflows and improve multi-stakeholder and compliance reporting.
Improving the efficiency of our Security Operations Centre through automation enables us to reduce manual workloads, improve visibility, perform proactive threat hunting and validate detection and response technologies and processes.