Security Orchestration, Automation and Response - An Introduction to SOAR

What is SOAR?

Security Orchestration, Automation and Response (SOAR) refers to technology platforms that optimise security operations by:

1. Integrating and correlating data from various cyber security point solutions
2. Streamlining and speeding up workflows via playbooks and automation, and
3. Improving investigation and response through better case management and collaborative action.

One of the main challenges that SOAR addresses is the difficulty security teams face in handling the large number of alerts generated by multiple siloed tools (firewalls, endpoint protection tools, threat intel platforms, IDS/IPS) that don’t interact with one another. Manual and time-consuming investigation and response processes and inconsistent workflows add to the problem, often leading to analyst burnout and slow, inadequate incident resolution.  

By automating repetitive, low-level tasks in the threat investigation and response process and enabling real-time collaboration within and among teams, SOAR platforms speed up incident response and facilitate deeper investigations.  

Additionally, integration with threat intelligence platforms enables SOAR technologies to operationalise intelligence and provide critical context to analysts for improved response.

The component elements of SOAR

Orchestration

Security orchestration involves the integration and correlation of data from all the different tools and technologies being used within an organisation, for better visibility, coordination and context. The best SOAR platforms allow bidirectional integration between tools, where the SOAR tool can both ingest data from other sources and also issue commands and trigger investigation and response actions.

Automation

In the context of SOAR, automation is seen as a subcomponent and enabler of orchestration. With repetitive, low-level investigation and response actions performed at speed by machines, analysts can devote time to deeper investigations and more strategic tasks.  

Response

SOAR platforms enable and streamline incident response via playbooks, real-time collaboration, and case management.  ‍

Playbooks are visual workflows that lay down the steps to be taken by analysts or machines in response to specific situations, incidents or alert types.

SOAR tools usually include both pre-built playbooks and the functionality to easily create custom playbooks with minimal coding. In the absence of standardised workflows, response processes can be ad-hoc and inefficient. Playbooks help standardise and streamline these processes, ultimately reducing the mean time to respond to an incident.  

Another response feature that SOAR offers is the functionality for real-time collaboration within and among teams as an incident plays out. ChatOps and a shared workspace enable seamless information exchange during the incident response process and minimise knowledge gaps.  

Benefits of SOAR

• Return on investment - By integrating and helping operationalise data from the tools you are already using, SOAR helps you get much more out of the technologies you have invested in.  
• Increased efficiency - It increases analyst efficiency and prevents burnout by standardising workflows, streamlining investigation and response processes, and automating low-level repeatable tasks.
• Reduced response time - The reason SOAR has risen so much in popularity in just a few years (the term was first used only in 2017) is that its adoption reduces response time drastically. By helping standardise processes and automating a wide range of tasks, SOAR platforms bring down investigation and response time from days to hours.  
• Deeper investigations - SOAR allows deeper investigations by freeing up analyst time, adding context to alerts by leveraging threat intelligence data, and tying together information from a variety of tools.  
• Incident response planning - While creating playbooks, security teams are forced to think clearly and logically about each step in the response process, the tools available and the feasibility of the actions being documented. This facilitates effective incident response planning that leverages resources that are actually available in an organisation.  

Some common SOAR use cases

• Phishing response - The most common and easily executable use case for SOAR is phishing investigation and response. SOAR platforms can ingest suspected phishing emails from various products, extract indicators from these emails, and use information from threat intel platforms to add context to the indicators. They can also automate steps like notifying the email recipient and finding and deleting instances of the email (if found malicious) on other endpoints. A large part of this whole process can be automated, saving valuable analyst time.  
• Sandboxing and malware analysis – Another important use case is checking if files flagged by detection tools are malicious by detonating them in sandbox environments. A major part of this process, too, can be automated, and analysts need be involved only if necessary.  
• Adding context to IoCs – SOAR tools can ingest Indicators of Compromise (IoCs) like IP addresses, URLs and file hashes from different sources and compare them with information found in threat intel tools. This data can then be used to determine whether a given indicator is malicious or not. Blocklists and allow-lists can be updated automatically based on the results, and in the case of false positives, playbooks can be closed without analyst intervention.
• Assigning severity scores – Because SOAR tools work in concert with all other security tools used in an organisation, they can get scores for ingested incidents from other trusted vulnerability management tools they are connected with. They can also extract specific indicators and check their criticality levels on threat intel platforms. This information can be used to assign severity levels to alerts and incidents and provide critical context to analysts in their investigations.  
• Vulnerability management – SOAR playbooks can be used to automate vulnerability management through dedicated vulnerability management tools connected with the SOAR platform. Information about assets and associated CVEs can be automatically ingested and enriched with additional context around remediation status before analysts get involved.  

A caveat

While ideal for solving some of the most pressing issues in the cyber security industry, SOAR solutions can provide real value only if they integrate well with the other security tools and technologies in use in an organisation. This means that before selecting a SOAR solution, you must make sure it will work with your existing toolstack, and also review and possibly upgrade some of these tools so they generate good data.  

Questions to ask when selecting a SOAR platform:

• Does it integrate with the existing point solutions used by your organization?
• Does it add value in terms of functionality, when seen together with the existing toolstack?
• Does it allow easy (drag and drop) playbook creation?
• Does it offer real-time collaboration and chat options for better handling of events?
• Are there multiple deployment and hosting options available, and is it scalable?
• Does the pricing model fit your needs?
• Are the reports easy to understand and can dashboards be adjusted by need and preference?

High-level capabilities to think of:

• Bidirectional integration with different products and alert sources
• Data/alert ingestion and the ability to add context to data
• Playbooks with manual and automated steps - both custom and out-of-the-box.
• User-friendly interface and visual representation of SOC data
• Reporting and documentation capabilities
• Ticketing, case management and integrations to trigger response
• Threat intelligence integration and operationalisation

The difference between SIEM and SOAR

Security Information and Event Management (SIEM) tools are designed to aggregate and organise logs and data from multiple point products deployed across an organisation’s environment, and help with faster threat detection, triage and investigation. They provide a single pane of glass to security teams to view and make sense of data ingested from a variety of tools, minimising console switching and increasing efficiency.  

SOAR, on the other hand, is focused on streamlining investigation and response processes, improving workflows, facilitating faster and standardised incident response, and automating repeatable low-level tasks to free up analyst time for strategic planning and action. The best SOAR platforms are highly extensible and allow bidirectional integration with a wide variety of point solutions like NGFWs, EDR tools, UEBA, NTA, IDS/IPS, threat intel platforms, etc.  

While there is some overlap between the functionalities of SIEM and SOAR tools, they are designed for different use cases, with SIEM focused on efficient alert handling, detection, triage and log management, and SOAR focused on the later stages of the incident lifecycle, standardising workflows, automation, incident response and case management.  

An evolving technology

While SIEM and SOAR solve different security challenges, they complement each other (SOAR ingests data from SIEM tools, in addition to other products), and provide some similar functionalities (product and data integration, unified dashboard, correlation of alerts). Having emerged as a fully formed concept only in 2017, SOAR is a young technology solution with immense promise, but it is still evolving. It remains to be seen what becomes of it in the coming years. Some security experts predict that the two product categories may come together at some point to provide even greater value to security teams.  

For now, however, organisations must keep their existing technology stack and skillset in mind before investing in a SOAR platform. While SOAR can help streamline IR processes and cut down response time sharply, it does need to be set up correctly and work seamlessly with the other tools in your security arsenal to provide real value. Automation use cases, too, need to be planned and programmed based on your specific business needs and security-related challenges. This whole process takes time, effort and expertise.  

A large number of organisations that do not have the engineering expertise or resources to deploy and manage SOAR solutions in-house, are turning to managed security providers to deliver SOAR as a service. This makes sense because it means you can use the orchestration and automation capabilities of best-in-class SOAR platforms without having to invest in one yourself and without the headache of setting up, tuning, monitoring and managing the platform around the clock.  

Talk to security experts at LinearStack  

If you want to leverage the power of SOAR to bolster your security capabilities but do not have the time or resources to add it to your environment independently, get in touch with us. Our security experts can help you understand how to incorporate SOAR in your cyber security program and get the most value from it. We offer a range of managed and professional cyber security services to businesses in New Zealand and Australia.

Call us at 0800 008 795 or email us at info@linearstack.co.nz to book a free consultation.