Security Orchestration, Automation and Response (SOAR) refers to technology platforms that optimise security operations by:
One of the main challenges that SOAR addresses is the difficulty security teams face in handling the large number of alerts generated by multiple siloed tools (firewalls, endpoint protection tools, threat intel platforms, IDS/IPS) that don’t interact with one another. Manual and time-consuming investigation and response processes and inconsistent workflows add to the problem, often leading to analyst burnout and slow, inadequate incident resolution.
By automating repetitive, low-level tasks in the threat investigation and response process and enabling real-time collaboration within and among teams, SOAR platforms speed up incident response and facilitate deeper investigations.
Additionally, integration with threat intelligence platforms enables SOAR technologies to operationalise intelligence and provide critical context to analysts for improved response.
Security orchestration involves the integration and correlation of data from all the different tools and technologies being used within an organisation, for better visibility, coordination and context. The best SOAR platforms allow bidirectional integration between tools, where the SOAR tool can both ingest data from other sources and also issue commands and trigger investigation and response actions.
In the context of SOAR, automation is seen as a subcomponent and enabler of orchestration. With repetitive, low-level investigation and response actions performed at speed by machines, analysts can devote time to deeper investigations and more strategic tasks.
SOAR platforms enable and streamline incident response via playbooks, real-time collaboration, and case management.
Playbooks are visual workflows that lay down the steps to be taken by analysts or machines in response to specific situations, incidents or alert types.
SOAR tools usually include both pre-built playbooks and the functionality to easily create custom playbooks with minimal coding. In the absence of standardised workflows, response processes can be ad-hoc and inefficient. Playbooks help standardise and streamline these processes, ultimately reducing the mean time to respond to an incident.
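The orchestration, automation and playbook ideas described above can be shown in a few dozen lines. The following is an added example, not code from the original article or from any SOAR product: a minimal playbook engine that ingests a phishing alert as a SIEM would forward it, enriches it through a threat-intel connector, grades severity, and then issues commands back to an email gateway and an EDR tool (the bidirectional integration the text mentions), recording every step in a case record. All connectors (`ti_lookup`, `edr_isolate`, `mail_quarantine`), indicator values and alerts are constructed stand-ins, not real APIs or real data.

```python
"""Minimal SOAR-style playbook engine (added example, constructed data).
Ingests an alert, enriches it, decides, triggers response actions and
records every step in a case. Connectors below are mocks of integrated
tools, not real product APIs."""
from dataclasses import dataclass, field
from typing import Callable

# --- Constructed stand-ins for integrated tools (hypothetical) ---
THREAT_INTEL = {                    # mock threat-intel platform: indicator -> verdict
    "198.51.100.7": "malicious",
    "203.0.113.9": "suspicious",
}
EDR_ISOLATED: set[str] = set()      # mock EDR: hosts that received an isolate command
MAIL_QUARANTINED: set[str] = set()  # mock mail gateway: message IDs quarantined

def ti_lookup(indicator: str) -> str:
    return THREAT_INTEL.get(indicator, "unknown")

def edr_isolate(host: str) -> bool:
    EDR_ISOLATED.add(host)
    return True

def mail_quarantine(msg_id: str) -> bool:
    MAIL_QUARANTINED.add(msg_id)
    return True

@dataclass
class Case:
    """Case-management record: the alert plus everything the playbook did."""
    alert: dict
    severity: str = "low"
    status: str = "open"
    timeline: list[str] = field(default_factory=list)
    actions: list[str] = field(default_factory=list)

    def note(self, msg: str) -> None:
        self.timeline.append(msg)

Step = Callable[[Case], None]

# --- Playbook steps for a "phishing email" alert ---
def enrich_sender_ip(case: Case) -> None:
    ip = case.alert["sender_ip"]          # KeyError here is handled by the engine
    verdict = ti_lookup(ip)
    case.alert["ti_verdict"] = verdict
    case.note(f"TI lookup {ip}: {verdict}")

def assess(case: Case) -> None:
    verdict = case.alert.get("ti_verdict", "unknown")
    clicked = case.alert.get("user_clicked", False)
    if verdict == "malicious" and clicked:
        case.severity = "high"
    elif verdict in ("malicious", "suspicious"):
        case.severity = "medium"
    else:
        case.severity = "low"
    case.note(f"severity set to {case.severity}")

def contain(case: Case) -> None:
    # Fully automated containment only at high confidence; medium-severity
    # cases get the cheap, reversible action and go to an analyst queue.
    if case.severity == "high":
        mail_quarantine(case.alert["msg_id"])
        edr_isolate(case.alert["host"])
        case.actions += ["quarantine_email", "isolate_host"]
        case.status = "contained"
    elif case.severity == "medium":
        mail_quarantine(case.alert["msg_id"])
        case.actions.append("quarantine_email")
        case.status = "pending_analyst"
    else:
        case.status = "closed_benign"
    case.note(f"status {case.status}")

PHISHING_PLAYBOOK: list[Step] = [enrich_sender_ip, assess, contain]

def run_playbook(alert: dict, playbook: list[Step]) -> Case:
    case = Case(alert=dict(alert))
    for step in playbook:
        try:
            step(case)
        except Exception as exc:  # a failing integration must never silently drop a case
            case.note(f"{step.__name__} failed: {exc}")
            case.status = "pending_analyst"
            break
    return case

# Constructed alerts in the shape a SIEM might forward them (not real data)
SAMPLE_ALERTS = [
    {"msg_id": "m1", "sender_ip": "198.51.100.7", "host": "wks-014", "user_clicked": True},
    {"msg_id": "m2", "sender_ip": "203.0.113.9", "host": "wks-022", "user_clicked": False},
    {"msg_id": "m3", "sender_ip": "192.0.2.1", "host": "wks-031", "user_clicked": True},
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        c = run_playbook(a, PHISHING_PLAYBOOK)
        print(c.alert["msg_id"], c.severity, c.status, c.actions)
```

Two design points matter more than the size of the playbook: the engine treats a failed integration as a reason to hand the case to a human rather than to stop silently, and irreversible actions (host isolation) are gated behind the highest-confidence branch, which is how real deployments keep automation from amplifying a false positive.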
Another response feature that SOAR offers is the functionality for real-time collaboration within and among teams as an incident plays out. ChatOps and a shared workspace enable seamless information exchange during the incident response process and minimise knowledge gaps.
While well suited to some of the most pressing problems in security operations, SOAR solutions provide real value only if they integrate well with the other security tools and technologies in use in an organisation. This means that before selecting a SOAR solution, you must make sure it will work with your existing tool stack, and also review and possibly upgrade some of these tools so they generate good data.
Security Information and Event Management (SIEM) tools are designed to aggregate and organise logs and data from multiple point products deployed across an organisation’s environment, and help with faster threat detection, triage and investigation. They provide a single pane of glass to security teams to view and make sense of data ingested from a variety of tools, minimising console switching and increasing efficiency.
SOAR, on the other hand, is focused on streamlining investigation and response processes, improving workflows, facilitating faster and standardised incident response, and automating repeatable low-level tasks to free up analyst time for strategic planning and action. The best SOAR platforms are highly extensible and allow bidirectional integration with a wide variety of point solutions like NGFWs, EDR tools, UEBA, NTA, IDS/IPS, threat intel platforms, etc.
While there is some overlap between the functionalities of SIEM and SOAR tools, they are designed for different use cases, with SIEM focused on efficient alert handling, detection, triage and log management, and SOAR focused on the later stages of the incident lifecycle, standardising workflows, automation, incident response and case management.
While SIEM and SOAR solve different security challenges, they complement each other (SOAR ingests data from SIEM tools, in addition to other products), and provide some similar functionalities (product and data integration, unified dashboard, correlation of alerts). Having emerged as a fully formed concept only in 2017, SOAR is a young technology solution with immense promise, but it is still evolving. It remains to be seen what becomes of it in the coming years. Some security experts predict that the two product categories may come together at some point to provide even greater value to security teams.
For now, however, organisations must keep their existing technology stack and skillset in mind before investing in a SOAR platform. While SOAR can help streamline IR processes and cut down response time sharply, it does need to be set up correctly and work seamlessly with the other tools in your security arsenal to provide real value. Automation use cases, too, need to be planned and programmed based on your specific business needs and security-related challenges. This whole process takes time, effort and expertise.
A large number of organisations that do not have the engineering expertise or resources to deploy and manage SOAR solutions in-house are turning to managed security providers to deliver SOAR as a service. This makes sense because it means you can use the orchestration and automation capabilities of best-in-class SOAR platforms without having to invest in one yourself and without the headache of setting up, tuning, monitoring and managing the platform around the clock.
If you want to leverage the power of SOAR to bolster your security capabilities but do not have the time or resources to add it to your environment independently, get in touch with us. Our security experts can help you understand how to incorporate SOAR in your cyber security program and get the most value from it. We offer a range of managed and professional cyber security services to businesses in New Zealand and Australia.
Call us at 0800 008 795 or email us at info@linearstack.co.nz to book a free consultation.