Understaffed security teams need all the help they can get, and they are finding that help through SOAR.
SOAR — security orchestration, automation and response — is defined by Gartner as the “technologies that enable organizations to collect inputs monitored by the security operations team.” Gartner identifies a SOAR platform’s three prime functionalities: Threat and vulnerability management, security operations automation and incident response.
The number of threats coming across the network and endpoints each day overwhelms most organizations. Adding SOAR technology strengthens your overall security posture by automating the most repetitive and tedious aspects of threat management and incident response.
The Role of Each Component
The efficiency of SOAR’s security operation comes from each of its components. Collectively, SOAR automates the most mundane and time-consuming tasks in a Security Operations Center (SOC) — tasks that are absolutely necessary to ensure the highest levels of protection for networks and data, but also tasks that take already overworked security teams from their other duties. Understanding how each piece of the SOAR platform operates will help organizations build the solution that works best for them.
Orchestration connects and simplifies all of the security tools and systems within the infrastructure. It integrates custom-built applications with built-in security tools, so they all work with each other seamlessly. In addition, it connects disparate endpoints, firewalls and behavior analytics. While all this connectivity means more alerts, it also improves the ability to detect potential threats before they become full-blown incidents.
Automation affects security procedures across the SOC. Security automation takes the vast amount of information generated through orchestration and analyzes it through machine learning processes. When performed manually, these tasks were not only time-consuming but also subject to human failures. The number of alerts, both false and positive, overwhelmed security teams and left them little time for other projects. With security automation, SOAR handles manual tasks such as scanning logs and handling ticket requests, vulnerability checks and auditing processes. This allows security teams to address anomalies quickly.
Incident response within SOAR allows security teams to monitor, manage and take action when a potential threat is indicated. The response component also handles post-incident activities such as threat intelligence sharing and case management. Incident response tools collect all the information surrounding the incident and share that information through open-source databases for others to reference to add to their security automation toolkit.
The Playbook
Essential to the success of the SOAR automation solution is its playbooks. Like a football coach’s playbook, the SOAR playbook outlines the game plan for the security team’s incident response. Simply, the playbook is a set of workflows that put incident response into action. Automated systems using AI and ML need predefined sets of procedures to be able to detect anomalies, and the steps to follow whenever an issue occurs. With these defined workflows within the playbook, automation takes over with minimal human involvement.
The playbook not only spells out the entire process of how to handle incidents, but it offers consistency and redundancy. Playbooks are useful in situations such as threat hunting and threat intelligence, as well as vulnerability management. They also offer workload guidance to security team members, providing institutional knowledge about the organization’s security processes and incident response.
Included in the playbook will be lists of permissions, tools and network access, potential conflicts with business operations and a defined list of expected results. They aren’t static documents and should be updated and revised whenever there are failures in the system. The National Institute of Standards and Technology (NIST) offers guidelines for creating playbooks.
The Importance of SOAR
With more endpoints to protect and more data generated, protecting the network has never been more important or more difficult. Security teams face a steady flow of alerts, many of them false positives, and do so with limited staff. The more time the SOC spends addressing alerts, the less time they have to spend on other vital security projects. When this task is handled manually, it sets up the additional risk of human error — something gets missed, leading to a cyber incident.
The digital transformation, while streamlining so many processes and improving overall productivity, has created a security gap problem. Legacy systems don’t easily integrate with new technologies. Security tools become outdated or are siloed. And again, the talent shortage comes into play; these new technologies require specific skills and there just aren’t enough people out there with the specific training needed.
SOAR solutions won’t fix all your security problems, but the orchestration and automation handle the repetitive and redundant tasks while connecting disparate security systems and data collection. It makes security processes more efficient in real-time. The security team can more accurately identify and respond to incidents without developing alert fatigue.
The Relationship Between SOAR and SIEM
Many organizations already deploy security information and event management (SIEM) solutions to detect and manage threats, so they may not see the point of adding another security solution. However, for threat management to be successful, it needs rapid incident response. SIEM and SOAR don’t stand alone; they are more effective at working together.
SIEM is all about detection, but detection alone is not enough. Playbooks for SIEMs are complex and expensive to produce, so the detection layer may not go as deep as it should. SOAR solutions balance this with playbooks and processes that introduce well-defined incident response plans.
Using SIEM in tandem with SOAR saves time and money. Using the solutions alone means going through one step (detection) and then following it up with the second step (incident response) as separate procedures. Instead, when the SIEM and SOAR solutions run concurrently, the high number of alerts generated through the SIEM are addressed in real-time with the SOAR.
SOAR solutions should be part of an overall security defense system rather than a stand-alone platform. It should complement the other tools in the SOC, just as it should complement, and not replace, humans on the security team. Used in this way, SOAR solutions will augment the SOC with automated and orchestrated incident response.