What is SOAR?
Security orchestration, automation and response (SOAR) technology helps coordinate, execute and automate tasks between various people and tools, allowing companies to respond quickly to cybersecurity attacks and improve their overall security posture. SOAR tools use security “playbooks” to automate and coordinate workflows that may include any number of disparate security tools as well as human tasks.
A comprehensive SOAR product helps improve security operations by:
- Combining security orchestration, intelligent automation, incident management and interactive investigations into a single solution.
- Breaking down silos by facilitating team collaboration and enabling security analysts to take automatic actions on tools across their security stack.
- Providing security teams with a single, centralized console to manage and coordinate all aspects of their company’s security.
- Optimizing case management, creating efficiencies with opening and closing tickets, and investigating and resolving incidents.
Figure 1: Sample SOAR playbook for malware analysis
Why Companies Need SOAR
Organizations today face numerous challenges:
- A growing volume of complex security threats and malicious threat actors.
- Too many security tools, many of which don’t talk to each other. For example, a NASDAQ Global Information Services report found that the average security operations center (SOC) now uses more than 15 security products. Unfortunately, most of those products don’t offer SOC automation.
- An overwhelming number of security alerts and too much threat intel data for security teams to manually sort through, prioritize, investigate and address.
- Difficulty finding enough security people with the right skill sets to do the job.
- A lack of or limited visibility across tools, data sets and environments.
The Value of Having and Using SOAR
SOAR helps companies address and overcome these challenges by enabling them to:
- Unify their existing security systems and centralize data collection to gain full visibility.
- Automate repetitive manual tasks (via security automation) and manage all aspects of the security incident lifecycle.
- Define incident analysis and response procedures as well as leverage security playbooks to prioritize, standardize and scale response processes in a consistent, transparent and documented way.
- Quickly, accurately identify and assign incident severity levels to security alerts; support alert reduction.
- Better identify and manage potential vulnerabilities both proactively and reactively.
- Route each security incident to the analyst best suited to respond to it while providing functions that support easy collaboration and tracking between teams and team members.
SOAR Use Cases
Here are a few examples of common use cases for SOAR:
What Orchestration Helps With (High-Level Overview)
Handling security alerts
Phishing enrichment and response – ingesting potential phishing emails; triggering a playbook; automating and executing repeatable tasks, such as triaging and engaging affected users, extracting and checking indicators, identifying false positives and priming the SOC for a standardized response at scale.
Endpoint malware infection – pulling in threat feed data from endpoint tools, enriching that data, cross-referencing retrieved files/hashes with a security information and event management (SIEM) solution, notifying analysts, cleaning endpoints and updating the endpoint tool database.
Failed user logins – after a predefined number of failed user login attempts, assessing whether a failed login is genuine or malicious by triggering a playbook, engaging users, analyzing their replies, expiring passwords and closing the playbook.
Logins from unusual locations – identifying potentially malicious virtual private network (VPN) access attempts by checking VPN and cloud access security broker (CASB) logs for the session, cross-referencing the source IPs, confirming with the user whether the login was theirs, issuing a block if it was not, and closing the playbook.
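The failed-login use case above, as an added example (not code from the original page or from any SOAR product). It runs a threshold check over constructed, syslog-style authentication lines, then walks the playbook branches: confirm with the user, and either close the case or expire the password and block the source. The log format, the five-in-ten-minutes threshold and the `ask_user` callback standing in for the "engage the user" step are all assumptions.

```python
"""Failed-login playbook over sample auth log lines (added example; all data constructed)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; the sshd-like format is an assumption.
SAMPLE_LOG = """\
2024-03-01T09:00:05Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:09Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:12Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:15Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:18Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:20Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:05:00Z auth sshd: Failed password for bob from 192.0.2.44
2024-03-01T09:30:00Z auth sshd: Failed password for bob from 192.0.2.44
2024-03-01T10:00:00Z auth sshd: Accepted password for bob from 192.0.2.44
"""

# Only failure lines are parsed; "Accepted" lines and anything else are skipped.
LINE_RE = re.compile(r"^(\S+) \S+ sshd: Failed password for (\S+) from (\S+)$")
THRESHOLD = 5                   # failures per user ...
WINDOW = timedelta(minutes=10)  # ... within this sliding window (assumed values)


def detect_bursts(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {user: [source IPs]} for every user who crossed the threshold.

    A per-user deque holds only events inside the window, so memory stays bounded
    and an old failure does not keep contributing to a later burst.
    """
    recent = defaultdict(deque)
    triggered = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        user, src = m.group(2), m.group(3)
        q = recent[user]
        q.append((ts, src))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and user not in triggered:
            triggered[user] = sorted({s for _, s in q})
    return triggered


def run_failed_login_playbook(log_text, ask_user):
    """Playbook branches after the trigger.

    ask_user(user, sources) stands in for the human step: it returns True if the
    user confirms the attempts were their own. Actions are returned as strings
    so the orchestration step that dispatches them to tools stays separate.
    """
    actions = []
    for user, sources in detect_bursts(log_text).items():
        if ask_user(user, sources):
            actions.append(f"close:{user}:user confirmed")
        else:
            actions.append(f"expire_password:{user}")
            actions.extend(f"block_source:{ip}" for ip in sources)
            actions.append(f"escalate:{user}")
    return actions


if __name__ == "__main__":
    # Simulated reply: alice says the attempts were not hers.
    print(run_failed_login_playbook(SAMPLE_LOG, lambda user, sources: False))
```

Alice crosses the threshold on her fifth failure within 15 seconds; Bob's two failures are 25 minutes apart, so the window eviction keeps him below it and no playbook fires for him.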
Managing security operations
TLS/SSL certificate management – checking endpoints to see which certificates have expired or will expire soon, informing the owners, rechecking the status a few days later, escalating any still-unresolved certificates to the appropriate people and closing the playbook.
Endpoint diagnostics and kickstart – checking connectivity and agent connectivity, enriching context, opening a ticket, kickstarting agents and closing the playbook.
Vulnerability management – ingesting vulnerability and asset information, enriching endpoint and common vulnerabilities and exposures (CVE) data, querying for vulnerability context, calculating severity, turning over control to security analysts for remediation and investigation, and closing the playbook.
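The vulnerability-management use case above, as an added example (not code from the original page or from any SOAR product). It joins a scanner export with an asset inventory, enriches each CVE from a local lookup table, scores the finding with asset exposure and criticality, and produces a prioritised queue for analysts. Findings that cannot be scored (unknown asset, no CVSS data) are handed over for review rather than silently dropped. The CVE identifiers, CVSS values, inventory, scoring bumps and SLA days are all constructed assumptions.

```python
"""Vulnerability prioritisation playbook (added example; all data constructed)."""
import json

# Constructed CVE enrichment table; a real playbook would query NVD or a TIP.
# The CVE-0000-* identifiers are placeholders, not real CVEs.
CVE_DB = {
    "CVE-0000-0001": {"cvss": 9.8, "exploited": True},
    "CVE-0000-0002": {"cvss": 5.3, "exploited": False},
    "CVE-0000-0003": {"cvss": 7.5, "exploited": False},
}

# Constructed asset inventory (CMDB stand-in).
INVENTORY = {
    "10.0.0.5": {"owner": "web-team", "exposure": "internet", "critical": True},
    "10.0.0.9": {"owner": "corp-it", "exposure": "internal", "critical": False},
}

# Constructed scanner export, one finding per host/CVE pair.
SCAN_EXPORT = json.dumps([
    {"host": "10.0.0.5", "cve": "CVE-0000-0001"},
    {"host": "10.0.0.9", "cve": "CVE-0000-0002"},
    {"host": "10.0.0.9", "cve": "CVE-0000-0003"},
    {"host": "10.0.0.77", "cve": "CVE-0000-0002"},  # host missing from inventory
    {"host": "10.0.0.5", "cve": "CVE-0000-9999"},   # CVE missing from CVE_DB
])

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # assumed policy


def score_finding(cvss, asset, exploited):
    """CVSS plus context bumps (assumed weights), capped at 10."""
    score = cvss
    if asset.get("exposure") == "internet":
        score += 1.0
    if asset.get("critical"):
        score += 1.0
    if exploited:
        score += 1.0
    return min(score, 10.0)


def tier(score):
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def build_remediation_queue(scan_json, inventory, cve_db):
    """Return (queue, review): scored tickets sorted by priority, and the
    findings that need an analyst because context was missing."""
    queue, review = [], []
    for finding in json.loads(scan_json):
        asset = inventory.get(finding["host"])
        cve = cve_db.get(finding["cve"])
        if asset is None or cve is None:
            reason = "unknown asset" if asset is None else "no CVSS data"
            review.append({**finding, "reason": reason})
            continue
        score = score_finding(cve["cvss"], asset, cve["exploited"])
        sev = tier(score)
        queue.append({
            "host": finding["host"], "cve": finding["cve"], "owner": asset["owner"],
            "score": round(score, 1), "severity": sev, "sla_days": SLA_DAYS[sev],
        })
    queue.sort(key=lambda t: (-t["score"], t["host"], t["cve"]))
    return queue, review


if __name__ == "__main__":
    tickets, needs_review = build_remediation_queue(SCAN_EXPORT, INVENTORY, CVE_DB)
    for t in tickets:
        print(t)
    print("for analyst review:", needs_review)
```

The internet-facing critical host with an exploited 9.8 scores 10.0 and gets the 7-day SLA; the internal host's 7.5 and 5.3 findings fall to high and medium. The two unscorable findings land in the review list, which is the "turn over control to analysts" step.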
Hunting for Threats and Responding to Incidents
Indicators of compromise (IOC) hunting – taking in and extracting IOCs from attached files, hunting IOCs across threat intelligence tools, updating databases and closing the playbook.
Malware analysis – ingesting data from multiple sources, extracting and detonating malicious files, generating and displaying a report, checking for malice, updating the database and closing the playbook.
Cloud-aware incident response – consuming data from cloud-focused threat detection and event logging tools, unifying processes across cloud and on-premises security infrastructures, correlating with a SIEM, extracting and enriching indicators, checking for malice, turning over control to analysts and having them review the information, updating the database and closing the playbook.
IOC enrichment – ingesting data from multiple sources, extracting any indicators that need to be detonated, enriching URLs, IPs and hashes, checking for malice, updating the database, inviting analysts to review and investigate the information, and closing the playbook.
Assigning incident severity – checking other products for a vulnerability score and for any score already assigned to the incident's indicators, assigning a severity from those scores, checking whether the affected usernames and endpoints appear on a critical list, raising the severity to critical if they do, and closing the playbook.
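The phishing-enrichment, IOC-hunting, IOC-enrichment and severity-assignment use cases above share one pipeline, shown here as a single added example (not code from the original page or from any SOAR product): pull indicators out of a reported email, score them against an intel feed, derive severity from the worst indicator, raise it to critical when the affected user or endpoint is on a critical list, and emit the block/notify/isolate actions an orchestrator would dispatch. The intel feed, the critical lists, the sample email and every score threshold are constructed assumptions.

```python
"""IOC extraction, enrichment and severity playbook (added example; all data constructed)."""
import re
from dataclasses import dataclass, field

# Constructed threat-intel feed: indicator -> reputation score (0 = clean, 100 = malicious).
# A production playbook would query one or more reputation services instead.
THREAT_INTEL = {
    "198.51.100.23": 90,
    "invoice-update.example.net": 85,
    "44d88612fea8a8f36de82e1278abb02f": 100,  # constructed file hash
}
# Constructed critical lists that escalate severity (assumption).
CRITICAL_USERS = {"cfo"}
CRITICAL_ENDPOINTS = {"fin-ws-01"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
HOST_RE = re.compile(r"^https?://([^/:?#]+)", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.I)

# Constructed reported email; no real sender, host or attachment.
SAMPLE_EMAIL = """From: accounts@invoice-update.example.net
Subject: Overdue invoice
Please review at https://invoice-update.example.net/login before 5pm.
Our server 198.51.100.23 is waiting. Attachment md5 44d88612fea8a8f36de82e1278abb02f.
"""


@dataclass
class Incident:
    user: str
    endpoint: str
    indicators: dict = field(default_factory=dict)  # indicator -> score
    severity: str = "informational"
    actions: list = field(default_factory=list)


def extract_iocs(text):
    """Pull URLs, URL hostnames, IPv4 addresses and file hashes out of free text."""
    urls = set(URL_RE.findall(text))
    hosts = set()
    for url in urls:
        m = HOST_RE.match(url)
        if m:
            hosts.add(m.group(1).lower())
    ips = set(IPV4_RE.findall(text))
    hashes = {h.lower() for h in HASH_RE.findall(text)}
    return urls | hosts | ips | hashes


def enrich(iocs):
    """Look every indicator up in the feed; unknown indicators score 0."""
    return {ioc: THREAT_INTEL.get(ioc, 0) for ioc in iocs}


def assign_severity(inc):
    worst = max(inc.indicators.values(), default=0)
    if worst >= 80:
        sev = "high"
    elif worst >= 50:
        sev = "medium"
    elif worst > 0:
        sev = "low"
    else:
        sev = "informational"
    on_critical_list = inc.user in CRITICAL_USERS or inc.endpoint in CRITICAL_ENDPOINTS
    if sev != "informational" and on_critical_list:
        sev = "critical"
    return sev


def run_ioc_playbook(text, user, endpoint):
    inc = Incident(user, endpoint)
    inc.indicators = enrich(extract_iocs(text))
    inc.severity = assign_severity(inc)
    if inc.severity == "informational":
        inc.actions = ["close:no malicious indicators"]  # false positive, no human needed
        return inc
    inc.actions = [f"block:{i}" for i, s in sorted(inc.indicators.items()) if s >= 80]
    inc.actions.append(f"notify:{user}")
    if inc.severity == "critical":
        inc.actions.append(f"isolate:{endpoint}")
    inc.actions.append("assign:analyst")  # hand the case to a human for review
    return inc


if __name__ == "__main__":
    print(run_ioc_playbook(SAMPLE_EMAIL, "cfo", "fin-ws-01"))
```

The same email reported by an ordinary user yields a high-severity case with blocks and a notification; reported from the CFO's workstation it becomes critical and adds an endpoint isolation, which is exactly the critical-list branch the severity use case describes.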
The Benefits of SOAR
- Greatly improves a company’s security posture and operational efficiency.
- Accelerates security incident detection and response times; standardizes response actions.
- Supports real-time collaboration and unstructured investigations.
- Increases analyst productivity and frees up analysts to focus on improving security instead of on performing manual tasks.
- Leverages a company’s existing security technology investments.
SOAR is available as either a cloud-hosted or on-premises solution.
For more information about SOAR and related trends, read the 2019 State of SOAR Report.