Security Orchestration Automation and Response


What is SOAR?

SOAR (Security Orchestration, Automation, and Response) is a combination of software solutions and tools that allows organizations to streamline security operations in three key areas: threat and vulnerability management, incident response, and security operations automation.

In essence, security automation is the machine handling of security operations tasks. It is the execution of tasks such as scanning for vulnerabilities or searching logs without human intervention. Security orchestration is the method of connecting security tools and integrating heterogeneous security systems. It is the connective layer that streamlines security processes and powers security automation.


Why use SOAR?

As threats continually evolve in both number and sophistication, organizations need rapid, consistent and continuous responses with fewer manual steps.
Most security monitoring systems are costly to run and generate a high number of alerts, including many false positives.
Security and risk staff then triage these alerts manually, which is slow and error-prone.
As a result, many real incidents go unnoticed.
SOAR helps improve the signal-to-noise ratio by automating the repeatable parts of incident investigation,
so analysts can spend more time investigating and responding to threats instead of collecting the data needed to do so.
Many security controls on the market today benefit from threat intelligence. SOAR tools allow for the centralized collection, aggregation and enrichment of existing data with threat intelligence and, above all, the conversion of that intelligence into actions.
Organizations face increasingly aggressive threats, where a response within minutes is required to stand a chance of containing them.
This forces organizations to reduce their incident response time by delegating more tasks to machines.
Reducing response time, including time to containment and remediation, is one of the most effective ways to limit the impact of a security incident.

SOAR Use Cases

Candidate use cases for a SOAR platform are usually identified by mapping existing manual workflows, since these typically expose the team's greatest operational weak points. Such workflows generally involve many human steps and depend on several products working together. This exercise should involve key security personnel to help ensure that the platform chosen today will also meet future demands.

Alert Triage: The aim here is to validate and prioritize incoming alerts, and also to enrich events with further context. Logic can be included to close out alerts that are false positives with high confidence so they receive no further handling.
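The triage step described above, as an added worked example rather than code from any SOAR product: each alert is validated, enriched from a threat-intelligence lookup, scored, and then either queued by priority or dropped. The alert schema, the threat-intelligence table, the authorized-scanner allow-list and the sample alerts are all constructed for this illustration.

```python
"""Alert triage playbook step: validate, enrich, score, suppress known FPs.

Added illustration; the alert fields, the threat-intel table and the
false-positive rule are constructed and not taken from any real product.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed threat-intelligence lookup: indicator -> verdict and tags.
THREAT_INTEL = {
    "198.51.100.23": {"malicious": True, "tags": ["c2"]},
    "203.0.113.9": {"malicious": False, "tags": ["scanner"]},
}

# Constructed allow-list: the authorized internal vulnerability scanner.
KNOWN_FP_SCANNERS = {"10.0.0.5"}

# Baseline severity per alert type (constructed values).
BASE_SEVERITY = {"malware": 70, "auth_failure": 30, "port_scan": 20}


@dataclass
class Alert:
    id: str
    kind: str
    src_ip: str
    user: Optional[str] = None
    score: int = 0
    tags: List[str] = field(default_factory=list)
    suppressed: bool = False


def validate(alert: Alert) -> bool:
    """Reject malformed alerts before they consume analyst time."""
    try:
        ipaddress.ip_address(alert.src_ip)
    except ValueError:
        return False
    return alert.kind in BASE_SEVERITY


def enrich(alert: Alert) -> Alert:
    """Attach threat-intel and network context to the alert."""
    intel = THREAT_INTEL.get(alert.src_ip)
    if intel:
        alert.tags.extend(intel["tags"])
        if intel["malicious"]:
            alert.tags.append("ti_malicious")
    if ipaddress.ip_address(alert.src_ip).is_private:
        alert.tags.append("internal")
    return alert


def score(alert: Alert) -> int:
    """Rank: base severity, raised by TI hits and privileged targets."""
    s = BASE_SEVERITY[alert.kind]
    if "ti_malicious" in alert.tags:
        s += 30
    if alert.kind == "auth_failure" and alert.user in ("root", "Administrator"):
        s += 20
    return min(s, 100)


def is_high_confidence_fp(alert: Alert) -> bool:
    """Suppress only on a narrow, specific rule: our own scanner scanning."""
    return alert.kind == "port_scan" and alert.src_ip in KNOWN_FP_SCANNERS


def triage(alerts: List[Alert]) -> Tuple[List[Alert], List[Tuple[str, str]]]:
    """Return (queue sorted by score descending, list of (id, drop reason))."""
    queue, dropped = [], []
    for a in alerts:
        if not validate(a):
            dropped.append((a.id, "invalid"))
            continue
        enrich(a)
        if is_high_confidence_fp(a):
            a.suppressed = True
            dropped.append((a.id, "known_fp"))
            continue
        a.score = score(a)
        queue.append(a)
    queue.sort(key=lambda x: x.score, reverse=True)
    return queue, dropped


# Constructed sample alerts.
SAMPLE_ALERTS = [
    Alert("A1", "port_scan", "10.0.0.5"),
    Alert("A2", "auth_failure", "203.0.113.9", user="root"),
    Alert("A3", "malware", "198.51.100.23"),
    Alert("A4", "malware", "not-an-ip"),
    Alert("A5", "auth_failure", "10.0.0.77", user="alice"),
]

if __name__ == "__main__":
    queue, dropped = triage(SAMPLE_ALERTS)
    for a in queue:
        print(a.id, a.score, a.tags)
    print("dropped:", dropped)
```

The suppression rule is deliberately narrow (one alert type from one allow-listed source); a broad "drop everything internal" rule is exactly the kind of automation that hides real incidents.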

Incident Response: Use cases differ vastly depending on the incident type. For example, responding to a spoofing attempt is quite different from responding to a successful ransomware attack.

Vulnerability & User Management: Automating the process of identifying, prioritizing and remediating vulnerabilities benefits not only team productivity but also the reliability of the outcome, by ensuring the process is always handled the same way. Likewise, ensuring that user accounts are provisioned and deprovisioned accurately and promptly reduces the chance that a forgotten account is abused by a threat actor.

Orchestrator: It should manage and administer all activities assigned to a given security workflow from start to finish. In all circumstances, it is crucial that the orchestrator delivers predictable results and makes efficient use of available resources.

Ingestion: Security automation and orchestration starts with data ingestion. An orchestrator should be able to acquire data from any source and in any format. It should be able to poll data sources and pull data into the platform. If unstructured data is collected, it should be parsed and made usable by the SOAR platform. It should also be able to acquire data from multiple sources and optionally keep them logically separated.

Decision Making: Analysts should be able to choose the automation playbooks that apply to a data source. For instance, a phishing playbook might be applied to an email-based ingestion source, while a malware forensics playbook might be applied to a SIEM-alert ingestion source. This procedure is closely tied to the alert management capability.

Task Execution: It is generally the role of the orchestrator to dispatch queued automation tasks at the appropriate time, forwarding them to the automation engine for execution.

Human Supervision: An orchestrator should balance automation with the expert supervision that is needed. There are cases where an analyst must be in the loop, for example when an asset owner's approval is required before a security action is taken on a target, or when an analyst's judgement is needed to ensure that security is balanced against business continuity.

Data Administration: An orchestrator should also ensure that action output is properly parsed, normalized and structured so that subsequent actions can benefit from it. The orchestrator should also cache relevant data to reduce load on other resources.

Error Tolerance: A SOAR platform frequently interacts with various products and services to run automation playbooks. An orchestrator must anticipate that their availability is not guaranteed, since access to them can be interrupted or lost. In these cases it must behave predictably, recovering and resuming operations as designed.
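The orchestrator responsibilities listed above (ingestion, decision making, task execution, human supervision and error tolerance) as one added worked example, not code from any SOAR vendor: two raw inputs are normalized, routed to a playbook by source, and executed with retries against a deliberately flaky integration and an approval gate in front of the containment action. The source formats, the playbooks, the "EDR" stand-in and the sample events are all constructed for this illustration.

```python
"""Minimal orchestrator loop: ingest, route, execute with retries and approval.

Added illustration; the input formats, playbooks and the FlakyEDR stand-in
are constructed, not a real product's API.
"""
import json
from typing import Callable, Dict, List, Tuple


# ---- Ingestion: normalize heterogeneous inputs into one record shape ----
def ingest(source: str, raw: str) -> Dict:
    """Parse a raw event from a named source into a normalized dict."""
    if source == "email":
        msg = json.loads(raw)  # constructed: the mail gateway posts JSON
        return {"source": source, "sender": msg["from"], "urls": msg.get("urls", [])}
    if source == "siem":
        fields = dict(kv.split("=", 1) for kv in raw.split())  # key=value line
        return {"source": source, "host": fields["host"], "hash": fields["sha256"]}
    raise ValueError(f"unknown source {source!r}")


# ---- Integrations ----
class TransientError(Exception):
    """Integration temporarily unavailable; safe to retry."""


class FlakyEDR:
    """Constructed stand-in for an endpoint tool whose API fails intermittently."""

    def __init__(self, failures_before_success: int):
        self.remaining = failures_before_success
        self.isolated: List[str] = []

    def isolate(self, host: str) -> str:
        if self.remaining > 0:
            self.remaining -= 1
            raise TransientError("EDR API timeout")
        self.isolated.append(host)
        return f"isolated {host}"


# ---- Decision making: playbook chosen by ingestion source ----
# A playbook is a list of (task name, callable, needs_approval).
def phishing_playbook(rec: Dict, ctx: Dict) -> List[Tuple]:
    return [
        ("extract_urls", lambda: sorted(set(rec["urls"])), False),
        ("block_sender", lambda: f"blocked {rec['sender']}", False),
    ]


def malware_playbook(rec: Dict, ctx: Dict) -> List[Tuple]:
    # Isolation changes production state, so it is gated on human approval.
    return [
        ("lookup_hash", lambda: ctx["hash_reputation"].get(rec["hash"], "unknown"), False),
        ("isolate_host", lambda: ctx["edr"].isolate(rec["host"]), True),
    ]


PLAYBOOKS = {"email": phishing_playbook, "siem": malware_playbook}


# ---- Task execution with error tolerance ----
def run_task(fn: Callable, retries: int = 3):
    """Retry transient integration failures; other exceptions propagate."""
    for attempt in range(1, retries + 1):
        try:
            return fn()
        except TransientError:
            if attempt == retries:
                raise


def orchestrate(source: str, raw: str, ctx: Dict, approve: Callable) -> List[Tuple]:
    """Run the playbook for one event; return an activity log of (task, status, result)."""
    rec = ingest(source, raw)
    log = []
    for name, fn, needs_approval in PLAYBOOKS[rec["source"]](rec, ctx):
        if needs_approval and not approve(name, rec):  # human supervision gate
            log.append((name, "skipped", "approval denied"))
            continue
        try:
            log.append((name, "ok", run_task(fn)))
        except TransientError as e:
            log.append((name, "failed", str(e)))  # recorded, never silently lost
    return log


# Constructed sample events.
EMAIL_RAW = json.dumps({"from": "bad@example.net",
                        "urls": ["http://x.example/a", "http://x.example/a"]})
SIEM_RAW = "host=ws-17 sha256=abc123 rule=malware_detected"

if __name__ == "__main__":
    ctx = {"edr": FlakyEDR(2), "hash_reputation": {"abc123": "malicious"}}
    print(orchestrate("email", EMAIL_RAW, {}, approve=lambda n, r: True))
    print(orchestrate("siem", SIEM_RAW, ctx, approve=lambda n, r: True))
```

Note that a failed task is written to the activity log with its error rather than aborting the whole playbook, and that the approval callback is called with the task name and the normalized record so the approver sees what will be done to which host.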

Automation Engine: This is the pillar of most SOAR platforms, receiving actions or tasks from the orchestrator and reliably executing them. Because automation jobs run independently and essentially without human interaction, properties such as resilience and scalability are important aspects to examine.

Alert Management & Details: This capability of a SOAR platform should queue and rank incoming alerts so that analysts can triage them effectively. Alert investigation is carried out through manual or automated execution of actions to reach the highest levels of triage efficiency and accuracy. The interface should allow every facet of a security alert to be managed promptly and acted on efficiently. It should also organize information so that the right details are available at the right time, sparing the analyst lengthy searches or switching between tools. Technical details should be arranged so that the analyst can quickly take them in and understand the security scenario. This includes an ordered view of data such as IP addresses, domain names, user names, email details and all other pertinent information.

Delivering Actions: When investigating an alert, the analyst should be able to trigger manual actions from the alert interface. This includes investigative, remediation or corrective actions. The interface should allow the analyst to perform an action by selecting the data to act on. This is called contextual action execution, and it enables iterative analysis around newly discovered information.

Activity Log: The platform should keep an extensive log showing the history of all actions executed against an alert. Each action should show its results, along with its status and completion outcome.

Alert Status & Collaboration: Every alert handled by the platform should carry a status, a severity and a sensitivity indicator, each adjustable within the interface.
The interface should also offer a space where analysts can attach, review and share notes about an alert. Ideally this collaboration log is captured and organized alongside the other alert data.

Case Management: Once alerts or events are confirmed and escalated, this component should drive a larger cross-functional lifecycle from creation to resolution. It should capture additional attributes of a case that distinguish it from an alert. Many alerts may be created, aggregated and escalated as a single case, so cases are far lower in volume than alerts. Many organizations receive hundreds or thousands of alerts per day, while cases tend to run in single figures.
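The aggregation step described above, as an added worked example that is not code from any SOAR product: alerts that share an entity (host, user or indicator) are clustered into one case, the case inherits the highest member severity, and only clusters above an escalation threshold are flagged for the case lifecycle. The alert records, the entity keys and the threshold are constructed for this illustration.

```python
"""Case aggregation: cluster related alerts into cases via shared entities.

Added illustration; alerts, entity keys and threshold are constructed.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed alerts: each carries the entities the detection referenced.
ALERTS = [
    {"id": "A1", "host": "ws-17", "user": "alice", "ioc": None, "severity": 40},
    {"id": "A2", "host": "ws-17", "user": None, "ioc": "198.51.100.23", "severity": 70},
    {"id": "A3", "host": "srv-02", "user": None, "ioc": "198.51.100.23", "severity": 60},
    {"id": "A4", "host": "ws-40", "user": "bob", "ioc": None, "severity": 20},
    {"id": "A5", "host": "ws-40", "user": "bob", "ioc": None, "severity": 20},
]

ENTITY_KEYS = ("host", "user", "ioc")


def aggregate(alerts: List[Dict], escalate_at: int = 50) -> List[Dict]:
    """Union-find over shared entities; return cases sorted by severity desc."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    # Any two alerts that mention the same (key, value) land in one cluster.
    seen: Dict[tuple, str] = {}
    for a in alerts:
        for key in ENTITY_KEYS:
            value = a.get(key)
            if value is None:
                continue
            if (key, value) in seen:
                parent[find(a["id"])] = find(seen[(key, value)])
            else:
                seen[(key, value)] = a["id"]

    clusters = defaultdict(list)
    for a in alerts:
        clusters[find(a["id"])].append(a)

    cases = []
    ordered = sorted(clusters.values(), key=lambda m: -max(x["severity"] for x in m))
    for members in ordered:
        severity = max(m["severity"] for m in members)
        cases.append({
            "case_id": f"C{len(cases) + 1}",
            "alerts": [m["id"] for m in members],
            "severity": severity,                     # case inherits worst member
            "escalated": severity >= escalate_at,     # below threshold: stays an alert cluster
            "entities": sorted({(k, m[k]) for m in members for k in ENTITY_KEYS if m.get(k)}),
        })
    return cases


if __name__ == "__main__":
    for case in aggregate(ALERTS):
        print(case)
```

Transitive linking matters here: A1 and A3 share no entity directly, but both connect through A2 (same host, then same indicator), so they end up in the same case rather than being triaged as unrelated alerts.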