Security Orchestration Automation & Response

Security Orchestration Automation & Response (SOAR) solutions enable organisations to collect data about security threats and respond to security events without human assistance. The goal of using a SOAR platform is to improve the efficiency of human operated and digital security operations.

SOAR platforms consist of three main components. These are security orchestration, security automation and security response.

1. Security orchestration
   The solution is able to integrate and connect both internal and external tools via either built in, or custom integrations and through application programming interfaces. The typical systems the solution connects with are vulnerability scanners, endpoint protection products, end-user behavior analytics, firewalls, intrusion detection and prevention systems as well as SIEM platforms and external threat intelligence feeds. All data that is gathered offers a better change to detect threats and add even more context and better collaboration. The result of this is that more alerts and more data is generated for ingestion and analyzing. Consolidation of data in order to initiate response functions is done within the security orchestration process. The security automation process makes sure that the right actions are taken.
2. Security Automation
   The data and alerts that are fed from the security orchestration process are ingested and analyzed by the security automation process. In this process the repeated, automated processes to replace manual processes are created. Tasks that have previously been performed by analysts such as log analysis, ticket checking, auditing actions, and vulnerability scanning can be ‘standardized’ and automatically executed by the SOAR platform. Machine learning and artificial intelligence to decipher and adapt insights from analysts are used to help the SOAR Automation to make informed decisions and provide recommendations and automate future responses. Automation can even elevate threats in cases where human intervention is necessary. In order to guarantee SOAR success Playbooks are absolutely essential. The predefined or customized playbooks are actually predefined ‘automated’ actions. A combination of multiple SOAR playbooks can be connected to complex complete actions. For example in case a malicious URL is found in a particular employee e-mail and is identified during a scan, a playbook can be activated which blocks the e-mail, alerts the employee of the phishing attempt and also blacklists the IP address of the sender. Follow up – investigative – actions by security teams can also be triggered by the SOAR in case they are necessary. In the previous phishing example the follow up could also include searching in other employee inboxes for similar e-mails and blocking them and their respective IP addresses, if found.
3. Security Response
   A single view for analysts into the planning, monitoring, reporting of actions carried out after a threat is detected and managing is provided by the security response process. This process also includes post incident response activities such as case management, reporting and threat intel sharing.

Below we have outlined the most important benefits of SOAR for security operations teams:

• Incident detection and reaction times are much faster. The velocity and volume of security threats and events are constantly increasing. The improved data context from the SOAR in combination with automation can reduce the mean time to detect and mean time to respond drastically. By detection and response to threats more quickly, the impact can be reduced.
• Better threat context. The integration of more data from a wider array of systems and tools results in the fact that SOAR platforms can offer more context, better analysis and highly up to date threat information.
• Simplified management. SOAR platforms are extremely useful for consolidating the various security systems’ dashboards into one single interface. SecOps and other teams are helped by centralizing information and data handling, simplifying management and thus saving time.
• Scalability. Scaling the various time-consuming manual processes can be a drain on employees and in some cases it is even impossible to keep up with as security event volume constantly grows. The orchestration, automation and workflow of SOAR can meet scalability demands more easily as well.
• Accelerating the productivity of analysts. By automating the lower-level threats the responsibility of SecOps and SOC teams are augmented, enabling them to perform better prioritization providing them the ability to prioritize the threats more effectively and to better respond to threats that require human intervention even faster.
• Streaming operations. Standardized playbooks and procedures that automate lowel-level tasks enable SecOps teams to respond to more threats in the same time period. These workflows also ensure that the same standardized remediation efforts are applied across all systems organization-wide.
• Reporting and collaboration. The reporting and analysis by SOAR consolidates information quickly, improving the data management process and even better response efforts to update the existing security programs and policies for more effective security. The centralized dashboard of the SOAR platform also improves the entire information sharing process across disparate enterprise teams, enhancing communication and collaboration between these teams.
• Reduction of costs. Augmented security analysts with SOAR tooling at hand can in many occasions lower the costs, when compared with manually performing all the threat analysis, detection and response actions.

The challenges when implementing a SOAR:

The SOAR should be part of a well implemented defense strategy since input of other security systems to better detect threats is vital. SOAR certainly is not a silver bullet technology, nor a standalone system.

SOAR is a complementary technology, not a replacement for other security tools. SOAR is also not a replacement for human analysts, but augment their workflows and skills more effectively for improved incident detection and response saving time and money.

A few other attention points are:

• failure to remediate a broader security strategy;
• expectations that are conflated;
• the complexity of deployment and management of the SOAR;
• lack of or limited metrics.

Garter says the following about the most important SOAR capabilities:

1. Vulnerability management and threat management technologies that support remediation of vulnerabilities introducing a formalized workflow, collaboration and reporting capabilities;
2. Incident response technology supporting how organizations plan, manage, track and coordinate the response to security incidents; and
3. security operation automation technology that supports automation and orchestration of processes, workflows, policy execution and reporting as well.

This definition is expanded even further by Garter to the below:

• Security incident response platforms, including capabilities such as vulnerability management, case management, incident management, workflows, incident knowledge base, auditing and logging capabilities, reporting and more;
• Security orchestration and automation, which includes workflow automation, playbooks, integrations, playbook management, data gathering, log analysis and account lifecycle management; and
• Threat intelligence platforms, including threat intelligence aggregation, analysis and distribution, alert context enrichment and threat intelligence visualization.

SOAR compared with SIEM

Both SOAR- and SIEM systems aggregate data from a variety of multiple sources but the terms are however not interchangeable. The SIEM system collects data, identifying deviations, ranking threats and generates alerts. The SOAR systems also handle these tasks, but they include a number of additional capabilities. SOAR platforms integrate with a much wider array of internal and external applications, both security and non-security, whereas SIEM systems only provide alerts to security analysts of a particular event.

iSOC24 carries the SOAR solutions of Swimlane, Rapid7, Logpoint and ThreatQ in its portfolio.