SOAR Solutions: Everything You Need To Know (FAQs)
What Is Security Orchestration, Automation, And Response (SOAR)?
Security Orchestration, Automation, and Response (SOAR) solutions take information from all the security tools in your cybersecurity stack to gain extensive visibility. From this vantage point, it is easier to identify threats and understand their potential impact than it is from any one security tool alone. This centralized management then allows remediation and response actions to be initiated.
SOAR can effectively analyse data from your endpoints through its comprehensive use of AI and ML capabilities. This allows it to work much faster than a human could, without increasing the risk of making a mistake. In practice, this allows it to carry out advanced threat hunting and even identify dormant malware that may be activated later. As it monitors your network, it can also identify network vulnerabilities and catalogue how previous attacks have been initiated.
What Features Should You Look For In A SOAR Solution?
There are three key features to look out for when selecting a SOAR solution.
- Alert triage and investigation. As these solutions take in a great deal of information from across your entire network, the amount of data they gather will be vast. It is simply unfeasible for a human analyst to sift through this data and identify anomalies. Your SOAR solution should analyse data automatically, and only alert admin users to the most critical events, or to events that require human input.
- Playbooks. There are many thousands of events that your SOAR solution could run into. Rather than needing AI and ML capabilities to “decide” how best to respond in each case, you can use pre-built playbooks to respond. For instance, if a known attack type is encountered, you can follow the steps as prescribed in a playbook to ensure that you are responding efficiently and effectively. Your SOAR solution should have pre-built and customizable playbooks for you to use.
- Reporting dashboard. As these solutions assess large quantities of data, there should be an effective and streamlined dashboard that can highlight key findings and present information in an accessible way. There should be a record of remediation events that have happened without any need for human interaction. Over time you can assess these trends and decide if any security protocols need changing.
How Do SOAR Security Tools Work?
SOAR security tools analyse data from across your network to carry out advanced and comprehensive analysis. This allows you to respond to attacks quickly, as well as gaining visibility of an entire attack lifecycle. This provides valuable information that can help to prevent future attacks and identify vulnerabilities. Let’s break each of these stages down into a little more detail.
- Data Gathering – Through deep integration with your endpoints and your network, SOAR solutions will gather as much data as possible. It is important that they have unrestricted access to ensure that the SOAR solution does not miss any threats. If there are areas that the solution cannot monitor, these blind spots could be exploited by attackers.
- Data Analysis – A SOAR solution will use machine learning (ML) to sift through the vast quantities of data that it has access to. The tool will then carry out analysis to determine if any processes are occurring abnormally – this would suggest that a system is under attack. Prioritized notifications can be sent to SOC teams to pick up anything that has been missed.
- Response – Once a threat has been identified, a SOAR solution can work to automatically enact remediation procedures and stop an attack before it causes too much damage. There will be several inbuilt playbooks that will dictate the correct response given a particular scenario.
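The data-analysis stage described in the steps above, as an added example that is not code from the original article or from any SOAR vendor. It takes constructed login log lines (the users, addresses and timestamps are invented), looks for abnormal activity (a burst of failed logins from one source, optionally followed by a success), and emits prioritized notifications so that a SOC team sees the most serious finding first rather than the raw event stream. The threshold, window and scores are assumptions chosen for the example.

```python
"""Added example (not from the page): a toy version of the SOAR data-analysis
stage. Constructed log lines are parsed, grouped per source address, scored,
and turned into prioritized notifications for the SOC."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Format:
#   <ISO timestamp> <event> user=<name> src=<ip>
SAMPLE_LOG = """\
2024-05-01T10:00:01 LOGIN_FAIL user=alice src=203.0.113.7
2024-05-01T10:00:03 LOGIN_FAIL user=alice src=203.0.113.7
2024-05-01T10:00:05 LOGIN_FAIL user=alice src=203.0.113.7
2024-05-01T10:00:07 LOGIN_FAIL user=alice src=203.0.113.7
2024-05-01T10:00:09 LOGIN_FAIL user=alice src=203.0.113.7
2024-05-01T10:00:12 LOGIN_OK user=alice src=203.0.113.7
2024-05-01T10:05:00 LOGIN_FAIL user=bob src=198.51.100.4
2024-05-01T10:05:10 LOGIN_FAIL user=bob src=198.51.100.4
2024-05-01T10:05:20 LOGIN_FAIL user=bob src=198.51.100.4
2024-05-01T10:05:30 LOGIN_FAIL user=bob src=198.51.100.4
2024-05-01T10:05:40 LOGIN_FAIL user=bob src=198.51.100.4
2024-05-01T10:30:00 LOGIN_FAIL user=carol src=192.0.2.9
2024-05-01T10:31:00 LOGIN_OK user=carol src=192.0.2.9
"""

FAIL_THRESHOLD = 5             # assumed: failures inside WINDOW that count as abnormal
WINDOW = timedelta(minutes=1)  # assumed detection window


@dataclass
class Event:
    ts: datetime
    kind: str
    user: str
    src: str


def parse_line(line):
    """Parse one constructed log line into an Event."""
    ts, kind, user_kv, src_kv = line.split()
    return Event(datetime.fromisoformat(ts), kind,
                 user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def has_burst(times):
    """True if FAIL_THRESHOLD or more timestamps fall inside any WINDOW-long span."""
    times = sorted(times)
    for i, start in enumerate(times):
        in_window = sum(1 for t in times[i:] if t - start <= WINDOW)
        if in_window >= FAIL_THRESHOLD:
            return True
    return False


def analyse(log_text):
    """Return notifications, highest priority first, for abnormal login activity."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    notifications = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e.kind == "LOGIN_FAIL"]
        if not fails or not has_burst([f.ts for f in fails]):
            continue                      # normal activity: nothing to raise
        last_fail = max(f.ts for f in fails)
        # A success after the burst suggests the guessing worked: raise priority.
        succeeded = any(e.kind == "LOGIN_OK" and e.ts > last_fail for e in evs)
        notifications.append({
            "src": src,
            "users": sorted({f.user for f in fails}),
            "failures": len(fails),
            "severity": "critical" if succeeded else "high",
            "score": 95 if succeeded else 70,
        })
    notifications.sort(key=lambda n: n["score"], reverse=True)
    return notifications


if __name__ == "__main__":
    for n in analyse(SAMPLE_LOG):
        print(n)
```

Running it yields two notifications: the source that failed five times and then logged in successfully is ranked critical, the source that only failed is ranked high, and the single failure from the third source produces nothing at all, which is the filtering the text refers to.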
What Is The Difference Between SOAR And SIEM Tools?
SIEM stands for Security Information and Event Management. These tools will collect and log cybersecurity event data from across your network, including your servers, applications, and databases. If anything suspicious or anomalous is detected, the SIEM solution will send an alert notification.
SOAR solutions work in a similar way – they start by monitoring and detecting network events. The two differ in their response. Rather than sending a notification alone, SOAR tools are capable of responding to and remediating the issue. Some issues are too complex for SOAR solutions to remediate automatically; in these instances, the tool will triage the threats and then notify admin teams.
Key SOAR Use Cases And Benefits
A key selling point for a SOAR solution is its customizability and flexibility to suit all types of use cases. So, what are these types of solutions typically used for?
A commonly cited use case for SOAR platforms is enhancing incident response, yet surprisingly, a recent report by Swimlane found that the top three use cases for SOAR are incorporating threat intelligence (57%), addressing phishing attacks (56%), and triaging SIEM alerts (54%).
Some other honorable mentions in the report include threat hunting, endpoint protection, and vulnerability management, as well as penetration testing, malware analysis, and identity enforcement a little lower on the list.
So, SOAR solutions can be leveraged for most use cases that you require. But what are the benefits of that?
The Benefits Of Investing In A SOAR Solution
It’s no secret that SOC analysts face a large number of challenges on a daily basis.
High volumes of disconnected alerts often mean that analysts find themselves overwhelmed (with 83% of organizations saying that their employees struggle with alert fatigue), and a large number of critical alerts are going unaddressed (with 55% admitting that these are missed on a daily or weekly basis). Incidents can also take a long time to remediate, with 46% of organizations agreeing that it can take three or more days to remediate an alert.
More than half of organizations are also estimated to use at least five public cloud security tools as part of their stack. This goes to show that vendor and tool sprawl is a very real problem—and organizations often struggle to correlate data between these disparate tools.
But this is where SOAR solutions can really prove their worth. The key benefits of investing in a SOAR solution include:
Reducing alert noise: With 93% of organizations saying they cannot address all alerts within the same day, SOAR solutions help reduce alert noise by integrating siloed tools, coordinating and correlating alerts, filtering out false positives, and prioritizing them based on criticality.
Improving efficiency: SOAR platforms help boost efficiency by providing more simplified and centralized alert and incident management, automating repetitive and simple tasks, and streamlining operations.
Supplying better context for alerts and events: By consolidating alerts and investigating them via AI and ML, as well as the addition of in-depth threat intelligence, SOAR solutions can strengthen investigations and help analysts make faster, well-informed, and context-driven decisions. In fact, 57% of organizations say that SOAR has greatly improved triage quality and speed alone.
Speeding up incident response: By reducing the time to detect and investigate incidents as well as automating response and remediation actions, SOAR solutions help analysts to quickly contain and respond to incidents. And a huge 71% of SOAR users agree that the technology has greatly improved response, containment, and remediation times.
Standardizing processes: Because SOAR solutions are designed to trigger automated workflows based on specific events and actions, this ensures that all processes are standardized and uniform, and are addressed in exactly the same way regardless of the analyst that they’re assigned to.
Streamlining reporting: What’s great about SOAR solutions is that they provide a central dashboard where admins can easily view and access security controls and analytics. This simplifies reporting across the entire IT environment and helps analysts to better communicate analytics with C-suite executives and internal teams.
Lowering costs: SOAR solutions help to lower costs in two main ways. First, by reducing the time spent on incident response and the number of resources that need to be dedicated to it. And second, they can help you to ensure compliance with external regulators, avoiding hefty fines in the event of a breach.
While, as we’ve mentioned, SOAR platforms are highly configurable and can be programmed to suit most use cases and requirements, here are the seven key features that any great SOAR solution should include:
1. Orchestration
Representing the “O” in the acronym “SOAR”, orchestration coordinates disparate tools and processes and serves as the foundational layer for automation. While automation handles individual tasks and ensures that they go ahead without the need for human intervention, orchestration coordinates these tasks to create larger workflows so that disparate systems feed into one another and work together in unison.
Using orchestration, a SOAR platform can automate a series of tasks within a workflow that might use multiple security tools and processes. This includes combining interdependent processes—from incident alerting to investigation and response—to create larger workflows that run smoothly.
For example, orchestration is what enables SOAR platforms to collate all relevant data onto one platform, provide consolidated threat context and intelligence, and initiate workflows across disparate systems.
2. Automation
While orchestration is what connects disparate tools and enables workflows to run smoothly, automation—represented by the letter “A” in “SOAR”—is the machine-driven execution of the individual tasks within these workflows.
These tasks can include vulnerability scanning, log analysis, user access management, threat detection/triage/investigation, incident response, and more.
The automation capability of a SOAR platform relies heavily on configured playbooks. These are sets of pre-configured rules that are triggered by specific events and that inform the platform which tasks need to be automated next as part of a specific workflow. We’ll discuss these in more detail in point number four.
Automation is incredibly useful for stressed-out, over-burdened SOC teams, as it handles a lot of the repetitive day-to-day manual tasks without need for their involvement, helping to reduce their workload and enabling them to focus their efforts on tasks that require human intelligence.
3. Case Management
Organizations today are often working across a vast number of security tools at any given time—each producing its own alerts and data. As a result, not only can it be difficult for teams to correlate data and manage incidents from end-to-end, but also analysts become increasingly overwhelmed by large numbers of related alerts from disparate systems.
Case management is the capability to consolidate related data from disparate tools into a single case record that teams can track and centrally manage on one intuitive user interface. From this interface, SOC analysts can track, manage, investigate, and respond to incidents and alerts, as well as gain a complete end-to-end view of all incident-related data and investigation efforts.
A SOAR solution’s case management capabilities should include:
- Alert correlation, triage, and prioritization: The ability to collate alerts from disparate systems, enrich and analyze these alerts, and prioritize them based on their criticality. This includes assigning alerts to specific response tiers and particular analysts that might have expertise in specific areas.
- Incident escalation: Where an alert cannot be resolved by the first-line response team, the solution should include the ability to escalate that alert to a higher tier and more specialized team for a more focused response.
- Incident response actions: The case management dashboard should offer a range of response actions suitable for the specific case and that can be executed directly from within the platform.
- Collaboration between analysts and teams: The ability to share data and case history as well as communicate with other analysts to facilitate a speedy response is vital. Some solutions even come with dedicated “incident war rooms”, which are spaces where all relevant personnel across various teams can come together to analyze and swiftly solve a critical incident.
- Integrations with third-party tools: For case management, integration with your current IT ticketing system is vital, as well as with your SIEM and other tools you might be using.
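The correlation, prioritization and escalation capabilities listed above, as an added example that is not code from the article or from any SOAR product. Alerts from three invented tools (an EDR, a SIEM and an email gateway) are correlated into one case per affected host or user, the work queue is ordered by priority, and escalation to a higher tier is recorded in the case history. The tier rules and the sample alerts are assumptions made for the example.

```python
"""Added example (not from the page): a minimal case-management layer that
correlates alerts from disparate tools into one case per affected entity,
prioritizes the cases, and records escalation in the case history."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Alert:
    source: str    # tool that raised it, e.g. "edr", "siem", "email-gateway"
    entity: str    # host or user the alert is about (the correlation key)
    severity: int  # 1 = low .. 4 = critical
    summary: str


@dataclass
class Case:
    entity: str
    alerts: List[Alert] = field(default_factory=list)
    tier: int = 1          # response tier currently handling the case
    status: str = "open"
    history: List[str] = field(default_factory=list)

    @property
    def priority(self) -> int:
        """Case priority is the worst severity among its correlated alerts."""
        return max(a.severity for a in self.alerts)

    @property
    def sources(self) -> List[str]:
        return sorted({a.source for a in self.alerts})


MAX_TIER = 3  # assumed: three response tiers


def correlate(alerts: List[Alert]) -> Dict[str, Case]:
    """Group alerts by entity so one incident appears as one case, not N alerts."""
    cases: Dict[str, Case] = {}
    for a in alerts:
        case = cases.setdefault(a.entity, Case(entity=a.entity))
        case.alerts.append(a)
        case.history.append(f"ingested from {a.source}: {a.summary}")
    for case in cases.values():
        # Assumed rule: critical cases, or cases seen by more than one tool,
        # bypass tier 1 and start with the more specialized team.
        case.tier = 2 if case.priority >= 4 or len(case.sources) >= 2 else 1
        case.history.append(f"assigned to tier {case.tier}")
    return cases


def triage_order(cases: Dict[str, Case]) -> List[Case]:
    """Work queue: highest priority first, then cases corroborated by more tools."""
    return sorted(cases.values(),
                  key=lambda c: (-c.priority, -len(c.sources), c.entity))


def escalate(case: Case, reason: str) -> int:
    """Move a case the current tier cannot resolve up one tier; returns the new tier."""
    if case.status != "open":
        raise ValueError(f"case {case.entity} is {case.status}, cannot escalate")
    if case.tier >= MAX_TIER:
        raise ValueError(f"case {case.entity} is already at the top tier")
    case.tier += 1
    case.history.append(f"escalated to tier {case.tier}: {reason}")
    return case.tier


# Constructed sample alerts (hostnames, users and summaries are invented).
SAMPLE_ALERTS = [
    Alert("edr", "host-17", 3, "suspicious child process of office app"),
    Alert("siem", "host-17", 2, "outbound connection to rare domain"),
    Alert("email-gateway", "bob", 2, "user reported phishing email"),
    Alert("edr", "host-42", 4, "ransomware signature matched"),
]

if __name__ == "__main__":
    cases = correlate(SAMPLE_ALERTS)
    for c in triage_order(cases):
        print(c.entity, "priority", c.priority, "tier", c.tier, c.sources)
    escalate(cases["bob"], "needs mail-flow analysis")
    print(cases["bob"].history)
```

Four alerts collapse into three cases; the two alerts about host-17 from different tools become one case that starts at tier 2, while the single phishing report stays at tier 1 until an analyst escalates it, with every step kept in the case history for the end-to-end view the text describes.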
4. Playbooks And Workflow Management
For SOAR solutions to carry out two of their key responsibilities—orchestration and automation—they need a set of process workflows to follow. Most solutions offer playbooks to fulfil this.
Playbooks are pre-defined sets of rules for process automation that determine which actions should happen next within a given workflow. And, as we mentioned earlier in the article, they can be used for a range of use cases. As a quick reminder, these include incident response, vulnerability and patch management, malware containment, and more.
Traditionally, the problem with playbooks was how difficult they were to configure from scratch, which is why most solutions now offer hundreds of pre-built, out-of-the-box playbooks as part of their platforms, covering the most common tasks for SOC teams.
As well as this, most solutions also enable easy customization via code-free, WYSIWYG (“what you see is what you get”) visual editors. This means teams can automate any process they need, and that analysts with limited knowledge of scripting languages such as Python can still set up and manage playbooks.
Playbooks are the cornerstone of security orchestration and automation and help to reduce the burden on SOC analysts to routinely perform repetitive tasks, standardize responses to ensure consistency, and maximize team efficiency across the organization.
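A playbook engine of the kind described here and in the Response step of the “How Do SOAR Security Tools Work?” section, as an added example that is not code from the article or from any vendor’s platform. Playbooks are declarative: a trigger event type plus ordered steps, where a step can be gated on the verdict produced by an earlier step. Each action is a plain function, and the integrations (mail, EDR, ticketing, chat) are stand-ins that only record what they were asked to do. The event fields, URL reputation table and playbook contents are all assumptions made for the example.

```python
"""Added example (not from the page): a small playbook engine. Playbooks are
declarative (trigger + ordered steps), steps are gated on the verdict of
earlier steps, and every action is a function registered in ACTIONS. The
integration calls are stand-ins that only record what they were asked to do."""
from typing import Callable, Dict, List

# Constructed reputation data standing in for a URL-reputation integration.
URL_REPUTATION = {
    "http://example.invalid/login": "malicious",
    "http://example.org/": "benign",
}

ACTIONS: Dict[str, Callable] = {}


def action(fn):
    """Register fn under its own name so a playbook step can reference it."""
    ACTIONS[fn.__name__] = fn
    return fn


@action
def extract_urls(event, ctx):
    ctx["urls"] = event.get("urls", [])


@action
def check_url_reputation(event, ctx):
    verdicts = [URL_REPUTATION.get(u, "unknown") for u in ctx["urls"]]
    # Worst verdict wins: one malicious URL makes the whole message malicious.
    if "malicious" in verdicts:
        ctx["verdict"] = "malicious"
    elif "unknown" in verdicts or not verdicts:
        ctx["verdict"] = "unknown"
    else:
        ctx["verdict"] = "benign"


@action
def quarantine_email(event, ctx):
    ctx["calls"].append(("mail", "quarantine", event["message_id"]))


@action
def block_sender(event, ctx):
    ctx["calls"].append(("mail", "block_sender", event["sender"]))


@action
def isolate_host(event, ctx):
    ctx["calls"].append(("edr", "isolate", event["host"]))


@action
def open_ticket(event, ctx):
    ctx["calls"].append(("itsm", "open_ticket", event["type"]))


@action
def notify_analyst(event, ctx):
    ctx["calls"].append(("chat", "notify", f"{event['type']} needs human review"))


@action
def close_case(event, ctx):
    ctx["calls"].append(("case", "close", event["message_id"]))


# Declarative playbooks: the event type that triggers them and the ordered steps.
# "when" runs the step only if the verdict set by an earlier step matches.
PLAYBOOKS: List[dict] = [
    {"name": "phishing-report", "trigger": "phishing_report", "steps": [
        {"action": "extract_urls"},
        {"action": "check_url_reputation"},
        {"action": "quarantine_email", "when": "malicious"},
        {"action": "block_sender", "when": "malicious"},
        {"action": "notify_analyst", "when": "unknown"},   # too uncertain to automate
        {"action": "close_case", "when": "benign"},
    ]},
    {"name": "malware-on-host", "trigger": "edr_malware", "steps": [
        {"action": "isolate_host"},
        {"action": "open_ticket"},
        {"action": "notify_analyst"},
    ]},
]


def run_playbooks(event: dict) -> dict:
    """Run every playbook whose trigger matches the event; return the run context."""
    ctx = {"calls": [], "executed": [], "verdict": None, "playbooks": []}
    for pb in PLAYBOOKS:
        if pb["trigger"] != event["type"]:
            continue
        ctx["playbooks"].append(pb["name"])
        for step in pb["steps"]:
            if "when" in step and ctx["verdict"] != step["when"]:
                continue
            ACTIONS[step["action"]](event, ctx)
            ctx["executed"].append(step["action"])
    return ctx
```

The returned context shows which playbooks fired, which steps ran and which integration calls were made, which is the audit trail a reporting dashboard would display. A phishing report whose URL is known-bad is quarantined and its sender blocked with no human involvement, while one containing an unknown URL stops at the notify step, matching the text’s point that issues the platform cannot resolve are triaged and handed to analysts.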
5. Threat Intelligence Management
All too often, SOC teams find themselves relying on siloed threat intelligence management (TIM) tools that typically add complexity and cause disconnect between data. A way that many vendors have addressed this is by building automated TIM capabilities directly into their SOAR platforms.
TIM is the collection, aggregation, enrichment, and actioning of both internal and external threat data. This includes data about threat actors, TTPs (tactics, techniques, and procedures), indicators of compromise, motivations, and capabilities. A SOAR platform should automate this whole process as part of a workflow and integrate closely with your other security tools.
Integrated TIM is important because it helps SOC teams to detect emerging threats before they become events, leverage additional context for investigations, make informed decisions, and resolve incidents more quickly.
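The TIM workflow described above (collection, aggregation, enrichment, actioning), as an added example that is not code from the article or from any SOAR or threat-intelligence product. Two constructed feeds, one internal and one external, are normalized and merged into a single indicator store, which is then used to enrich an alert with actor and TTP context and to raise its priority. The feed contents, the alert, the actor label and the confidence thresholds are assumptions; the two ATT&CK technique IDs are real identifiers used only as illustrative TTP labels.

```python
"""Added example (not from the page): threat-intelligence management in
miniature. Indicators from two constructed feeds are normalized and aggregated,
then used to enrich an alert so the analyst sees context and a priority that
reflects it."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed feeds (not real intelligence). Note the stray whitespace and mixed
# case in the external feed: normalization has to absorb both.
INTERNAL_FEED = [
    {"type": "ip", "value": "198.51.100.23", "confidence": 60,
     "actor": None, "ttp": "T1071 Application Layer Protocol", "source": "internal"},
]
EXTERNAL_FEED = [
    {"type": "ip", "value": "198.51.100.23 ", "confidence": 85,
     "actor": "ACTOR-PLACEHOLDER", "ttp": "T1071 Application Layer Protocol", "source": "vendor-feed"},
    {"type": "domain", "value": "Bad.Example.Invalid", "confidence": 90,
     "actor": "ACTOR-PLACEHOLDER", "ttp": "T1566 Phishing", "source": "vendor-feed"},
]

# Constructed alert with the observables an enrichment step would look up.
SAMPLE_ALERT = {
    "id": "alert-1", "priority": "medium",
    "observables": [
        {"type": "ip", "value": "198.51.100.23"},
        {"type": "domain", "value": "bad.example.invalid."},
        {"type": "domain", "value": "example.org"},
    ],
}


@dataclass
class Indicator:
    type: str
    value: str
    confidence: int
    sources: List[str] = field(default_factory=list)
    actors: List[str] = field(default_factory=list)
    ttps: List[str] = field(default_factory=list)


def normalize(ioc_type: str, value: str) -> Tuple[str, str]:
    """Canonical key so the same indicator from two feeds collapses to one entry."""
    v = value.strip()
    if ioc_type == "domain":
        v = v.lower().rstrip(".")
    return ioc_type, v


def aggregate(*feeds) -> Dict[Tuple[str, str], Indicator]:
    """Merge feeds: highest confidence wins, sources/actors/TTPs are unioned."""
    db: Dict[Tuple[str, str], Indicator] = {}
    for feed in feeds:
        for raw in feed:
            key = normalize(raw["type"], raw["value"])
            ind = db.setdefault(key, Indicator(key[0], key[1], 0))
            ind.confidence = max(ind.confidence, raw["confidence"])
            for attr, val in (("sources", raw["source"]),
                              ("actors", raw.get("actor")),
                              ("ttps", raw.get("ttp"))):
                bucket = getattr(ind, attr)
                if val and val not in bucket:
                    bucket.append(val)
    return db


def enrich(alert: dict, db: Dict[Tuple[str, str], Indicator]) -> dict:
    """Attach matching indicators to the alert and raise priority on a match."""
    matches = [db[k] for k in (normalize(o["type"], o["value"])
                               for o in alert["observables"]) if k in db]
    enriched = dict(alert, intel=matches)
    if matches:
        top = max(m.confidence for m in matches)
        enriched["priority"] = "critical" if top >= 80 else "high"  # assumed thresholds
        enriched["actors"] = sorted({a for m in matches for a in m.actors})
        enriched["ttps"] = sorted({t for m in matches for t in m.ttps})
    return enriched


if __name__ == "__main__":
    store = aggregate(INTERNAL_FEED, EXTERNAL_FEED)
    print(enrich(SAMPLE_ALERT, store))
```

The same IP reported by both feeds becomes a single indicator carrying both sources and the higher confidence, the trailing dot and mixed case on the domain do not prevent a match, and an alert whose observables hit nothing keeps its original priority, so enrichment never inflates unrelated alerts.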
6. Integrations With Security Tools
One of the most essential—and most basic—features of a SOAR solution is its flexibility and ability to integrate with all security tools that you might be using.
In fact, most solutions offer easy, out-of-the-box, two-way integrations with hundreds of third-party tools, spanning across the entire IT landscape. These include IT ticketing systems, SIEM platforms, email providers, data security, identity and access management, unified endpoint management, and more.
A great SOAR solution should provide easy integrations that don’t require a huge amount of technical expertise—and that can be done via API, scripting languages, or proprietary methods. Many solutions are built on an API-first architecture, which provides the flexibility for the solution to grow with your needs and requirements.
7. Customizable Dashboards And Reporting
The final key feature that a great SOAR solution should have is a customizable reporting dashboard and analytics.
From one comprehensive dashboard, analysts should have the ability to not only track incident lifecycles from end to end, but also keep an eye on performance metrics, SLAs, number of open cases, threat intelligence, alert levels, and more.
In addition to preconfigured dashboard views, analysts should also be able to create their own customized dashboards, so that everything they need to perform their roles is in one place and they don’t have to wade through irrelevant data.
Who Is SOAR Best Suited For?
Large organizations with sizeable security teams and established SOCs continue to dominate the market as the key buyers for SOAR technologies.
This is because SOAR solutions require ongoing effort, engagement, and support—as well as analysts that can handle setting up playbooks, automating workflows, and following best practices.
SOAR might also share similarities with technologies like security information and event management (SIEM) and extended detection and response (XDR), and it can be difficult to determine which solutions might be best for you. But there are a few key differences between these technologies.
SIEM tools are designed for the collection and aggregation of security alerts, and often feed into and integrate with SOAR platforms. So, if you have an existing SIEM platform, SOAR is a great solution to help triage and action the alerts that it generates. And, as we mentioned earlier, this is one of the most common use cases for SOAR solutions.
XDR works in an incredibly similar way to SOAR, but the key difference lies in its tight integration of vendor-specific security tools, more advanced analysis, and better scalability. Yet, XDR comes with only basic automated incident response—teams cannot set up playbooks and workflows. SOAR is the better option for organizations that want to work with best-of-breed tools and make use of playbooks and automated workflows for tasks that go beyond incident response.