Security orchestration, automation, and response (SOAR) solutions are designed to streamline security operations and automate incident response activities and workflows.
They’re also particularly popular with mature security operations center (SOC) teams: 92% of current SOAR users rate the technology somewhere between “somewhat useful” and “extremely useful”. But why?
Security operations centers (SOCs) today are routinely buried under more alerts than they have the time or people to handle. They also struggle with repetitive manual tasks, siloed tools that don’t talk to each other, slow incident response, and a lack of external context. This is where SOAR solutions come in.
SOAR solutions are designed to address these key challenges facing SOC teams and to create order out of chaos. They do this by connecting siloed tools, correlating the alerts those tools raise, standardizing security processes, and automating response workflows.
But that’s the short answer. For the long answer, keep reading.
Throughout this article, we’ll take a look at what SOAR solutions actually do, what their key features are, and whether you should be using one.
What Is SOAR And How Does It Work?
SOAR is an approach to security operations that consolidates security tools and their alerts onto one platform and streamlines and automates the processes and workflows built around them.
A SOAR solution first consolidates alerts and inputs from various security tools onto a single platform via two-way integrations: the platform can both pull data from a tool and push actions back to it. Inputs include:
- Security information and event management (SIEM) platforms
- Endpoint detection and response (EDR) platforms
- Intrusion prevention systems (IPS)
- Firewalls
- Vulnerability scanners
- User and entity behavior analytics (UEBA)
The platform then enriches and analyzes the collected data automatically, using rules and playbook logic and, in some products, machine learning (ML) and artificial intelligence (AI), alongside analyst judgment.
A SOAR platform that’s worth its salt will also have threat intelligence management (TIM) built in, and automatically feed intelligence data from multiple sources into the platform. This helps analysts to enrich and contextualize potential threats and security events.
But that’s not where the automation ends; in fact, it’s just getting started. One of the most valued capabilities of any SOAR platform is its ability to automate incident response workflows, standardizing common responses and freeing up analyst time for more meaningful work.
To set up automation, admins and SOC teams configure playbooks and process workflows, which can run step by step or branch on conditions. These can be configured for a range of activities. Automating incident response is the use case you’ll hear about most, but playbooks are also used for vulnerability and patch management, phishing email investigation and malware containment, threat intelligence and hunting, and more.
So, that’s in essence how SOAR tools work. Let’s now take a closer look at some of their key use cases and benefits.
Key SOAR Use Cases And Benefits
A key selling point for a SOAR solution is its customizability and flexibility to suit all types of use cases. So, what are these types of solutions typically used for?
Incident response is the most commonly cited use case for SOAR platforms, yet a recent report by Swimlane found that the top three actual uses are incorporating threat intelligence (57%), addressing phishing attacks (56%), and triaging SIEM alerts (54%).
Some other honorable mentions in the report include threat hunting, endpoint protection, and vulnerability management, as well as penetration testing, malware analysis, and identity enforcement a little lower on the list.
So, SOAR solutions can be leveraged for most use cases that you require. But what are the benefits of that?
The Benefits Of Investing In A SOAR Solution
It’s no secret that SOC analysts face a large number of challenges on a daily basis.
High volumes of disconnected alerts often mean that analysts find themselves overwhelmed (with 83% of organizations saying that their employees struggle with alert fatigue), and a large number of critical alerts are going unaddressed (with 55% admitting that these are missed on a daily or weekly basis). Incidents can also take a long time to remediate, with 46% of organizations agreeing that it can take three or more days to remediate an alert.
More than half of organizations are also estimated to use at least five public cloud security tools as part of their stack. Vendor and tool sprawl is a very real problem, and organizations often struggle to correlate data between these disparate tools.
But this is where SOAR solutions can really prove their worth. The key benefits of investing in a SOAR solution include:
Reducing alert noise: With 93% of organizations saying they cannot address all alerts within the same day, SOAR solutions reduce noise by integrating siloed tools, correlating related alerts, suppressing known false positives, and prioritizing what remains by criticality.
Improving efficiency: SOAR platforms help boost efficiency by providing more simplified and centralized alert and incident management, automating repetitive and simple tasks, and streamlining operations.
Supplying better context for alerts and events: By consolidating alerts, enriching them automatically, and adding in-depth threat intelligence, SOAR solutions strengthen investigations and help analysts make faster, well-informed, context-driven decisions. In fact, 57% of organizations say that SOAR has greatly improved triage quality and speed.
Speeding up incident response: By reducing the time to detect and investigate incidents and automating response and remediation actions, SOAR solutions help analysts contain and respond to incidents quickly. 71% of SOAR users agree that the technology has greatly improved response, containment, and remediation times.
Standardizing processes: Because SOAR solutions are designed to trigger automated workflows based on specific events and actions, this ensures that all processes are standardized and uniform, and are addressed in exactly the same way regardless of the analyst that they’re assigned to.
Streamlining reporting: SOAR solutions provide a central dashboard where admins can view and access security controls and analytics. This simplifies reporting across the entire IT environment and helps analysts communicate findings to C-suite executives and internal teams.
Lowering costs: SOAR solutions help lower costs in two main ways. First, by reducing the time spent on incident response and the number of people a given response workload requires. Second, because every automated action is logged, they make it easier to evidence compliance to external regulators, reducing the risk of hefty fines in the event of a breach.
Top Features Of A SOAR Platform
While, as we’ve mentioned, SOAR platforms are highly configurable and can be programmed to suit most use cases and requirements, here are the seven key features that any great SOAR solution should include:
1. Orchestration
Representing the “O” in the acronym “SOAR”, orchestration coordinates disparate tools and processes and serves as the foundation for automation. Automation handles individual tasks so that they complete without human intervention; orchestration chains those tasks into larger workflows so that disparate systems feed into one another and work in unison.
Using orchestration, a SOAR platform can automate a series of tasks within a workflow that might use multiple security tools and processes. This includes combining interdependent processes—from incident alerting to investigation and response—to create larger workflows that run smoothly.
For example, orchestration is what enables SOAR platforms to collate all relevant data onto one platform, provide consolidated threat context and intelligence, and initiate workflows across disparate systems.
2. Automation
While orchestration is what connects disparate tools and enables workflows to run smoothly, automation—represented by the letter “A” in “SOAR”—is the machine-driven execution of the individual tasks within these workflows.
These tasks can include vulnerability scanning, log analysis, user access management, threat detection/triage/investigation, incident response, and more.
The automation capability of a SOAR platform relies heavily on configured playbooks: sets of pre-configured rules, triggered by specific events, that tell the platform which task to run next in a given workflow. We’ll discuss these in more detail under point four.
Automation is incredibly useful for stressed-out, over-burdened SOC teams, as it handles a lot of the repetitive day-to-day manual tasks without need for their involvement, helping to reduce their workload and enabling them to focus their efforts on tasks that require human intelligence.
3. Case Management
Organizations today are often working across a vast number of security tools at any given time—each producing its own alerts and data. As a result, not only can it be difficult for teams to correlate data and manage incidents from end-to-end, but also analysts become increasingly overwhelmed by large numbers of related alerts from disparate systems.
Case management is the capability to consolidate related data from disparate tools into a single case record that teams can track and centrally manage from one interface. From there, SOC analysts can track, manage, investigate, and respond to incidents and alerts, with an end-to-end view of all incident-related data and investigation activity.
A SOAR solution’s case management capabilities should include:
- Alert correlation, triage, and prioritization: The ability to collate alerts from disparate systems, enrich and analyze them, and prioritize them based on criticality. This includes routing alerts to specific response tiers and to particular analysts who have expertise in the relevant area.
- Incident escalation: Where an alert cannot be resolved by the first-line response team, the solution should include the ability to escalate that alert to a higher tier and more specialized team for a more focused response.
- Incident response actions: The case management dashboard should offer a range of response actions suitable for the specific case and that can be executed directly from within the platform.
- Collaboration between analysts and teams: The ability to share data and case history as well as communicate with other analysts to facilitate a speedy response is vital. Some solutions even come with dedicated “incident war rooms”, which are spaces where all relevant personnel across various teams can come together to analyze and swiftly solve a critical incident.
- Integrations with third-party tools: For case management, integration with your current IT ticketing system is vital, as well as with your SIEM and other tools you might be using.
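To make the correlation, triage, prioritization, and escalation steps above concrete, here is an added example in Python (the language most SOAR platforms expose for custom logic). It is illustration only, not any vendor’s code: the three alert schemas, the host names, the severity mapping, the scoring rule, and the two-hour SLA are all constructed for the example. Alerts from a SIEM, an EDR, and a firewall are normalized to one shape, grouped into a case when they concern the same host inside a 60-minute window, scored higher when several independent tools flag the same host, assigned a response tier, and bumped to tier 2 when a tier-1 case sits unresolved past its SLA.

```python
"""Toy case-management pipeline in the style of a SOAR platform.

Added illustration only (not any vendor's code): alerts from a SIEM, an EDR
and a firewall arrive in different shapes, are normalized, correlated into
cases by affected host within a time window, scored, assigned a response
tier, and escalated when a tier-1 case breaches its SLA.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample alerts in three made-up vendor schemas.
RAW_ALERTS = [
    {"source": "siem", "ts": "2024-05-01T10:00:00Z", "rule": "Multiple failed logons",
     "host": "ws-17", "sev": "medium"},
    {"source": "edr", "ts": "2024-05-01T10:03:00Z", "detection": "Credential dumping tool",
     "hostname": "ws-17", "severity": 9},
    {"source": "firewall", "ts": "2024-05-01T10:05:00Z", "msg": "Outbound to known C2",
     "src": "ws-17", "level": "high"},
    {"source": "siem", "ts": "2024-05-01T11:00:00Z", "rule": "New local admin account",
     "host": "srv-db01", "sev": "high"},
    {"source": "edr", "ts": "2024-05-01T13:30:00Z", "detection": "Adware (PUA)",
     "hostname": "ws-42", "severity": 3},
]
SEV_WORDS = {"low": 2, "medium": 5, "high": 8, "critical": 10}
CORRELATION_WINDOW = timedelta(minutes=60)


@dataclass
class Alert:
    source: str
    ts: datetime
    title: str
    entity: str  # host the alert is about
    score: int   # 0-10 on one common scale


@dataclass
class Case:
    entity: str
    opened: datetime
    alerts: list = field(default_factory=list)
    tier: int = 1
    resolved: bool = False

    @property
    def score(self) -> int:
        # Highest single alert, plus one point per extra distinct tool that
        # independently flagged the same host, capped at 10.
        return min(10, max(a.score for a in self.alerts)
                   + len({a.source for a in self.alerts}) - 1)


def normalize(raw: dict) -> Alert:
    """Map each tool's schema onto the common Alert shape."""
    ts = datetime.fromisoformat(raw["ts"].replace("Z", "+00:00"))
    if raw["source"] == "siem":
        return Alert("siem", ts, raw["rule"], raw["host"], SEV_WORDS[raw["sev"]])
    if raw["source"] == "edr":
        return Alert("edr", ts, raw["detection"], raw["hostname"], int(raw["severity"]))
    if raw["source"] == "firewall":
        return Alert("firewall", ts, raw["msg"], raw["src"], SEV_WORDS[raw["level"]])
    raise ValueError(f"unknown source {raw['source']!r}")


def correlate(alerts: list) -> list:
    """Group alerts about the same host that fall inside one window into a case."""
    cases = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for c in cases:
            if c.entity == a.entity and a.ts - c.opened <= CORRELATION_WINDOW:
                c.alerts.append(a)
                break
        else:
            cases.append(Case(entity=a.entity, opened=a.ts, alerts=[a]))
    return cases


def triage(case: Case) -> int:
    """Assign a response tier from the correlated score."""
    case.tier = 3 if case.score >= 9 else 2 if case.score >= 6 else 1
    return case.tier


def escalate_stale(cases: list, now: datetime, sla: timedelta) -> list:
    """Bump any unresolved tier-1 case that has waited longer than the SLA."""
    stale = [c for c in cases if not c.resolved and c.tier == 1 and now - c.opened > sla]
    for c in stale:
        c.tier = 2
    return stale


def run(raw_alerts=RAW_ALERTS, now=datetime(2024, 5, 1, 16, 0, tzinfo=timezone.utc)) -> list:
    cases = correlate([normalize(r) for r in raw_alerts])
    for c in cases:
        triage(c)
    escalate_stale(cases, now, sla=timedelta(hours=2))
    return cases


if __name__ == "__main__":
    for c in run():
        print(f"{c.entity}: {len(c.alerts)} alert(s) from "
              f"{sorted({a.source for a in c.alerts})}, score={c.score}, tier={c.tier}")
```

Two design points worth copying into a real deployment: the normalization layer is where vendor-specific severity scales are mapped onto one common scale, so scoring logic never has to know which tool an alert came from; and the cross-source bonus in the score is what turns three individually mediocre alerts about the same host into one high-priority case. The SLA-driven escalation keeps a low-scoring case from being forgotten in a tier-1 queue.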
4. Playbooks And Workflow Management
For SOAR solutions to carry out two of their key responsibilities—orchestration and automation—they need a set of process workflows to follow. Most solutions offer playbooks to fulfil this.
Playbooks are pre-defined sets of rules for process automation that determine which actions should happen next within a given workflow. And, as we mentioned earlier in the article, they can be used for a range of use cases. As a quick reminder, these include incident response, vulnerability and patch management, malware containment, and more.
Historically, the main problem with playbooks was the effort of building them from scratch. That’s why most solutions now ship hundreds of pre-built, out-of-the-box playbooks covering the most common SOC tasks.
Most solutions also allow easy customization via code-free, WYSIWYG (“what you see is what you get”) visual editors, so teams can automate the processes they need even when they have limited experience with scripting languages such as Python. A visual editor does not remove the need to test a playbook, though: a step that isolates a host or disables an account will run exactly as configured, so test playbooks against non-production cases first and put an approval step in front of disruptive actions.
Playbooks are the cornerstone of security orchestration and automation and help to reduce the burden on SOC analysts to routinely perform repetitive tasks, standardize responses to ensure consistency, and maximize team efficiency across the organization.
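The following is an added example (not any SOAR product’s playbook format, and not code from the original article) of how a playbook can be represented as data and executed by a small engine, which is also the mechanism behind the automation and the “how it works” sections earlier on this page. The action names, the phishing-triage playbook, the reported email, and the one-entry list of known-bad domains are all constructed for the example. Conditions are plain data (a key and the truthiness it must have), not evaluated code, so a playbook author cannot smuggle arbitrary Python into a step; and actions that change something outside the platform carry an approval flag, so the engine halts there until an analyst re-runs it with approval.

```python
"""Minimal data-driven playbook engine in the SOAR style.

Added illustration, not any vendor's playbook format: a playbook is an
ordered list of steps; each step names an action from a registry and may
carry parameters, a condition on the shared case context, and an
'approval' flag that gates destructive actions behind an analyst decision.
"""
import re

# Constructed intel: a domain already known to be malicious (not a real feed).
KNOWN_BAD_DOMAINS = {"login-micros0ft-verify.example"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


# ---- action registry: every action reads/writes the case context dict ----
def extract_urls(ctx):
    ctx["domains"] = sorted(set(URL_RE.findall(ctx["email"]["body"])))


def lookup_ti(ctx):
    ctx["bad_domains"] = [d for d in ctx["domains"] if d in KNOWN_BAD_DOMAINS]


def block_domains(ctx):
    # A real platform would call the proxy/firewall API here; we record intent.
    ctx.setdefault("actions", []).append(("block", tuple(ctx["bad_domains"])))


def purge_message(ctx):
    # Likewise, this would remove copies of the email from every mailbox.
    ctx.setdefault("actions", []).append(("purge", ctx["email"]["message_id"]))


def notify_analyst(ctx, reason):
    ctx.setdefault("actions", []).append(("notify", reason))


def close_case(ctx, verdict):
    ctx["verdict"] = verdict


ACTIONS = {f.__name__: f for f in (extract_urls, lookup_ti, block_domains,
                                    purge_message, notify_analyst, close_case)}

# A step runs only when every key in "when" has the stated truthiness in ctx.
PHISHING_PLAYBOOK = [
    {"action": "extract_urls"},
    {"action": "lookup_ti"},
    {"action": "block_domains", "when": {"bad_domains": True}, "approval": True},
    {"action": "purge_message", "when": {"bad_domains": True}, "approval": True},
    {"action": "close_case", "when": {"bad_domains": True}, "params": {"verdict": "malicious"}},
    {"action": "notify_analyst", "when": {"bad_domains": False},
     "params": {"reason": "no IOC match; needs manual review"}},
]


def run_playbook(playbook, ctx, approved=False):
    """Execute steps in order; halt at the first gated step unless approved."""
    log = ctx.setdefault("log", [])
    for step in playbook:
        if not all(bool(ctx.get(k)) == v for k, v in step.get("when", {}).items()):
            log.append((step["action"], "skipped"))
            continue
        if step.get("approval") and not approved:
            log.append((step["action"], "awaiting approval"))
            ctx["status"] = "awaiting_approval"
            return ctx
        ACTIONS[step["action"]](ctx, **step.get("params", {}))
        log.append((step["action"], "done"))
    ctx["status"] = "complete"
    return ctx


# Constructed sample input: a user-reported email.
REPORTED_EMAIL = {
    "message_id": "<c0ffee@example.test>",
    "body": "Your password expires today. Verify at "
            "https://login-micros0ft-verify.example/reset and see https://intranet.example/policy",
}

if __name__ == "__main__":
    case = run_playbook(PHISHING_PLAYBOOK, {"email": REPORTED_EMAIL})
    print(case["status"], case["log"])          # halts before block_domains
    case = run_playbook(PHISHING_PLAYBOOK, case, approved=True)
    print(case["status"], case["verdict"], case["actions"])
```

The enrichment steps (`extract_urls`, `lookup_ti`) are idempotent, so re-running the playbook after approval is safe; the side-effecting steps never run before the halt, so they execute exactly once. In a real platform the approval would be a ticket or chat prompt rather than a function argument, but the shape is the same: automation up to the point where a human decision is needed, then automation again.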
5. Threat Intelligence Management
All too often, SOC teams find themselves relying on siloed threat intelligence management (TIM) tools that typically add complexity and cause disconnect between data. A way that many vendors have addressed this is by building automated TIM capabilities directly into their SOAR platforms.
Gartner even references TIM as one of the key capabilities of a SOAR platform in its Market Guide for SOAR Solutions. But what is TIM?
TIM is the collection, aggregation, enrichment, and actioning of both internal and external threat data. This includes data about threat actors, TTPs (tactics, techniques, and procedures), indicators of compromise, motivations, and capabilities. A SOAR platform should automate this whole process as part of a workflow and integrate closely with your other security tools.
Integrated TIM is important because it helps SOC teams to detect emerging threats before they become events, leverage additional context for investigations, make informed decisions, and resolve incidents more quickly.
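As an added illustration of the collection, aggregation, enrichment, and actioning just described (example code, not any vendor’s TIM module), here is a small Python pipeline that takes two constructed feeds in different formats, normalizes them onto one indicator schema, merges duplicates across feeds, expires indicators not seen within 90 days, and attaches the resulting intel to an alert’s observables. The feed contents, the IP and domain indicators, the 90-day expiry, and the alert are all made up for the example.

```python
"""Toy threat-intelligence management (TIM) step for a SOAR workflow.

Added illustration, not any product's code. Two constructed feeds in
different formats are normalized into one indicator table, duplicates are
merged (keeping the highest confidence and every contributing source),
stale indicators are expired, and an alert's observables are enriched with
the matching intel so the analyst gets context inside the case.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed feed A: a CSV export with its own column names (not a real feed).
FEED_A_CSV = """type,indicator,confidence,last_seen,tags
ipv4,203.0.113.7,80,2024-05-01,c2;cobaltstrike
domain,login-micros0ft-verify.example,90,2024-04-30,phishing
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,60,2024-01-10,commodity-malware
"""

# Constructed feed B: JSON-style records from an internal blocklist.
FEED_B_JSON = [
    {"kind": "ip", "value": "203.0.113.7", "score": 0.6,
     "seen": "2024-05-02T08:00:00Z", "context": "internal-sandbox"},
    {"kind": "ip", "value": "198.51.100.23", "score": 0.95,
     "seen": "2024-05-02T09:30:00Z", "context": "brute-force"},
]

TYPE_MAP = {"ipv4": "ip", "ip": "ip", "domain": "domain", "sha256": "sha256"}
MAX_AGE = timedelta(days=90)  # indicators older than this are expired


def parse_feed_a(text):
    """Normalize feed A rows onto the common indicator schema."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {
            "type": TYPE_MAP[row["type"]],
            "value": row["indicator"].lower(),
            "confidence": int(row["confidence"]),
            "last_seen": datetime.fromisoformat(row["last_seen"]).replace(tzinfo=timezone.utc),
            "sources": {"feed-a"},
            "tags": set(row["tags"].split(";")),
        }


def parse_feed_b(records):
    """Normalize feed B records; its 0-1 score becomes a 0-100 confidence."""
    for r in records:
        yield {
            "type": TYPE_MAP[r["kind"]],
            "value": r["value"].lower(),
            "confidence": round(r["score"] * 100),
            "last_seen": datetime.fromisoformat(r["seen"].replace("Z", "+00:00")),
            "sources": {"feed-b"},
            "tags": {r["context"]},
        }


def aggregate(*feeds, now):
    """Merge indicators keyed on (type, value); drop anything older than MAX_AGE."""
    table = {}
    for feed in feeds:
        for ioc in feed:
            if now - ioc["last_seen"] > MAX_AGE:
                continue
            key = (ioc["type"], ioc["value"])
            if key in table:
                cur = table[key]
                cur["confidence"] = max(cur["confidence"], ioc["confidence"])
                cur["last_seen"] = max(cur["last_seen"], ioc["last_seen"])
                cur["sources"] |= ioc["sources"]
                cur["tags"] |= ioc["tags"]
            else:
                table[key] = ioc
    return table


def enrich(alert, table):
    """Attach matching intel to each observable on the alert."""
    hits = []
    for obs_type, value in alert["observables"]:
        ioc = table.get((obs_type, value.lower()))
        if ioc:
            hits.append({"observable": value, "confidence": ioc["confidence"],
                         "sources": sorted(ioc["sources"]), "tags": sorted(ioc["tags"])})
    return {**alert, "intel": hits,
            "max_confidence": max([h["confidence"] for h in hits], default=0)}


def build_table(now=datetime(2024, 5, 3, tzinfo=timezone.utc)):
    return aggregate(parse_feed_a(FEED_A_CSV), parse_feed_b(FEED_B_JSON), now=now)


# Constructed alert with two observables, one of which is in the intel table.
SAMPLE_ALERT = {"title": "Outbound connection from ws-17",
                "observables": [("ip", "203.0.113.7"), ("domain", "intranet.example")]}

if __name__ == "__main__":
    enriched = enrich(SAMPLE_ALERT, build_table())
    print(enriched["max_confidence"], enriched["intel"])
```

The merge step is where the value of integrated TIM shows: the same IP appears in both feeds with different scores and different context, and the analyst sees one indicator with the higher confidence, both sources, and the union of tags. Expiring stale indicators matters just as much, since an old hash or IP that is never aged out keeps generating matches and noise long after it stops being relevant.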
6. Integrations With Security Tools
One of the most essential, and most basic, features of a SOAR solution is its flexibility and ability to integrate with the security tools you’re already using.
In fact, most solutions offer easy, out-of-the-box, two-way integrations with hundreds of third-party tools, spanning across the entire IT landscape. These include IT ticketing systems, SIEM platforms, email providers, data security, identity and access management, unified endpoint management, and more.
A great SOAR solution should provide easy integrations that don’t require a huge amount of technical expertise, whether via API, scripting languages, or proprietary connectors. Many solutions are built on an API-first architecture, which lets the platform grow with your needs. One caveat: the platform ends up holding credentials for every tool it can act on, so scope each integration’s API key or service account to the least privilege its playbooks actually need, and audit those credentials as you would any other privileged account.
7. Customizable Dashboards And Reporting
The final key feature that a great SOAR solution should have is a customizable reporting dashboard and analytics.
From one comprehensive dashboard, analysts should have the ability to not only track incident lifecycles from end to end, but also keep an eye on performance metrics, SLAs, number of open cases, threat intelligence, alert levels, and more.
In addition to preconfigured dashboard views, analysts should also be able to create their own customized dashboards, so that everything they need for their role is in one place and they don’t have to wade through irrelevant data.
Who Is SOAR Best Suited For?
Large organizations with sizeable security teams and established SOCs continue to dominate the market as the key buyers for SOAR technologies.
This is because SOAR solutions require ongoing effort, engagement, and support—as well as analysts that can handle setting up playbooks, automating workflows, and following best practices.
SOAR also overlaps with technologies like security information and event management (SIEM) and extended detection and response (XDR), and it can be hard to tell which is right for you. There are a few key differences.
SIEM tools collect, normalize, and correlate log and event data and raise alerts from it; those alerts commonly feed into a SOAR platform. So if you already have a SIEM, SOAR is a natural addition for triaging and actioning the alerts it generates. As mentioned earlier, this is one of the most common SOAR use cases.
XDR overlaps with SOAR in that it also correlates telemetry and automates response, but it does so around one vendor’s tightly integrated product suite, with deeper built-in analytics on that suite’s data. Its response automation is typically narrower and vendor-defined, and custom playbooks and workflows are generally more limited than in a dedicated SOAR. SOAR is the better option for organizations that want to orchestrate best-of-breed tools from multiple vendors and build playbooks for tasks that go beyond incident response.
If you want to learn more about the differences between these technologies, check out our article: XDR Vs EDR, SIEM, And SOAR: Is XDR One Platform To Rule Them All?
But if SOAR sounds like the right solution for you, instead, check out our guide: The Top 10 SOAR Solutions.
Summary
SOAR solutions are an excellent choice for organizations looking to consolidate alerts from disparate tools, enhance investigation with threat intelligence, and automate remediation actions (as well as other key tasks) with playbooks and workflows.
Invest in this technology and watch your SOC teams’ performance SOAR.