Security Orchestration Automation and Response (SOAR)

Why Faster Remediation Is Key To Achieving More Effective Cybersecurity

Expert Insights speaks to Nick Tausek, Security Solutions Architect at Swimlane, about the threat landscape, SOAR solutions, and how organizations can achieve more intelligent cybersecurity

Expert Insights Interview With Nick Tausek Of Swimlane

Security Orchestration, Automation and Response (SOAR) solutions help security teams to improve their security operations by providing greater automation of key processes and helping SOC teams to respond faster to threats.

Core capabilities of these solutions are incident response, orchestration and automation, backed by threat intelligence and workflow integrations that speed up processes such as alert triage, investigation and compliance monitoring.

A market-leading provider in the SOAR space is Swimlane. Founded in 2014, Swimlane has been recognized by industry analysts Gartner as a leader in the space, supporting customers globally across multiple market sectors.

To find out more about SOAR solutions and how they can help organizations to stay secure against cyber-threats, we spoke to Nick Tausek, Security Solutions Architect at Swimlane. Tausek has spent over a decade in the security industry, serving on SOC teams at government agencies and NGOs before joining Swimlane.

We discussed the threat landscape, the importance of information, and how faster automation can help organizations to vastly improve their security posture.

Defining SOAR

SOAR solutions help security teams to take important actions much more rapidly, simplifying the process of remediating security events, Tausek says.

“As the name implies, SOAR platforms orchestrate and automate responses to security problems,” he says. “If you think about a traditional analyst in a SOC team, a lot of their day is spent investigating alerts, performing research to determine the maliciousness of artefacts they’ve uncovered, and then responding, whether that be dismissing events as false positives, or quarantining hosts and shutting down shared drives in the case of a serious event like ransomware.

“What we do is help to automate a lot of the drudgery in that process. We can automate the research process from your alerts so, by the time the analyst sees it, they can do what a human does best––which is of course to aggregate the information, analyze it and make a cogent decision on whether it needs to be acted upon. We can also automate the response actions, so once the analyst has made his or her decision about what needs to be done, those actions can be taken in a much more rapid, uniform and predictable way.”

Customers of SOAR solutions typically include small- and medium-sized businesses and MSPs; really, any organization with a SOC team that needs automation to deal with the increasing volume of security incidents. Operators of operational technology (OT) systems are also increasingly adopting SOAR in the wake of high-profile attacks such as the recent Colonial Pipeline and JBS ransomware incidents. SOAR solutions are a fast-growing market for many reasons, but one that cannot be overstated, Tausek says, is the increasing prevalence of cybersecurity incidents.

“Traditionally, we’ve been thinking about cyberattacks as something that is just confined to cyberspace. But cyberspace, of course, affects the real world more and more. If you look at the example of the annexation of Crimea, the Russians used cyberattacks to take out the energy grid in parts of the Ukraine so they could invade. We’ve recently seen ransomware actors stopping a gas pipeline.

“These are events that really affect the real world and can cost companies millions upon millions upon millions of dollars to repair, and even deal with.”

How Do SOAR Solutions Help To Improve Cybersecurity?

SOAR solutions can help organizations to respond to the security incidents that matter much faster, Tausek says. “When you’re talking about responding to an event that’s occurring in real-time, you need the right information about what’s going on, so you can make the right decision about what to do about it. Having that information as quickly as you can, so you’re not fumbling to reconfirm things that should already be known, is huge.

“The average mean time for detection for major security breaches is abysmal; it’s almost a year. That is of course when cyber-criminals are laying low, and they’re stealing data. They’re not shutting down an oil pipeline for example. With that long a remediation time, there’s a significant amount of damage that can be done.

“So, increasing the speed of remediation is paramount, and SOAR solutions are well-positioned to help with that, partially because of the breadth of things you can look at, but also with event correlation, which can help you to build a pattern of events and cut down on some of those lengthy detection times.”

The second key benefit of SOAR solutions is visibility across technologies, tying in data not just from SIEM solutions but also email gateways and endpoint protection solutions. “Minimizing the number of interfaces an analyst has to deal with to do their job can only benefit your organization,” Tausek says.

SOAR solutions can also help to standardize research and response, a feature especially important in larger teams. “When you have a SOC that has 40 analysts in it, and everyone is using different methodologies to do everything, SOAR can be a big boon to organizations to standardize actions that need to be taken, what happens when events are found, and standardizing the discovery process.”
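To make the enrich-then-decide-then-respond loop described above concrete, here is an added illustration in Python of a minimal SOAR-style playbook. It is example code written for this article, not Swimlane's product, plugins or any vendor API. The threat-intel "feed", the internal address ranges, the alert text, the scoring weights and the action names are all constructed assumptions; action "execution" only records what a real integration would call. The same cached enrichment also shows why a storm of repeated alerts need not cost a fresh lookup each time.

```python
"""Minimal SOAR-style playbook: enrich alert artefacts, score them, then run a
standardized response gated by analyst approval. Added illustration only; the
intel feed, alerts, weights and action names are constructed for this example."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed threat-intel "feed" standing in for a vendor API call.
INTEL = {
    "198.51.100.23": {"malicious": True, "tags": ["c2"]},
    "203.0.113.9": {"malicious": False, "tags": ["cdn"]},
    "44d88612fea8a8f36de82e1278abb02f": {"malicious": True, "tags": ["eicar"]},
}
# Assumed internal address space; artefacts inside it are not sent to the feed.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")

STATS = {"lookups": 0}   # counts feed queries so the cache effect is visible
_cache = {}


@dataclass
class Alert:
    id: str
    host: str
    text: str


@dataclass
class Case:
    alert: Alert
    artefacts: dict = field(default_factory=dict)
    score: int = 0
    verdict: str = "undetermined"
    actions: list = field(default_factory=list)


def extract_artefacts(text):
    """Pull external IPv4 addresses and MD5 hashes out of free-text alert detail."""
    ips = set()
    for ip in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:          # regex also matches things like 999.1.1.1
            continue
        if not any(addr in net for net in INTERNAL):
            ips.add(ip)
    return {"ip": sorted(ips), "hash": sorted(set(MD5_RE.findall(text.lower())))}


def lookup(artefact):
    """One feed query per distinct artefact, however many alerts repeat it."""
    if artefact not in _cache:
        STATS["lookups"] += 1
        _cache[artefact] = INTEL.get(artefact, {"malicious": False, "tags": ["unknown"]})
    return _cache[artefact]


def enrich(case):
    """The research step an analyst would otherwise do by hand: enrich and score."""
    case.artefacts = extract_artefacts(case.alert.text)
    for values in case.artefacts.values():
        for value in values:
            hit = lookup(value)
            if hit["malicious"]:
                case.score += 40        # assumed weight for a known-bad artefact
            elif "unknown" in hit["tags"]:
                case.score += 10        # assumed weight for an artefact nobody has seen
    if case.score >= 40:
        case.verdict = "malicious"
    elif case.score > 0:
        case.verdict = "suspicious"
    else:
        case.verdict = "benign"
    return case


# Standardized response per verdict, so every analyst takes the same actions.
PLAYBOOK = {
    "benign": ["close_false_positive"],
    "suspicious": ["open_review_ticket"],
    "malicious": ["isolate_host", "block_ip", "open_review_ticket"],
}
NEEDS_APPROVAL = {"isolate_host", "block_ip"}   # disruptive actions wait for a human


def respond(case, approved_by=None):
    """Run the playbook; disruptive actions are queued until an analyst approves."""
    for action in PLAYBOOK[case.verdict]:
        if action in NEEDS_APPROVAL and approved_by is None:
            case.actions.append((action, "pending_approval"))
        else:
            case.actions.append((action, "executed"))   # real integration call goes here
    return case


if __name__ == "__main__":
    alert = Alert("A-1", "ws-017",
                  "Outbound from 10.0.0.5 to 198.51.100.23:443; "
                  "dropped file md5 44d88612fea8a8f36de82e1278abb02f")
    case = respond(enrich(Case(alert)))
    print(case.verdict, case.actions)
```

The two design points worth copying are the approval gate and the cache: the playbook automates the research and the paperwork unconditionally, but host isolation and blocking only run once a named analyst has approved them, and a repeated artefact is enriched once no matter how many alerts carry it.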

The Swimlane Solution

One of the key benefits of the Swimlane solution is its customizability, Tausek says. “Traditionally, Swimlane has excelled over other SOAR platforms in creating use cases and solving challenges that require a high degree of customization.

“If you’re connecting to a lot of different databases and doing vulnerability management and scanning, for example, or other complex and difficult-to-automate use cases, we really excel in those situations because of the customizability of the platform. We have not only hundreds of sets of plugins that integrate with all kinds of vendors across the industry, but we also have a fully built integrated development environment inside the platform that allows you to write Python code to solve pretty much any challenge you’re dealing with.”

Swimlane has also always been API-forward and integration-heavy, he says. Integrations are a crucial component of any SOAR solution, collating information and detecting events across security systems and technologies. Automation takes place almost entirely via APIs, and vendor products without strong API integrations are extremely difficult to automate around, something to weigh when purchasing technologies you will be using for years to come.

Another key selling point of Swimlane is the pricing model, Tausek says. Many SOAR solutions use per-action or per-event pricing models. Swimlane is priced per user, which scales far better for some SOC teams. This matters most during a DDoS or ransomware attack, which can generate a huge number of alerts and exhaust system resources, adding needless pricing anxiety for SOC teams in the middle of a crisis.

Keeping Protected Against Cyberattacks

Casting an eye over the threat landscape, Tausek says that he expects ransomware to continue to be the biggest developing cybersecurity story. “There’s a lot of money in it, especially after the last pipeline attack. The victims paid $5 million to the criminals to get the pipeline flowing again and, unfortunately, it’s a decision some companies make because they didn’t do the prep work to be ready for this kind of thing.

“So, my biggest advice to these organizations is to be prepared for these types of attacks. Have backups in place, have disaster recovery plans. If you are a SOAR customer, or are thinking about becoming one, integrate your SOAR with your disaster recovery plans, so you’re ready in the event of having to press the big red button and shut everything down.

“SOAR can also be useful on the IT side as well as information security, because if you have 500 pieces of network infrastructure that need to have their settings changed in the event of a major incident, you can have that action set up in your SOAR, so that if a terrible attack happens you are prepared.

“An ounce of preparation is worth a pound of cure, and having these types of built-in actions you can leverage when things do happen, whether it’s a small-scale attack or large-scale event, can really help save your team in a pinch.”

Thanks to Nick Tausek for participating in this interview. If you want to find out more about Swimlane and their SOAR platform, visit their website here: