Security orchestration, automation and response (SOAR) technology helps coordinate, execute and automate tasks between various people and tools all within a single platform. This allows organizations to not only quickly respond to cybersecurity attacks but also observe, understand and prevent future incidents, thus improving their overall security posture.
A comprehensive SOAR product, as defined by Gartner, is designed to operate under three primary software capabilities: threat and vulnerability management, security incident response, and security operations automation.
Threat and vulnerability management (orchestration) covers technologies that help amend cyberthreats, while security operations automation (automation) relates to the technologies that enable automation and orchestration within operations.
SOARs ingest alert data, and these alerts then trigger playbooks that automate/orchestrate response workflows or tasks. Then, using a combination of human and machine learning, organizations are able to analyze this diverse data in order to comprehend and prioritize automated incident response actions to any future threats, thus creating a more efficient and effective approach to handling cybersecurity and improving security operations.
Figure 1: Sample SOAR playbook for malware analysis
SIEM stands for security information and event management. It is an arrangement of services and tools that help a security team or security operations center (SOC) collect and analyze security data as well as create policies and design notifications. A SIEM system uses the following to manage security information and events: data collection, consolidation, and correlation, as well as notifications once a single event or an arrangement of events triggers a SIEM rule. Organizations also set up policies such as rules, reports, alerts and dashboards that align with their specific security concerns.
SIEM tools enable IT teams to:
SIEM combines the management of security information and security events. This is accomplished using real-time monitoring and the notification of system administrators.
Many define SOAR and SIEM as similar products since both detect security issues and collect data regarding the nature of the problem. They also deal with notifications that security personnel can use to address concerns. However, there are significant differences between them.
SOAR collects data and alerts security teams using a centralized platform similar to SIEM, but SIEM only sends alerts to security analysts. SOAR security, however, adds in automation and response to the investigation path by using automated playbooks or workflows and artificial intelligence (AI) to learn pattern behaviors, thus enabling it to predict similar threats before they happen. Because SOARs, such as Cortex XSOAR, typically ingest alerts from sources that SIEMs do not cover - for example vulnerability scan findings, cloud security alerts, and IoT device alerts - it's easier to deduplicate alerts and in fact, this is a typical use case for SOAR and SIEM integrations. This reduces the amount of time it takes to manually handle alerts, making it easier for IT security staff to detect and address threats.
Security automation is the machine-based execution of security actions with the power to detect, investigate and remediate cyberthreats, without the need for manual human intervention. It does much of the rote work for the SOC team, so they no longer need to weed through and manually address every alert as it comes in. Security automation can:
All of that can happen in seconds, without any involvement from human staff. Security analysts don't have to follow the steps, instructions and decision-making workflow to investigate the event and determine whether it is a legitimate incident. Repetitive, time-consuming actions are taken out of their hands so they can focus on more important, value-adding work.
Security orchestration is the machine-based coordination of a series of interdependent security actions, including incident investigation, response and ultimately resolution, all across a single, complex infrastructure. It ensures that all of your security and non-security tools are working together in unison whether automating tasks across products and workflows or manually alerting agents on important incidents that need more attention.
Security orchestration can:
Ultimately, security orchestration increases the integration of your defenses, allowing your security team to automate complex processes and maximize the value you receive from your security staff, processes and tools.
While security automation and security orchestration are terms that are often used interchangeably, the two platforms serve very different roles:
Security automation is all about simplifying and making security operations run more efficiently because it deals with an array of single tasks, whereas security orchestration connects all of your different security tools so that they feed into one another, creating a fast and efficient workflow process from beginning to end.They work best when paired together and security groups can maximize their efficiency and productivity when they adopt both.
In conjunction with security orchestration, automation and response, a SOAR Platform may also include the addition of Threat Intelligence Management, or TIM. Threat intelligence management (TIM) enables organizations to better understand the global threat landscape, anticipate attackers' next moves and take prompt action to stop attacks.
There is a significant difference between threat intelligence and threat intelligence management. While threat intelligence is data and information about threats, threat intelligence management is the collection, normalization, enrichment and actioning of data about potential attackers and their intentions, motivations and capabilities. This information can help organizations make faster, more informed security decisions, and thus be better prepared for cyberthreats.
In an ever-growing and increasingly digital world, organizations today face numerous challenges when it comes to cybersecurity. The more complex and malicious threats there are, the more companies need to develop an efficient and effective approach to the future of their security operations. Because of this need, SOAR is revolutionizing the way security operations teams manage, analyze and respond to alerts and threats.
Security Operations teams today are tasked with the responsibility of manually handling thousands of alerts on a daily basis, leaving room for errors and major operational inefficiencies, not to mention inefficient, siloed and outdated security tools, as well as a severe lack of qualified cybersecurity talent.
Many security operations teams are struggling with connecting the noise from disparate systems, resulting in too many error-prone manual processes and lacking the highly skilled talent to solve all of this.
With the growing volume of threats and alerts and the lack of resources to address them all, not only are analysts forced to decide which alerts to take seriously and act on, and which can be ignored, they are often so overworked that they risk missing real threats and end up making an egregious number of errors as they try to respond to threats and bad agents.
Because of this, it's critical that organizations have systems, such as a SOAR platform, that enable them to systematically orchestrate and automate their alert and response process. By filtering out mundane tasks that are taking up the most time, energy and resources, security operations teams are more effective and productive when handling and investigating incidents and thereby able to vastly improve the organization's overall security posture.
SOAR enables you to:
Companies and organizations find value in SOAR because it minimizes the impact of security incidents of all types, while maximizing the value of existing security investments, and reduces the risk of legal liability and business downtime overall. SOAR helps companies address and overcome their security challenges by enabling them to:
See the XSOAR advantage with this ROI calculator and get a custom report to clearly show the business value - based on size and usage - that XSOAR can bring to your organization.
The table that follows offers examples of common use cases for SOAR.
What Orchestration Helps With (High-Level Overview)
Handling security alerts
Phishing enrichment and response - ingesting potential phishing emails; triggering a playbook; automating and executing repeatable tasks, such as triaging and engaging affected users; extracting and checking indicators; identifying false positives; and priming the SOC for a standardized response at scale.
Endpoint malware infection - pulling in threat feed data from endpoint tools, enriching that data, cross-referencing retrieved files/hashes with a security information and event management (SIEM) solution, notifying analysts, cleaning endpoints, and updating the endpoint tool database.
Failed user logins - after a predefined number of failed user login attempts, assessing whether a failed login is genuine or malicious by triggering a playbook, engaging users, analyzing their replies, expiring passwords and closing the playbook.
Logins from unusual locations - identifying potentially malicious virtual private network (VPN) access attempts by checking VPN and cloud access security broker (CASB) presence, cross-referencing IPs, confirming a breach with the user, issuing a block and closing the playbook.
Managing security operations
Secure Sockets Layer (SSL) certificate management - checking endpoints to see which SSL certificates have expired or will soon be expiring, informing users, rechecking the status a few days later, escalating an issue to the appropriate people and closing the playbook.
Endpoint diagnostics and kickstart - checking connectivity and agent connectivity, enriching context, opening a ticket, kickstarting agents, and closing the playbook.
Vulnerability management - ingesting vulnerability and asset information, enriching endpoint and common vulnerabilities and exposures (CVE) data, querying for vulnerability context, calculating severity, turning over control to security analysts for remediation and investigation, and closing the playbook.
Hunting for threats and responding to incidents
Indicators of compromise (IOC) hunting - taking in and extracting IOCs from attached files, hunting IOCs across threat intelligence tools, updating databases and closing the playbook.
Malware analysis - ingesting data from multiple sources, extracting and detonating malicious files, generating and displaying a report, checking for malice, updating the database, and closing the playbook.
Cloud-aware incident response - consuming data from cloud-focused threat detection and event logging tools, unifying processes across cloud and on-premises security infrastructures, correlating with a SIEM, extracting and enriching indicators, checking for malice, turning over control to analysts and having them review the information, updating the database, and closing the playbook.
Automating data enrichment
IOC enrichment - ingesting data from multiple sources, extracting any indicators that need to be detonated, enriching URLs, IPS and hashes; checking for malice, updating the database, inviting analysts to review and investigate the information, and closing the playbook.
Assigning incident severity - checking other products for a vulnerability score and to see whether existing indicators have been assigned a score, assigning severity, checking usernames and endpoints to see if they are on a critical list, assigning critical severity, and closing an incident.
Read more Top Security Orchestration Use Cases.
Now that you’re able to define SOAR and understand it’s different capabilities, how do you know which SOAR product is right for your organization’s needs? What should you be looking for in a SOAR platform?
When comparing different SOAR providers, there are a handful of different factors that you’ll want to consider before making a decision. Aside from the core technology, the buyer’s decision-making process is heavily influenced by the factors and services that follow being offered as a whole. Some factors organizations should consider before implementing any SOAR product include an evaluation of their own maturity, the technology integrations and tool stack needed, existing processes, as well as their chosen method of deployment.
After an organization does an internal audit of its state of security, it must then consider the factors pertaining to the SOAR product itself. Considerations such as:
Organizations should work toward an end-state scenario where the SOAR tool ingests alerts from detection tools that they currently deploy and executes automated playbooks that coordinate actions across enrichment, response and allied tools.
How many commands or actions can be executed from within the platform? Are the integrations able to address the following areas of focus? These include:
What kind of flexible deployment options does the platform have? Is the platform designed for multitenancy, and does it have the security needed to support network segmentation for communication across organizational networks? Does the platform have horizontal scalability across multiple tenants and a level of guaranteed high availability?
Finding the best SOAR solution for any security operations requires alignment of the vendor’s offerings and the SOC organization’s need to improve efficiency and efficacy. The right SOAR solution should not only complement and be compatible with the products, playbooks and processes that are already set in place, it should also optimize collaboration, offer flexibility in both deployment and hosting capabilities, and have a pricing model that aligns to the needs of the organization.