Like many other new technologies, the concept of security orchestration, automation, and response (SOAR) solutions was born out of a problem that dogged IT professionals. However, in this case, it was multiple problems that couldn’t be solved with existing solutions.
Gartner, who is credited with coining the term, defines SOAR as “technologies that enable organizations to collect security threats data and alerts from different sources,” where technology and professionals can combine to analyze incidents, triage issues, and drive responses in a standard way.
Though this may sound like a security information and event management (SIEM) tool, SOAR differs in two major ways from the log aggregation and alerting that SIEMs are built for:
Security Orchestration: SOARs integrate tools so they can work together and provide a comprehensive view of an environment. This information can combine with external threat data so users can drill down to find root causes faster.
Security Automation: SOARs can automatically perform tasks such as provisioning users and searching logs without staff involvement.
So, how can SOAR help your organization stay ahead of the growing number of cyberthreats? Here are six of the most impactful ways:
Unifying all the tools and security data makes investigation not only faster, but also easier. For example, SOARs can independently investigate lower-severity alerts and escalate only high-level alarms for staff involvement. Once staff gets involved, all of the data and tools are already in a simplified dashboard.
The same can be said of the issue of false positives that can waste time and desensitize staff. SOAR tools help by only elevating true emergencies while handling all others based on established thresholds and workflows.
Integrating Existing Tools
Most security operations centers (SOCs) have tools from a range of vendors, some of which do not integrate well together. SOARs perform this integration, both among internal solutions and with external threat intelligence and analysis. This hurdle alone is what drives many IT professionals to consider SOAR.
When ESG Research asked IT professionals why they wanted SOAR solutions, 28 percent said they wanted to use security automation/orchestration technology to correlate and contextualize data using the output of two or more tools. Similarly, 30 percent reported wanting to use security automation/orchestration technology to add functionality on top of existing tools. Typically, this functionality is centered on orchestrating workflows relating to security investigations, incident response, or remediation tasks.
Improved Response Times
SOAR tools speed up the incident response time to cyberattacks by pulling all of a SOC’s tools together into one unified dashboard so staff can cut through the noise and drill down to the root cause of the attack. Security professionals can then make decisions in a collaborative way and utilize the integrative nature of SOAR tools to take the needed defensive and containment measures more quickly.
Reduces Manual Processes and Risk of Error
In addition to handling false alarms, security professionals spend a lot of time doing manual and repetitive tasks, from checking and updating rules to adding and removing users. These tasks are ripe for the automation built into SOAR tools.
That’s where the workflow capabilities, or the orchestration of multiple tools, of SOAR solutions can help to free up a lot of staff time so they can focus on more value-added activities. For example, the SOAR solution can request updated data from external threat intelligence sources, then automate the process of establishing new firewall rules upon receiving a list of indicators of compromise (IoCs), and then document and log the changes for reference.
Minimizes Damage from an Attack
With earlier notifications, staff can respond and drill down even faster to help limit the potential impact of an attack. With SOAR’s automation capabilities helping to minimize the spread of damage without human intervention, mitigation steps can begin before the incident response team is fully assembled.
Once it is time to act, the SOC will have the most information about the attack thanks to a multitude of threat detection tools generating metrics and monitoring system thresholds. Ultimately, SOAR tools give security professionals a more holistic picture of security incidents.
The Future of SOAR
Gartner projects that the number of organizations using SOAR tools will grow to 15 percent in 2020 from 1 percent today. Clearly, this growing interest in SOAR is for a good reason, given the many benefits organizations can realize. Ultimately, the more ways you can support your security staff, the more you can multiply their effectiveness, and, at the same time, your cyberdefenses.