What Is SOAR?
What is security automation?
Security automation is the machine-based execution of security actions with the power to programmatically detect, investigate and remediate cyberthreats without the need for human intervention.
Security automation does much of the work for your security staff, so they no longer have to weed through and manually address every alert as it comes in. It can:
- Detect threats in your environment.
- Triage potential threats by following the steps, instructions and decision-making workflow taken by security analysts to investigate the event and determine whether it is a legitimate incident.
- Determine whether to take action on the incident.
- Contain and resolve the issue.
All of that can happen in seconds, without any involvement from human staff. Repetitive, time-consuming actions are taken out of the hands of security analysts so they can focus on more important, value-adding work.
What is security orchestration?
Security orchestration is the machine-based coordination of a series of interdependent security actions across a complex infrastructure. It ensures that all of your security tools — and even non-security tools — are working in concert, while automating tasks across products and workflows.
Security orchestration coordinates incident investigation, response and ultimately resolution. Additionally, it eliminates the need for security analysts to navigate multiple screens and systems, compiling everything in one place and displaying it on a single dashboard.
Security orchestration can:
- Provide context around security incidents. A security orchestration tool aggregates data from different sources to offer deeper insight. As such, you gain a comprehensive view of the entire environment.
- Allow for deeper, more meaningful investigations. Security analysts can stop managing alerts and start investigating why those incidents are occurring. Additionally, security orchestration tools typically offer highly interactive and intuitive dashboards, graphs and timelines, and those visuals can be highly useful during the investigative process.
- Improve collaboration. Additional parties, including analysts at different tiers, managers, the CTO and C-suite executives, legal teams and HR, may also need to get involved with certain types of security incidents. Security orchestration can put all the necessary data at everyone’s fingertips, making collaboration, problem solving and resolution more effective.
Ultimately, orchestration increases the integration of your defenses, allowing your security team to automate complex processes, and maximize the value you receive from your security staff, processes and tools.
What are some SOAR use cases?
One of the smartest things you can do before you begin talking to vendors about SOAR platforms is to think about how your organization will use the solution. Use cases should represent your greatest pain points and dictate how you can benefit the most from the technology.
Typical use cases are highly contingent on your industry. Here are some examples that will prompt you to think about how you could use SOAR in your own organization.
1. Combating cyberattacks with automatic incident response: The types and degrees of security incidents can vary, and some industries are experiencing more pain than others. For example, while phishing attacks are on the rise everywhere, the healthcare industry in particular has seen an explosion, largely aimed at stealing credentials from people within hospital databases.
The retail industry is dealing with ransomware attacks at unprecedented levels, and manufacturing is seeing vulnerable factory floor control networks increasingly exploited by hackers.
SOAR platforms can automatically detect and examine the sources of those types of attacks. For example, they could detect and examine a suspected phishing email, look for copies elsewhere within the network, quarantine or delete them, and block IP addresses and URLs to prevent these malicious emails from landing in someone else’s inbox.
In addition, SOAR platforms can also contain threats before confidential data is released to attackers, reducing response times from hours to minutes.
2. Threat hunting: Security teams spend hours each day dealing with a deluge of alerts, which doesn’t usually leave time for threat hunting, investigating and strategizing long-term improvements. With automation, many of the previously encountered malicious threats are addressed instantly, leaving security teams time to engage in projects that improve overall security across the network.
In the financial services industry, for example, it’s reported that firms experience roughly 2,000 attacks per minute, with breaches and sensitive data theft tripling over the last five years. With automation, many of those attacks could be addressed immediately, creating necessary bandwidth for security analysts to correct vulnerabilities and making it harder for hackers to access confidential information.
3. Penetration testing: Nearly 40 percent of companies don’t conduct penetration testing consistently or at all, according to eSecurity Planet’s 2019 State of IT Security survey. SOAR platforms can automate activities such as asset discovery scans, classification activities, and target prioritization, making it possible for security teams to operationalize their penetration testing efforts.
4. Improving overall vulnerability management: A SOAR solution can ensure that the security team triages and adequately manages risk introduced by new vulnerabilities discovered within your environment. As a result, they are able to be proactive, automatically gathering more information on weak points, and investigating them thoroughly, while also putting safeguards into place to avoid breaches or other attacks.
What is the difference between automation and orchestration?
Security automation is all about simplifying your security operations and making them run more efficiently, while security orchestration connects all of your different security tools so that they feed into one another.
Security automation and security orchestration are terms that are often used interchangeably, but the two actually serve very different roles. Among other things, security automation reduces the time it takes to detect and respond to repetitive incidents and false positives, so alerts don’t linger unaddressed for ages. It also frees security analysts’ time to focus on strategic tasks, like investigative research. However, security automation is limited in that each playbook addresses a known scenario with a prescribed course of action.
Security orchestration, on the other hand, allows you to share information easily and enables multiple tools to respond to incidents as a group, even when the data is spread across a large network and multiple systems or devices. Security orchestration uses multiple automated tasks to execute a complete, complex process or workflow.
In summary, security automation deals with an array of single tasks, while security orchestration connects and speeds up the process from beginning to end. They work best in concert — and security groups can maximize their efficiency and productivity when they adopt both.
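The phishing response described under use case 1 and the automation/orchestration split summarized above, as an added example (not code from the original page or from any SOAR product): each helper is one automated task, and the playbook is the orchestration that chains them and hands unrecognized cases to an analyst. The mailbox store, reputation feed and blocklist are hypothetical in-memory stand-ins filled with constructed data.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Constructed sample data standing in for a reputation service and a mail store.
REPUTATION = {"login-portal.example.net": "malicious", "intranet.example.com": "benign"}
MAILBOXES = {
    "alice": [{"id": 1, "body": "Reset at http://login-portal.example.net/reset"}],
    "bob": [{"id": 2, "body": "Reset at http://login-portal.example.net/reset"},
            {"id": 3, "body": "Menu: http://intranet.example.com/menu"}],
}

@dataclass
class Case:
    verdict: str = "unknown"
    quarantined: list = field(default_factory=list)  # (user, message id) pairs
    blocked: set = field(default_factory=set)        # hostnames sent to the blocklist
    log: list = field(default_factory=list)          # audit trail for the analyst

def extract_hosts(body):
    """Automation task: return the set of URL hostnames found in a message body."""
    return {h for h in (urlsplit(u).hostname for u in URL_RE.findall(body)) if h}

def run_phishing_playbook(reported, mailboxes=MAILBOXES, reputation=REPUTATION):
    """Orchestration: enrich, decide, then contain across mail and network controls."""
    case = Case()
    hosts = extract_hosts(reported["body"])
    verdicts = {h: reputation.get(h, "unknown") for h in hosts}
    case.log.append(f"enriched {verdicts}")
    bad = {h for h, v in verdicts.items() if v == "malicious"}
    if not bad:
        # Only an all-benign result closes the case; anything unknown is escalated.
        known_benign = bool(hosts) and all(v == "benign" for v in verdicts.values())
        case.verdict = "benign" if known_benign else "needs_analyst"
        return case
    case.verdict = "malicious"
    for user, messages in mailboxes.items():  # look for copies in other inboxes
        for msg in messages:
            if extract_hosts(msg["body"]) & bad:
                case.quarantined.append((user, msg["id"]))
    case.blocked |= bad                       # block the hosts for everyone else
    case.log.append(f"quarantined {len(case.quarantined)}, blocked {sorted(bad)}")
    return case
```

The `needs_analyst` branch is where the limit noted above shows up: the playbook only acts on scenarios it recognizes and escalates the rest.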
How are SOAR and SIEM different?
While most SOAR solutions are deployed alongside security information and event management (SIEM), they aren’t the same thing.
SIEM is a security management system that offers full visibility into activity within your environment, empowering you to identify threats in real time. It collects, parses and categorizes security-relevant data from a wide range of sources — in seconds — then analyzes that data to provide insights, specifically on unusual behavior, so you can act accordingly.
Like SOAR, it does the work that would be impossible to do manually. Also, like SOAR, SIEM aggregates event data across disparate sources within your network infrastructure, including servers, systems, devices and applications, from perimeter to end user. Unlike a SOAR platform, a SIEM solution serves as your security data repository and provides an efficient means to search, correlate and analyze all data available.
Why is SOAR important?
Your security team is probably drowning in a proverbial sea of alerts, many of which are false positives and repeats of previously observed alerts. The average security team is dealing with upward of 175,000 alerts per week. Hidden in all that noise are very real threats, many of which go completely unaddressed if security analysts are manually handling each one.
That’s where SOAR can make a huge difference, alleviating many of those repetitive, mundane actions so your security team can focus on more important work.
SOAR enables you to:
- Integrate security, IT operations and threat intelligence tools. You can connect all your different security solutions — even tools from different vendors — to achieve a more comprehensive level of data collection and analysis. Security teams can stop juggling a variety of different consoles and tools.
- View everything in one place. Your security team gains access to a single console that provides all the information it needs to investigate and remediate incidents.
- Speed incident response. SOARs are proven to reduce mean time to detect (MTTD) and mean time to respond (MTTR). Because many actions are automated, a large percentage of incidents can be dealt with immediately and automatically.
- Prevent time-consuming actions. SOAR drastically reduces false positives, repetitive tasks and manual processes that eat up security analysts’ time.
- Access better intelligence. SOAR solutions aggregate and validate data from threat intelligence platforms, firewalls, intrusion detection systems, SIEM and other technologies, offering your security team greater insight and context. This makes it easier to resolve issues and improve practices. Analysts are better able to conduct deeper and broader investigations when problems arise.
- Improve reporting and communication. With all security operations activities aggregated in one place and displayed in intuitive dashboards, stakeholders can receive all the information they need, including clear metrics that help them identify how to make improvements to workflows and reduce response times.
- Boost decision-making ability. Because SOAR platforms may offer features like pre-built playbooks, drag-and-drop functions to build playbooks from scratch and automated alert prioritization, SOAR platforms aim to be user-friendly, even for less experienced security analysts. Additionally, a SOAR tool can gather data and offer insights that make it easier for analysts to evaluate incidents and take the correct actions to remediate them.
How do you get the most value out of SOAR?
As with all security tools, the real value of SOAR is in how you use it. However, just as important are the steps you take before you deploy the tool. Follow these best practices to gain the most value from your SOAR platform investment:
1. Establish priorities. It’s best to first evaluate where automation can be effective, specifically for your organization, and then prioritize those needs. Consider the big picture, figure out which incidents occur most often, and which take the most time to investigate and resolve. Then define your use cases based on your industry and organizational goals, and create a list of how you will use SOAR. Involve stakeholders across your security operations team as you identify use cases, even if you don’t think you will implement them right away. Having these priorities in mind as you research vendors will help to ensure that the platform can serve you well in the long term.
2. Develop your playbooks. It’s important to document the steps, instructions and best practices for resolving incidents effectively, ensuring that your security team follows a consistent, repeatable process every time. As you establish a priority list for developing playbooks, start with those that will eliminate the repetitive tasks upon which the team wastes the most time.
3. Inventory your tools, apps and APIs. You need to ensure that the vendor you choose can support all of the tools you’re currently using. At the same time, assess how well those tools are working for you. Remember that a SOAR product is only as good as the information you’re feeding it, so consider whether you need to upgrade any other parts of your security infrastructure before deploying it.
4. Train staff. Not only do you need to train staff to effectively use your security automation software, you need to train them to address complex incidents the software can’t resolve. When alerts are flagged as needing human intervention, your staff must have the expertise and confidence to tackle those issues.
5. Take advantage of newfound time. Automation makes security teams more productive and creates opportunities for them to do more for the organization. Plan how your analysts will focus on value-added tasks that benefit the organization — for example, conducting a deep investigation as to why you are constantly fighting off phishing attacks. What’s more, automation will create new roles within the organization — so use the newly available time to develop a continuous improvement model and train staff to design, implement and improve upon automation logic.
6. Don’t expect magic overnight. Rather than aiming to use every single SOAR capability from the start, it’s probably better to ease into it gently. Start simple by focusing on critical areas first and build sophistication over time, which will help you ease into the full potential of the platform with minimal growing pains.
How do you get started with SOAR?
If you’re ready to see how SOAR can improve your overall security operations, the next step is to look for the right SOAR tool. Here are the capabilities that you should look for:
- Easily digestible reports. You want to be able to visualize your event data and security operations tools together in a single, consolidated view. That big-picture view allows you to quickly understand what’s going on within the network, investigate issues and decide what to do next.
- Dashboard modification. You’ll want to display data in the format that best suits the needs of your organization.
- Automatic queueing and prioritizing of alerts. Essentially, you want to know what tasks are most important to work on immediately, without having to conduct extensive searching.
- Organized alert details. Data, such as IP addresses, domain names, file hashes, user names, email addresses, and other relevant data fields should be organized in a way that security analysts can immediately process.
- Flexible, easy playbook creation and management. Ideally, you want a platform that lets you build your playbooks without requiring any coding. Look for a solution that offers both built-in playbooks and options to customize and build your own, using the playbook editor of your choice. Additionally, you’ll want the ability to organize and group playbooks based on what works best for your organization.
- Integration with the tools you use to run your business. This includes security and infrastructure assets, such as firewalls, endpoint products, reputation services, sandboxes, directory services and SIEMs.
- Built-in guidance. Some platforms have intelligent assistants integrated into the interface, offering suggestions for investigating, containing, eliminating and even recovering from an incident. This feature is especially valuable for new security analysts.
- Scalability. Naturally, you need the platform to grow in its capabilities along with your organization.
The Bottom Line
SOAR can optimize your security operations
You have the opportunity to enable your security team to do the impossible: Keep up with the never-ending security alerts that plague a highly complex IT environment. Freeing your team from dealing with false positives, repetitive alerts and low-risk warnings, SOAR lets you pivot from a reactionary approach to a more proactive one. Rather than fighting fires, security analysts can put their talents and extensive training to better use, ultimately improving your organization’s overall security posture.