SOAR is the name for a relatively new kind of security platform that coordinates information produced by a wide range of security tools and automates much of their analysis and protective responses.
SOAR, which stands for security orchestration, automation, and response, is a term coined by Gartner in 2015 and since embraced by the industry as companies grapple with increasing security threats, a tight labor market, and an increasing flood of information they need to parse about the state of the systems and networks they're trying to protect.
Ideally, SOAR platforms are meant to help you make better use of the resources—including both technical tools and employees—that you already have. In practice, there can be quirks, especially when it comes to getting ready to move to a SOAR paradigm, but overall these offerings hold promise for making sense of all the security-related data modern enterprises need to analyse.
SIEM vs. SOAR
Based on this description, you may be wondering what the difference is between SOAR platforms and SIEM (security information and event management) software. SIEM software collects, correlates, and analyses information from logs and tools and raises alerts, but it doesn't necessarily take the active steps that SOAR platforms make possible.
In fact, SOAR offerings often use SIEM software as one of their inputs: the SIEM raises the alert, and the SOAR platform enriches it and drives the response. To fully understand how SOAR goes beyond SIEM, we need to dig into what SOAR tools aim to do and how they work.
What is the purpose of SOAR?
The story of contemporary IT security, at its heart, is that in order to lock down your systems, you need to collect, process, and analyse an enormous amount of data from an ever-multiplying set of tools, and, when needed, turn that analysis into action against the threats you detect. All this requires increasing amounts of human effort and intelligence, which is the most valuable (and expensive) resource in IT security.
FireEye, itself a SOAR vendor, lists the following among the main SOAR benefits:
- Combat budget restraints
- Improve time management and productivity
- Effectively manage incidents
- Encourage collaboration
Each of these benefits represents one way to chip away at the IT security problem of "too much data, not enough time for humans to deal with it." SOAR platforms use AI, automation, and collaborative tools to take repetitive, lower-level tasks off your security staff's plates and make sure the tasks that do need human attention get to the right people and get resolved as quickly as possible.
As the name says, SOAR uses three main techniques to achieve this: orchestration, automation, and response.
Orchestration. SOAR platforms coordinate the input and operation of the many, many security tools you may have deployed on your networks.
Although vendors are always eager to sell you integrated suites of their own products, most SOAR platforms boast the ability to take data in from numerous third-party tools, either via pre-built connectors (which should exist for the most common tools) or via the APIs many tools expose.
Thus, SOAR platforms can provide a "single pane of glass" interface where security pros can see relevant information from across tools correlated together, and issue commands on how to proceed.
Automation. SOAR platforms aim to perform much of the analytical grunt work involved in processing all that data, with AI combing through vulnerability scans and logs to surface potential threats.
In addition, relatively menial tasks that often occupy much of the security staff's days can be largely automated by creation of playbooks—prewritten scripts that outline actions that can be run on a schedule or invoked with a single click.
Thanks to those connectors and APIs we mentioned earlier, SOAR offerings can go beyond taking in data and also configure and send commands to your tools as needed. Some tasks may run entirely automatically, but more often the steps are consolidated so that a staffer can escalate an alert, pull data from logs, or create trouble tickets populated with the appropriate data, all much more quickly than if they had to operate each tool separately.
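To make the three pieces concrete, here is an added example (not code from the original article or from any SOAR vendor) of a minimal playbook in the style most platforms use: a connector layer wraps each tool, the playbook enriches one alert across those tools, scores it, and then either acts or queues an action for an analyst. The SIEM events, threat-intelligence entry, EDR host mapping, and the alert itself are all constructed in memory so the script runs offline; a real platform would back the connector methods with HTTP or API clients.

```python
"""Minimal SOAR-style playbook runner (illustrative, not any vendor's code).

Connectors wrap the tools a SOAR platform orchestrates; the playbook
enriches an alert across them, scores it, and responds. All tool data is
constructed in memory so the script runs offline.
"""
from dataclasses import dataclass, field
from typing import Optional

# ---- Constructed tool data (stands in for real SIEM / TI / EDR APIs) ----
SIEM_LOGS = [  # constructed SIEM events: (timestamp, src_ip, user, outcome)
    ("2024-05-01T09:58:10Z", "203.0.113.7", "jsmith", "failure"),
    ("2024-05-01T09:58:12Z", "203.0.113.7", "jsmith", "failure"),
    ("2024-05-01T09:58:15Z", "203.0.113.7", "jsmith", "failure"),
    ("2024-05-01T09:58:20Z", "203.0.113.7", "jsmith", "success"),
    ("2024-05-01T10:02:01Z", "198.51.100.4", "mlee", "success"),
]
THREAT_INTEL = {"203.0.113.7": {"malicious": True, "tags": ["credential-stuffing"]}}
EDR_HOSTS = {"jsmith": "WS-0417"}  # constructed: user -> last host seen by EDR


@dataclass
class Case:
    alert: dict
    evidence: dict = field(default_factory=dict)
    severity: str = "low"
    actions: list = field(default_factory=list)   # executed automatically
    pending: list = field(default_factory=list)   # queued for analyst approval


class Connectors:
    """Connector layer: one method per tool capability the playbook needs."""

    def __init__(self):
        self.blocked_ips = set()
        self.isolated_hosts = set()
        self.tickets = []

    def siem_search(self, src_ip: str) -> list:
        return [e for e in SIEM_LOGS if e[1] == src_ip]

    def ti_lookup(self, ip: str) -> dict:
        return THREAT_INTEL.get(ip, {"malicious": False, "tags": []})

    def edr_last_host(self, user: str) -> Optional[str]:
        return EDR_HOSTS.get(user)

    def firewall_block(self, ip: str) -> None:
        self.blocked_ips.add(ip)

    def edr_isolate(self, host: str) -> None:
        self.isolated_hosts.add(host)

    def ticket_create(self, case: Case) -> int:
        ticket_id = len(self.tickets) + 1
        self.tickets.append({"id": ticket_id, "severity": case.severity,
                             "summary": f"{case.alert['type']} from {case.alert['src_ip']}",
                             "evidence": case.evidence})
        return ticket_id


def suspicious_login_playbook(alert: dict, tools: Connectors) -> Case:
    """Enrich -> score -> respond. Reversible, narrow actions (block one IP,
    open a ticket) run automatically; isolating a workstation is queued."""
    case = Case(alert=alert)
    ip, user = alert["src_ip"], alert["user"]

    # Orchestration: pull context from several tools into one case record.
    events = tools.siem_search(ip)
    intel = tools.ti_lookup(ip)
    failures = sum(1 for e in events if e[3] == "failure")
    successes = sum(1 for e in events if e[3] == "success")
    case.evidence = {"failed_logins": failures, "successful_logins": successes,
                     "ti_malicious": intel["malicious"], "ti_tags": intel["tags"],
                     "host": tools.edr_last_host(user)}

    # Automation: score the alert from the gathered evidence.
    if intel["malicious"] and failures >= 3 and successes >= 1:
        case.severity = "high"      # brute force that ended in a success
    elif intel["malicious"] or failures >= 3:
        case.severity = "medium"

    # Response: act according to severity.
    if case.severity == "high":
        tools.firewall_block(ip)
        case.actions.append(("firewall_block", ip))
        if case.evidence["host"]:
            case.pending.append(("edr_isolate", case.evidence["host"]))
    if case.severity != "low":
        ticket_id = tools.ticket_create(case)
        case.actions.append(("ticket_create", ticket_id))
    return case


if __name__ == "__main__":
    tools = Connectors()
    # Constructed alert, shaped as a SIEM correlation rule might emit it.
    alert = {"type": "suspicious_login", "src_ip": "203.0.113.7", "user": "jsmith"}
    case = suspicious_login_playbook(alert, tools)
    print(case.severity, case.actions, case.pending)
```

The split between `actions` and `pending` is the design point: the playbook blocks a single source IP on its own because that is cheap to reverse, but host isolation, which takes a user offline, is only proposed and waits for a one-click approval in the case record.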
Response. The visibility SOAR platforms provide into all the data from your tools allows your analysts to quickly plan, manage, monitor, and report on the actions they'll take to respond to threats.
SOAR platforms generally integrate with case management and reporting tools as well to ensure that information about any attacks is kept on hand for future reference. Most also work with threat intelligence services so you can easily hear what other security pros are dealing with and share your own experiences with the community.
5 tips to get ready for SOAR
A SOAR platform is not something you just buy off the shelf and install; it requires customisation for your environment, which is why you'll want to research what sort of vendor support comes with any offerings you consider. But you'll also need to prepare your own security operations to accommodate the new workflows and capabilities you'll gain with a SOAR solution. Here, security pros with experience in this field offer their advice on how to approach this transition.
Make sure in-house skills align with the selected platform. "Each SOAR solution takes a slightly different approach, with some tailored for highly skilled analysts and others for users of all ability levels," says Veronica Miller, a cyber security expert at VPNoverview. For instance, some SOAR offerings require the ability to write scripting code in Perl, Python, or Ruby in order to integrate security tools and create playbooks.
"Be sure to inquire about whether your preferred platform includes both a graphical user interface and a module for writing scripts, such as an integrated development environment," says Miller.
"The GUI can help non-coders take advantage of the SOAR solution's strengths right away, maybe by simple drag-and-drop features, while the IDE allows coders to do more advanced customisation if necessary."
Make sure your tools have the API connectors you need. As noted, while some SOAR platforms have built-in pre-written connectors for popular tools, these aren't universal—and you probably have some home-brewed tools you'll want to integrate as well.
That's where API connectors come in, and Jason Mitchell, CTO at Smart Billions, says that making a catalog of tools that need to use them is an important step. "Look at the mechanisms that would be used to conduct audits, alerts, and corrective measures within the systems, and ensure that all API connectors you find are usable or developable, and that they perform the specific actions you want performed," he says.
You may find that you need to build these API connectors yourself; most vendors offer integration frameworks that allow you to do so. "You can also build daemons that improve SecOps on a constructive basis," Mitchell adds. "There are no restrictions on the types of daemons you can make, such as new IoCs in threat intelligence platforms or higher-risk SIEM warnings."
Map out your incident response processes before you automate them. Because automation is one of the big value propositions of SOAR platforms, many shops that implement them rush into the automation process. But that can be a big mistake. "Although automation has the potential to significantly improve procedures, it also has the potential to exacerbate a problem," says Timothy Robinson, CEO of InVPN. "Automation added to an inefficient process would magnify the inefficiency."
Take the opportunity the transition to SOAR offers to analyse and rationalise your processes before you create playbooks based on them.
"For better visualisation and coordination, draw representative diagrams on paper or on a whiteboard," advises Robinson. He also adds that many vendors include prewritten playbooks, which you might find to be an improvement on your current processes. "This can be a fantastic way to get your team started, and you can refine it as you learn what works best for your SOC."
Ease into the automation. One thing you may want to think about as you analyse your existing processes is whether or not they should be automated right off the bat—or ever.
"Even the most difficult and malicious cases require hands-on, critical thinking that only a security analyst can provide," says Steve Scott, CTO at Spreadsheet Planet. "As a result, every SOAR implementation is always about finding the right mix of machine-driven and analyst-driven activities for your specific SOC.
"Identify processes that are prime candidates for automation and introduce SOAR in those areas first if you're just getting started. From there, you will decide how to proceed with the automation portion of your journey."
Be ready for your SOAR implementation to evolve. Remember that your journey with SOAR really is a journey: you'll be learning as you go how to best tune it for your needs, and what works and what doesn't.
"It's impossible to get it all right on the first try," says Eric McGee, Senior Network Engineer at TRGDatacenters. "Even if you put a lot of time and effort into creating a specific incident response playbook, there's a fair chance it won't be flawless."
And, of course, you know that the threat landscape is always changing—and your SOAR playbooks will need constant tweaking to meet new challenges.
"Cyber threat methods, strategies, and procedures change over time," McGee says. "As a result, you must adapt and implement changes as required.
"Analysts must continue to track, review, and refine processes after they have been codified using a SOAR solution to ensure that each playbook continues to work at optimal effectiveness and performance. Continuous development can be aided by SOAR solutions that allow you to run tests and warning simulations on your playbooks."
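The two pieces of advice above, start with a mix of machine-driven and analyst-driven steps and keep testing playbooks with simulations, can be combined into one practice: run a new playbook in a shadow mode that records what it would have done, replay it over past alerts alongside the analysts' real decisions, and promote an action to unattended execution only when the two agree. The following is an added example of that evaluation loop (not code from the article or from any SOAR product); the alert history, analyst verdicts, and the tiny decision rule are all constructed for illustration.

```python
"""Shadow-mode evaluation of a playbook before it runs unattended.

Illustrative code, not any vendor's. The decision rule, alert history and
analyst verdicts below are constructed.
"""
from collections import Counter
from enum import Enum


class Mode(Enum):
    SHADOW = "shadow"   # record the decision, touch nothing
    ASSIST = "assist"   # queue every action for one-click approval
    AUTO = "auto"       # execute allowlisted actions without a human


# Actions considered safe to run unattended once shadow mode has validated
# them, and actions that always stay with an analyst regardless of stats.
AUTO_ALLOWLIST = {"enrich", "open_ticket"}
NEVER_AUTO = {"disable_account", "isolate_host"}


def propose_actions(alert: dict) -> list:
    """Constructed decision rule standing in for a playbook's logic."""
    actions = ["enrich"]
    if alert["ti_hits"] > 0:
        actions += ["open_ticket", "block_ip"]
    if alert["ti_hits"] > 0 and alert["privileged"]:
        actions.append("disable_account")
    return actions


def run_playbook(alert: dict, mode: Mode, allowlist=AUTO_ALLOWLIST) -> dict:
    """Route each proposed action according to the mode the SOC chose."""
    executed, queued, observed = [], [], []
    for action in propose_actions(alert):
        if mode is Mode.SHADOW:
            observed.append(action)
        elif mode is Mode.AUTO and action in allowlist and action not in NEVER_AUTO:
            executed.append(action)
        else:
            queued.append(action)
    return {"executed": executed, "queued": queued, "observed": observed}


# Constructed history: (alert, set of actions the analyst actually took).
HISTORY = [
    ({"id": 1, "ti_hits": 2, "privileged": False}, {"open_ticket", "block_ip"}),
    ({"id": 2, "ti_hits": 0, "privileged": False}, set()),
    ({"id": 3, "ti_hits": 1, "privileged": True}, {"open_ticket", "block_ip", "disable_account"}),
    ({"id": 4, "ti_hits": 1, "privileged": False}, {"open_ticket"}),  # analyst chose not to block
]


def shadow_evaluate(history) -> Counter:
    """Replay the playbook in SHADOW mode and count, per action, how often it
    agreed with the analyst, fired when the analyst did not (false positive),
    or stayed silent when the analyst acted (missed)."""
    stats = Counter()
    for alert, analyst in history:
        proposed = set(run_playbook(alert, Mode.SHADOW)["observed"]) - {"enrich"}
        for action in proposed | analyst:
            if action in proposed and action in analyst:
                stats[(action, "agree")] += 1
            elif action in proposed:
                stats[(action, "false_positive")] += 1
            else:
                stats[(action, "missed")] += 1
    return stats


def promotable(stats: Counter, action: str, min_agree: int = 2) -> bool:
    """An action earns unattended execution only with enough agreement and
    zero false positives in shadow mode, and never if it is in NEVER_AUTO."""
    return (action not in NEVER_AUTO
            and stats[(action, "agree")] >= min_agree
            and stats[(action, "false_positive")] == 0)


def next_allowlist(stats: Counter, current=AUTO_ALLOWLIST) -> set:
    """Grow the allowlist one validated action at a time."""
    candidates = {a for (a, _) in stats}
    return set(current) | {a for a in candidates if promotable(stats, a)}


if __name__ == "__main__":
    stats = shadow_evaluate(HISTORY)
    for key, count in sorted(stats.items()):
        print(key, count)
    print("allowlist after shadow run:", sorted(next_allowlist(stats)))
    print(run_playbook(HISTORY[2][0], Mode.AUTO, next_allowlist(stats)))
```

On this history `open_ticket` is promoted (three agreements, no disagreements), `block_ip` is held back because alert 4 shows an analyst deciding not to block, and `disable_account` stays with a human no matter what the numbers say. Rerunning the evaluation as new cases close is the "continuous development" the passage describes.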
If all goes well, your SOAR platform will have improved your SOC's efficiency and given your analysts the time they need to think strategically instead of just fighting fires all day.