With security teams drowning under anywhere from 10,000 to a million security alerts per day, any approach that eases their workload while improving security and productivity is welcome. Security orchestration, automation, and response (SOAR) platforms help security teams drastically streamline their security operations. Surveys say that by 2028, the market size for SOAR will have doubled from the 2021 size.
Why is SOAR so popular? In this article, you’ll get an in-depth understanding of the problems that SOAR security solves and its many benefits.
What Is SOAR?
SOAR security is a cybersecurity approach that heavily uses automation. A SOAR tool helps security teams manage security incidents, vulnerabilities, and threats efficiently and correctly using automation.
In doing so, SOAR security offers three key capabilities:
- Orchestration
- Automation
- Response
We’ll explain these in detail shortly. But to truly appreciate the benefits of SOAR security, it helps to consider how security teams have traditionally managed incident response and threat detection.
How Security Teams Manually Manage Incidents and Threats
Let’s start by introducing some basic concepts:
- Vulnerabilities are weaknesses in your IT infrastructure that can be exploited to carry out cyberattacks.
- A threat is somebody or something that can potentially exploit a vulnerability. Security teams aim to close vulnerabilities before a cyber threat exploits them.
- An incident is an event that negatively affects the organization’s security posture (i.e., the current state of overall security), like a cyberattack or equipment failure.
In these situations, security teams have to activate a suitable incident response to contain any damage. If it’s an active threat, the incident response includes threat mitigation to remove the threat.
How have security teams done all this manually and what aspects are involved? Let’s find out.
1. Playbooks
Playbooks are the most important concept to understand. A playbook documents all the steps to detect, investigate, contain, and recover from an incident or vulnerability, along with all necessary prerequisites and decision-making involved in the sequence.
Security professionals in an organization carefully design these playbooks by consulting with IT and security experts. When a security incident occurs, they’re in a race against time to respond quickly under stress. By following playbooks, security analysts can start responding immediately, even mechanically, without wasting time thinking about the right steps.
Here is an example security playbook to respond to potential malware, shown as an activity chart:
Such visualizations of playbooks are used by analysts to understand and visually remember the big picture.
2. Systems and Tools Involved in Playbooks
Even in the rather simple example playbook above, notice a large number of IT and security systems involved:
- Malware database
- Sandboxing tool
- Malware scanners
- Security information and event management (SIEM) system
- Endpoint security system
- Firewall software
- Data backup and recovery tools
A security analyst has to know how to use all these systems and how to configure them properly in the correct sequence.
3. Playbooks Are Complex
A typical playbook is not just a chart but a document with very detailed, often complicated, steps. For example, notice the level of complexity in these excerpts from a Microsoft malware playbook:
- One of the prerequisites tells the analyst to review detailed Azure AD permissions.
- One of the many investigation steps is to “review your tenant for potential keyCredential property information disclosure as outlined in CVE-2021-42306.”
- A remediation step advises to “perform a Microsoft Graph call using GET ~/application/{id} where id passed is the application object ID.”
What stands out here is the technical complexity. Security analysts are expected to:
- Understand all these complex steps across all their IT assets
- Keep all necessary tools ready and functioning
- Become proficient in all the commands and tool workflows needed to carry out the steps
- Execute every step correctly in a stressful environment
4. Time and Stress
Security incident response can be stressful. When starting a response, a security analyst has limited knowledge about the incident or the damage. The best strategy is to assume worst-case outcomes and act fast.
Plus, many cyberattacks are launched during weekends and holidays when security and IT teams are likely to be running skeleton crews with less experienced employees. This adds to the stress and time constraints on executing these complex playbooks.
5. Coordination Aspect
A playbook’s steps may involve coordination with other organizations and employees. Technical coordination with IT and operations teams is necessary for remediation. Organizational coordination with risk, legal, and media teams may be needed in case of major incidents with business impacts.
How SOAR Security Solves These Problems
The SOAR security approach addresses all these problems using three key capabilities:
1. Orchestration
Just like a conductor in a musical orchestra, a SOAR coordinates actions across different software systems to achieve the desired security posture. SOAR does this in the correct sequence while avoiding operational disruptions and maintaining a robust security posture.
Orchestration helps:
- Execute steps across different software systems to simplify the process. For example, when a SIEM event from an intrusion detection system points to a possible intrusion, SOAR will query global IP blocklists to check if the intruding IP address is a rogue actor. It will then update the firewall configuration to block that IP.
- Coordinate steps between IT, operations, and security teams by opening tickets and notifying those teams.
- Promptly notify and coordinate with other teams via automation over popular communication channels like Slack or email.
2. Security Automation
SOAR security comes with powerful built-in task execution and security detection capabilities to automate all the steps in a playbook. Such automated playbooks are also called runbooks. Further, they support scripting to enable security analysts to code custom steps.
3. Response
SOAR platforms support automated responses and recovery with minimal human intervention. These steps involve communicating with other systems through their application programming interfaces (APIs) or reconfiguring them. They may also involve coordinating with other teams.
SOAR tools support checking the state of IT assets to verify that remediation and recovery resulted in desired outcomes.
13 Benefits of SOAR Security
The three key capabilities of SOAR translate into an impressive set of benefits and supported use cases:
1. Real-Time Robust Incident Response
SOAR enables your security operations center (SOC) to automatically investigate all security alerts and robustly respond to incidents in real-time.
2. Vulnerability Management
SOAR automates several vulnerability management tasks like:
- Fetching the latest vulnerability information from global databases
- Scanning software and systems for vulnerabilities in their versions
- Patching operating systems and software
3. Threat Intelligence
SOAR automatically fetches threat intelligence, like the indicators of compromise, from global threat databases and adds that information to the incident. Such data enrichment enables security analysts to quickly triage the source and target of an incident.
4. Runbook Creation and Reuse
SOAR platforms help your SOC to maintain a vast, searchable library of reusable runbooks for any kind of incident. Pre-defined runbooks created by security experts can be downloaded and customized. Security teams can quickly search for a runbook based on an incident’s symptoms and execute it without any hassles.
5. Efficient and Time-Saving
The response time after an incident is a critical factor to minimize damage. SOAR tools can execute the kind of complex, time-consuming steps you saw earlier quickly and correctly. They improve metrics like the mean time to detect and mean time to respond (MTTR) to an incident.
6. Streamline Repetitive Tasks
Tasks like attachment scanning and log reviewing have to be done several times a day. SOAR is excellent at automating such repetitive security chores that are nonetheless critical for your security posture.
7. Reduce Alert Fatigue
SIEM tools are notorious for generating hundreds of false alarms, leading to alert fatigue among security teams. SOAR automates the investigation of alarms and alerts analysts only for genuine incidents.
8. Integrates With a Variety of Security Systems
Good SOAR solutions have an extensive set of plugins to integrate with a wide variety of security systems. This is necessary because cybersecurity involves specialized tools for different use cases. Surveys say larger enterprises use as many as 76 security tools on average.
9. Runbook Tracking
Good SOAR tools enable security teams to observe runbooks that have been started, track their progress, and store the results of steps. They help analysts ensure that the incident response is robust and also help with post-incident forensic analysis.
10. Security Dashboards
Good SOAR solutions support visualizing the security posture of the organization at any time by showing incident metrics and other security metrics on dashboards.
11. Case Management
SOAR solutions support opening, sharing, and tracking security incidents so that management and senior security employees can get an idea of the organization’s security posture at any time.
12. Error Handling and Retries
When infrastructure is under a cyberattack, network, availability, and latency errors are to be expected. SOAR solutions provide good error handling and retrying features to enable security teams to mount robust incident responses even while under attack.
13. Integrates with Popular Communication Tools
SOAR solutions integrate with popular communication tools like Slack, Discord, PagerDuty, and others. For example, employees can raise security tickets by simply typing special instructions in Slack, and security analysts can also notify employees or modify cases on the platform.
.svg)
