
SOAR: What are you looking for? Part I

The e-InnoSec team recently completed a 6-part series as a guide for organizations to leverage their GDPR preparation for CCPA. The 4-part Malware/Ransomware series focused on helping organizations protect themselves from malware and ransomware. The current series, on Social Engineering, published its first part last week and is still in progress.

This week we decided to look at SOAR (Security Orchestration, Automation, and Response). The term was coined by Gartner to describe the convergence of three distinct technology markets: security orchestration and automation, security incident response platforms (SIRP), and threat intelligence platforms (TIP).

The SOAR approach aims at increased efficiency, efficacy, and consistency within security operations and incident response. It has three components:

Security Orchestration aims at the seamless integration and communication between various security tools to establish repeatable, enforceable, measurable, and effective incident response processes and workflows. These technologies support the remediation of vulnerabilities, and they provide the formalized workflow, reporting, and collaboration capabilities.

Security Incident Response technologies support how an organization plans, manages, tracks, and coordinates the response to a security incident. The aim is to address and manage the security incident once an alert has been confirmed, including triage, containment, and remediation.

Security Operations Automation technologies support the automation and orchestration of workflows, processes, policy execution, and reporting. The automation makes use of playbooks (linear sequences of tasks) and runbooks (decision-based conditional actions) to reduce or eliminate routine manual work.

SIEM vs SOAR

A SIEM solution works by collecting and aggregating events and then identifying, categorizing, and analyzing incidents and events. It identifies patterns and correlates event information between devices to detect potentially anomalous activity, and it issues alerts. A SIEM needs regular updates and tuning; even once it is properly tuned, responding to the alerts it generates is a manual process. That response normally consists of blocking activity, triggering vulnerability scans, gathering additional information, and similar rudimentary actions.

SOAR is like robotic process automation used in digital transformation for process automation but it’s for security operations. SOAR is designed to help security teams manage and respond to endless alarms as well as address the routines in an automated way. SOAR platforms take things a step further by combining comprehensive data gathering, case management, standardization, workflow, and analytics to provide organizations the ability to implement sophisticated defense-in-depth capabilities.

SOAR is complementary to SIEM. To respond to a large number of alerts per day with limited resources, SOAR works with the SIEM solution to manage the incident response process for each alert, automating and orchestrating the routine tasks. With the help of integrations, SOAR can automate complex incident response workflows and facilitate a flexible defense. With multiple playbooks and runbooks, and the capability to automate each step in a playbook, SOAR can respond to specific threats in a fully automated way, or a step can be set up for one-click execution directly from within the platform.

How does SOAR work?

A SOAR platform can automatically respond to security alerts, with all the tools and technologies needed seamlessly orchestrated together. The most appropriate response steps and actions are then executed through the triggering of various playbooks and runbooks to suit different threats. The aim is an auto-response to all alerts while freeing up valuable analyst time to work on higher priority or complex tasks, such as threat analytics.
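To make the playbook/runbook distinction and the "fully automated or one-click" execution model concrete, here is an added example of a minimal runbook executor. It is my own illustrative code, not code from e-InnoSec or from any SOAR vendor. A SIEM-style alert becomes a case, a decision-based runbook enriches it with a threat-intel score and routes it to contain, escalate, or close, and the contain branch runs a linear playbook whose steps are held for analyst approval unless the platform is configured for full automation. The alerts, the threat-intel scores (using IETF documentation address ranges), and the firewall/EDR integrations are all constructed stand-ins, and every step is recorded in the case's audit trail.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# --- Constructed sample data (not real alerts or intel) ---------------------
# Alerts shaped like what a SIEM correlation rule might forward to SOAR.
SAMPLE_ALERTS = [
    {"id": "A-1", "rule": "outbound-beacon", "src_host": "ws-017", "dst_ip": "203.0.113.45", "count": 120},
    {"id": "A-2", "rule": "outbound-beacon", "src_host": "ws-042", "dst_ip": "198.51.100.7", "count": 3},
    {"id": "A-3", "rule": "failed-logins", "src_host": "srv-db1", "dst_ip": "192.0.2.9", "count": 8},
]
# Hypothetical threat-intel platform (TIP) table: indicator -> risk score 0-100.
TIP_TABLE = {"203.0.113.45": 95, "198.51.100.7": 40}

# --- Case model: the record the incident-response component tracks ----------
@dataclass
class Case:
    alert: dict
    enrichment: dict = field(default_factory=dict)
    status: str = "open"
    actions: List[str] = field(default_factory=list)   # audit trail
    pending_approval: Optional[str] = None              # runbook node held for one-click

# --- Orchestrated tool actions (in-memory stand-ins for real integrations) --
FIREWALL_BLOCKLIST: set = set()
EDR_ISOLATED: set = set()

def tip_lookup(case: Case) -> None:
    case.enrichment["ioc_score"] = TIP_TABLE.get(case.alert["dst_ip"], 0)
    case.actions.append(f"tip:lookup {case.alert['dst_ip']} -> {case.enrichment['ioc_score']}")

def firewall_block(case: Case) -> None:
    FIREWALL_BLOCKLIST.add(case.alert["dst_ip"])
    case.actions.append(f"firewall:block {case.alert['dst_ip']}")

def edr_isolate(case: Case) -> None:
    EDR_ISOLATED.add(case.alert["src_host"])
    case.actions.append(f"edr:isolate {case.alert['src_host']}")

def notify_analyst(case: Case) -> None:
    case.actions.append("ticket:assign tier-2")

def close_case(case: Case) -> None:
    case.status = "closed"
    case.actions.append("case:close")

# --- Playbook: a linear list of actions, run in order -----------------------
Playbook = List[Callable[[Case], None]]

def run_playbook(case: Case, playbook: Playbook) -> None:
    for action in playbook:
        action(case)

# --- Runbook: decision-based; each node runs an action, then picks the next -
# node name -> (action, decision function returning the next node or None)
Runbook = Dict[str, tuple]

def decide_after_enrichment(case: Case) -> Optional[str]:
    score = case.enrichment["ioc_score"]
    if score >= 80:
        return "contain"
    if score >= 30:
        return "escalate"
    return "close"

CONTAIN_PLAYBOOK: Playbook = [firewall_block, edr_isolate, close_case]
BEACON_RUNBOOK: Runbook = {
    "enrich":   (tip_lookup, decide_after_enrichment),
    "contain":  (lambda c: run_playbook(c, CONTAIN_PLAYBOOK), lambda c: None),
    "escalate": (notify_analyst, lambda c: None),
    "close":    (close_case, lambda c: None),
}
# Nodes that change production systems: held for an analyst's one-click
# approval unless the platform is configured for full automation.
REQUIRES_APPROVAL = {"contain"}

def run_runbook(case: Case, runbook: Runbook, start: str, full_auto: bool) -> Case:
    node: Optional[str] = start
    while node is not None:
        if node in REQUIRES_APPROVAL and not full_auto:
            case.pending_approval = node
            case.status = "awaiting-approval"
            case.actions.append(f"approval:required {node}")
            return case
        action, decide = runbook[node]
        action(case)
        node = decide(case)
    return case

def approve(case: Case, runbook: Runbook) -> Case:
    """Analyst one-click execution of the node that was held for approval."""
    node = case.pending_approval
    case.pending_approval = None
    case.status = "open"
    case.actions.append(f"approval:granted {node}")
    return run_runbook(case, runbook, node, full_auto=True)

def triage(alert: dict, full_auto: bool = False) -> Case:
    """Entry point: a SIEM alert becomes a case and is routed to a runbook."""
    case = Case(alert=alert)
    if alert["rule"] == "outbound-beacon":
        return run_runbook(case, BEACON_RUNBOOK, "enrich", full_auto)
    notify_analyst(case)   # no runbook for this rule yet: hand to an analyst
    return case

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        c = triage(a)
        print(a["id"], c.status, c.actions)
```

The design choice worth noting is the `REQUIRES_APPROVAL` gate: enrichment and ticketing run unattended, while the steps that block traffic or isolate a host stop and wait for `approve()` unless `full_auto=True` is explicitly chosen, which is how a platform offers both fully automated response and one-click execution of the same runbook. The audit trail in `case.actions` is what the case-management side would show an analyst after the fact.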

According to Gartner’s SOAR market guide, “by year-end 2022, 30% of organizations with a security team larger than five people will leverage SOAR tools in their security operations, up from less than 5% today.” The reason for this dramatic increase is the fact that security operations centers (SOCs) cannot keep up with today’s evolving threat landscape. They are understaffed, overworked, and constantly bombarded with alarms from various sources, including security information and event management (SIEM) systems.