As per Gartner's definition, SOAR is the set of technologies that allow enterprises to collect security threat alerts and data from multiple sources, and then perform incident analysis and remediation by combining human skills with machine power to define, prioritize, and drive standardized incident response activities in accordance with a standard workflow. SOAR tools enable companies to describe incident analysis and response procedures, also known as "Plays" in a Security Operations Playbook, in a digital workflow format.
Introduction to Security Orchestration, Automation and Response
As cybersecurity threats grow by leaps and bounds, organizations face great difficulties in improving their security posture. The workplace is changing constantly, and technical innovations in IT infrastructure allow a business to grow tremendously. However, protecting these manifold developments is a daunting task. For example, organizations face various challenges in hiring, training and retaining security professionals. According to "The State of SOAR Report, 2018", an "average of eight (8) months were required to train new security analysts and, despite this, a quarter of the workforce was likely to leave within 2 years." To address this issue, SOAR tools are the best solution, as they can fill the personnel gap and make existing employees' jobs easier and more productive. To understand SOAR as a whole, we need to comprehend its building blocks, which are described below.
- Orchestration: It is the act of integrating different technologies, both security-specific and non-security-specific, so that they can work together in a way that eases coordination. More importantly, orchestration involves manpower, such as analysts, who act as additional support to automated tools that alone are not enough to detect intrusions.
- Automation: Generally, automation is the act of executing human-related tasks via machines. In the context of SOAR, however, automation focuses mainly on human enhancement rather than human replacement. Automation of repeatable and low-level tasks works hand in glove with human decision making in order to accelerate incident investigations.
- Incident Management and Response: SOAR fosters a comprehensive and end-to-end management of incidents by security teams.
- Dashboards and Reporting: This feature provides visualization and capabilities for seeing, correlating, triaging, documenting, and measuring incidents.
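The four building blocks above can be seen together in a small playbook runner. The following is an added illustration written for this article, not code from any SOAR vendor: the threat-intelligence feed, asset inventory, firewall and ticketing calls are constructed in-memory stand-ins for the real integrations a platform would orchestrate, and the alert fields and triage thresholds are assumptions. The point it demonstrates is that routine enrichment and low-risk containment are automated, while any action touching a critical asset is handed to an analyst, and every step is recorded on the case for reporting.

```python
"""Minimal SOAR-style playbook runner (added illustration, not a vendor's code).

Orchestration: several tools are called in a fixed order.
Automation:    enrichment and triage of routine alerts run without a human.
Human enhancement: decisions on critical assets are escalated, not automated.
Case management:   every step is appended to the case timeline.
All integrations below are constructed stand-ins for real APIs.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# --- Constructed stand-ins for integrated tools (hypothetical data) ----------
THREAT_INTEL = {            # indicator -> reputation, as a TIP would return
    "203.0.113.7": "malicious",
    "198.51.100.4": "suspicious",
}
ASSET_INVENTORY = {         # hostname -> business criticality, as a CMDB would
    "db-prod-01": "critical",
    "laptop-042": "low",
}


@dataclass
class Case:
    """The case record a SOAR platform keeps for one alert."""
    alert: Dict[str, str]
    enrichment: Dict[str, str] = field(default_factory=dict)
    timeline: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)
    disposition: str = "open"

    def log(self, entry: str) -> None:
        self.timeline.append(entry)


# --- Playbook steps: small functions the orchestrator chains together --------
def enrich_indicator(case: Case) -> None:
    """Automation: look up the source IP in the (constructed) TI feed."""
    ip = case.alert["src_ip"]
    case.enrichment["reputation"] = THREAT_INTEL.get(ip, "unknown")
    case.log(f"tip lookup {ip}: {case.enrichment['reputation']}")


def enrich_asset(case: Case) -> None:
    """Automation: look up the affected host in the (constructed) inventory."""
    host = case.alert["host"]
    case.enrichment["criticality"] = ASSET_INVENTORY.get(host, "unknown")
    case.log(f"cmdb lookup {host}: {case.enrichment['criticality']}")


def triage(case: Case) -> None:
    """Decide who acts: the machine, or an analyst. Thresholds are assumptions."""
    rep = case.enrichment["reputation"]
    crit = case.enrichment["criticality"]
    if crit == "critical":
        case.disposition = "escalated"        # a human decides on critical assets
    elif rep == "malicious":
        case.disposition = "auto-contained"   # known-bad on a non-critical asset
    elif rep == "unknown" and crit == "low":
        case.disposition = "auto-closed"      # likely noise; close and keep record
    else:
        case.disposition = "pending-review"   # ambiguous; queue for an analyst
    case.log(f"triage -> {case.disposition}")


def respond(case: Case) -> None:
    """Orchestration: drive the (stand-in) firewall and ticketing tools."""
    if case.disposition == "auto-contained":
        case.actions.append(f"firewall: block {case.alert['src_ip']}")
        case.actions.append("ticket: create P3 for post-action review")
    elif case.disposition == "escalated":
        case.actions.append("ticket: create P1, assign to on-call analyst")
        case.actions.append("no blocking until analyst approves")
    elif case.disposition == "pending-review":
        case.actions.append("ticket: create P3 for analyst review")
    for action in case.actions:
        case.log(action)


PLAYBOOK: List[Callable[[Case], None]] = [enrich_indicator, enrich_asset, triage, respond]


def run_playbook(alert: Dict[str, str]) -> Case:
    """Run every play in order and return the completed case record."""
    case = Case(alert=alert)
    for step in PLAYBOOK:
        step(case)
    return case


if __name__ == "__main__":
    # Constructed sample alerts, one per disposition.
    for alert in [
        {"src_ip": "203.0.113.7", "host": "laptop-042"},
        {"src_ip": "203.0.113.7", "host": "db-prod-01"},
        {"src_ip": "192.0.2.1", "host": "laptop-042"},
        {"src_ip": "198.51.100.4", "host": "laptop-042"},
    ]:
        case = run_playbook(alert)
        print(case.disposition, "|", " ; ".join(case.timeline))
```

Each step is a plain function, so adding a new integration means appending one more play to `PLAYBOOK` rather than rewriting the flow; the timeline and action lists are what a dashboard would summarize when measuring how many alerts were closed by automation versus by analysts.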
The Evolution of SOAR
According to Stan Engelbrecht, Director of Cybersecurity Practice at D3 Security, Gartner coined the term Security Orchestration, Automation, and Response (SOAR) in 2017 to describe the emerging category of platforms born of Incident Response (IR), security automation, case management, and numerous other security tools.
SOAR has gained incredible momentum in the cybersecurity realm because it offers some of the most effective solutions available today. SOAR lowers adoption barriers by making the platforms more accessible to more security teams, even in sectors that are slow to adopt new technologies, such as government, retail, and healthcare.
SOAR tools were more in demand in 2018 due to their ability to deal with larger incidents and more serious investigations. Nowadays, security incidents are very complex, and it is a Gordian Knot for IR teams to manually coordinate across reporting silos and workflows, especially in enterprises subject to strict compliance requirements. Moreover, in-depth SOAR features deliver long-term systematic enhancements rather than just short-term alert triage. Therefore, organizations are keenly looking to SOAR to enhance their security posture.
Convergence of SOAR Tools
In 2015, SOAR tools were classified as Security Incident Response (SIR), Threat and Vulnerability Management (TVM), and Security Operations Automation (SOA). However, from 2017 to 2018, these SOAR tools converged into more efficient categories that include:
- Security Automation and Orchestration (SAO)
- Threat Intelligence Platform (TIP)
- Security Incident Response Platform (SIRP)
Nowadays, cybersecurity threats are emerging exponentially. Threat actors are developing sophisticated attacks and state-sponsored hacking is also taking place, but unfortunately there is a scarcity of qualified cybersecurity professionals and modern techniques to defend against these nefarious attacks. A SOAR platform, however, offers a promising way for enterprise organizations and security teams to enhance their cybersecurity posture. More importantly, a SOAR platform can be integrated with your existing SIEM solution to deploy multilayered security.