SOAR – Security Orchestration Automation and Response

SOAR Integration

As the name suggests, SOAR orchestrates the devices from different vendors you have in your network, in order to automate processes and responses to specific events and threats. We achieve this by connecting to those devices through the APIs that product vendors supply. In a typical environment, SOAR is integrated as displayed in the diagram, where all the other systems send their logs and events to the SOAR solution. Note that the diagram shows only a subset of the systems that SOAR can integrate with.

Difference between SIEM and SOAR:

A SIEM solution examines log data for patterns that could indicate a potential cyber attack. It connects to the vendor's security intelligence feed and has rules that trigger alerts when specific events occur, conditions are met, a threshold is reached or an anomaly happens.

In basic terms, a SIEM collects and analyses the data it receives from different sources. These sources can be antivirus solutions, endpoints, servers, firewalls, etc. The SIEM recognizes issues by using rules, anomalies, and threat detection, and raises security alerts to inform SOC analysts about any events that match those rules. SOAR, on the other hand, receives data from all the sources (including the SIEM) and uses playbooks to automate the entire process that an analyst would typically follow: from the start, where an alert is received and analysed, all the way to generating the alert, producing the incident report, and closing the alert if needed. SOAR comprises multiple playbooks which can be used in response to specific threats. A playbook allows each step to be automated, or configured for one-click execution to keep a human element in the process.

What problems does SOAR address:

SOAR is a fairly new market, and it is growing very fast. SOAR focuses on addressing the following challenges for the SOC:

Alert Overload and Strategic Prioritizing:

The day-to-day activities of SOC engineers can be overwhelming. There can even be times when SOC analysts are completely drowning in the amount of alerts coming from all directions. They might have to jump between systems to dig deeper into issues and analyse the root cause. SOAR can help here by automating typical tasks and relieving SOC engineers of the mounting load, so they can concentrate on higher-value tasks where human interaction is necessary.

As we know, suspected activities, malware protection, user behavioural analysis, endpoint alerts, etc. can produce a huge and ever-increasing volume of alerts, causing security analysts to waste a lot of time going through the entire spectrum of alerts to find the real threats and to work through non-priority tasks. This is where SOAR comes in handy.

Workflow and Documentation Challenges:

Another issue is the workflow for each incident type. Analysts must know in advance where to look for the documentation for each incident in order to follow the proper procedure. This is a challenge for most organizations, where documentation is not always optimal. An already prepared playbook that iterates through the same tasks and processes each time a specific event happens saves a lot of time, since analysts can leave it to SOAR to handle. Once SOAR is tuned for a specific event or alert, it iterates through the same steps for that event every time, leaving no room for human error if no human interaction is configured.

Example of Using SOAR:

Orchestration refers to the ability to plug in to multiple vendors' products using the vendor-provided application programming interfaces (APIs). On top of this, playbooks are created in which the system runs through the typical steps that a security analyst would perform as a response.

A good example would be an email phishing attack that targets multiple users. Without a SOAR solution, the analyst would have to dig into the case by checking the sender's domain, the URLs in all those emails, the email recipients, etc. And when all this has been analysed, an incident report for all these incidents might be required. SOAR can handle all of this from A to Z using playbooks, thus saving a lot of time for security analysts. Analysts can still be involved when a deeper analysis is required.
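The phishing playbook described above, as an added example that is not code from the original page or from any SOAR product: it extracts the sender domain and URL hosts from each email, enriches them against a constructed blocklist standing in for a threat-intel lookup, groups the affected recipients into one case, and builds the incident report. The `auto_contain` flag models the one-click execution mentioned earlier: containment actions are left pending for analyst approval unless automation is enabled. All email and domain values are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample alerts: one phishing campaign plus a benign internal mail
# (made-up values, not real indicators).
EMAILS = [
    {"from": "billing@example-invoices.test", "to": "alice@corp.test",
     "body": "Pay now at http://login.example-invoices.test/pay"},
    {"from": "billing@example-invoices.test", "to": "bob@corp.test",
     "body": "Reminder: http://login.example-invoices.test/pay and https://corp.test/help"},
    {"from": "it@corp.test", "to": "carol@corp.test",
     "body": "Password policy update: https://corp.test/policy"},
]

# Constructed enrichment data standing in for a threat-intelligence feed.
KNOWN_BAD_DOMAINS = {"example-invoices.test"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def is_bad(host):
    """Match a host against the blocklist, including its subdomains."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_BAD_DOMAINS)

def extract_iocs(email):
    """Step 1: pull the sender domain and URL hosts out of one email."""
    sender_domain = email["from"].rsplit("@", 1)[-1].lower()
    hosts = {urlparse(u).hostname for u in URL_RE.findall(email["body"])
             if urlparse(u).hostname}
    return sender_domain, hosts

def run_phishing_playbook(emails, auto_contain=False):
    """Steps 2-4: enrich, group recipients per campaign, build the report."""
    campaigns = {}
    for email in emails:
        sender_domain, hosts = extract_iocs(email)
        bad_hosts = {h for h in hosts if is_bad(h)}
        if not (is_bad(sender_domain) or bad_hosts):
            continue  # nothing suspicious: the alert can be closed automatically
        case = campaigns.setdefault(sender_domain, {"recipients": set(), "hosts": set()})
        case["recipients"].add(email["to"])
        case["hosts"] |= bad_hosts
    report = []
    for domain, case in campaigns.items():
        actions = [f"block sender domain {domain}"]
        actions += [f"block URL host {h}" for h in sorted(case["hosts"])]
        report.append({"sender_domain": domain,
                       "recipients": sorted(case["recipients"]),
                       "malicious_hosts": sorted(case["hosts"]),
                       "actions": actions,
                       # pending_approval models the one-click human step
                       "status": "contained" if auto_contain else "pending_approval"})
    return report
```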

Common Misconceptions About SOAR:

  • It is not a requirement to have SIEM in order to operate a SOAR solution.
  • SOAR does not replace SIEM.
  • SOAR and SIEM complement each other, providing an even stronger defense against security threats.

What Challenges SOAR Addresses:

It usually needs regular tuning to continually understand and differentiate between normal and anomalous activity. The need for regular tuning leads to security analysts and engineers wasting precious time on making the tool work for them instead of focusing on high-value tasks.

Other Benefits of Using SOAR:

Some of the other benefits of using SOAR are:

  • SOAR can receive alarm data from each integrated platform.
  • It gathers these alarms and data for further analysis.
  • SOAR allows us to research, assess and perform additional relevant investigations from within a single case, thus saving resources.
  • SOAR integrates with different vendor products providing highly automated, complex workflows for incident response, delivering faster outcomes and facilitating a sophisticated defense.