Security Orchestration, Automation, and Response (SOAR) platforms are attracting a lot of attention from many organizations, from enterprises to government agencies and even those on the upper end of Small-to-Mid-Sized Businesses (SMBs). The reason for this is clear: the cybersecurity landscape continues to evolve and grow more complex to keep pace with the rising frequency and sophistication of attacks.
SOAR platforms can be the capstone application for Security Operations Centers (SOCs). Most organizations already have a plethora of security tools, such as Endpoint Protection/Detection & Response (EPDR), Next Gen Firewalls (NGFWs), Network Detection & Response (NDR), Secure Web Gateways (SWGs), Email Gateways, Identity and Access Management (IAM) systems, and so forth. SOC analysts have to interact with each of these systems in the course of daily management, investigations, and incident response. SOARs are designed to centralize many of SOC analysts' common and repetitive tasks, thereby decreasing the chance of errors and promoting efficiency.
From SIEM to SOAR
Security Incident and Event Management (SIEM) tools have been on the scene for more than 15 years. SIEMs are the central repositories that hold security log data from all the upstream security tools. SIEMs can collect the data but have historically struggled with enterprise-wide orchestration and have tended to generate false positives. SOAR solutions have filled some of these functional gaps by adding orchestration, automating enrichment and investigations, and simplifying incident response.
Many SOAR products originated from specialized startups addressing the gaps in SIEM tools. Some SIEM solutions have upgraded and added SOAR type functions to their platforms; other SIEM and security stack vendors have acquired SOAR specialist companies to augment their offerings in that way. In some cases, Cyber Threat Intelligence (CTI) management platforms have grown toward full SOAR capabilities. CTI management is a core feature of most SOAR tools, so this market development makes sense.
Orchestration and Automation
With a myriad of deployed security products in most SOCs, the lack of orchestration makes analysts’ work more arduous and time-consuming. Consider the following scenario. An analyst is alerted by EPDR via SOAR that registry entries have been added to a user’s workstation. These registry entries don’t match the baseline for deployed software within the organization; however, malware was not immediately detected. SOAR queries CTI and finds that these registry entries match newly discovered Indicators of Compromise (IoCs). SOAR can then automate a full scan on the affected machine and execute an enterprise-wide search for the same IoCs on all nodes.
Playbooks are the constructs that allow for default and customizable orchestration, automation, and response tasks. In the example above, the SOAR platform can profile the registry changes and query CTI sources to find out if others have encountered this type of event. SOAR can add the relevant CTI to the ticket for the analyst as it is opened and updated. Follow-up tasks such as the scans and multi-machine searches can be scripted in. Most SOAR solutions ship with dozens to hundreds of playbooks that address many of the common tasks that SOC analysts have to perform. Most SOAR playbooks are quite customizable, allowing customers to decide what level of automation they want to implement. Many organizations that use SOAR choose to automate preliminary investigation tasks and package response actions such that complex tasks can be reduced to a single analyst action. Another pertinent example would be allowing an analyst to remotely terminate network sessions to suspicious IP addresses while initiating scans and collecting file-level forensic evidence.
Since SOAR must interact with various security data sources and downstream tools, integrations are key. Integrations are typically packaged connectors that use APIs to pull information from, and remotely command, downstream security tools such as EPDR, NDR, NGFWs, etc. SOAR capabilities are constrained by the actions exposed by the integrated tools' APIs. When selecting a SOAR for your SOC, it is imperative to choose a vendor that has integrations for the tools you already have.
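The registry-change scenario above, reduced to a minimal playbook, as an added illustration that is not code from the original post or from any SOAR vendor: alert keys are checked against a baseline, looked up in a CTI feed, and on a match the playbook triggers whichever response actions the integrated connectors actually expose, falling back to a manual task when no tool offers the action. The CTI feed, baseline, registry keys and connector classes are all constructed, hypothetical values.

```python
from dataclasses import dataclass, field

# Constructed CTI feed of registry-key IoCs (hypothetical, not real indicators).
CTI_FEED = {r"HKCU\Software\ExampleEvil\Run": "example-campaign"}
# Constructed baseline of registry keys written by approved software.
BASELINE = {r"HKLM\Software\ApprovedVendor\Agent"}

@dataclass
class Ticket:
    host: str
    registry_keys: list
    enrichment: list = field(default_factory=list)  # CTI attached for the analyst
    actions: list = field(default_factory=list)     # response steps triggered

class Connector:
    """A packaged connector; a real one would wrap the downstream tool's API."""
    def actions(self):
        return {m for m in dir(self) if m.startswith("do_")}

class CtiConnector(Connector):
    def do_lookup(self, key):
        return CTI_FEED.get(key)

class EpdrConnector(Connector):
    def do_full_scan(self, host):
        return f"full_scan:{host}"
    def do_fleet_search(self, key):
        return f"fleet_search:{key}"

def invoke(connectors, action, *args):
    """Run an action on whichever connector exposes it; None if no integrated
    tool offers it, which is how API coverage bounds what a playbook can do."""
    for c in connectors:
        if action in c.actions():
            return getattr(c, action)(*args)
    return None

def run_playbook(ticket, connectors):
    """Enrich a registry-change alert with CTI; on an IoC match, scan the host
    and search the fleet for the same key (or queue a manual task)."""
    for key in ticket.registry_keys:
        if key in BASELINE:
            continue
        campaign = invoke(connectors, "do_lookup", key)
        if campaign is None:
            continue
        ticket.enrichment.append((key, campaign))
        for action, arg in (("do_full_scan", ticket.host), ("do_fleet_search", key)):
            result = invoke(connectors, action, arg)
            ticket.actions.append(result if result else f"manual:{action}")
    return ticket
```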
SOCs, SOC-as-a-Service, and MSSPs
Large organizations with mature security architectures and SOCs already in place can achieve a reasonably short time-to-value with SOAR implementations. Organizations that have SOCs but want outside help with SOAR functions, or that want additional expertise, may opt to use SOAR services delivered by Managed Security Service Providers (MSSPs). Companies that do not have SOCs can still benefit from SOAR features if they engage SOC-as-a-Service (SOCaaS) providers. Many SOCaaS providers use SOAR products from the major vendors as a way to reduce the Mean Time to Detect (MTTD) and Mean Time to Resolve (MTTR) for their customers' security incidents.
SOAR and related research and events at KuppingerCole
KuppingerCole has published research (listed below) on SOAR.
We are also hosting a KC Live Event on “SOARing Towards an Enhanced SecOps Strategy” on March 25, 2021.