1 Introduction / Executive Summary
SOAR (Security Orchestration, Automation and Response) is the latest in a line of security buzzwords to hit the market. Though SOAR has only emerged in the last decade, it has become an essential tool for many enterprises. SMBs (Small & Medium Businesses) that do not want to run it themselves can take advantage of SOAR functionality provided by MSSPs (Managed Security Service Providers) and by some SOAR vendors.
But what does it mean for organizations? In an organization with a SOC (Security Operations Centre) staffed by security analysts, two themes are likely to be common: a high volume of security alerts, coupled with a shortage of skilled cybersecurity talent.
Add to this that the typical mean time to detect a security incident can be in the region of six months, and that the average cost of a security incident or data breach is estimated at $4M-$9M, and the overall cost to the business can be quite high. It is no wonder that organizations are looking for cost-effective ways of improving the situation.
SOAR, coined back in 2015, initially stood for “Security Operations, Analytics and Reporting”; however, the now generally accepted expansion, “Security Orchestration, Automation and Response”, better reflects how the supporting family of tools is used within an organization, including:
- Vulnerability management (VM) tools that detect vulnerabilities and manage remediation.
- Threat detection tools that monitor networks, cloud services, endpoints, and access to data to detect anomalies that potentially indicate an issue in need of further investigation.
- Technologies that manage the security incident response an organization enacts in the event of a suspected or actual security incident; these response procedures are often referred to as “Playbooks”.
- Tools that support automation and orchestration of processes and reporting within a SOC.
- Ticketing tools that track the investigation by the relevant staff, who investigate, report on, and, where required, remediate any problems identified.
A modern SOAR system aims to provide a unified approach, gluing together what is often a disparate set of tools and processes into a cohesive way of managing, and prioritizing, the vast influx of alerts, threats, and other data feeds.
SOAR also augments tools such as Security Information & Event Management (SIEM), which centralizes log collection to help detect, analyze, and respond to security threats, and Extended Detection and Response (XDR), which aims to unify Endpoint Protection Detection & Response (EPDR) and Network Detection & Response (NDR) tools to mitigate potential threats in near-real-time.
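To make the orchestration and prioritization described above concrete, here is an added example (not code from the original page or from any SOAR product) of a minimal playbook that takes alerts from two constructed feeds, a SIEM and an EDR tool, deduplicates them, enriches them with a hypothetical asset-criticality lookup, scores them, and routes each to an automated response, a ticket, or logging only. The alert data, the `ASSET_CRITICALITY` table and the score thresholds are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed sample alerts in the shape a SIEM and an EDR feed might deliver (not real data).
RAW_ALERTS = [
    {"source": "siem", "rule": "Multiple failed logins", "host": "ws-042", "user": "jdoe", "severity": "low"},
    {"source": "edr", "rule": "Credential dumping tool executed", "host": "dc-01", "user": "svc-backup", "severity": "high"},
    {"source": "edr", "rule": "Unsigned binary run from temp folder", "host": "ws-042", "user": "jdoe", "severity": "medium"},
    {"source": "siem", "rule": "Multiple failed logins", "host": "ws-042", "user": "jdoe", "severity": "low"},  # duplicate
]

# Hypothetical enrichment source: asset criticality per host (in practice pulled from a CMDB).
ASSET_CRITICALITY = {"dc-01": 3, "ws-042": 1}
SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Alert:
    source: str
    rule: str
    host: str
    user: str
    severity: str
    score: int = 0          # filled in by the enrich step
    action: str = "pending" # filled in by the route step

def dedupe(alerts):
    """Collapse repeated alerts for the same rule/host/user so analysts see each once."""
    seen, unique = set(), []
    for alert in alerts:
        key = (alert.rule, alert.host, alert.user)
        if key not in seen:
            seen.add(key)
            unique.append(alert)
    return unique

def enrich(alerts):
    """Score = tool severity x asset criticality; unknown hosts default to criticality 1."""
    for alert in alerts:
        alert.score = SEVERITY_SCORE[alert.severity] * ASSET_CRITICALITY.get(alert.host, 1)
    return alerts

def route(alerts):
    """Decide the response tier; thresholds are illustrative assumptions."""
    for alert in alerts:
        if alert.score >= 6:
            alert.action = "isolate_host+ticket_p1"  # automated containment plus urgent ticket
        elif alert.score >= 2:
            alert.action = "ticket_p3"               # queue for analyst review
        else:
            alert.action = "log_only"                # retain for correlation, no ticket
    return alerts

PLAYBOOK = [dedupe, enrich, route]  # ordered steps, the orchestration layer runs them in turn

def run_playbook(raw_alerts):
    """Normalize raw feed records, run every playbook step, and return alerts highest score first."""
    alerts = [Alert(**record) for record in raw_alerts]
    for step in PLAYBOOK:
        alerts = step(alerts)
    return sorted(alerts, key=lambda a: a.score, reverse=True)
```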