SOAR: What Are You Looking For? Part I

Charu Pel

Direct answer: SOAR (Security Orchestration, Automation, and Response) helps security teams manage high alert volumes by orchestrating tools, standardizing incident workflows, and automating routine response steps through playbooks and runbooks.

The e-InnoSec team recently completed a 6-part series as a guide for organizations to leverage GDPR preparation for CCPA. The Malware/Ransomware 4-part series was focused on helping organizations protect themselves from Malware/Ransomware. The current Social Engineering series published its first part last week and is still in progress.

This week we look at SOAR (Security Orchestration, Automation, and Response). The term was coined by Gartner to describe the convergence of three distinct technology markets: security orchestration and automation, security incident response platforms (SIRP), and threat intelligence platforms (TIP).

What is SOAR and what problem does it solve?

SOAR aims at increased efficiency, efficacy, and consistency within security operations and incident response. It was popularized as a Gartner term describing the convergence of security orchestration and automation, security incident response platforms (SIRP), and threat intelligence platforms (TIP).

What are the three core components of SOAR?

SOAR includes three primary components:

SOAR components

  • Security Orchestration: Integrates and coordinates security tools to enable repeatable, enforceable, and measurable incident response workflows with reporting and collaboration.
  • Security Incident Response: Supports planning, managing, tracking, and coordinating response once an alert is confirmed, including triage, containment, and remediation.
  • Security Operations Automation: Automates workflows, policy execution, and reporting using playbooks (linear tasks) and runbooks (decision-based conditional actions) to reduce routine work.

How is SOAR different from SIEM?

A SIEM solution collects and aggregates log and event data, then identifies, categorizes, and analyzes incidents and events. It identifies patterns and correlates event information across devices to detect potentially anomalous activity, and issues alerts. A SIEM needs regular updates and tuning, and even once it is properly tuned, responding to the alerts it generates is a manual process. That response normally consists of blocking activity, triggering vulnerability scans, gathering additional information, and similar rudimentary actions.

SOAR is like the robotic process automation used in digital transformation, but applied to security operations. SOAR is designed to help security teams manage and respond to endless alarms as well as handle routine work in an automated way. SOAR platforms take things a step further by combining comprehensive data gathering, case management, standardization, workflow, and analytics to give organizations the ability to implement sophisticated defense-in-depth capabilities.

SOAR is complementary to SIEM. To respond to a large number of alerts per day with limited resources, SOAR works with the SIEM solution to manage the incident response process for each alert, automating and orchestrating the routine tasks. Through integrations, SOAR can automate complex incident response workflows and facilitate a flexible defense. With multiple playbooks and runbooks, and the capability to automate each step in a playbook, SOAR can respond to specific threats in a fully automated way or be set up for one-click execution directly from within the platform.
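To make the playbook/runbook distinction from the component list and the paragraph above concrete, here is an added Python example (written for this edit, not e-InnoSec code or any vendor's SOAR API): a linear playbook enriches the alert, and a runbook branches on the result into full automation, partial automation with analyst hand-off, or analyst review. The alert fields, the threat-intel set and the action functions are constructed stand-ins for real integrations.

```python
from typing import Any, Callable, Dict, List, Tuple

Alert = Dict[str, Any]
Step = Callable[[Alert], str]        # each step returns an action record

KNOWN_BAD = {"198.51.100.7"}        # constructed threat-intel set (RFC 5737 range)

def enrich(alert: Alert) -> str:
    """Look the source IP up in the constructed threat-intel set."""
    alert["reputation"] = "malicious" if alert["src_ip"] in KNOWN_BAD else "unknown"
    return f"enrich:{alert['reputation']}"

def block_ip(alert: Alert) -> str:
    return f"block:{alert['src_ip']}"        # stand-in for a firewall API call

def isolate_host(alert: Alert) -> str:
    return f"isolate:{alert['host']}"        # stand-in for EDR network isolation

def queue_for_analyst(alert: Alert) -> str:
    return f"queue:{alert['id']}"            # hand-off for one-click execution

def close_ticket(alert: Alert) -> str:
    return f"close:{alert['id']}"

def run_playbook(alert: Alert, steps: List[Step]) -> List[str]:
    """Playbook: linear, every step runs once in order."""
    return [step(alert) for step in steps]

Branch = Tuple[Callable[[Alert], bool], List[Step]]

def run_runbook(alert: Alert, branches: List[Branch]) -> List[str]:
    """Runbook: the first branch whose condition holds runs; the rest are skipped."""
    for condition, steps in branches:
        if condition(alert):
            return run_playbook(alert, steps)
    return []

def triage(alert: Alert) -> List[str]:
    """Enrich every alert, then let the runbook decide how far automation goes."""
    actions = run_playbook(alert, [enrich])
    actions += run_runbook(alert, [
        (lambda a: a["reputation"] == "malicious" and a["severity"] >= 8,
         [block_ip, isolate_host, close_ticket]),   # fully automated
        (lambda a: a["reputation"] == "malicious",
         [block_ip, queue_for_analyst]),            # block now, analyst finishes
        (lambda a: True, [queue_for_analyst]),      # human decides
    ])
    return actions
```

Calling `triage({"id": "ALR-1", "host": "wks-17", "src_ip": "198.51.100.7", "severity": 9})` returns the fully automated path; the same IP at severity 4 blocks and queues, and an unknown IP only queues.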

How does SOAR work in practice?

A SOAR platform can automatically respond to security alerts, with all the tools and technologies needed orchestrated together. The most appropriate response steps and actions are then executed by triggering the playbooks and runbooks that suit each threat. The aim is an automated response to all alerts while freeing up valuable analyst time for higher-priority or complex tasks, such as threat analytics.

According to Gartner's SOAR market guide, "by year-end 2022, 30% of organizations with a security team larger than five people will leverage SOAR tools in their security operations, up from less than 5% today." The reason for this dramatic increase is the fact that security operations centers (SOCs) cannot keep up with today's evolving threat landscape. They are understaffed, overworked, and constantly bombarded with alarms from various sources, including security information and event management (SIEM) systems.

Key Takeaways

  • SOAR improves SOC efficiency by orchestrating tools and automating routine response.
  • Core SOAR capabilities combine orchestration, incident response management, and automation.
  • SIEM and SOAR are complementary: SIEM detects and correlates; SOAR operationalizes and automates response.
  • Playbooks and runbooks are central to consistent, scalable incident handling.
