cio_SOAR. (2020, October 30). [Illustration]. The Enterprisers Project. https://enterprisersproject.com/article/2020/10/what-is-soar-security-orchestration-automation-and-response
With the number of cyberattacks dramatically increasing within the last few years, Security Teams and Security Operations Centers (SOCs) alike are facing a complex threat landscape. According to a study conducted by International Data Corporation (IDC), Cyberattacks are the fifth top-rated risk. As the industry continues growing, also cyberattacks continue to grow, IoT cyberattacks alone are expected to double by 2025. Dark Reading has stated that the average SOC receives over 10,000 alerts per day from different monitoring and detecting tools. Due to the sheer number of alerts, many often false positives, less than 10 percent of these alerts result in being investigated.
A solution for this challenge was proposed by Gartner in 2017, Security Orchestration, Automation, and Response (SOAR) platforms are integrated solutions for any organization's security team, designed to power automation through orchestration. In this article, we are going to do a breakdown of the tool, compare SOAR with other platforms, go over some downsides and offer a conclusion.
Breaking down SOAR tool
SOAR platforms can be broken down into three different elements: Security Orchestration, Security Automation, and Security Response. The first element, security orchestration, consists of the synchronization of an assortment of different internal and external tools. The platform connects and integrates the tools using application programming interfaces (APIs) and then gathers data such as logs and event data from the internal tools, and data from external sources like thread intelligence feed, endpoint security software, and other third-party sources. Then, the data is unified to enable interpolation among the security tools.
The second element, with Security Automation, the platform will take all data gathered from the previous element (orchestration) and as the name implies, automate many processes, using pre-configured playbooks, that have predefined actions to be taken depending on the situation, like what alarm is triggered, or what threat is detected. Some of the automated tasks are vulnerability scanning, log analysis, ticket checking, and auditing capabilities. By the automation, it is possible that the Security team can focus on important alerts, covering more ground, while everyday monotonous and tedious tasks are efficiently completed by SOAR.
Finally, the last element is Security Response. SOAR platform can assist analysts by performing some actions such as case management, reporting, and threat intelligence sharing. Moreover, SOAR would also provide a guide on the responses to take and maintain a process consistency across security operations. SOAR provides a faster response time to threats as it is an automatic tool and can provide instantaneous solutions without the need for any human intervention. The response time also decreases as every tool can be found within the same platform, there is no need to move back and forth between multiple tools. SOAR platform also automates processes to generate reports, liberating security teams from this task, providing them with more efficient data management, giving them the opportunity of improving continuously.
One of these things is not like the other
SOAR is often compared with another already existing highly functional tool called Security Information and Event Management (SIEM). Although they are similar, as they share many components, they have some key differences.
To begin with, the first difference is the set of tools that are integrated into both systems. SIEM will ingest various log and event data from traditional infrastructure component sources such as Firewalls, network appliances, and intrusion detection systems. SOAR will ingest the same data and also data from external emerging threat intelligence feeds, endpoint security software, and other third-party sources, providing the analyst with a bigger picture to act against any emerging threat.
About automation and response, the log and event data digested by SIEM is analyzed by the platform to find any pattern that could indicate a cyberattack, if it is found an alarm would be usually triggered. On the other hand, SOAR would do this process but also go a step further. Depending on the attack, SOAR would follow actions predefined by the playbook to help solve the attack, such as case management, reporting, and threat intelligence sharing. Some examples are to open tickets, send alerts by email, block suspicious email senders, add attackers to a blocklist, and follow up investigations. Again, the automation will allow security teams to focus on more skill-required tasks.
The bottom line
Although the SOAR system is a very complete and functional platform, it is important to note that coordination is highly important, SOAR is not a completely automated service. SOAR will need the security team to have a clear use case, solid foundations, skills, and operating model requirements, it will also need ongoing maintenance to work properly. It is also important to know the expectations the security teams have on the platform and find the appropriate use case for what they are trying to solve.
Something also important to note is that for security teams that work in small organizations, and only are required to do basic procedures and processes, the SOAR platform may not be the best option, as it would not fit their necessities.
In conclusion, SOAR is a tool that if is implemented correctly, is highly beneficial to many security teams, as it provides them the time and resources to focus on the most critical alerts. SOAR platforms consist of Orchestration by the integration of different tools and unification of the data, Automation of many low-skilled, monotonous, and repetitious tasks, and a fast Response. Although SOAR offers more processes compared to other similar tools like SIEM, as the integration of external tools and the automation of the processes that will generate a faster response, SOAR was not created to be a replacement for SIEM, on the contrary, SIEM is a tool integrated to SOAR, thus, SOAR will have the same benefits as SIEM.
Something to note is that SOAR is not an easy platform to use, so it will require planning and maintenance, and may not fit every security team depending on the actions to be performed. Nevertheless, with the increasing number of threats and the low number of Security professionals, SOAR may be the answer to improve security, productivity, and efficiency.
Author
Elisa Sosa
Junior Security Engineer
References
Angela Horneman and Justin R. (2021, March 1). Benefits and challenges of soar platforms. SEI Blog. Retrieved November 19, 2021, from https://insights.sei.cmu.edu/blog/benefits-and-challenges-of-soar-platforms/.
The growth in connected IOT devices is expected to generate 79.4ZB of data in 2025, according to a new IDC forecast. The Growth in Connected IoT Devices is Expected to Generate 79.4ZB of Data in 2025, According to a New IDC Forecast | Business Wire. (2019, June 18). Retrieved November 19, 2021, from https://www.businesswire.com/news/home/20190618005012/en/The-Growth-in-Connected-IoT-Devices-is-Expected-to-Generate-79.4ZB-of-Data-in-2025-According-to-a-New-IDC-Forecast.
What is Soar? security definition. FireEye. (n.d.). Retrieved November 19, 2021, from https://www.fireeye.com/products/helix/what-is-soar.html.
Islam, C., Babar, M. A., & Nepal, S. (2020, September). Architecture-centric support for integrating security tools in a security orchestration platform. In European Conference on Software Architecture (pp. 165-181). Springer, Cham.
Shea, S. (2021, March 29). What is SOAR (security orchestration, automation, and response)? A definition from whatis.com. SearchSecurity. Retrieved November 19, 2021, from https://searchsecurity.techtarget.com/definition/SOAR.
Brewer, R. (2019). Could SOAR save skills-short SOCs?. Computer Fraud & Security, 2019(10), 8-11.
Kirtley, E. (n.d.). What is Soar vs Siem: Security Solutions explained: ... Swimlane. Retrieved December 1, 2021, from https://swimlane.com/blog/siem-soar.
Froehlich, A. (2021, March 15). Soar vs. Siem: What's the difference? SearchSecurity. Retrieved December 1, 2021, from https://www.techtarget.com/searchsecurity/answer/SOAR-vs-SIEM-Whats-the-difference#:~:text=on%20the%20block.-,When%20looking%20at%20SOAR%20vs.,in%20all%20that%20and%20more.
What are the pros and cons of soar? Trustwave. (2020, September 1). Retrieved December 1, 2021, from https://www.trustwave.com/en-us/resources/blogs/trustwave-blog/what-are-the-pros-and-cons-of-soar/.