What is SOAR?
November 13th, 2019
WHAT IS SOAR AND HOW DOES IT IMPROVE THREAT DETECTION AND REMEDIATION?
Organizations today must take advantage of critical business applications to drive growth. However, the threat landscape is constantly changing, with sophisticated, new cyberattacks launching with growing frequency across network, cloud and software-as-a-service environments. Organizations need to protect themselves against the risks of financial and brand damage as well as theft of assets.
Traditionally, organizations have deployed multiple single-purpose security systems to address specific types of threats. Because each tool scans the infrastructure separately, intelligence gathered at one step is not shared with subsequent steps, creating gaps in protection. Further, these tools often only raise alarms rather than prevent attacks, leaving the SOC team overwhelmed with alerts and unable to respond quickly to critical incidents. Organizations typically react by hiring more security personnel and buying more security tools, yet training and retaining skilled practitioners is itself a challenge.
SOAR has become a vital part of the SOC to improve the effectiveness of the cyber security operations.
What is SOAR?
Coined by research company Gartner, Security Orchestration, Automation and Response (SOAR) is a security operations and incident response approach used today to improve the efficiency, effectiveness and consistency of security operations.
To understand better what this means, let’s look separately at its components:
Cyber security incidents are now more complex and severe than they were before, and many organizations respond to them inefficiently and ineffectively.
Orchestration is the activity of connecting the different security tools and technologies in the technology stack (usually from multiple vendors) so that they exchange data and work together, in order to establish real, enforceable, observable and efficient incident response processes and workflows. People and processes also need to be properly orchestrated to ensure maximum efficiency.
Manually detecting and responding to cyber incidents is time-consuming and difficult. There are hundreds of repetitive actions during the incident response phase that should be automated. For example, analysts cannot manually work through the overwhelming number of security alerts received each day, and every alert that is not properly addressed is a potential incident that goes unnoticed.
Automation is the machine-driven approach to managing tasks and operations efficiently without direct human intervention, reducing the time taken by automating routine tasks and applying machine learning where it fits. Automation usually takes place through playbooks and runbooks (one encoding a fixed sequence of tasks, the other predetermined actions that branch on conditions; vendors differ on which term means which) to reduce or eliminate the mundane work that would otherwise be done by hand.
Response is the approach, once an alert has been confirmed, to addressing and managing the security incident, including triage, containment, remediation and more. Today, many actions are carried out automatically, such as quarantining files and disabling access to compromised accounts, so incidents that once posed a real threat can be resolved quickly.
Dashboard and Reporting: SOAR’s dashboard and reporting capabilities generate reports for different stakeholders such as analysts, the Chief Information Security Officer (CISO), SOC managers and other security experts who work with the platform. The goal is to gain better security intelligence and to learn lessons through retrospective analysis.
Is SOAR different from SIEM? Do we need SOAR if we have SIEM?
To differentiate between normal and unusual behaviour, a typical SIEM needs regular tuning and updates, which are done by a SOC engineer. Even after the SIEM is fine-tuned, alert response remains a manual process: reviewing and investigating the alert to determine whether it is a false positive, and then actually mitigating the issue if the alert is legitimate, is all done by hand. This is where SOAR comes into play. While the SIEM analyses the logs, detects potential threats and generates alerts, SOAR takes those alerts further by triaging them, responding to them and applying the mitigation steps. SOAR can therefore add significant value to an existing SIEM.
The Conjunction of SIEM and SOAR
AT&T Cybersecurity has an answer for this. USM Anywhere’s out-of-the-box security orchestration features help you respond to incidents quickly and efficiently. However, when it comes to automating incident response actions, many teams are cautious, since traditional automated response solutions have not offered the granularity of control required to ensure success in each organization’s unique environment.
USM Anywhere makes it simple to create customized, granular security orchestration rules that automate the incident response actions that make the most sense for, and that align to the particular infrastructure of, your organization.
If certain activity is significant to your organization, you can tap into the extensive event logs USM Anywhere collects from a wide variety of data sources to set up an appropriate automated response action.
For example, you can set up an orchestration rule in USM Anywhere to protect a critical server from brute force attacks by automatically instructing your firewall to block the IP addresses of the attacking hosts.
If malware has taken control of a system, or communication to a known malicious host is detected, an automated orchestrated response can shut the system down or isolate it from the network to stop the compromise spreading to other systems.
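To make the SIEM-to-SOAR hand-off and the two automated responses above concrete, here is an added example. It is not code from USM Anywhere or from the original article: a correlation step turns raw sshd log lines into brute-force alerts (the SIEM's job), and a decision-based playbook blocks the attacking source at the firewall, isolates a host that beacons to a known-bad address, and falls back to a ticket whenever an action would hit a guard rail. The `Connectors` class, the 50-failure threshold, the protected address ranges and the critical-host list are assumptions made up for the example, and the log lines are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Guard rails (assumed for this example, not USM Anywhere settings): source
# addresses the playbook must never block on its own (RFC 1918 plus a
# hypothetical VPN egress range) and assets whose isolation needs a human.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24")]
CRITICAL_HOSTS = {"db-prod-01", "dc-01"}
BRUTE_FORCE_THRESHOLD = 50   # failed logins before an automatic block (assumed)


@dataclass
class Alert:
    """An alert in the shape a SIEM correlation rule would emit it."""
    rule: str       # e.g. "brute_force_ssh", "c2_beacon"
    src_ip: str     # remote address involved
    host: str       # the asset the alert concerns
    count: int = 1  # number of correlated events


class Connectors:
    """Stand-ins for the firewall, EDR and ticketing integrations a SOAR tool
    orchestrates; they record each action instead of calling a real API."""
    def __init__(self):
        self.actions = []
        self.blocked = set()

    def block_ip(self, ip):
        if ip not in self.blocked:          # idempotent: no duplicate firewall rules
            self.blocked.add(ip)
            self.actions.append(("block_ip", ip))

    def isolate_host(self, host):
        self.actions.append(("isolate_host", host))

    def open_ticket(self, summary):
        self.actions.append(("ticket", summary))


FAILED_LOGIN = re.compile(r"sshd\[\d+\]: Failed password for .+? from (\d+\.\d+\.\d+\.\d+)")


def correlate_failed_logins(lines, host):
    """The SIEM side: fold raw auth log lines into one alert per source address."""
    counts = {}
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return [Alert("brute_force_ssh", ip, host, count=n) for ip, n in counts.items()]


def is_protected(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NEVER_BLOCK)


def run_playbook(alert, conn):
    """The SOAR side: a decision-based playbook. Returns the actions it took."""
    start = len(conn.actions)
    if alert.rule == "brute_force_ssh":
        if alert.count < BRUTE_FORCE_THRESHOLD:
            conn.open_ticket(f"low-volume brute force from {alert.src_ip} on {alert.host}: review")
        elif is_protected(alert.src_ip):
            conn.open_ticket(f"brute force from protected address {alert.src_ip}: needs approval")
        else:
            conn.block_ip(alert.src_ip)
            conn.open_ticket(f"blocked {alert.src_ip} after {alert.count} failed logins on {alert.host}")
    elif alert.rule == "c2_beacon":
        if alert.host in CRITICAL_HOSTS:
            conn.open_ticket(f"C2 beacon from critical host {alert.host}: isolation needs approval")
        else:
            conn.isolate_host(alert.host)
        if not is_protected(alert.src_ip):
            conn.block_ip(alert.src_ip)   # cut the channel even if the host stays up
    else:
        conn.open_ticket(f"unhandled rule {alert.rule}: manual triage")
    return conn.actions[start:]


# Constructed sample sshd lines (not real logs): 120 failures from one address, 3 from another.
SAMPLE_LOG = (
    [f"Nov 13 10:{i // 60:02d}:{i % 60:02d} web-01 sshd[2201]: Failed password for root "
     f"from 198.51.100.7 port {40000 + i} ssh2" for i in range(120)]
    + [f"Nov 13 10:05:0{i} web-01 sshd[2202]: Failed password for invalid user admin "
       f"from 192.0.2.50 port 5100{i} ssh2" for i in range(3)]
)

if __name__ == "__main__":
    conn = Connectors()
    for alert in correlate_failed_logins(SAMPLE_LOG, "web-01"):
        print(alert.rule, alert.src_ip, alert.count, "->", run_playbook(alert, conn))
    print(run_playbook(Alert("c2_beacon", "198.51.100.7", "laptop-17"), conn))
    print(run_playbook(Alert("c2_beacon", "192.0.2.9", "db-prod-01"), conn))
```

The design choice worth copying is that every automated path has a ticketed fallback: a playbook that can only act, but cannot decide to hand off, is exactly the coarse automation that makes teams cautious. The never-block list and the critical-host list are the "granular control" in code form, and the idempotent `block_ip` stops a noisy source from generating hundreds of identical firewall rules.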