What is Soar?

November 13th, 2019

WHAT IS SOAR AND HOW DOES IT IMPROVE THREAT DETECTION AND REMEDIATION?

Organizations today must take advantage of critical business applications to drive growth. However, the threat landscape is constantly changing, with sophisticated, new cyberattacks launching with growing frequency across network, cloud and software-as-a-service environments. Organizations need to protect themselves against the risks of financial and brand damage as well as theft of assets.

Traditionally, organizations have deployed multiple single-purpose security systems to address specific types of threats. Because each tool scans the infrastructure separately, intelligence gathered at one step is not shared with subsequent steps, creating gaps in protection. Further, these tools often only raise alarms rather than prevent attacks, leaving the SOC team overwhelmed with alerts and unable to respond quickly to critical incidents. To deal with this problem, organizations resort to hiring more security personnel and buying more security tools. Training and retaining these IT practitioners is also a challenging task.

SOAR has become a vital part of the SOC, improving the effectiveness of cyber security operations.

What is SOAR?

Coined by research company Gartner, Security Orchestration, Automation and Response (SOAR) is a security operations and incident response approach used today to improve the efficiency, effectiveness and consistency of security operations.

To understand better what this means, let’s look separately at its components:

Security Orchestration:

Cyber security incidents are now more complex and extreme than they were before. Moreover, organizations are ineffective and inefficient in their ability to respond to these incidents.

Orchestration is the activity of organizing the different critical security tools and technologies used within the technology stack (usually from multiple vendors) so that they combine and communicate with each other efficiently, in order to establish real, enforceable, observable and efficient incident response processes and workflows. People and processes also need to be properly orchestrated to ensure maximum efficiency.

Security Automation

Manually detecting and responding to cyber incidents is a time-consuming and challenging process. There are hundreds of repetitive actions that need to be automated during the incident response phase. For example, analysts cannot manually manage the overwhelming number of security alerts received each day. If all of these alerts are not properly addressed, a new incident is likely to occur.

Automation is the machine-driven approach to managing tasks and operations efficiently without direct human intervention, reducing the time taken by automating routine tasks and applying machine learning to appropriate tasks. Automation usually takes place through playbooks and runbooks (the former containing sequential tasks and the latter containing predetermined actions based on decisions) to reduce or eliminate the mundane acts that need to be carried out.

Security Response

Response is the approach to addressing and managing a security incident once an alert has been confirmed, including triage, containment, remediation and more. Today, many actions, such as quarantining files and disabling access to compromised accounts, are carried out automatically, so incidents that once posed a real threat can be resolved quickly.

Dashboard and Reporting: SOAR’s dashboard and reporting capabilities generate reports for different stakeholders such as analysts, the Chief Information Security Officer (CISO), SOC managers and other security experts working with SOAR. The goal is to gain better security intelligence and to learn lessons through retrospective analysis.

Is SOAR different from SIEM? Do we need SOAR if we have SIEM?

To be able to differentiate between normal and unusual behaviour, a typical SIEM needs regular tuning and updates, which are done by a SOC engineer. Even after the SIEM is fine-tuned, the alert response is going to be a manual process: everything from reviewing and investigating the alert to determine whether it is a false positive, to actually mitigating the issue if the alert was legitimate, is done by hand. This is where SOAR comes into play. While the SIEM analyses the logs, detects potential threats and generates alerts, SOAR takes the alerts to the next level by responding to them, triaging the issue and applying the mitigation steps. SOAR can hence add significant value to an existing SIEM.

The Conjunction of SIEM and SOAR

AT&T Cybersecurity, one of the best in the market, has the answer for this. USM Anywhere’s out-of-the-box security orchestration features help you respond to incidents quickly and efficiently. However, when it comes to the automation of incident response actions, many teams are cautious, since traditional automated response solutions have not offered the granularity of control required to ensure success in each organization’s unique environment.

USM Anywhere makes it simple to create customized, granular security orchestration rules that automate the incident response actions that make the most sense for your organization and that align to its particular infrastructure.

If certain activity is significant to your organization, you can tap into the extensive event logs USM Anywhere collects from a wide variety of data sources to set up an appropriate automated response action.
For example, you can set up an orchestration rule in USM Anywhere to protect a critical server from brute force attacks by automating the process of instructing your firewall to block the IP addresses of the attacking servers.
If malware has taken control of a system, or communication to a known malicious host is detected, an automated orchestrated response can shut the system down or isolate it to avoid cross-contamination of other systems.
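The playbook/runbook split described under Security Automation and the two orchestration rules above (block brute-force sources against a critical server, isolate a host talking to a known malicious address) can be shown in miniature. The following is an added illustration written for this article, not USM Anywhere code: the SIEM alerts, the critical-host list, the threshold and the `NEVER_AUTO_BLOCK` set are constructed assumptions, and the "connectors" are placeholders for a real firewall or EDR integration. It also shows the granularity-of-control point: an allowlisted internal source is escalated to an analyst instead of being blocked automatically.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample alerts as a SIEM might forward them (RFC 5737 test addresses).
SAMPLE_ALERTS = (
    [{"rule": "ssh_auth_failure", "src_ip": "203.0.113.7", "host": "db-prod-01"}] * 6
    + [{"rule": "ssh_auth_failure", "src_ip": "198.51.100.2", "host": "db-prod-01"}]
    + [{"rule": "ssh_auth_failure", "src_ip": "10.0.0.5", "host": "db-prod-01"}] * 7
    + [{"rule": "c2_beacon", "src_host": "ws-042", "dst_ip": "192.0.2.9"}] * 2
)
CRITICAL_HOSTS = {"db-prod-01"}      # assumed list of protected servers
BRUTE_FORCE_THRESHOLD = 5            # failed logins from one source before acting
NEVER_AUTO_BLOCK = {"10.0.0.5"}      # hypothetical jump host: escalate, never block

@dataclass(frozen=True)
class Action:
    kind: str       # "block_ip", "isolate_host" or "escalate"
    target: str
    reason: str
    auto: bool      # True: run without an analyst; False: queue for approval

def triage(alerts):
    """Runbook: turn raw alerts into decisions (what to do, and whether it is automatic)."""
    actions = []
    failures = Counter((a["src_ip"], a["host"]) for a in alerts if a["rule"] == "ssh_auth_failure")
    for (src, host), n in sorted(failures.items()):
        if n < BRUTE_FORCE_THRESHOLD or host not in CRITICAL_HOSTS:
            continue   # below threshold or not a protected asset: no action
        if src in NEVER_AUTO_BLOCK:
            actions.append(Action("escalate", src, f"{n} failures from protected source to {host}", False))
        else:
            actions.append(Action("block_ip", src, f"{n} failures against critical host {host}", True))
    for h in sorted({a["src_host"] for a in alerts if a["rule"] == "c2_beacon"}):
        actions.append(Action("isolate_host", h, "connection to known malicious host", True))
    return actions

def run_playbook(actions, connectors):
    """Playbook: execute automatic actions through tool connectors; return the analyst queue."""
    queue = []
    for act in actions:
        if act.auto:
            connectors[act.kind](act.target)   # e.g. firewall block, EDR isolation
        else:
            queue.append(act)
    return queue

if __name__ == "__main__":
    log = []   # placeholder connectors that only record what a real integration would do
    pending = run_playbook(triage(SAMPLE_ALERTS), {
        "block_ip": lambda ip: log.append(("firewall.block", ip)),
        "isolate_host": lambda h: log.append(("edr.isolate", h))})
    print("executed:", log)
    print("awaiting analyst:", [(a.kind, a.target, a.reason) for a in pending])
```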

Keep Your Organization Secure with a Unified Approach to Security Orchestration. Get in touch with mindfire.
