Human beings cannot always be relied on to respond to security issues, which is why we use automated solutions. Dave Cartwright, CISSP, explains.
People can be pretty unreliable when it comes to responding to security issues. We have holidays, we sleep, we get sick, we’re usually really busy and trying to do many things at once – which means that the chances of us spotting an issue and reacting quickly are very limited. That’s why we use automated solutions, and why Security Orchestration, Automation and Response (SOAR) tools are so valuable.
But what is SOAR, and why is it so useful? Simple: it collects alerts from devices all around the organization’s network, collates them centrally, relates alerts to each other, notifies us of suspicious things we need to worry about, and does something about them into the bargain.
If you’re reading this and thinking: “Hang about, isn’t that what SIEM does?”, you’d have a valid question. SIEM (Security Information and Event Management) does pretty much all of the above – it also collates event information centrally and works with it to generate alerts about unwanted activity – but the bit we mentioned earlier that SOAR does and SIEM doesn’t is the “does something about them” element.
First of all, SOAR not only alerts you but also uses statistical analysis (generally labelled as Machine Learning – ML – or Artificial Intelligence – AI) to prioritize what it’s seeing so the humans who aren’t sick, vacationing, sleeping or distracted know what they should be concerned with addressing first.
Second, SOAR doesn’t stop at the alerting stage but can carry out a variety of activities in an attempt to stop the attack in its tracks: blocking ports or setting firewall rules, for example. It does this by way of what the SOAR industry calls a “playbook” – basically a sequence of actions that is kicked off automatically in the event that certain conditions are met. Because it’s automated you don’t have to wait for someone to spot an alert in the SIEM and initiate a response – it just gets on with it. Security vendor Rapid has an excellent example in which it reckons the automated response of a SOAR can bring responses down from over an hour to just a couple of minutes; another example says SOAR reduces the time from half an hour to just a few seconds. Everyone’s mileage will vary, of course, but the fact remains that an automated approach will inevitably be quicker than a manual one.
We mentioned earlier that SOAR does much of what a SIEM does, but with the extra automated action-taking parts. It should be no surprise, then, that we see the vendors whom we’ve always thought of as SIEM companies offering SOAR features on top of their solutions – LogRhythm and Splunk to name just a couple. And even the vendors of network security kit such as Cisco and Fortinet have reacted to the fact that SOAR is a rapidly growing market*, either by building their own SOAR kit or partnering with companies that already have products in the market.
Will SOAR solve all our security problems? No, of course not – no single technology or product will ever do that. If you have SIEM technology already then you’re unlikely to see much reduction in the Mean Time To Detect (MTTD) for spotting security issues, but on the other hand the automated actions element will definitely reduce your Mean Time To Respond (MTTR). Most critically, though, there’s more to implementing SOAR than just installing it, defining response criteria and playbooks, and letting it loose. That’s because we’re letting technology take automated actions – which means that in the event of a security breach, there’s a good chance that the SOAR will break some business system or other by taking the actions in the playbook.
You’ll therefore need to spend significant time and effort working with people around the business – particularly senior management and the Board – to explain what the SOAR will do, why the organization needs to implement it, and most importantly, get senior management buy-in for the proposed automated actions (which means approval in writing, preferably approved and minuted in a formal executive or Board meeting) and ensure any changes go through a rigorous, formal approval process with sign-off by an appropriate authority. Covering your backsides in this respect is essential, because some of the senior management will sign up to something when all is well but then when the SOAR kicks in with a response and the heat is on they’ll come stomping down insisting that you turn everything back on.
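As an added illustration (not from the article or any vendor's product), here is a small Python playbook runner that ties together the two points above: a playbook is a sequence of actions kicked off when an alert meets a condition, alerts are ranked before anything runs, and an automated action only executes when a written approval reference exists for it and the target is not a host the business has excluded from automatic containment. The alert data, approval references and protected-host list are constructed assumptions.

```python
"""Minimal SOAR-style playbook runner (illustrative, not any vendor's implementation)."""
from dataclasses import dataclass
from typing import Callable, List

# Constructed alerts, shaped like what a SIEM might forward to a SOAR.
SAMPLE_ALERTS = [
    {"id": 1, "host": "ws-042", "rule": "malware_beacon", "severity": 9, "count": 12},
    {"id": 2, "host": "erp-db-01", "rule": "malware_beacon", "severity": 9, "count": 3},
    {"id": 3, "host": "ws-017", "rule": "failed_logins", "severity": 3, "count": 40},
]

# Actions management has approved in writing, keyed to a (constructed) minute/ticket reference.
APPROVED_ACTIONS = {"isolate_host": "BOARD-MIN-2023-04", "block_port": "CAB-0117"}
# Business-critical hosts excluded from automatic containment; a human must decide.
PROTECTED_HOSTS = {"erp-db-01"}

def priority(alert: dict) -> int:
    """Toy scoring standing in for the statistical/ML ranking the article describes."""
    return alert["severity"] * 10 + min(alert["count"], 20)

@dataclass
class Playbook:
    name: str
    trigger: Callable[[dict], bool]  # condition an alert must meet
    actions: List[str]               # action names, run in order

def run_playbook(pb: Playbook, alert: dict, audit: list) -> list:
    """Run the playbook's actions for one alert, recording every decision in the audit trail."""
    if not pb.trigger(alert):
        return audit
    for action in pb.actions:
        ref = APPROVED_ACTIONS.get(action)
        if ref is None:
            audit.append((alert["id"], action, "skipped: no written approval"))
        elif alert["host"] in PROTECTED_HOSTS:
            audit.append((alert["id"], action, "escalated: protected host"))
        else:
            audit.append((alert["id"], action, f"executed under {ref}"))
    return audit

def triage(alerts: list, playbooks: list) -> list:
    """Rank alerts highest-priority first, then run each matching playbook; return the audit trail."""
    audit: list = []
    for alert in sorted(alerts, key=priority, reverse=True):
        for pb in playbooks:
            run_playbook(pb, alert, audit)
    return audit

# "wipe_host" is deliberately not in APPROVED_ACTIONS, so the runner refuses it.
BEACON_PB = Playbook("contain_beacon", lambda a: a["rule"] == "malware_beacon",
                     ["isolate_host", "block_port", "wipe_host"])
```

The audit trail is the record you would show senior management when they ask why a host was isolated at 3 a.m.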
SOAR is a great piece of kit. It’s not necessarily idiotically expensive (though of course it certainly can be) but to make the most of it you need to socialize it with the business, define the playbooks rigorously, manage it diligently and review behavior regularly.
* One piece of research has the SOAR market at US$1.16 billion in 2021 but growing about 15% a year to US$3.19 billion by 2028.