- SOAR 101
As a relatively new category of security tools, there are lots of misconceptions around Security Orchestration, Automation, and Response (SOAR). Some of this confusion is around what types of SOCs will benefit most from SOAR. It is understandable to think that a SOC that already has numerous security tools is unlikely to produce minimal improvements by adding one more. But in fact, a SOAR platform like D3 is even more effective in SOCs with lots of existing tools. This is because SOAR doesn’t create complexity by adding another tool into the mix, it reduces complexity by integrating with existing tools to form a centralized hub for security operations.
In this article, we’ll cover a few common software solutions that might appear to have overlap with SOAR functionality and explore how SOAR is different and how it can complement the other tools in a mature SOC.
Question: “We already have a SIEM to aggregate and monitor security alerts. Isn’t that basically what SOAR does?”
Answer: SIEM and SOAR aren’t at all redundant, despite some superficial similarities. In fact, SOAR is the perfect complement to a SIEM, extending the SIEM’s powerful capabilities to effectively analyze, investigate, and respond to alerts. A SIEM is a perfect alert source, with its ability to aggregate and detect anomalous activity. Having a platform like D3 SOAR to escalate notable alerts gives security teams with a SIEM the ability to add features to their workflows, including:
IT Ticketing System
Question: “We use an IT Ticketing System to track open incidents and assign them to security folks for response. Do we really need a SOAR platform just to formalize our incident response procedures?”
Answer: We actually wrote a blog on this topic a few years ago that still gets a lot of traffic, suggesting that the differences between IT ticketing and incident response (the blog was written before the term “SOAR” was widely used) is something many people still wonder about.
Much has changed since we wrote that blog. Our platform can do a lot more than it could back then, especially in terms of orchestration and automation. But the reasons you shouldn’t rely on an IT ticketing system for incident response are still just as true. IT ticketing systems lack the security and confidentiality—specifically in terms of access controls—that are needed for compliant and risk-free handling of sensitive security data. These systems also rely on manual execution, lacking automation or even pre-built playbooks, which makes them unable to keep up with the speed of serious attacks.
For organizations that currently rely on IT ticketing systems like Jira and ServiceNow, D3 can integrate with those tools to preserve existing workflows while supplementing them with the capabilities of SOAR.
Threat Intelligence Platform
Question: “We already use multiple threat intelligence platforms to get the information we need to assess threats. Isn’t that one of the main reasons people buy SOAR?”
Answer: Threat intelligence is a valuable tool, but without a way to put it into context, security teams can be left trying to make sense of an overwhelming deluge of data. A SOAR platform like D3 structures that data and integrates it into your security operations.
With SOAR, you can automate threat intelligence lookups to enrich alerts with reputation data, risk scores, and more. D3 parses out the elements to search and provides the results to analysts by the time they begin working on the incident. Analysts can also manually gather threat intelligence from the D3 SOAR interface, without screen-switching or copying and pasting hashes.
Endpoint Detection and Response
Question: “We have an EDR tool to monitor our endpoints and respond when there’s an issue. What more can a SOAR platform do to protect my endpoints?”
Answer: You can monitor your endpoints and manually take security actions using EDR, but SOAR allows you to take in alerts, query endpoints, and orchestrate immediate changes across all endpoints at once. D3 SOAR can ingest endpoint alerts based on predetermined rules, along with the hash of any suspicious files. The alert can then be enriched with contextual data, and the file can be grabbed and detonated in a sandbox for analysis. D3 can then search across other endpoints for the malicious file and orchestrate actions such as to block the hash, kill a process, or quarantine the affected endpoints.
The Complete Security Operations Platform
Large SOCs often have more than a dozen security tools from various vendors, so making them work together in a common language is no small task. D3 SOAR supports this unification of security operations while offering other unique capabilities—many of which we haven’t even mentioned here. One of the ways D3 is pushing SOAR forward is with ATTACKBOT, which has taken the entire MITRE ATT&CK matrix and embedded it into the core of the D3 platform for intelligent correlation of events and techniques, real-time trend reporting, and kill-chain based playbooks.
You can learn about this and more by scheduling a one-on-one demo with one of our cybersecurity experts today.