What Is SOAR (Security Orchestration, Automation and Response) In Cybersecurity?


What is Security Automation?

Automation has been defined by Gartner as the capability of software and systems to execute functions on their own, typically to affect other systems and applications. Security automation completes tasks without human intervention.


What is Security Orchestration?

Orchestration is the coordination of software, systems, and people to complete a workflow. Orchestration can include, but is not limited to, automated steps. Orchestration involves multiple technologies working together via integration.


What is the Difference Between Automation and Orchestration?

While you will sometimes see the two terms used interchangeably, security automation is generally thought of as a subset of security orchestration. Automation is one of the methods by which a workflow can be orchestrated. Orchestration generally refers to more complex sequences of manual and automated actions, whereas automation generally refers to a single action or simple sequence.


What is Incident Response?

Incident response is the process of assessing and resolving potential security events. Incident response tools provide methods for effective resolution, such as prebuilt playbooks, ticketing, and even security automation. Incident response platforms were one of the precursors to SOAR, with many industry leaders evolving their incident response platforms into SOAR platforms with the addition of extensive integration and orchestration capabilities.


What is a SOAR Platform?

DEFINITION: A SOAR (security orchestration, automation, and response) platform collects or ingests data from a variety of sources (SIEM, EDR, cloud, email, etc.) and then orchestrates tailored responses using playbooks that combine security tool integrations, automated workflows, and human input.

The elements of SOAR, according to Gartner

A SOAR platform is the quarterback of your security strategy and architecture: it analyzes incoming information, draws on available knowledge and intelligence, and orchestrates plays to achieve the best outcome. More specifically, SOAR houses and supports the integrations, automations, playbooks, case management, and reporting used by Security Operations Center (SOC) and Computer Security Incident Response Team (CSIRT) staff. Because the platform holds API credentials for every integrated tool and can take containment actions on its own, it should be treated as a high-value asset in its own right: give each integration's service account only the permissions its playbooks actually use, and keep an audit trail of every automated action.

What are the Types of SOAR Platforms?

1. Product-Oriented SOAR

Gartner defines SOAR as solutions that combine incident response, orchestration, and automation, and threat intelligence management capabilities in a single platform. However, some orchestration and automation capabilities are emerging in other security technologies, such as EDR, SIEM, and email protection. Gartner calls this product-oriented SOAR, because the SOAR capabilities are specific to the function of a single product.

2. Broad-Based SOAR

Most enterprise and MSSP security teams, however, require broad-based SOAR, especially teams that prioritize a best-of-breed approach, have accumulated many tools, or are absorbing new security teams (for example through M&A). Broad-based SOAR solutions automate and orchestrate across hundreds of tools to provide flexibility, open integrations, and the potential for non-security use cases.

Even companies who rely on a minimal number of vendors are advised to choose broad-based SOAR, because it allows them to maintain a suite-based tech stack while still making it easy to connect to other tools.

3. Next-Generation SOAR

Next-generation SOAR is a type of broad-based SOAR that goes further by addressing shortfalls seen in legacy SOAR solutions, such as reliance on clunky integrations and burdensome user coding for playbooks. D3 Security's Smart SOAR, this page's example of the category, addresses these issues by letting users build any playbook with little to no coding and by connecting to vendor-built or custom tools through REST APIs. Smart SOAR also brings extensive MITRE ATT&CK-based capabilities for enhanced analysis, response, and hunting, as well as support for full-lifecycle security operations. Its playbooks are designed to “close the loop”, combining enrichment automation with complex incident response orchestration to disrupt threats.


How Are SOAR and XDR Different?

While they work toward similar goals, XDR and SOAR function quite differently. XDR is almost always an assembly of a single vendor's tools. This gives tight interoperability within that suite, but limits the options of security teams who cannot afford to rip and replace, or who simply prefer point solutions. SOAR platforms, by contrast, integrate with as many different tools as possible, typically hundreds, with support for additional custom integrations.

Another difference is the depth of incident response. SOAR platforms focus on this area, with use-case-based playbooks that orchestrate response actions across the environment, assign tasks to personnel, and incorporate analyst input alongside automated actions. XDR solutions typically lack this ability and instead automate single actions in response to their own analysis of incoming data. This is why many XDR vendors maintain separate SOAR products in their offerings.

Read: XDR & Smart SOAR: Everything You Need to Know


What makes SOAR so important for cybersecurity teams?

  • Automation and orchestration are vital to your security strategy. They give you the means to rapidly validate and disrupt threats while strengthening your security posture.
  • SOAR brings significant efficiency benefits, including time-savings from automated enrichment and response, elimination of data silos, and reduction of false positives.
  • There are different types of SOAR platforms, and the one you choose should reflect the level of agility, openness, and comprehensiveness your security operations require.
  • Advanced SOAR platforms go beyond enrichment and simple use-cases to enable incident response playbooks that guide responders and hunt teams through Tier-2 and Tier-3 security activities.
  • SOAR integrates with security products and threat intelligence platforms to orchestrate and automate SecOps, incident response, and threat hunting workflows across various functional teams.

It’s hard to find a security product that enhances your team’s capabilities and reduces response times as effectively as SOAR (security orchestration, automation and response).

Yes, security operations and incident response teams have used security tool integrations and response playbooks for years. But without a capable SOAR platform, a SOC or CSIRT will struggle to manage all of its playbooks, SOPs, integrations, threat intelligence, cases, and reporting while keeping up with increasingly voluminous and sophisticated threats.

However, when equipped with the right solution for SOAR, security teams can drive better alerting, enrichment, response, and investigations. Put simply, the right SOAR solution will make your team vastly more efficient and will help you to rapidly validate and disrupt threats.

Solving Cybersecurity Challenges with SOAR

Why Do Companies Need SOAR?


Lack of Security Analysts

The cybersecurity skills gap isn't going away any time soon, which leaves the average SOC understaffed, especially in highly skilled positions. The efficiencies brought by SOAR tools help security teams do more with less. Automating repetitive and time-consuming tasks frees up analysts for more important work, and playbooks codify best practices, enabling less experienced analysts to perform at a higher level.


Alert Overwhelm

Many SOCs face hundreds of security alerts every day, which means most alerts go uninvestigated. SOAR tools perform automated triage and risk scoring through threat intelligence enrichment, so some alerts are auto-closed by the SOAR tool, but no alert goes unexamined. The most serious alerts are delivered to the top of the analyst's queue, already contextualized with the information needed for a quick assessment. Auto-closed alerts should still be recorded together with the evidence and score that closed them, so that the decision can be audited and the thresholds tuned when false negatives turn up.


Too Many Security Tools

The average SOC has close to a dozen tools. Tools build up over time as needs evolve, and because they’re expensive and labor-intensive to replace, the tools in a SOC were generally not implemented with an overall plan in mind. So SOCs end up with tools that don’t talk to each other, creating data silos and forcing analysts to constantly switch between interfaces. SOAR integrates with the entire stack, connecting all your tools, aggregating data, and orchestrating actions.


Evolving Cyber Threats

Next-generation threats require next-generation tools. It is no longer enough to assume that a firewall is keeping your company's data safe: the attack surface has grown, and attackers have become more sophisticated, often backed by hostile governments or highly profitable criminal organizations. SOAR tools provide the speed, agility, and advanced capabilities needed to respond to such attackers.

What Are Common SOAR Use Cases?


Phishing

Assessing potential phishing incidents is one of the most essential SOAR use cases because (1) most major breaches still begin with social engineering, and (2) large organizations deal with a very high volume of genuine or suspected phishing attempts. SOAR tools reduce the manual steps of phishing response to a few clicks, so every reported message can be assessed. A phishing playbook parses the suspicious email into its elements (sender, links, attachments, headers), enriches those indicators against threat intelligence, detonates attachments in an integrated sandbox, and orchestrates the appropriate response.
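The triage and phishing passages above describe a pipeline (parse the message, enrich its indicators, score, then contain, escalate or auto-close with a record) without showing one. The following is an added example written for this page, not D3 Security's code or any real SOAR playbook: the two messages, the THREAT_INTEL table, the weights and the thresholds are constructed stand-ins for a mailbox fetch, an integrated TIP lookup and an organization's tuning, and the sandbox step is represented only by the attachment hash lookup.

```python
"""Phishing triage as a playbook step: parse the reported message, extract
IOCs, enrich them against threat intelligence, score, and choose a response.
Added example, not D3 Security's code. The two messages and THREAT_INTEL are
constructed stand-ins for a mailbox fetch and an integrated TIP lookup."""
import email
import hashlib
import re
from email import policy
from urllib.parse import urlparse

# Constructed: the sample attachment decodes to this, so its hash is "known bad".
KNOWN_BAD_SHA256 = hashlib.sha256(b"var x=1;").hexdigest()

THREAT_INTEL = {  # constructed feed: indicator -> verdict
    "domain": {"login-verify-payroll.example": "malicious"},
    "url": {"http://login-verify-payroll.example/reset": "malicious"},
    "sha256": {KNOWN_BAD_SHA256: "malicious"},
}
WEIGHTS = {"malicious": 60, "suspicious": 25}          # constructed tuning
RISKY_EXT = (".js", ".vbs", ".hta", ".exe", ".scr", ".lnk", ".iso")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

SAMPLE_EMAIL = b"""From: "Payroll" <hr@login-verify-payroll.example>
To: alice@corp.example
Subject: Action required: reset your payroll password
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it at
http://login-verify-payroll.example/reset within 24 hours.

--b1
Content-Type: application/octet-stream; name="invoice.js"
Content-Disposition: attachment; filename="invoice.js"
Content-Transfer-Encoding: base64

dmFyIHg9MTs=
--b1--
"""

BENIGN_EMAIL = b"""From: Bob <bob@corp.example>
To: alice@corp.example
Subject: lunch?
Content-Type: text/plain; charset="utf-8"

Pizza at noon? Menu: https://intranet.corp.example/menu
"""


def extract_iocs(raw: bytes) -> dict:
    """Pull sender, URLs, domains and attachment hashes out of a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = sorted(set(URL_RE.findall(text)))
    domains = {sender.domain.lower()}
    domains.update(h for h in (urlparse(u).hostname for u in urls) if h)
    attachments = {}  # filename -> sha256 of the decoded content
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        attachments[part.get_filename() or "unnamed"] = hashlib.sha256(payload).hexdigest()
    return {"sender": sender.addr_spec, "domain": sorted(domains), "url": urls,
            "sha256": sorted(attachments.values()), "attachments": attachments}


def enrich_and_score(iocs: dict) -> tuple:
    """Look every indicator up in the TI feed and add risk for dangerous file types."""
    score, hits = 0, []
    for kind in ("domain", "url", "sha256"):
        for value in iocs[kind]:
            verdict = THREAT_INTEL[kind].get(value)
            if verdict:
                score += WEIGHTS[verdict]
                hits.append((kind, value, verdict))
    for name in iocs["attachments"]:
        if name.lower().endswith(RISKY_EXT):
            score += 20
            hits.append(("attachment", name, "risky-type"))
    return min(score, 100), hits


def decide(score: int) -> str:
    if score >= 70:
        return "contain"     # purge from mailboxes, block sender, open a case
    if score >= 30:
        return "escalate"    # analyst queue, already enriched
    return "auto-close"      # closed by policy, but recorded with its evidence


def run_playbook(raw: bytes) -> dict:
    iocs = extract_iocs(raw)
    score, hits = enrich_and_score(iocs)
    action = decide(score)
    # Every outcome, including auto-close, leaves an audit record, so that
    # "auto-closed" never means "unexamined" and thresholds can be tuned.
    audit = {"sender": iocs["sender"], "score": score, "action": action, "evidence": hits}
    return {"iocs": iocs, "score": score, "action": action, "audit": audit}


if __name__ == "__main__":
    for raw in (SAMPLE_EMAIL, BENIGN_EMAIL):
        print(run_playbook(raw)["audit"])
```

The constructed payroll message hits on sender domain, URL and attachment hash and is contained; the lunch invitation matches nothing, is auto-closed, and still produces an audit record with an empty evidence list. In a real playbook the hash lookup would be followed by sandbox detonation of anything the TIP has not seen.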

 


Ransomware

SOAR tools help companies investigate suspected ransomware incidents, confirm true positives, and take the appropriate steps to minimize the impact. The initial access vector for ransomware is typically phishing, for which SOAR tools offer streamlined response. When potential ransomware is detected by an EDR or other tool, the SOAR tool runs a playbook to triage the alert, locate any other instances of the malicious file, and quarantine the affected hosts.


Endpoint Incident Response

Without a unified dashboard to connect endpoint alerts to SOAR capabilities, security teams are stuck in disjointed response processes that lack important context, necessitate constant switching between screens, limit investigative ability, and prevent proper tracking and reporting. When a potentially compromised endpoint is detected in an EDR, a SOAR tool can determine the risk level and orchestrate a response, such as detonating the suspicious file in a sandbox, querying endpoints for other instances of the file, and taking remediation actions such as removing the file, blocking the hash, and quarantining endpoints.


Vulnerability Management

Without a system for assessing and remediating vulnerabilities, security teams are left trying to make sense of each vulnerability scan and deciding on an ad hoc response process. SOAR turns vulnerability scans into automated response workflows: when an integrated scanner reports a vulnerability, the SOAR tool reads and parses the scan report and runs a remediation playbook that prioritizes the finding, orchestrates the remediation tasks to the owning teams, and tracks them to closure.


Cryptojacking

Cryptojacking — hijacking a machine to run cryptomining scripts—is a common attack against enterprise cloud environments, such as AWS EC2 instances. Cryptomining scripts can potentially be detected by Amazon GuardDuty or an application performance monitoring tool like Datadog APM, but neither tool has the ability to fully investigate and remediate the threat on its own. Cryptojacking alerts can be escalated to SOAR for investigation and response, including actions like domain analysis and EC2 instance analysis.

What Are the Key Benefits of SOAR?

Improved MTTD and MTTR

The longer a security incident goes undetected, the more damage it does. So it’s no surprise that one of the primary advantages of SOAR is how it drastically shortens the time it takes to detect and respond to incidents. This is achieved in a few ways, primarily automated enrichment of events, orchestrated actions across tools, and automated (or mostly automated) response playbooks.

False Positive Reduction

Without SOAR, Tier 1 cybersecurity analysts can easily spend the majority of their time investigating alerts that turn out to pose no actual risk. With SOAR’s automated threat intelligence enrichment, risk scoring, and sandbox integrations, false positives can be quickly identified—and in many cases automatically resolved by the system.

Operational Efficiency

SOAR is all about efficiency. Automation, for obvious reasons, increases efficiency, but there are many other ways in which SOAR tools help SOCs move faster while using fewer resources. Integrating tools through a single interface reduces time wasted on screen-switching, navigating data silos, and copying and pasting data between systems. Playbooks keep incident responders on track, following proven best practices. Collaboration features help enforce SLAs and reduce duplicated work. Reporting and metrics, particularly because so much security data is aggregated by the SOAR tool, provide insight into bottlenecks, inefficiencies, and other areas for improvement.

Staff Onboarding and Retention

It is time- and resource-intensive to recruit, hire, and train security personnel, so when you do, you want to give them reasons to stay. Too many analysts, particularly in junior positions, burn out handling a high volume of unimportant alerts every day, with little opportunity to apply and develop their skills. SOAR eliminates much of that busywork and repetitive effort, enabling analysts at all tiers to stay focused on real threats and meaningful projects. By establishing proven workflows in playbooks and simplifying complex toolsets to a single interface, SOAR also helps new hires get up to speed quickly and provide value to the team beyond their level of experience.

How Does SOAR Work with Other Tools?

  • SIEM + SOAR

    There is a common misconception that if you have a SIEM (Security information and event management), you don’t need SOAR. This couldn’t be further from the truth. In fact, vendor-agnostic SOAR generally does the best job of complementing SIEM, by improving investigation and response capabilities through a wide range of integrations and a broad number of use cases. While a SIEM stores large amounts of log and network data, it lacks the playbooks and automations necessary for rapid incident response, user-friendly integrations, and generation of important SOC metrics. Once remediation has been achieved, SOAR can update or close records in the SIEM, ensuring completeness of data.

    Read: SIEM vs. SOAR: How they Differ and Why they Work Well Together

  • Threat Intelligence Platform + SOAR

    Threat intelligence is a key pillar of SOAR. Some SOAR tools have proprietary TIPs built in, and others can integrate with virtually any intelligence source. When a SOAR tool ingests an alert, the first step is usually to enrich the alert by checking the IOCs (file, IP address, URL, etc.) against integrated TIPs to evaluate risk.

  • Endpoint Protection + SOAR

    SOAR integrates with EDRs and other endpoint protection tools to investigate and enrich potential endpoint security incidents. A SOAR tool will orchestrate actions via the endpoint tool, such as extracting a suspected malicious file for analysis, removing the file from other endpoints, blocking the file hash, killing malicious processes, and quarantining endpoints.

  • ITSM + SOAR

    Organizations can use SOAR and ITSM to collaborate across teams and add automation and orchestration to ITSM tickets. ITSM can escalate tickets to SOAR, where they can be enriched with intelligence and investigated via an incident response playbook if necessary. Conversely, if an IT task is required during a SOAR workflow, the SOAR tool can generate an ITSM ticket from the playbook.

  • Firewall + SOAR

    When a threat is detected, you need to act quickly to block it. SOAR tools integrate with firewalls to orchestrate rule changes, block malicious IOCs, and update blocklists. Because a block on the wrong address is a self-inflicted outage, automated block actions should check each candidate against internal ranges and an organizational allowlist, and should require analyst approval for low-confidence indicators.

  • IT Services + SOAR

    The integration of IT services into your security workflows is critical for rapid response and collaboration. SOAR integrates with email senders, notification engines, collaboration spaces, and other cloud communication platforms. Beyond communication and alerting, popular IT service integrations also include meeting management and video conferencing tools such as Zoom.

  • Email Protection + SOAR

    Many major incidents start with a simple phishing email. SOAR integrates with email tools to ingest reports of suspicious emails, pull those messages from the server, and parse out IOCs for investigation. If an email is found to be malicious, the SOAR tool can block the sender and remove all instances of the email from company mailboxes.

  • Identity Management + SOAR

    Identity is central to most security incidents. SOAR tools integrate with identity management to enrich incidents with employee information, query login history to assess the impact of compromised credentials, and orchestrate response actions such as deactivating users and forcing password resets. Break-glass and service accounts should be excluded from automatic deactivation, and privileged accounts should require a human confirmation, so that a playbook cannot lock responders out of their own environment.

  • Vulnerability Management + SOAR

    SOAR turns the information from vulnerability scans into automated response workflows. SOAR tools ingest and parse vulnerability scan reports, orchestrate tasks to remediate vulnerabilities, and search across past reports during threat hunting.
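The Endpoint Protection, Firewall and Identity Management integrations above all end in containment actions (quarantine a host, block an address, deactivate a user) that a playbook can execute with the platform's privileged credentials. The following is an added example written for this page, not D3 Security's code or any SOAR vendor's API: it shows the guard checks a practitioner would place in front of those actions. The internal ranges, the organization's own public prefix, the protected accounts, the host inventory and the thresholds are constructed policy stand-ins, and each function returns a decision instead of calling a real firewall, directory or EDR.

```python
"""Guardrails in front of containment actions a playbook takes through the
firewall, identity and endpoint integrations. The SOAR holds privileged API
credentials to all of those tools, so an unguarded playbook can turn a bad IOC
or a noisy detection into a self-inflicted outage. Added example, not D3
Security's code; the ranges, protected accounts, inventory and thresholds are
constructed policy stand-ins, and each check returns a decision rather than
calling a real API."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
NEVER_BLOCK = [ipaddress.ip_network("203.0.113.0/24")]  # constructed: our own public prefix
MIN_AUTO_BLOCK_CONFIDENCE = 80                          # constructed threshold
PROTECTED_ACCOUNTS = {"breakglass-admin", "svc-backup", "svc-soar"}  # constructed
PRIVILEGED_GROUPS = {"Domain Admins"}
HOST_ROLES = {"dc01": "domain-controller", "srv-db1": "database",   # constructed inventory
              "ws-05": "workstation", "ws-09": "workstation",
              "ws-17": "workstation", "ws-42": "workstation"}
MAX_AUTO_QUARANTINE = 3  # isolating more hosts than this in one run needs an analyst


def _decision(action, target, allowed, needs_approval, reason):
    return {"action": action, "target": target, "allowed": allowed,
            "needs_approval": needs_approval, "reason": reason}


def decide_block_ip(ip: str, confidence: int) -> dict:
    """Firewall block: refuse internal/special-use and own addresses outright,
    and gate low-confidence indicators behind analyst approval."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return _decision("block_ip", ip, False, False, "not an IP address")
    special = (addr.is_loopback or addr.is_link_local or addr.is_multicast
               or addr.is_unspecified or any(addr in n for n in RFC1918))
    if special:
        return _decision("block_ip", ip, False, False, "internal or special-use address")
    if any(addr in n for n in NEVER_BLOCK):
        return _decision("block_ip", ip, False, False, "own infrastructure")
    if confidence < MIN_AUTO_BLOCK_CONFIDENCE:
        return _decision("block_ip", ip, False, True, "low-confidence IOC")
    return _decision("block_ip", ip, True, False, "external, high confidence")


def decide_disable_user(user: str, groups: set) -> dict:
    """Identity: never auto-disable break-glass or service accounts; privileged
    users are disabled only after a human confirms."""
    if user in PROTECTED_ACCOUNTS:
        return _decision("disable_user", user, False, False, "protected account, page on-call")
    if groups & PRIVILEGED_GROUPS:
        return _decision("disable_user", user, False, True, "privileged account")
    return _decision("disable_user", user, True, False, "standard account")


def decide_quarantine(hosts: list) -> dict:
    """Endpoint: workstations may be isolated automatically, servers and unknown
    hosts need approval, and a run that would isolate too many hosts at once is
    held back entirely (blast-radius cap)."""
    decisions = {}
    for h in hosts:
        role = HOST_ROLES.get(h, "unknown")
        if role == "workstation":
            decisions[h] = _decision("quarantine", h, True, False, "workstation")
        else:
            decisions[h] = _decision("quarantine", h, False, True, f"role {role}")
    auto = [h for h, d in decisions.items() if d["allowed"]]
    if len(auto) > MAX_AUTO_QUARANTINE:
        for h in auto:
            decisions[h] = _decision("quarantine", h, False, True,
                                     f"{len(auto)} hosts exceeds blast-radius cap")
    return decisions


if __name__ == "__main__":
    print(decide_block_ip("10.1.2.3", 95))
    print(decide_disable_user("breakglass-admin", set()))
    print(decide_quarantine(["ws-17", "dc01"]))
```

The documentation address 198.51.100.9 stands in for an attacker's external IP in the checks; the explicit RFC 1918 list is used instead of Python's is_private so that such documentation ranges are not mistaken for internal ones. Decisions flagged needs_approval are what a playbook would hand to an analyst task rather than execute.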


How is MITRE ATT&CK Used For SOAR?

TTP Mapping

Some SOAR tools ingest TTP information from detection tools and map incoming alerts on the ATT&CK Matrix. This allows attacker behaviors to be another piece of the puzzle that the analyst is given when alerts are enriched and contextualized by the SOAR tool.

Kill Chain Investigations

By correlating alerts against the ATT&CK Matrix, SOAR tools enable investigators to build out the kill chain of attacks that comprise multiple alerts. The perspective of the kill chain enables investigators to assess how far an attack has progressed, and what the adversary is likely to do next.

Visibility into Trends

Tagging alerts with ATT&CK TTPs enables trend reporting on the occurrence of each adversary technique in the environment. This helps security teams understand their high-risk areas and what root causes need to be addressed.
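The three ATT&CK uses above (TTP mapping, kill-chain reconstruction, and trend reporting) are easy to show in code. The following is an added example written for this page, not D3 Security's code: the tactic list is the Enterprise matrix column order, the technique table is a small constructed subset in which each technique is pinned to one tactic (ATT&CK lists several for some techniques, so a real mapping would carry a list), and the alerts and case IDs are constructed.

```python
"""ATT&CK enrichment as a SOAR would apply it: tag alerts with technique IDs,
place them on the tactic sequence of the Enterprise matrix to see how far an
attack has progressed and what usually follows, and count techniques for trend
reporting. Added example, not D3 Security's code; TECHNIQUES is a constructed
subset (one tactic per technique, a simplification) and ALERTS is constructed."""
from collections import Counter

# Enterprise matrix tactics in column order; this order is the kill chain.
TACTICS = [
    ("TA0043", "Reconnaissance"), ("TA0042", "Resource Development"),
    ("TA0001", "Initial Access"), ("TA0002", "Execution"),
    ("TA0003", "Persistence"), ("TA0004", "Privilege Escalation"),
    ("TA0005", "Defense Evasion"), ("TA0006", "Credential Access"),
    ("TA0007", "Discovery"), ("TA0008", "Lateral Movement"),
    ("TA0009", "Collection"), ("TA0011", "Command and Control"),
    ("TA0010", "Exfiltration"), ("TA0040", "Impact"),
]
TACTIC_INDEX = {tid: i for i, (tid, _) in enumerate(TACTICS)}
TACTIC_NAME = dict(TACTICS)

# Constructed subset: technique ID -> (name, the single tactic assumed here).
TECHNIQUES = {
    "T1566": ("Phishing", "TA0001"),
    "T1204": ("User Execution", "TA0002"),
    "T1059": ("Command and Scripting Interpreter", "TA0002"),
    "T1136": ("Create Account", "TA0003"),
    "T1003": ("OS Credential Dumping", "TA0006"),
    "T1082": ("System Information Discovery", "TA0007"),
    "T1021": ("Remote Services", "TA0008"),
    "T1071": ("Application Layer Protocol", "TA0011"),
    "T1041": ("Exfiltration Over C2 Channel", "TA0010"),
    "T1486": ("Data Encrypted for Impact", "TA0040"),
}

# Constructed alerts, as a detection tool might hand them to the SOAR.
ALERTS = [
    {"id": "A1", "case": "INC-1", "host": "ws-17", "technique": "T1566"},
    {"id": "A2", "case": "INC-1", "host": "ws-17", "technique": "T1204"},
    {"id": "A3", "case": "INC-1", "host": "ws-17", "technique": "T1003"},
    {"id": "A4", "case": "INC-1", "host": "srv-db1", "technique": "T1021"},
    {"id": "A5", "case": "INC-2", "host": "ws-42", "technique": "T1566"},
    {"id": "A6", "case": "INC-2", "host": "ws-42", "technique": "T1204"},
    {"id": "A7", "case": "INC-3", "host": "ws-09", "technique": "T9999"},  # unknown ID
]


def map_alert(alert: dict) -> dict:
    """TTP mapping: enrich one alert with its technique name and tactic."""
    name, tactic = TECHNIQUES.get(alert["technique"], ("Unmapped", None))
    return {**alert, "technique_name": name, "tactic": tactic,
            "tactic_name": TACTIC_NAME.get(tactic, "Unmapped")}


def kill_chain(case_id: str, alerts=ALERTS) -> dict:
    """Kill-chain view for one case: tactics seen in matrix order, the furthest
    stage reached, and the two tactics that typically follow it (a hunting hint)."""
    seen = {m["tactic"] for m in map(map_alert, alerts)
            if m["case"] == case_id and m["tactic"]}
    ordered = sorted(seen, key=TACTIC_INDEX.__getitem__)
    if not ordered:
        return {"case": case_id, "stages": [], "furthest": None, "next": []}
    furthest = ordered[-1]
    remaining = [tid for tid, _ in TACTICS[TACTIC_INDEX[furthest] + 1:]]
    return {"case": case_id,
            "stages": [TACTIC_NAME[t] for t in ordered],
            "furthest": TACTIC_NAME[furthest],
            "next": [TACTIC_NAME[t] for t in remaining[:2]]}


def technique_trends(alerts=ALERTS) -> dict:
    """Trend reporting: how often each technique and each tactic shows up."""
    mapped = [map_alert(a) for a in alerts]
    return {"technique": dict(Counter(m["technique"] for m in mapped)),
            "tactic": dict(Counter(m["tactic_name"] for m in mapped))}


if __name__ == "__main__":
    print(kill_chain("INC-1"))
    print(technique_trends())
```

For the constructed case INC-1 the chain reads Initial Access, Execution, Credential Access, Lateral Movement, so the furthest stage is Lateral Movement and the hunting hint is to look for Collection and Command and Control activity on the hosts involved. Unknown technique IDs are kept in the trend counts as Unmapped rather than dropped, so gaps in detection coverage stay visible.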


MITRE ATT&CK for Dummies

Discover how to put the MITRE ATT&CK Matrix to work in your security operation. Review use cases and tips designed to help you shift from ad hoc response to proactive countering of known, dangerous threats.

Evaluating and Operating SOAR

How Do Companies Evaluate SOAR?

Implementing SOAR is a major investment, so the evaluation process usually includes a proof of concept (PoC) project. PoCs will usually focus on a small number of key use cases, playbooks, and integrations, to give the prospective buyer a sense of how the SOAR platform will support their security operations.

The criteria by which potential buyers evaluate SOAR platforms include:

1. Integrations

SOAR platforms vary in the number and quality of their integrations. Buyers should look for a broad set of out-of-the-box integrations, including high-quality integrations with the tools they already use. High-quality integrations are built and maintained jointly by both vendors, with capabilities beyond what a generic API connector provides. Check each integration's permission requirements as well: the service account a SOAR uses for a tool should hold only the scopes its playbooks need, since those credentials are concentrated in one place.

2. Coding Burden

Leading SOAR platforms are moving towards a low-code/no-code model for playbooks and integrations. Some, however, still require substantial Python coding from users. SOAR buyers should assess their internal coding expertise and available resources and pick a SOAR platform that matches their needs.

3. Enrichment

How a SOAR platform enriches events is a core capability that users will rely on many times every day. Buyers should look at what data sources different SOAR platforms use to enrich events, such as integrated or internal threat intelligence, TTP correlation, and historical incidents.

4. Incident Response

Even as SOAR evolves, the heart of the platform is still incident response. Different platforms take different approaches to incident response. Some are designed for quick, simple responses that often involve a single orchestrated action. Others support more complexity and depth. Buyers can compare IR capabilities to their needs and the skills of their users.

5. Threat Hunting

Beyond incident response, SOAR platforms also support threat hunting with automation and orchestration. Buyers can compare the threat hunting capabilities of the platforms they are assessing, such as turning ingested threat intelligence into automated hunts, IOA searches based on new incidents, and ongoing surveillance of important IOAs and TTPs.

6. Metrics and Reporting

SOAR platforms provide a wealth of data that can help organizations optimize their security operations. The metrics and reporting capabilities of different platforms should not be overlooked when selecting a SOAR tool.

How Do MSSPs Use SOAR?

SOAR is a highly valuable tool for MSSPs who want to improve their services and increase profits.

Revenue Opportunities for MSSPs

SOAR opens up high-value offerings that MSSPs can sell to clients, such as advanced playbooks and MITRE ATT&CK-based services. Playbooks, integrations, and automation also make it easier to onboard new clients and reduce time to revenue.


Operational Improvements for MSSPs

Just as it does for SOC teams, SOAR can help streamline MSSP operations, making them faster, less bogged down with unimportant tasks, and better able to evaluate incoming threats. Whether or not an MSSP has access to a client's entire toolset, security data can be aggregated in the SOAR tool and contextualized with data from across the client's environment. SOAR playbooks allow for standardized workflows that can be applied in bulk across a client base or customized as necessary. SOAR also enables better reporting, which gives clients visibility into the service.


MDR Service Enablement

SOAR gives MSSPs the tools to do more than just handle alerts, with a full set of incident response tools. This has enabled many MSSPs to offer full-lifecycle, Tier 1-3 services that can handle security incidents from start to finish, instead of simply alerting the client’s team of threats. This means that MSSPs can compete with the MDR providers that have been rapidly gaining market share in the managed services space.


SOAR Case Studies


How SOAR Helped an MSSP Increase Profits and Streamline Operations

This MSSP served 50 clients but struggled to manage its tool set efficiently, which included multiple SIEMs for the internal SOC and CSIRT teams. With SOAR, the MSSP was able to integrate its tools, quickly implement more than 40 playbooks, and automate customized reporting for clients.


Get Started with D3 Security

One platform to stop alert overwhelm. Transform how your security team works, by focusing its resources on real threats.