What is a SOAR?
Gartner® defines Security Orchestration, Automation and Response (SOAR) platforms as security orchestration , automation and response technologies. They allow organizations to collect data and alerts on security threats from different sources, where incident analysis and triage can be performed by combining the power of man and machine. This helps to define, prioritize and drive standardized incident response activities according to a standard workflow.
A SOAR allows an organization to collect data primarily for detecting cyber threats and responding to escalated security events without human intervention. The main purpose of using a SOAR platform is to improve the efficiency of security operations by adding a strong layer of automation.
How it works ?
SOAR platforms have three main components: orchestration, automation, and response.
The presence of separate environments and tools is one of the reasons why orchestration is necessary. There are so many environments, tools, devices, products and networks in the same organization that some of these elements are not always connected, or connectable, between them which leads to having dispersed information.
We can also notice the presence of an overload of the team responsible for security. These teams face a complexity of attacks and a multitude of tools that exacerbate this burden. Likewise, they receive a large number of alerts and incidents per day, to the point that there are not enough people to deal with them. This highlights the main reason for using orchestration.
Orchestration connects disparate tools through built-in or custom application programming interfaces (APIs). Connected systems may include vulnerability scanners, endpoint protection products (early launch anti malware), user behavior analysis products, firewalls, intrusion detection and prevention systems, SIEM platforms and, finally on our examples, external threat intelligence sources.
This data collection process allows for better information processing and inevitably better threat detection.
Automation enables analysis of the data received by the orchestration process. Tasks previously performed by analysts, such as vulnerability scanning, log analysis, ticket verification, and audit capabilities can be standardized and performed automatically by SOAR platforms. It can also be said that these processes will allow teams and analysts to focus on purely strategic value-added projects and free them from sometimes repetitive tasks.
A simple trick to find out if a task can be automated. Ask yourself these three questions:
- Is it included in a routine?
- Is it regularly time consuming?
- Is there a means of communication (API or other) between the tools allowing the execution of this task?
If the answer to these questions is ”yes”, then some automation can be applied to this task, but not necessarily without limits.
In order to better explain the automation process, we need to talk about playbooks. Pre-built or custom playbooks are sets of several automated actions that are essential to the operation of SOAR. With playbooks, security teams can process alerts, create automated responses for different types of incidents, and quickly resolve issues efficiently and consistently.
Moreover, they are very useful for automating repetitive and tedious tasks while freeing up analysts for more important tasks that require human intelligence and decision making.
Today, there are new and modern versions of the playbooks that have additional functionality allowing them to integrate human decision-making with automation for highly critical security situations.
We offer you an example of automation, an analysis of emails to identify phishing attempts:
Generally when a malicious URL is detected in an email to an employee and is identified during an analysis, we tend to put an action plan in place to block the email, notify the employee of the potential phishing attempt and blocking the IP address of the sending source.
With a SOAR, we could also trigger advanced investigative actions in order to have a broader field of action. Keeping this example, we could simply add automated actions consisting of searching for similar emails (via IOCs) in the inboxes of other employees, deleting them, and why not adding the outgoing servers to a blacklist. Another example, through automation, we could detect the arrival of a new email, capture the attachments and analyze them in a sandbox. These automated steps will be performed according to the playbook configuration.
Orchestration and automation work together to empower security teams. Whether defensive or offensive, the goal will be to be more efficient by focusing on analysis and decision-making rather than tedious and time-consuming manual tasks.
Advantage of SOAR and disadvantage
We made it clear in this article, SOAR will allow the team to focus on improving security rather than performing manual tasks. It will automate many repetitive tasks and provide standardized processes leading, no doubt, to improved performance of the cyber surveillance center.
SOAR enables increased resilience in the face of a growing threat environment and strengthens incident response. In our various experiences, we see a faster frequency of response and resolution of incidents, thanks to proactive handling of security alerts. This is also explained by the ability of SOAR solutions to integrate, rather easily, with a multitude of technologies.
Unfortunately, like all tools, SOAR does not work alone, without human intervention and without a certain intelligence. An analysis will remain essential for the proper processing of alerts or at least the proper application and configuration of playbooks.
The CONIX cyber surveillance center team obviously sees time saved in certain daily tasks such as triaging and analyzing security alerts.
Adam Fletcher, Managing Director of Blackstone, also agrees: “Automation with a SOAR allows us to process infected email alerts in about 40 seconds rather than 30 minutes or more.” Significant time savings in the face of evolving threats.
However, playbooks seem more suited, for the moment, to enterprise information systems following a certain “standard” in terms of tool and architecture. A strong involvement in the development of the latter is to be expected, in particular for highly communicative information systems or with specific information systems (industrial, on-board, etc.)