View More guides on Security Orchestration Automation and Response
What are SOAR Tools?
Posted on: October 21, 2020
Security orchestration, automation, and response (SOAR) is a collective of tools in a single solution that is designed to automate, scale, and make security operations teams more efficient. Prior to SOAR, three primary tools made up the solution: Security incident response platforms (SIRPs), security orchestration and automation (SOA), and threat intelligence platforms (TIPs). Amidst all three platforms, SOAR is not a one-to-one replacement, but more so a connector, bringing automation into the fold.
According to the 2020 Gartner Market Guide for SOAR, “SOAR tools are mostly used for incident response and the workflow, automation, and orchestration of workflows, or the combination of the two. Threat intelligence management in SOAR tools is increasingly becoming native functionality in SOAR tools outside those that were initiated primarily as TIPs; however, it is still not the main driver for buyers.”
Although SOAR tools are advancing, and many security orchestration vendors are acquiring or building them, there are several components that security operation teams should seek out.
Common SOAR Tools
There are numerous tools that go into a full SOAR solution, with the most common capabilities listed below:
Incident Management or Case Management
With SOAR, incident response (IR) teams can manage the triage, investigation, and actioning of incidents and cases using automation.
Workflows and Processes
The workflows and processes in SOAR platforms are automated to follow a tiered system based on manual or triggered actions. This in particular reduces frequent manual and repetitive tasks.
Like most IR solutions, having the ability to document on a closed resolution makes it easier to track down relevant details and context in the event a similar situation occurs. SOAR incident knowledge bases are designed to streamline processes and increase collaboration.
SOAR as a solution is made up of various tools, which means integration between them is key. By having a solution that plays well with others, SOC and IR teams can break down collaboration silos, reduce engineering time, and function as a bridge between on-premise and cloud technology.
SOAR Playbooks are a series of steps and actions that leverage cyber fusion to correlate various threats and incidents and deliver an automated response. Cyber fusion empowers disparate internal security teams such as threat hunting, vulnerability management, threat intelligence, security operations center (SOC), and others to collaborate to deliver an effective incident response. Further, incident response playbooks leverage real-time threat intelligence and security orchestration, automation, and response (SOAR) technologies to propel security operations.
Threat Intelligence Aggregation, Curation, and Distribution
Another key benefit of having a SOAR platform is gaining the ability to aggregate, curate, and distribute threat intelligence. By having a single dashboard that provides a home for incoming and outgoing threat intel, teams become more efficient. Now, with a single 360-view, intel is deduplicated, enriched, and made accessible to security management for decision making and actioning.
SOAR platforms allow for threat data enrichment from premium or open-source feeds with real-time correlation, deduplication, and analysis. This process results in high-fidelity results, cutting down on alert fatigue through graduated indicator deprecation.
Dashboards and Visualizations
Dashboards allow SOC and IR teams to manage multiple related incidents/threats from a single place. They can then leverage relevant threat intelligence ingestion, streamlined workflow automation, and sophisticated campaign management to reduce noise and false alarms. Some SOAR platforms also allow for custom dashboards that include visualizations featuring reports and charts that can track team productivity and performance.
Why SOAR Tools are Needed and Their Benefits
SOAR tools are the collective components that make up the full solution. In the past, these are individual tools such as those used by SOC or IR teams but are now designed to create a more robust offering. In some cases, this can be to retain the same vendor’s software set so that consistency in results can be prioritized, in others, it’s to ensure automation can be most effective, and in others to connect on-premise to cloud tools.
The benefits are vast, but ultimately SOAR is designed to make security teams more efficient through automation, improve communication around threats, increase visibility and decrease time to detect threats, and free analysts to work on higher priorities. Rather than experience alert fatigue, analysts and IR teams gain access to machine-speed intelligence for high-fidelity results. Depending on the solution or tools that make up the SOAR solution, most of these benefits should be quickly realized.