Security Orchestration and Automation
SOAR (Security Orchestration, Automation and Response) is a solution stack of compatible software programs that allow an organization to collect data about security threats from multiple sources and respond to low-level security events without human assistance. The goal of using a SOAR stack is to improve the efficiency of physical and digital security operations. The term, which was coined by the research firm Gartner, can be applied to compatible products and services that help define, prioritize, standardize and automate incident response functions.
SOAR solutions are gaining visibility and real-world use driven by early adoption to improve security operations centers. Security and risk management leaders should start to evaluate how these solutions can support and optimize their broader security operations capabilities.
Security orchestration, automation and response (SOAR) is defined as technologies that enable organizations to take inputs from a variety of sources (mostly from security information and event management [SIEM] systems) and apply workflows aligned to processes and procedures. These can be orchestrated via integrations with other technologies and automated to achieve a desired outcome and greater visibility. Additional capabilities include case and incident management features; the ability to manage threat intelligence, dashboards and reporting; and analytics that can be applied across various functions. SOAR tools significantly enhance security operations activities like threat detection and response by providing machine-powered assistance to human analysts to improve the efficiency and consistency of people and processes.
Most SOAR tools are still strongest in their original "home offerings", which are security incident and response platforms (SIRPs), security orchestration and automation (SOA), and threat intelligence platforms (TIPs). Currently, the most common use case for SOAR by an organization is to define incident analysis and response procedures in a digital workflow format — such as plays in a security operations playbook. Additionally, these tools facilitate the use and operationalization of threat intelligence in security operations, which enhances the ability to predict, prevent, detect and respond to the prevailing threat landscape that a company faces.
To understand the evolving SOAR market, it is necessary to define the specific terms used — namely, orchestration and automation — in the context of security operations:
- Aggregation: The ability to aggregate/ingest data across sources. This may take the form of alerts, signals or other inputs from other technologies such as an alert from a SIEM tool or an email sent to a group mailbox. Other data that is ingested may include user information from an identity and access management (IAM) tool or threat intelligence from multiple sources.
- Enrichment: Whether after incident identification or during data collection and processing, SOAR solutions can help integrate external threat intelligence, perform internal contextual lookups or run processes to gather further data according to defined actions.
- Orchestration: The coordination of workflows that combine manual and automated steps across many components, affecting information systems and often humans as well.
- Automation: This concept involves the capability of software and systems to execute functions on their own, typically to affect other information systems and applications.
- Response: Manual or automated response applies a predefined resolution to programmatically defined activities. This ranges from basic activities, such as ticket creation in an IT service desk application, to more advanced activities like applying some form of response via another security control, such as blocking an IP address by changing a firewall rule. This functionality is the most impactful but also applies to the most complex use cases.
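The five capabilities above, as an added illustration in Python (not code from the original page or any SOAR product): constructed SIEM and mailbox alerts are aggregated and deduplicated, enriched from constructed threat-intelligence and IAM lookups, and routed to response actions, with high-impact containment gated on an analyst approval callback rather than fully automated. All hosts, IP addresses and verdicts are constructed sample values.

```python
# Added illustration (not the page's code): a minimal SOAR-style playbook. All data is constructed.
SIEM_ALERTS = [  # constructed SIEM feed; the first two entries are duplicates
    {"source": "siem", "host": "ws-042", "ip": "203.0.113.17", "severity": "high"},
    {"source": "siem", "host": "ws-042", "ip": "203.0.113.17", "severity": "high"},
    {"source": "siem", "host": "srv-db1", "ip": "192.0.2.9", "severity": "low"},
]
MAILBOX_REPORTS = [  # constructed report e-mailed to a group mailbox
    {"source": "mailbox", "host": "ws-077", "ip": "198.51.100.5", "severity": "medium"},
]
THREAT_INTEL = {"203.0.113.17": "known-c2", "198.51.100.5": "scanner"}  # constructed TI
IAM = {"ws-042": "finance-user", "ws-077": "contractor", "srv-db1": "service-account"}

def aggregate(*feeds):
    """Aggregation: ingest every feed and drop exact duplicates."""
    merged = {}
    for alert in (a for feed in feeds for a in feed):
        merged.setdefault((alert["host"], alert["ip"], alert["severity"]), dict(alert))
    return list(merged.values())

def enrich(alert):
    """Enrichment: attach the TI verdict and the host owner from IAM."""
    alert["ti"] = THREAT_INTEL.get(alert["ip"], "unknown")
    alert["owner"] = IAM.get(alert["host"], "unknown")
    return alert

def decide(alert):
    """Orchestration: choose response actions and whether a human must approve."""
    actions = ["create_ticket"]  # basic response: open a service-desk ticket
    if alert["ti"] == "known-c2" and alert["severity"] == "high":
        # High-impact containment is gated on analyst approval.
        return actions + ["isolate_host", "block_ip"], True
    if alert["ti"] != "unknown":
        actions.append("block_ip")  # low-risk action, fully automated
    return actions, False

def run_playbook(alerts, approver):
    """Automation/response: run actions, routing gated ones through approver()."""
    results = []
    for alert in map(enrich, alerts):
        actions, needs_approval = decide(alert)
        if needs_approval and not approver(alert):
            actions = ["create_ticket", "escalate_to_analyst"]
        results.append((alert["host"], actions))
    return results
```

The `approver` callback stands in for the analyst decision step; in a real deployment it would be a case-management task rather than a function call.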
Buyers are expressing demand for SOAR for several reasons:
- Staff shortages: Due to staff shortages in security operations, clients describe a growing need to automate repeatable tasks, streamline workflows and orchestrate security tasks resulting in operational scale. For instance, if you have a team, SOAR can give them more reach — but this is not a tool to get instead of a team. Also, organizations need the ability to demonstrate to management the organization’s ability to reduce the impact of inevitable incidents.
- Continued evolution of threats and increases in volume: As organizations consider threats that destroy data and can result in disclosure of intellectual property and monetary extortion, they require rapid, consistent, continuous and more frequent responses with fewer manual steps.
- Improving alert triage quality and speed: Security monitoring systems (such as SIEMs) are known to cost a significant amount to run and generate a high number of alerts, including many found to be “false positives” or simply not relevant after additional investigation. Security and risk management leaders then treat alert triage in a very manual way, which is subject to mistakes by the analysts and can leave real incidents ignored. SOAR helps improve the signal-to-noise ratio by automating the repeatable, mundane aspects of incident investigation. This creates a positive situation where analysts can spend more time investigating and responding to an event instead of spending most of their time collecting all the data required to perform the investigation.
- Need for a centralized view of threat intelligence: A large number of security controls on the market today benefit from threat intelligence. SOAR tools allow for the centralized collection, aggregation, deduplication, enrichment of existing data with threat intelligence and, importantly, conversion of intelligence into action.
- Reducing time to respond, contain and remediate: Organizations are dealing with increasingly aggressive threats, such as ransomware, where a rapid response of only minutes at best is required in order to stand a chance of containing a threat that is spreading laterally in your environment. This scenario forces organizations to reduce the time they take to respond to those incidents, typically by delegating more tasks to machines. Reducing the response time, including incident containment and remediation, is one of the most effective ways to control the impact of security incidents. Like a brush fire, the sooner you can get to it, the smaller it is, and therefore the easier it is to put out.
- Reducing unnecessary, routine work for the analysts: SOC analysts are often working with multiple tools. They are looking at a stream of SIEM console alerts laid out in rows and columns, threat intelligence (TI) service portals for information about the entities involved, and endpoint detection and response (EDR) for context on what is happening on the affected endpoint. They may even be using workflow tools to control the triage and investigation processes.
The SOAR market is still an emerging market and it is forecast to grow up to $550 million in the five-year (2018-2023) time frame. Many organizations implement SOAR tools with use cases primarily focused on making their SOC analysts more efficient such that they can process more incidents while having more time to apply human analysis and drive response actions much quicker. Historically, they were not aware of the existence of these types of solutions. There are now more clients aware of SOAR solutions, which is fueling further adoption. This awareness is broadening; even SOAR vendors claim to have less work evangelizing about the technology and more conversations about their capabilities and differentiators. However, improving detection and response activities is just one of several opportunities for the use of SOAR tools to support security operations activities.
Since SOAR is often used as an umbrella term that covers security operations, security incident response and threat intelligence, many vendors are driving their existing solutions in the fight for market leadership.
F.A.Q. about Security Orchestration and Automation
What is SOAR?
Coined by research company Gartner, Security Orchestration, Automation and Response (SOAR) is a term used to describe the convergence of three distinct technology markets: security orchestration and automation, security incident response platforms (SIRP), and threat intelligence platforms (TIP).
SOAR technologies enable organizations to collect and aggregate vast amounts of security data and alerts from a wide range of sources. This assists human and machine-led analysis, as well as the standardization and automation of threat detection and remediation.
What are the activities of SOAR?
SOAR supports multiple activities for security operations decision making such as, but not limited to, the following:
- Prioritizing security operations activities: Use of a SOAR solution requires organizations to consider questions about their processes. Which are most critical? Which ones consume the most staff time and resources? Which ones would benefit from automation? Where do we have gaps in our documented procedures? The preparation and planning for SOAR, and its ongoing use, help organizations prioritize and manage where orchestration and automation should be applied and where it can help improve response. This response can then lead to improvements in security operations and show a demonstrable impact on business operations (e.g., faster time to detect and respond to threats that could impact business operations, and optimization of security operations staff and budget).
- Formalizing triage and incident response: Security operations teams must be consistent in their responses to incidents and threats. They must also follow best practices, provide an audit trail and be measurable against business objectives.
- Automating response: Speed is of the essence in today’s threat landscape. Attacks are increasing in speed (e.g., ransomware is now being automated to spread with worm functionality), but security operations are not automated. Having the ability to automate response action offers SOC teams the ability to quickly isolate/contain security incidents. Some responses can be fully automated, but at this time many SOAR users still inject a human to make the final decision. However, even this reduces the mean time to respond for the organization compared to being fully dependent on “human power.”
Security and risk management leaders overseeing security operations should:
- Prepare for their SOAR implementations by having a starting set of defined processes and workflows that can be implemented. Out-of-the-box plays and integrations are a starting point but can rarely be implemented without some customizations.
- Plan for the implementation and the ongoing operation and administration of SOAR tools by using a mix of professional services and internal resources.
- Put a contingency plan in place in the event the SOAR tool is acquired by another vendor. Acquisitions are occurring with some frequency as the market evolves. Buyers should be prepared.
- The SOAR technology market aims to converge security orchestration and automation (SOA), security incident response (SIR) and threat intelligence platform (TIP) capabilities into single solutions.
- Early adopters of SOAR technologies have been organizations and managed security service providers with mature security operations centers (SOCs) that understood the benefits of incorporating SOAR capabilities into their operations. However, use cases implemented by early adopters have not evolved over the last 12 months and are stuck in a rut, limiting the long-term potential for SOAR in security operations.
- SOAR solutions are not “plug-and-play.” Even though solutions have a library of out-of-the-box use cases and integrations, buyers are reporting multiweek professional services engagements to implement their initial use cases, as every organization’s processes and technologies deployed are different.
- Orchestration and automation are starting to be localized in point security technologies, usually in the form of predefined, automated workflows. This is not the same as a full-featured SOAR solution.