SOAR: Doing More with Less

Friday, April 26, 2019

Michele Zambelli


Security orchestration, automation and response model has many benefits, including some that are unintended

Security teams in every industry and vertical face a common set of challenges: defending against an endless stream of cyberattacks, having too many security tools to manage, dealing with overwhelming workloads, and coping with a shortage of skilled security analysts. Most enterprises try to solve these challenges the old-fashioned way — by adding more tools and hoping they deliver on their promises.

Progressive enterprises are adopting a new approach, called Security Orchestration, Automation and Response (SOAR), that focuses on making existing technologies work together to align and automate processes. SOAR also frees security teams to focus on mitigating active threats instead of wasting time investigating false positives and performing routine tasks manually.

What is SOAR?

SOAR enables security operations centers (SOCs), computer security incident response teams (CSIRTs) and managed security service providers (MSSPs) to work faster and more efficiently.

Security orchestration connects disparate security systems and complex workflows into a single entity, for enhanced visibility and automated response actions. Orchestration is accomplished by integrating security tools through their APIs so that alert data streams can be coordinated into workflows.

Automation, meanwhile, executes multiple processes or workflows without the need for human intervention. It can drastically reduce the time it takes to execute operational workflows, and enables the creation of repeatable processes and tasks.

Instead of performing repetitive, low level manual actions, security analysts can concentrate on investigating verified threats that require human analysis.

Some SOAR approaches even use machine learning to recommend actions based on the responses used in previous incidents.
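To make the orchestration and automation described above concrete, here is an added example that is not from the article or from DFLabs: a small Python triage playbook in which every tool name, field and data value is an assumption. It normalises alerts from two constructed sources into one schema, enriches them from a constructed asset inventory, and auto-closes known false positives and low-value alerts while escalating the rest to an analyst.

```python
from dataclasses import dataclass

ASSETS = {  # constructed asset inventory, standing in for an asset DB behind an API
    "10.0.1.5": {"hostname": "db-prod-01", "criticality": "high"},
    "10.0.2.9": {"hostname": "kiosk-07", "criticality": "low"},
}
KNOWN_BENIGN = {("edr", "Port scan", "10.0.9.1")}  # constructed allowlist (authorised scanner)

@dataclass
class Alert:
    source: str
    title: str
    src_ip: str
    severity: int  # 1 (info) .. 5 (critical) on a common scale
    criticality: str = "medium"  # filled in by enrich(); unknown hosts stay "medium"

def normalise(raw: dict) -> Alert:
    """Map each tool's own field names onto the common alert schema."""
    if raw["tool"] == "siem":
        return Alert("siem", raw["rule_name"], raw["source_address"], raw["priority"])
    if raw["tool"] == "edr":
        return Alert("edr", raw["detection"], raw["ip"], {"low": 2, "medium": 3, "high": 5}[raw["risk"]])
    raise ValueError(f"unknown tool {raw['tool']!r}")

def enrich(alert: Alert) -> Alert:
    """Attach asset context from the inventory (the orchestration step)."""
    alert.criticality = ASSETS.get(alert.src_ip, {}).get("criticality", alert.criticality)
    return alert

def triage(alert: Alert) -> str:
    """Automate the low-level decision; anything uncertain goes to an analyst."""
    if (alert.source, alert.title, alert.src_ip) in KNOWN_BENIGN:
        return "auto-close: known benign"
    if alert.severity <= 2 and alert.criticality == "low":
        return "auto-close: low severity on non-critical asset"
    if alert.severity >= 4 or alert.criticality == "high":
        return "escalate: page on-call analyst"
    return "queue: analyst review"

def run_playbook(raw_alerts: list) -> list:
    """Orchestrate normalise -> enrich -> triage and return one decision per alert."""
    return [triage(enrich(normalise(r))) for r in raw_alerts]

SAMPLE = [  # constructed alerts, each in its tool's native format
    {"tool": "siem", "rule_name": "Failed logins burst", "source_address": "10.0.1.5", "priority": 3},
    {"tool": "edr", "detection": "Port scan", "ip": "10.0.9.1", "risk": "low"},
    {"tool": "edr", "detection": "Suspicious PowerShell", "ip": "10.0.2.9", "risk": "low"},
    {"tool": "siem", "rule_name": "Malware beacon", "source_address": "10.0.7.3", "priority": 5},
]
```

Running `run_playbook(SAMPLE)` yields two escalations and two automatic closures, which is the kind of low-level triage the analysts no longer have to perform by hand.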

Three elements make up a successful SOAR implementation:

Collaboration - essential for creating efficient communication flows and knowledge transfer across security teams.

Incident Management - ideally, a single platform processes all inputs from security tools, giving decision-makers full visibility into the incident management process.

Dashboards and Reporting - provide a comprehensive view of an enterprise’s security infrastructure as well as detailed information on any incident, event, or case.

Implementing SOAR

One of the primary benefits of SOAR is its flexibility. It can be used to unify operations across an enterprise’s entire security ecosystem, or as a vertical solution integrated within an existing product.

For example, one of the most popular product categories for this kind of vertical implementation is Security Information and Event Management (SIEM), primarily because SOAR within a SIEM can have broad applicability across a wide range of processes. In contrast, when SOAR is implemented within other product areas, such as threat intelligence, it tends to have a more limited scope.

Initially, SOAR was designed for use by SOCs. However, as the approach matured and proved its benefits, other groups adopted it, including managed security service providers (MSSPs) and computer security incident response teams (CSIRTs). More recently, financial fraud and physical security teams have also turned to SOAR.

Top Five SOAR Benefits

Arguably, the most powerful benefit of SOAR is its ability to integrate with just about any security process or tool already in use — and to enhance the performance and usefulness of each. Tight integration improves the efficiency of security teams to detect and remediate threats and attacks. It provides a single ‘pane of glass’ into asset databases, helpdesk systems, configuration management systems, and other IT management tools.

SOAR arms security teams with the ability and intelligence to react faster and more decisively to a threat or attack by unifying information from multiple tools and creating a single version of the truth.

Security teams waste an inordinate amount of time and energy dealing with false positives, since there are so many of them generated each day. SOAR automates the triage and assessment of low-level alerts, freeing staff to focus their attention where it is really needed.

Security staff spend way too much time on menial tasks such as updating firewall rules, adding new users to the network, and removing those who have left the company. SOAR virtually eliminates such time-consuming, repetitive functions.

Although cutting costs is rarely a driving factor for adopting SOAR, it often delivers this additional benefit by improving efficiencies and staff productivity.

Unifying existing security tools and making them work together, rather than in silos, delivers greater visibility into threats. Implementing a SOAR model can provide the glue that makes this security intelligence actionable, using repeatable processes for faster incident response without adding more resources.

About the Author: Michele Zambelli has more than 15 years of experience in security auditing, forensics investigations and incident response. He is CTO at DFLabs, where he is responsible for the long-term technology vision of its security orchestration, automation and response platform, managing R&D and coordinating worldwide teams.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.