What is SOAR and Why is it Important?

| By: Kevin Prince

Security Orchestration, Automation and Response (SOAR) has been getting a lot of attention recently. I thought it would be good to take a moment and discuss what it is and why it is important to the industry. 

SOAR Security Definition

Gartner was the first to formally define SOAR: “SOAR refers to technologies that enable organizations to collect inputs monitored by the security operations team. For example, alerts from the SIEM system and other security technologies—where incident analysis and triage can be performed by leveraging a combination of human and machine power—help define, prioritize and drive standardized incident response activities. SOAR tools allow an organization to define incident analysis and response procedures in a digital workflow format.”  

Basically, Gartner is saying that you first need to get all the security logs into one place, like a SIEM. Then, once there, you can create “digital workflows” in an effort to respond to incidents. While a SIEM is critical to any organization’s cybersecurity program (because this is what gets all your security events in one place for analysis), it is reactive by nature. In fact, a SIEM doesn’t respond, it tells you what needs to be responded to. This has been a critical gap that has been filled in by IT professionals and service providers. They take alerts, incidents and notifications that come out of the SIEM and then take action based on what they find.

However, there are two main problems with this. First, the response is typically not fast enough. Second, often the IT resources or service providers don’t always have the expertise to respond properly. Speed to resolution is often measured in hours or days when many attacks can now compromise a system and spread throughout a network within minutes. The last thing people want is a notification that tells them their systems are all encrypted with Ransomware without giving them any chance to respond. The only thing worse is not getting notified at all, not that you wouldn’t find out soon enough. So while SIEM is critical, it only solves half the problem. We need faster and more reliable response methods.

SOAR is an approach to Security Orchestration (meaning getting the systems to talk to one another) so that actions can be taken in an Automated way for Response. Unfortunately, this is easier said than done. Most networks are very desperate in terms of network hardware and software and the variety of vendors and technologies that are used. Getting systems to “talk” to one another is a major challenge that some SOAR technology vendors are making some headway in. An additional hurdle is giving access to third-party service providers.

Even with systems “talking”, you then need playbooks for each action you want to take under the various scenarios. These playbooks need to be written for your specific environment. Automated actions that work great for one company may be a disaster for another. Some of these actions may be fully automated Others may need to be seen by human eyes before action is taken. But if you are adding people back into the mix, aren’t you defeating the goal of quick response? Yes! And yet, that is where we are today. Anyone who believes that SOAR will cut out the need for expert analyst review is living in a fantasy world. That doesn’t mean SOAR doesn’t provide real value here and now. It can, when used properly (which I will talk about in another post).