In cybersecurity, SOAR stands for security orchestration, automation, and response. It refers to software that collects security-related data from an organization's existing tools, analyzes it, and automates the steps analysts take to respond to incidents.
SOAR systems let organizations connect those tools and act on all of their security data from one place, so that incidents are handled faster and more consistently.
The main components of a SOAR system are:
Orchestration
Security orchestration accelerates and improves incident response by integrating data from many technologies and security tools and analyzing it together. It also coordinates those tools so that a complex incident can be handled as one workflow rather than tool by tool. A SOAR tool can, for example, take observations from network monitoring tools and use them to drive firewall rule changes.
Automation
Automation is one of the key functions of any SOAR tool: it removes the time-consuming manual steps in detecting and responding to security incidents. SOAR systems can, for example, automatically triage certain types of events and let security teams define standardized, automated procedures (playbooks) covering decision-making workflows, health checks, enforcement and containment, and auditing.
Response
SOAR platforms collect data from other security tools, such as security information and event management (SIEM) systems and threat intelligence feeds, prioritize the resulting security events, and send the key details of each incident to security staff.
Case management
Case management is a fundamental component of any SOAR platform. It gives security analysts an individual case record for each incident, where they can analyze and work with all data related to it, and it lets them use that analysis to improve and iterate on their response processes.
Dashboard
A SOAR tool’s dashboard provides an overview of everything that’s happening across the components above, i.e., all security-related data and activity, including notable events and their severity, playbooks, connections with other security tools, workloads, and even a summary of return on investment from automated activities. Typically, you can filter a SOAR dashboard by time period, data source, or user. Widgets can be toggled on or off or rearranged according to your specifications. In short, it’s your central hub for monitoring everything your SOAR system is doing and how well it’s doing it.
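The following is an added example, not code from the original page or from any SOAR vendor, showing how the four components above fit together in one playbook: orchestration (pulling an alert from a SIEM and enriching it from a threat intelligence feed and an asset inventory), automation (a decision workflow that scores the alert), response (containment actions issued to other tools) and case management (an audit trail on a case record). The SIEM alerts, intel feed, asset inventory, tool names and score thresholds are constructed assumptions so the example runs offline; in a real deployment each of these would be an integration with the corresponding product.

```python
"""Added example: a minimal SOAR-style playbook tying orchestration,
automation, response and case management together. All data sources
below are constructed stand-ins for real integrations."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress

# --- constructed data sources (assumptions) ---------------------------------
SIEM_ALERTS = [  # what a SIEM correlation rule would hand to the SOAR
    {"id": "A-1001", "rule": "Outbound connection to rare destination",
     "src_host": "ws-finance-07", "dst_ip": "203.0.113.45", "user": "jdoe"},
    {"id": "A-1002", "rule": "Outbound connection to rare destination",
     "src_host": "build-01", "dst_ip": "198.51.100.9", "user": "svc-ci"},
    {"id": "A-1003", "rule": "Outbound connection to rare destination",
     "src_host": "ws-hr-03", "dst_ip": "10.0.0.5", "user": "asmith"},
]
THREAT_INTEL = {  # indicator -> confidence (0-100) and tags
    "203.0.113.45": {"confidence": 90, "tags": ["c2"]},
    "198.51.100.9": {"confidence": 20, "tags": ["scanner"]},
}
ASSETS = {  # host -> criticality tier (1 = most critical)
    "ws-finance-07": {"tier": 1}, "build-01": {"tier": 2}, "ws-hr-03": {"tier": 3},
}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Case:
    """Case record: severity, enrichment, actions taken and an audit trail."""
    alert_id: str
    severity: str = "low"
    enrichment: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def log(self, step, detail):
        self.audit.append((datetime.now(timezone.utc).isoformat(), step, detail))


def enrich(alert, case):
    """Orchestration: gather context from several sources into the case."""
    dst = ipaddress.ip_address(alert["dst_ip"])
    intel = THREAT_INTEL.get(alert["dst_ip"], {"confidence": 0, "tags": []})
    asset = ASSETS.get(alert["src_host"], {"tier": 3})
    case.enrichment = {
        "dst_is_internal": any(dst in net for net in INTERNAL_NETS),
        "intel_confidence": intel["confidence"],
        "intel_tags": intel["tags"],
        "asset_tier": asset["tier"],
    }
    case.log("enrich", dict(case.enrichment))


def decide(case):
    """Automation: decision workflow that turns enrichment into a severity."""
    e, score = case.enrichment, 0
    if not e["dst_is_internal"]:
        score += e["intel_confidence"]            # external destination with intel hits
    score += {1: 30, 2: 15, 3: 0}[e["asset_tier"]]  # critical assets weigh more
    if "c2" in e["intel_tags"]:
        score += 20
    case.severity = ("critical" if score >= 100 else "high" if score >= 60
                     else "medium" if score >= 30 else "low")
    case.log("decide", {"score": score, "severity": case.severity})
    return score


def respond(alert, case):
    """Response: containment/enforcement actions sent to other tools.
    Actions are recorded on the case here rather than executed."""
    if case.severity in ("critical", "high"):
        case.actions += [("edr.isolate_host", alert["src_host"]),
                         ("firewall.block_ip", alert["dst_ip"])]
    if case.severity == "critical":
        case.actions += [("idp.disable_user", alert["user"]),
                         ("ticket.page_oncall", case.alert_id)]
    elif case.severity == "medium":
        case.actions.append(("ticket.create", "needs analyst review"))
    elif case.severity == "low":
        case.actions.append(("case.close", "internal destination, no intel match"))
    case.log("respond", list(case.actions))


def run_playbook(alert):
    case = Case(alert_id=alert["id"])
    enrich(alert, case)
    decide(case)
    respond(alert, case)
    return case


def triage_all(alerts=SIEM_ALERTS):
    """Prioritize: the analyst queue shows the most severe cases first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted((run_playbook(a) for a in alerts), key=lambda c: order[c.severity])


if __name__ == "__main__":
    for c in triage_all():
        print(c.alert_id, c.severity, [a[0] for a in c.actions])
```

Two design points worth noting: every step writes to the case's audit trail before the next runs, so an analyst can later see why a host was isolated; and the low-severity auto-close is itself a policy decision that should be reviewed, since a SOAR system closing cases unattended is exactly where a quiet false negative can hide.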
SOAR systems collect data from a variety of sources and then use a combination of human analysis and machine learning to detect potential threats and to prioritize incident response plans and actions. In practice, companies automate as much of this pipeline as they safely can so that the SOAR system supports security operations efficiently.
SOAR systems pull and analyze data from a number of different sources, including:
SOAR systems enable more effective and efficient incident response via two primary benefits:
Both SOAR and SIEM deal with data around security threats and enable much better security incident responses.
However, SIEM aggregates and correlates data from multiple security systems to generate alerts, while SOAR acts as the remediation and response engine to those alerts.
To use a car analogy, SIEM is the fuel and SOAR is the engine: SOAR consumes what SIEM produces and turns it into action, automatically.
Whatever SOAR tool you get, it should be able to:
Of course, there are more bells and whistles that can be a part of a SOAR system, but consider the list above the must-haves for any SOAR tool.
Phishing emails are a major threat not only to individuals but also to enterprise security teams, since a well-crafted one can be the first step in a high-profile data breach. With a SOAR system in place, companies can respond to phishing attacks faster and feed what they learn from each one back into their defenses.
A SOAR tool examines a suspected malicious email by extracting and analyzing its artifacts: header information, sender and reply addresses, URLs, and attachments. It then triages the message to determine whether it is a threat at all and, if so, how serious a threat it is.
If the SOAR tool determines that the email is malicious, it will:
Of course, SOAR systems can’t guarantee that they will catch and block every phishing email. If one does get through, case management features let security teams investigate what happened and why, and use that knowledge to improve their SOAR systems’ threat detection going forward.
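The artifact extraction and triage described above, as an added example that is not part of the original page and not any vendor's implementation. It parses a suspected phishing message with Python's standard `email` library, pulls out the header addresses, authentication results, URLs and attachment hashes, and scores them against a block list. The sample message, the domain lists, the risky-extension list and the scoring thresholds are all constructed assumptions; a real playbook would consult reputation services, a detonation sandbox and the mail gateway instead of static sets.

```python
"""Added example: extract the artifacts a SOAR phishing playbook inspects
(headers, addresses, URLs, attachments) from a suspected email and triage it.
The message and the lists below are constructed for the example."""
import email
import email.policy
import hashlib
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: credential phishing with a mismatched Reply-To, a
# lookalike domain, failed SPF and an executable attachment.
SAMPLE_EML = b"""\
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: helpdesk@examp1e-support.test
Return-Path: <bounce@examp1e-support.test>
To: jdoe@example.com
Subject: Action required: password expires today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e-support.test; dkim=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Your password expires today. Renew it at
https://examp1e-support.test/login?user=jdoe or open the attached tool.

--XYZ
Content-Type: application/octet-stream; name="PasswordTool.exe"
Content-Disposition: attachment; filename="PasswordTool.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""

# Constructed block/policy data standing in for threat intel (assumptions)
KNOWN_BAD_DOMAINS = {"examp1e-support.test"}
INTERNAL_DOMAINS = {"example.com"}
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk"}
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def extract_artifacts(raw: bytes) -> dict:
    """Parse the message and collect the artifacts worth triaging."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    auth = msg.get("Authentication-Results", "")
    urls, attachments = set(), []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""   # decoded bytes, hashed for lookup
            attachments.append({"filename": part.get_filename() or "",
                                "sha256": hashlib.sha256(data).hexdigest(),
                                "size": len(data)})
        elif part.get_content_type() == "text/plain":
            urls.update(URL_RE.findall(part.get_content()))
    return {
        "subject": msg.get("Subject", ""),
        "from": parseaddr(msg.get("From", ""))[1].lower(),
        "reply_to": parseaddr(msg.get("Reply-To", ""))[1].lower(),
        "return_path": parseaddr(msg.get("Return-Path", ""))[1].lower(),
        "spf_fail": "spf=fail" in auth,
        "dkim_missing": "dkim=none" in auth,
        "urls": sorted(urls),
        "attachments": attachments,
    }


def domain_of(addr_or_url: str) -> str:
    """Domain part of an email address or the host of a URL."""
    if "://" in addr_or_url:
        return (urlparse(addr_or_url).hostname or "").lower()
    return addr_or_url.rsplit("@", 1)[-1].lower()


def triage(artifacts: dict) -> dict:
    """Score the artifacts; the reasons go on the case record for the analyst."""
    reasons = []
    if artifacts["reply_to"] and domain_of(artifacts["reply_to"]) != domain_of(artifacts["from"]):
        reasons.append("Reply-To domain differs from From domain")
    if domain_of(artifacts["from"]) in INTERNAL_DOMAINS and artifacts["spf_fail"]:
        reasons.append("claims internal sender but SPF failed")
    for u in artifacts["urls"]:
        if domain_of(u) in KNOWN_BAD_DOMAINS:
            reasons.append(f"URL on block list: {domain_of(u)}")
    for a in artifacts["attachments"]:
        name = a["filename"].lower()
        if "." in name and "." + name.rsplit(".", 1)[-1] in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment type: {a['filename']}")
    score = len(reasons)
    verdict = "malicious" if score >= 3 else "suspicious" if score >= 1 else "benign"
    return {"verdict": verdict, "score": score, "reasons": reasons}


if __name__ == "__main__":
    print(triage(extract_artifacts(SAMPLE_EML)))
```

The attachment is hashed rather than opened: the hash is what gets sent to a reputation service or compared against earlier cases, and the file itself goes to a sandbox, never to the analyst's workstation. The thresholds are deliberately simple; the point a practitioner should take is that each reason is recorded, so a wrong verdict can be traced back to the rule that produced it.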
SOAR systems can reduce investigation and response time from hours to minutes. They also reduce organizational risk by enriching alerts with curated, high-confidence threat data and streamlining security operations. Ultimately, they allow human analysts and human judgment to be allocated more strategically, letting companies make the most of internal resources while reducing their exposure to external threats.