What Is SOAR?

In cybersecurity, SOAR stands for security orchestration, automation, and response. It includes any software or tool that enables companies to collect and analyze cybersecurity-related data.

What is SOAR and how does it work?

SOAR systems allow organizations to use various tools and functionality to capitalize on all of their cybersecurity-related data for better incident response.

The main components of a SOAR system are:

Orchestration

Security orchestration accelerates and improves incident response by integrating and analyzing data from various technologies and security tools. Orchestration also involves coordinating different cybersecurity technologies to help organizations deal with complex cybersecurity incidents. A SOAR tool can, for example, collate network security IT operational data by using data from network monitoring tools as a baseline for firewall rules.

Automation

One of the key functions of any SOAR tool is automation, which eliminates the very time-consuming need to manually detect and respond to security incidents. SOAR systems can, for example, automatically triage certain types of events and allow security teams to define standardized, automated procedures such as decision-making workflows; health checks; enforcement and containment; and auditing.

Response

SOAR platforms collect data from other security tools, such as security information and event management (SIEM) systems and threat intelligence feeds. They prioritize security events and send key information about the security incident to security staff.

Case management

Case management is a fundamental component of any SOAR platform. Case management capabilities give security analysts access to individual case records so that they can dynamically analyze and interact with any data related to any given incident and use that analysis to improve and iterate on their security response processes.

Dashboard

A SOAR tool’s dashboard provides an overview of everything that’s happening in relation to numbers 1, 2, 3, 4, and above—i.e., all security-related data and activity, including notable events and their severity, playbooks, connections with other security tools, workloads, and even a summary of return on investment from automated activities. Typically, you can filter a SOAR dashboard by time period, data source, or user. Widgets can be toggled on or off or rearranged according to your specifications. In short, it’s your central hub for monitoring everything your SOAR system is doing and how well it’s doing it.

How does a SOAR solution identify threats?

SOAR systems browse and collect data from a variety of sources, and then use a combination of human and machine learning to analyze this data to detect potential threats and prioritize incident response plans and actions. Usually, companies automate the SOAR system so that it can most efficiently support cybersecurity.

SOAR data sources

SOAR systems pull and analyze data from a number of different sources, including:

• Vulnerability scanners, which are computer programs designed to assess security weaknesses in computers, networks, or applications.
• Endpoint protection software, which protects an organization's endpoints, such as servers and personal computers, from malware infections, cyberattacks, and other threats.
• Firewalls, which are network security systems that monitor and control incoming and outgoing network traffic based on predetermined security rules.
• Intrusion detection and intrusion prevention systems, which are network security tools that continuously monitor networks for malicious activity and take action to prevent it.
• Security information and event management (SIEM) platforms, which aggregate log data, security alerts, and events into a centralized platform to conduct real-time analysis for security monitoring and alerts.
• External threat intelligence feeds, which include any actionable threat data collected from third-party vendors to enhance cyber threat response and awareness.

Main benefits of SOAR

SOAR systems enable more effective and efficient incident response via two primary benefits:

• Faster incident response: SOAR helps companies reduce mean time to detect (MTTD) and mean time to restore (MTTR) by reducing the amount of time it takes for security alerts to be qualified and remediated from months or weeks to minutes. SOAR also enables incident response automation via procedures known as playbooks. The actions from this automation include blocking IP addresses on a firewall or IDS system, suspending user accounts, and quarantining infected endpoints from a network.
• Better cybersecurity intelligence: Because SOAR systems can aggregate and analyze data from so many different sources, they enhance the context for all types of cybersecurity threats and reduce false alarms to help security teams work faster rather than harder.

SOAR vs. SIEM

Both SOAR and SIEM deal with data around security threats and enable much better security incident responses.

However, SIEM aggregates and correlates data from multiple security systems to generate alerts, while SOAR acts as the remediation and response engine to those alerts.

To use a car analogy, SIEM is the fuel for the car’s engine and the engine itself is SOAR because it uses the fuel to provide the result and the action and to make everything run automatically.

What to look for in a SOAR tool

Whatever SOAR tool you get, it should be able to:

• Ingest and analyze data and alerts from various security systems.
• Craft and automate workflows that help companies identify, prioritize, investigate, and respond to cybersecurity threats and alerts.
• Easily integrate with other tools to improve operations.
• Perform post-incident analysis to improve response processes and incident response efficiency.
• Automate most security operations to eliminate redundancies and enable security teams to concentrate on the tasks that require more human participation.

Of course, there are more bells and whistles that can be a part of a SOAR system, but consider the list above the must-haves for any SOAR tool.

Real-world SOAR example: Phishing response

Phishing emails are a major threat not only to individuals but also to enterprise security teams, as some of them are crafted well enough to perform high-profile data breaches. With a SOAR system in place, companies can not only fend off phishing attacks but also prevent them from happening in the future.

A SOAR tool examines suspected malicious emails by extracting and analyzing various artifacts, including header information, email addresses, URLs, and attachments. It then triages the threat to determine if it’s a threat at all, and if so, how serious of a threat it is.

If the SOAR tool determines that the email is malicious, it will:

• Block it and any other instances in other mailboxes.
• Prevent executables related to the email from running.
• Block source IP addresses or URLs.
• Quarantine the affected user’s workstation if needed.

Of course, SOAR systems can’t guarantee that they will catch and block every phishing email. If one does get through, case management features allow security teams to investigate what happened and why and use that knowledge to improve their SOAR systems’ threat detection moving forward.

SOAR: The Bottom Line

SOAR systems reduce investigation and response time from hours to minutes. They also greatly reduce organizational risk by using only the highest-quality threat data to streamline security operations. Ultimately, they allow for more strategic allocation of human analysts and human intelligence, enabling companies to maximize their internal resources while minimizing external threats.