SOAR (security orchestration, automation and response) is a stack of compatible software programs that enables an organization to collect data about security threats and respond to low-level security events with little or no human assistance. The goal of using a SOAR platform is to improve the efficiency of physical and digital security operations.
What is SOAR?

SOAR platforms have three main components: security orchestration, security automation and security response.

Security orchestration

Security orchestration connects and integrates disparate internal and external tools via built-in or custom integrations and application programming interfaces (APIs). Connected systems may include vulnerability scanners, endpoint protection products, end-user behavior analytics, firewalls, intrusion detection and intrusion prevention systems (IDSes/IPSes) and security information and event management (SIEM) platforms, as well as external threat intelligence feeds. Gathering all of this data improves the chance of detecting threats and gives analysts more thorough context and better collaboration. The tradeoff is more alerts and more data to ingest and analyze. Where security orchestration consolidates data to initiate response functions, security automation takes action.

Security automation

Security automation, fed by the data and alerts that orchestration collects, ingests and analyzes that data and turns repeated manual processes into automated ones. Tasks previously performed by analysts, such as vulnerability scanning, log analysis, ticket checking and auditing, can be standardized and executed automatically by the SOAR platform. Using artificial intelligence (AI) and machine learning to learn from analysts' past decisions, SOAR automation can make recommendations and automate future responses; where human judgment is needed, it can instead escalate the threat to an analyst.

Playbooks are essential to SOAR success. Prebuilt or customized playbooks are predefined sequences of automated actions, and multiple playbooks can be chained to complete complex actions.
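The following is an added example, not code from the original page or from any SOAR vendor, that shows what a chained playbook looks like in code for the phishing-URL scenario the article uses. The connectors (mail gateway, firewall, user notifier, case manager) are in-memory stand-ins for the tool APIs an orchestration layer would call, and every alert, mailbox entry, IP address and threat-intel entry below is constructed. Function names such as enrich, contain, hunt_similar and phishing_url_playbook are this example's own, not a product API.

```python
"""Minimal SOAR-style playbook runner for a malicious-URL-in-email alert.

Added example, not code from the original page or any SOAR product.
Connectors are in-memory stand-ins for real tool integrations, and all
sample data (alerts, mailboxes, intel feed) is constructed for the demo.
"""
from dataclasses import dataclass, field


@dataclass
class Alert:
    """Alert as an email-security scanner might hand it to the SOAR platform."""
    email_id: str
    recipient: str
    sender_ip: str
    url: str


@dataclass
class Connectors:
    """Stand-ins for the integrated tools; state lives in plain containers."""
    mailboxes: dict                       # recipient -> list of (email_id, url)
    threat_intel: set                     # URLs the (constructed) intel feed flags
    quarantined: list = field(default_factory=list)   # mail gateway
    blocklist: set = field(default_factory=set)       # firewall
    notifications: list = field(default_factory=list) # user notifier
    cases: list = field(default_factory=list)         # case manager


def enrich(alert, c):
    """Orchestration step: add context from the external threat-intel feed."""
    return "malicious" if alert.url in c.threat_intel else "unknown"


def contain(alert, c):
    """Automation step: block the email, warn the user, blocklist the sender IP."""
    c.quarantined.append(alert.email_id)
    c.notifications.append((alert.recipient, f"Phishing attempt quarantined: {alert.url}"))
    c.blocklist.add(alert.sender_ip)
    return ["quarantine", "notify", "block_ip"]


def hunt_similar(alert, c):
    """Chained follow-up playbook: quarantine the same URL in every other inbox."""
    found = []
    for _recipient, items in c.mailboxes.items():
        for email_id, url in items:
            if url == alert.url and email_id != alert.email_id:
                c.quarantined.append(email_id)
                found.append(email_id)
    return found


def phishing_url_playbook(alert, c):
    """Run the response and return a summary an analyst console could display.

    If the URL is not confirmed malicious the playbook does not act on its
    own: it opens a case so a human decides, which is the escalation path
    the article describes.
    """
    verdict = enrich(alert, c)
    if verdict != "malicious":
        c.cases.append({"email_id": alert.email_id, "reason": "unverified URL"})
        return {"verdict": verdict, "actions": ["open_case"], "hunted": []}
    actions = contain(alert, c)
    hunted = hunt_similar(alert, c)
    c.cases.append({"email_id": alert.email_id, "reason": "auto-contained", "hunted": hunted})
    return {"verdict": verdict, "actions": actions, "hunted": hunted}


def build_connectors():
    """Constructed sample state: three mailboxes and a one-entry intel feed."""
    return Connectors(
        mailboxes={
            "alice@example.com": [("m1", "http://login-example.invalid/reset")],
            "bob@example.com": [("m2", "http://login-example.invalid/reset"),
                                ("m3", "http://intranet.example.com/wiki")],
            "carol@example.com": [("m4", "http://deals-example.invalid/offer")],
        },
        threat_intel={"http://login-example.invalid/reset"},
    )


def demo():
    """Run one confirmed-malicious alert and one unverified alert."""
    c = build_connectors()
    known = phishing_url_playbook(
        Alert("m1", "alice@example.com", "203.0.113.7", "http://login-example.invalid/reset"), c)
    unknown = phishing_url_playbook(
        Alert("m4", "carol@example.com", "198.51.100.9", "http://deals-example.invalid/offer"), c)
    return known, unknown, c


if __name__ == "__main__":
    known, unknown, c = demo()
    print(known)          # malicious: quarantine, notify, block_ip; hunted m2 from bob's inbox
    print(unknown)        # unknown: only a case is opened for an analyst
    print(c.blocklist, c.quarantined)
```

The point of the structure is that each connector call is small and replaceable: a real deployment swaps the in-memory containers for API clients without changing the playbook logic, and the "unknown" branch is what keeps automation from acting on a verdict it cannot justify.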
For example, if a malicious Uniform Resource Locator (URL) is found in an employee email and identified during a scan, a playbook can block the email, alert the employee to the potential phishing attempt and blocklist the sender's Internet Protocol (IP) address. SOAR tools can also trigger follow-up investigative actions by the security team if necessary; in the phishing example, follow-up could include searching other employees' inboxes for similar emails and, if any are found, blocking them and their sender IP addresses as well.

Security response

Security response offers analysts a single view into the planning, managing, monitoring and reporting of the actions carried out once a threat is detected. It also covers post-incident activities, such as case management, reporting and threat intelligence sharing.

Benefits of SOAR

SOAR platforms offer many benefits for enterprise security operations (SecOps) teams, including the following:
SOAR challenges

SOAR is not a silver bullet, nor is it a standalone system. SOAR platforms should be part of a defense-in-depth strategy, not least because they depend on input from other security systems to detect threats at all. SOAR does not replace other security tools; it complements them. Nor does it replace human analysts; it augments their skills and workflows for more effective incident detection and response. Some other potential drawbacks of SOAR include the following:
Important SOAR capabilities

The term, coined by Gartner in 2015, initially stood for security operations, analytics and reporting. Gartner updated it to its current expansion in 2017 and defined SOAR's three main capabilities as the following:
Gartner expanded the definition further, refining SOAR's technology convergence to the following:
SOAR vs. SIEM

While SOAR and SIEM platforms both aggregate data from multiple sources, the terms are not interchangeable. SIEM systems collect data, identify deviations, rank threats and generate alerts. SOAR systems overlap with these tasks but add capabilities of their own. First, SOAR platforms integrate with a wider range of internal and external applications, both security and nonsecurity. Second, whereas a SIEM system only alerts security analysts to a potential event, a SOAR platform uses automation, AI and machine learning to add context to those alerts and to respond to them automatically. Many companies use SOAR services to augment in-house SIEM software. Many SIEM vendors already offer SOAR capabilities in their SIEM products, and the two product lines are expected to continue converging. Other products, such as email security gateways, endpoint detection and response (EDR), network detection and response (NDR) and extended detection and response (XDR), are also adopting SOAR capabilities.

SOAR vendors

Gartner's 2020 SOAR market guide provides a list of representative vendors and their products, including the following:
This was last updated in March 2021