A Security Orchestration, Automation and Response (SOAR) system covers three major functions: response, orchestration and automation of IT security systems.

An information system can quickly become extremely complex: various technologies interact with users who have diverse objectives and skills. Ensuring operational security therefore requires being able to act on these different components at all levels (endpoints, network, access control, etc.) in the most effective and efficient way possible. Over time, technologies have emerged to perform this function: these are SOAR.

What is a SOAR used for?

As its name suggests, a Security Orchestration, Automation and Response system covers three major functions: response, orchestration and automation of computer security systems. Along with SIEM and CTI, this is one of the three main functions of a SOC.

Response

The first mission of a SOAR is to be able to transmit active instructions to other systems. This is particularly useful in an incident response context, when it is necessary to quickly contain the threat or reconfigure the information system in a degraded mode. For this, the SOAR must have a vast catalog of integrations, in order to:
Although some interoperability standards exist, none is truly dominant, and connecting systems, some of them legacy, requires special expertise.

Orchestration

The second mission of a SOAR is to be able to orchestrate these actions, i.e. to control their sequencing so as to make the best use of the available resources to obtain the desired effect. Without this capability, an operator would have to trigger these different sequences manually, one after the other, while trying to respect the procedures in force in the organization. Nowadays, this orchestration capability takes the form of playbooks: scripts describing sequences of responses and procedures. To be accessible to as many people as possible, these playbooks can generally be edited visually, sometimes without entering a single line of code: this is referred to as no-code or low-code SOAR. Note that orchestration does not only concern incident response, but can also be useful in support of investigation:
Automation

Finally, the last major function of a SOAR is to automate everything that can and should be automated. In a large information system, it is not realistic for all actions to be carried out manually, even when orchestrated by playbooks. This matters even more when reflex reactions are required, for example to contain the early stages of an intrusion attempt and neutralize threats before they have an impact. The automation functions of a SOAR can thus range:
Automation is made necessary by the shortage of incident response experts, by the requirement for responsiveness and by the complexity of the supervised systems. However, human action remains crucial: while it is sometimes possible to do without any human intervention, this is still limited to basic responses. Liability and insurance issues further complicate the situation. If the production stoppage of an assembly line was triggered by an automatic mechanism:
While automation has made enormous progress, it remains illusory to do without human intervention entirely.

How does a SOAR work?

A modern SOAR has two main aspects:
The interconnection must allow the SOAR:
This is called the taxonomy of security systems. This module corresponds to the deployment and maintenance phase of the security system. Orchestration is more operations-oriented, since this is where case management is found. But first, playbooks must be accessible or configurable. This module therefore provides a playbook editor and playbook libraries, sometimes collaborative, that are compatible with the taxonomy present in the information system. A playbook that triggers the termination of a process on a compromised endpoint would be useless if no device-steering mechanism is available, for example through an EDR…

How to choose the right SOAR solution?

As the heart of a security operations platform (SecOps), a SOAR should:
However, as the hub of security operations, SOAR technologies are now routinely integrated into SOC platforms, where they natively interface with SIEM and CTI functions. As a result, there are fewer and fewer relevant pure-player products, and those that remain mainly play the role of middleware. SOAR features are now must-haves for operational security solutions. This is the case on SEKOIA.IO: it is not possible to deploy our SOAR module, called Symphony, on its own. It is provided systematically in all our products, from intelligence production with SEKOIA.IO TIP:
What is the main purpose of SOAR?

Security orchestration, automation and response (SOAR) technology helps coordinate, execute and automate tasks between various people and tools, all within a single platform.

What is orchestration in SOAR?

SOAR refers to technologies that enable organizations to collect inputs monitored by the security operations team.

What are the advantages of SOAR systems?

SOAR benefits:
- more strategic allocation of human analysts;
- process and operational efficiencies in alerts and triage;
- faster incident response and remediation;
- centralized and coordinated multivendor security tools and analytics.

What is a common use case for an implementation of SOAR?

Common SOAR use cases often involve incident response automation, such as managing phishing attempts and containing malware. SOAR platforms also expedite security processes like threat hunting and patching/remediation.
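To make the playbook, taxonomy and human-approval points discussed above concrete (orchestration, automation, and the note that a playbook is useless without a matching device-steering capability), here is an added Python example; it is not code from the original page nor from SEKOIA.IO Symphony. The taxonomy, system names, actions and the phishing alert are all constructed: the runner validates a playbook against the declared capabilities, runs reflex steps automatically, and pauses an impacting step until an analyst approves it.

```python
from dataclasses import dataclass, field

# Taxonomy: the capabilities each integrated system exposes to the SOAR (constructed).
TAXONOMY = {
    "edr": {"isolate_host", "kill_process"},
    "mail": {"quarantine_message"},
}

@dataclass
class Step:
    system: str        # integration to call, e.g. "edr"
    action: str        # capability name as declared in the taxonomy
    auto: bool = True  # False: an analyst must approve before the step runs

@dataclass
class Case:
    alert: dict                                  # the triggering alert
    approvals: set = field(default_factory=set)  # "system.action" keys an analyst approved
    executed: set = field(default_factory=set)   # steps already carried out
    log: list = field(default_factory=list)      # audit trail of the case

def validate(playbook, taxonomy=TAXONOMY):
    """Return the steps whose capability no integrated system provides."""
    return [s for s in playbook if s.action not in taxonomy.get(s.system, set())]

def run_playbook(playbook, case, taxonomy=TAXONOMY):
    """Run steps in order; pause at an unapproved manual step and resume later."""
    missing = validate(playbook, taxonomy)
    if missing:
        raise ValueError(f"playbook uses capabilities absent from the taxonomy: {missing}")
    for step in playbook:
        key = f"{step.system}.{step.action}"
        if key in case.executed:
            continue  # resumed case: do not repeat work already done
        if not step.auto and key not in case.approvals:
            case.log.append(("pending_approval", key))
            return "waiting"
        # Simulated connector call; a real SOAR dispatches through its integration.
        case.executed.add(key)
        case.log.append(("executed", key))
    return "done"

# Constructed phishing playbook: reflex steps run automatically, host isolation waits for a human.
PHISHING_PLAYBOOK = [
    Step("mail", "quarantine_message"),
    Step("edr", "kill_process"),
    Step("edr", "isolate_host", auto=False),
]
```

Calling run_playbook twice on the same Case, with the approval added in between, shows the pause-and-resume behaviour of case management without re-executing the automatic steps.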