By: Nihad Hassan
July 15, 2021
Introduction to SOAR
As the world rushes towards complete digitalization, cyberattacks are increasing at an equal speed. According to Cyber Security Ventures, the global cost of cybercrime is projected to reach $10.5 trillion annually by 2025. Cyberattacks are accelerating in both number and sophistication, and cybercriminals constantly pursue new attack techniques to infiltrate even the most protected networks.
Organizations of all sizes and across all industries use many security solutions and tools to protect their IT systems from cyberattacks. Firewalls, IDS/IPS, antivirus and antimalware, and DLP are examples of such solutions. The growing number and complexity of the security solutions deployed in a single IT environment generate a large volume of log data. Analyzing these logs is a daunting task that requires intensive human time and effort. To solve this problem, the SIEM solution was invented.
I already discussed the concept of Security Information and Event Management (SIEM) in two recent articles. The first one, "What is SIEM," introduced the idea and workings of SIEM, while the second, "Best SIEM Tools in 2021," covered the three most popular SIEM solutions. You may wonder why I begin an article about SOAR by talking about SIEM. The reason is that many security professionals still use the names Security Orchestration, Automation, and Response (SOAR) and SIEM interchangeably. Let us first recall the purpose of SIEM solutions.
What is SIEM?
A SIEM solution is an essential element of the data security ecosystem: it gathers log data from different security solutions such as firewalls and IDS/IPS, then analyzes that data to discover abnormal behavior that can signal a potential cyberattack. A SIEM solution collects all log data in one central place so the security team can analyze it and decide on actions accordingly.
The main shortcoming of a SIEM solution lies in the final step of the SIEM process. After collecting and analyzing all the log data, the security team must tune the SIEM software: they need to update the rules and alerts and make sure that normal behavior does not trigger false alerts that look like the suspicious ones. Managing these tasks continually requires an extensive amount of time, which may not always be available.
When configured and managed by an expert team, a SIEM solution offers essential capabilities to an organization's incident response efforts. However, a key question remains: how can a security team respond to the large number of security alerts a SIEM solution generates? This is where SOAR comes in.
What is SOAR?
SOAR is a collection of software tools that collects security threats, alerts, and related data from a wide range of sources. The SOAR solution then combines human expertise with machine-learning algorithms to detect suspicious activity and respond accordingly.
Before SOAR, a security engineer had to review, update, and standardize a set of activities into a digital workflow that defined the required incident response procedures. This process is time-consuming, labor-intensive, and prone to error. SOAR solves this problem by defining a standardized response to security incidents.
Security Orchestration, Automation, and Response
A SOAR solution covers the following three security functions: orchestration, automation, and response.
Security Orchestration
SOAR integrates security tools and technologies from different suppliers to enable automated incident response. This lets SOAR receive and analyze alerts from sources beyond the SIEM, such as:
- Threat intelligence platforms
- Incident response platforms
- Intrusion detection and prevention systems (IDPS)
Gathering threat intelligence from different vendors significantly improves an organization's ability to secure its data, although it also increases the number of false security alerts.
Security Automation
SOAR automatically executes security-related tasks such as vulnerability scanning and log searches without human intervention. The information is gathered automatically from intrusion detection systems and SIEM solutions.
Security Response
With orchestration collecting and analyzing alerts from across the IT environment, SOAR's automation capability defines a standardized incident response to various threats based on predefined policy rules and threat-behavior use cases. For example, a default action can be triggered for a potential vulnerability to prevent attacks; another example is isolating or disconnecting devices to contain a possible attack. Integrating SOAR with an Intrusion Prevention System or Next-Generation Firewall can enable automatic blocking of suspicious traffic, and suspicious (anomalous) user behavior can be automatically mitigated by integrating SOAR with the enterprise identity management system.
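To make the three functions concrete, here is an added example in Python (not code from the article or from any SOAR product) of a toy playbook runner: alerts from a SIEM, an IDPS and a threat-intelligence platform are normalized into one shape (orchestration), enriched and matched against policy rules (automation), and mapped to actions such as blocking an IP or isolating a host (response). The alerts, indicator list, rule set and action names are all constructed for illustration, and the high-impact actions (host isolation, account disabling) are gated behind analyst approval.

```python
# Toy SOAR playbook runner: added example, not code from the article or any product.
from dataclasses import dataclass, field
# Constructed threat-intel feed (documentation-range IPs used as placeholders).
THREAT_INTEL = {"198.51.100.23": "known_c2", "203.0.113.9": "scanner"}

@dataclass
class Alert:
    source: str          # "siem", "idps" or "tip" (threat-intel platform)
    kind: str            # "brute_force", "malware", "anomalous_login", ...
    severity: int        # 1 (low) .. 5 (critical)
    asset: str           # host or user account the alert concerns
    indicator: str = ""  # IP attached to the alert, if any
    tags: list = field(default_factory=list)

def enrich(alert):
    """Orchestration: attach threat-intel context and raise severity on a hit."""
    label = THREAT_INTEL.get(alert.indicator)
    if label:
        alert.tags.append("ti:" + label)
        alert.severity = min(5, alert.severity + 1)
    return alert

RULES = [  # policy rules as (predicate, action, needs_approval); first match wins
    (lambda a: a.kind == "malware" and a.severity >= 4, "isolate_host", True),
    (lambda a: a.kind == "anomalous_login", "disable_account", True),
    (lambda a: a.kind == "brute_force" or any(t.startswith("ti:") for t in a.tags),
     "block_ip", False),
]

def decide(alert):
    """Automation: map an enriched alert to an action; unmatched alerts get a ticket."""
    for matches, action, needs_approval in RULES:
        if matches(alert):
            return action, needs_approval
    return "open_ticket", False

def run_playbook(alerts, approved=frozenset()):
    """Response: one (asset, action, status) per alert; gated actions wait for approval."""
    results = []
    for alert in alerts:
        action, gated = decide(enrich(alert))
        status = "executed" if not gated or alert.asset in approved else "pending_approval"
        results.append((alert.asset, action, status))
    return results

if __name__ == "__main__":  # constructed alerts from three sources
    print(run_playbook([Alert("siem", "brute_force", 3, "vpn-gw", "203.0.113.9"),
                        Alert("idps", "malware", 3, "ws-017", "198.51.100.23"),
                        Alert("siem", "anomalous_login", 3, "jdoe"),
                        Alert("tip", "info", 1, "mail-01")], approved={"ws-017"}))
```

Note that the malware alert only reaches the isolation threshold because threat-intel enrichment raised its severity, and it executes only because the host was on the approved list.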
Why do organizations need SOAR?
Organizations struggle to combat cyberattacks around the clock. The Security Operations Center (SOC) team is flooded with security alerts from various sources. The need to protect sensitive data and to meet regulatory compliance requirements such as PCI DSS and GDPR has forced organizations to deploy different security solutions and appliances from different vendors.
Having many security solutions from multiple vendors makes checking each security log file time-consuming and subject to human error. In such a case, a security team ends up fighting cyberattacks manually because the deployed security tools are not integrated and do not work in harmony. Using SOAR, the security team defines the proper incident handling procedures and lets SOAR carry them out automatically. This increases efficiency and allows security administrators to focus on other essential tasks that require human intervention.
A SOAR solution combined with SIEM allows the security team to automate a great deal of the security-related workload they face each day. SOAR automates repetitive security tasks and frees human time and effort for the critical and sophisticated threats facing an organization.