What SOAR Brings To The Table For A SOC Admin


Last year, Gartner announced a new cybersecurity technology category called Security Operations, Analytics, and Reporting, which in turn produced the acronym 'SOAR', and in a sense SOAR really can help your CSOC feel like it has wings.

You may have heard people call it SOAPA (security operations analytics platform architecture) instead of SOAR, perhaps because they are trying to punish us with yet more cybersecurity acronyms, but pay them no mind: Gartner calls it SOAR and so shall we.

SOAR is a security reporting and operations platform that uses (machine readable and stateful) data from a wide range of different sources to provide management, analysis and reporting capabilities in support of CSOC analysts. SOAR platforms apply decision making logic, combined with context, to provide formalized workflows and enable the informed prioritization (triage) of remediation tasks. SOAR platforms provide the actionable intelligence that a CSOC team needs to stay on top of their workflow.

What’s The Difference Between SOAR and SIEM?

SIEM has been around for a while now and during that time it has evolved from a security event correlation tool into a security analytics system. Traditionally, SIEM is the practice of aggregating your security logs and events to give you visibility into what is happening in your organization from a security perspective. The evolution of the tools we use is a continuous process, and while alerts on suspicious behavior are necessary, the real goal is to act on an alert as quickly and effectively as possible.

While a traditional SIEM will let you know something is going down on your networks, SOAR platforms enable you to act on that information. SOAR gathers together and consolidates all of the data from your security applications and threat intelligence feeds, but goes a step further than SIEM by enabling you to automate your responses and coordinate automated security tasks across your connected applications and processes.

SOAR enables you to aggregate third-party threat intelligence from multiple sources while giving you the ability to develop playbooks consisting of quality, actionable activities in response to any threats.  

What Does SOAR Bring To The Table For A SOC Admin?

“Information is a source of learning. But unless it is organized, processed, and available to the right people in a format for decision making, it is a burden, not a benefit.” -William Pollard

What is most remarkable about this 19th-century quote is that it succinctly describes a problem that most modern CSOC teams will face at some point. Very often CSOC analysts become overwhelmed by the sheer number of alerts and the volume of information available to them, often spread across different systems. A large part of the average CSOC analyst's time is spent sifting through that information in order to organize and present it in a way that is conducive to decision making. This is where SOAR comes in: it seeks to unburden CSOC analysts from these tasks, freeing them up to focus on higher priority work and delivering a measurable return on investment over a relatively short period of time.

It’s worth mentioning that the best SOAR platforms are those that can demonstrate they are delivering an ROI, and typically you should expect to see a clear 10%+ saving on your team's time. I spoke to Joseph Loomis, Founder & CTO of CyberSponse, and asked him what additional capabilities you would expect to find in a modern SOAR platform. Joe said that an Enterprise SOAR Platform will incorporate and integrate the following sets of capabilities:

  • Threat Intelligence – SOAR integrates with any number of threat intelligence platforms and sources to enable analysts to quickly compare potential threats against known threats.
  • Case Management Based Incident Response – Analysts collect, process and analyze security data, but they need to be able to leverage that in order to prioritize alerts and respond to threats as quickly as possible. The incident response capabilities of a SOAR platform are critical to this.
  • Vulnerability Management – Part of a SOC analyst's job is knowing which alerts need to be prioritized and managed; these decisions are typically driven by the vulnerability management capabilities of a SOAR platform and based on live data.
  • Endpoint Detection & Response – After prioritizing security alerts, security analysts then want to dig deeper into incidents by investigating and monitoring endpoint behavior, making endpoint detection and response (EDR) a critical part of any SOAR platform.
  • Playbook Management – Because SOAR platforms are geared towards incident response, an essential part of SOAR is the ability to create and manage playbooks that align with your incident response policies and streamline your incident response processes.
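To make the capabilities above concrete, here is an added illustration (not code from this post, from CyberSponse, or from any SOAR product) of the decision logic a triage playbook encodes: enrich an alert with threat-intel and vulnerability context, derive a priority, then queue response actions. The alert fields, indicator values (RFC 5737 documentation addresses), CVSS scores and action names are all constructed sample data.

```python
"""Minimal SOAR-style triage playbook (added example, constructed data)."""
from dataclasses import dataclass, field

# Constructed threat-intel feed: indicator -> classification. Not real IoCs.
THREAT_INTEL = {"198.51.100.23": "known-c2", "203.0.113.9": "scanner"}
# Constructed vulnerability-management context: host -> highest open CVSS score.
VULN_CONTEXT = {"ws-finance-07": 9.8, "dev-lab-02": 4.3}


@dataclass
class Alert:
    host: str       # endpoint that raised the alert
    remote_ip: str  # peer address seen in the event
    rule: str       # SIEM rule name that fired


@dataclass
class Case:
    alert: Alert
    priority: str
    enrichment: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)


def enrich(alert):
    """Threat-intel and vulnerability lookups that give the alert its context."""
    return {
        "ti_match": THREAT_INTEL.get(alert.remote_ip),
        "host_cvss": VULN_CONTEXT.get(alert.host, 0.0),
    }


def prioritize(enrichment):
    """Decision logic: a known-C2 indicator on a highly exposed host is critical."""
    if enrichment["ti_match"] == "known-c2" and enrichment["host_cvss"] >= 7.0:
        return "critical"
    if enrichment["ti_match"] or enrichment["host_cvss"] >= 7.0:
        return "high"
    return "low"


def run_playbook(alert):
    """Orchestrate the workflow: open a case, enrich, prioritize, queue actions."""
    case = Case(alert, "low")
    case.enrichment = enrich(alert)
    case.priority = prioritize(case.enrichment)
    case.actions.append("open_case")  # case management always gets a record
    if case.priority == "critical":
        case.actions += ["isolate_endpoint", "collect_edr_timeline", "page_on_call"]
    elif case.priority == "high":
        case.actions += ["collect_edr_timeline", "assign_analyst"]
    else:
        case.actions.append("auto_close_if_no_repeat")
    return case
```

In a real platform each action name would map to a connector call into the EDR, ticketing or paging system; here the queued list is the observable output.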

SOAR – An Essential SOC Component

The constantly growing threat of cyberattack, as well as the administrative burden involved in data security management, is putting pressure on SOCs, which simply cannot afford a data breach or the associated operational disruption and reputational damage.

SOAR provides SOCs with a different approach to the provision of security, one that is unrestricted by manual processes and which leverages automation, predictive analytics and (increasingly) AI to help identify and respond to unauthorized intruders before they manage to get a foothold in the organization's networks. SOAR promises to deliver a way of reducing attacker dwell times (the time it takes to detect a threat after the initial compromise) as well as detection and remediation (containing the threat once it has been identified) times.

By integrating automation, incident management and orchestration processes with visualization and reporting beneath a single pane of glass, SOAR provides a fast and accurate way to process large volumes of alert and log data and helps analysts identify and respond to attacks that may already be underway, acting as a force multiplier for SOC teams and enabling them to become exponentially more efficient in the way they deal with their workflows.

Post provided to you by @InfosecScribe

About CyberSponse, Inc.
CyberSponse Incorporated, a global leader in cyber security automation & orchestration, helps accelerate an organization’s processes, security operations teams and incident responders. The CyberSponse platform enables organizations to seamlessly integrate, automate and playbook their security tool stack, enabling better, faster and more effective security operations. With a global presence, offering an enterprise platform, Cybersponse enables organizations to secure their security operations teams and environments.
