Security Orchestration, Automation and Response (SOAR) has been getting a lot of attention recently. I thought it would be good to take a moment and discuss what it is and why it is important to the industry.
Gartner was the first to formally define SOAR: “SOAR refers to technologies that enable organizations to collect inputs monitored by the security operations team. For example, alerts from the SIEM system and other security technologies—where incident analysis and triage can be performed by leveraging a combination of human and machine power—help define, prioritize and drive standardized incident response activities. SOAR tools allow an organization to define incident analysis and response procedures in a digital workflow format.”
Basically, Gartner is saying that you first need to get all the security logs into one place, like a SIEM. Then, once they are there, you can create “digital workflows” to respond to incidents. While a SIEM is critical to any organization’s cybersecurity program (because it gets all your security events in one place for analysis), it is reactive by nature. A SIEM doesn’t respond; it tells you what needs to be responded to. This has been a critical gap that IT professionals and service providers have filled: they take the alerts, incidents and notifications that come out of the SIEM and then take action based on what they find.
However, there are two main problems with this. First, the response is typically not fast enough. Second, the IT resources or service providers often don’t have the expertise to respond properly. Speed to resolution is often measured in hours or days, when many attacks can now compromise a system and spread throughout a network within minutes. The last thing people want is a notification that tells them their systems are all encrypted with ransomware without giving them any chance to respond. The only thing worse is not getting notified at all, not that you wouldn’t find out soon enough. So while SIEM is critical, it only solves half the problem. We need faster and more reliable response methods.
SOAR is an approach to Security Orchestration (meaning getting the systems to talk to one another) so that actions can be taken in an Automated way for Response. Unfortunately, this is easier said than done. Most networks are very disparate in terms of network hardware and software and the variety of vendors and technologies that are used. Getting systems to “talk” to one another is a major challenge, one in which some SOAR technology vendors are making headway. An additional hurdle is giving access to third-party service providers.
Even with systems “talking”, you then need playbooks for each action you want to take under the various scenarios. These playbooks need to be written for your specific environment. Automated actions that work great for one company may be a disaster for another. Some of these actions may be fully automated; others may need to be seen by human eyes before action is taken. But if you are adding people back into the mix, aren’t you defeating the goal of quick response? Yes! And yet, that is where we are today. Anyone who believes that SOAR will cut out the need for expert analyst review is living in a fantasy world. That doesn’t mean SOAR doesn’t provide real value here and now. It can, when used properly (which I will talk about in another post).
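To make the playbook idea concrete, here is a small added example of a SOAR-style playbook runner with the analyst gate the paragraph above describes. It is illustrative code written for this post, not StratoZen’s product or any vendor’s API: the alerts, hostnames, TEST-NET IP addresses, the `CROWN_JEWELS` asset list and the stand-in action functions are all constructed. The environment-specific policy is the point: the same ransomware playbook isolates a workstation automatically but holds the disruptive step for a human when the target is a critical asset, and alerts with no matching playbook fall back to manual triage, which is the SIEM-only situation the post describes.

```python
"""Toy SOAR playbook runner with human-in-the-loop gates (added example).
Not StratoZen's or any vendor's code; every alert, host, IP and asset below
is constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, List

# Constructed, environment-specific policy: assets whose isolation would halt a
# business process. A step that is safe for workstations is a disaster here.
CROWN_JEWELS = {"db-prod-01", "dc-01"}


@dataclass
class Step:
    name: str
    action: Callable[[dict], dict]  # stand-in for a firewall/EDR/IdP connector
    auto: bool                      # may run without an analyst looking first
    disruptive: bool = False        # can break service if run on the wrong asset


@dataclass
class Playbook:
    scenario: str
    matches: Callable[[dict], bool]
    steps: List[Step]


@dataclass
class Result:
    alert_id: str
    executed: List[dict] = field(default_factory=list)
    pending_review: List[dict] = field(default_factory=list)


# Stand-in actions: each returns a record of what a real connector would do.
def enrich(alert: dict) -> dict:
    return {"action": "enrich", "host": alert["host"],
            "critical_asset": alert["host"] in CROWN_JEWELS}

def block_ip(alert: dict) -> dict:
    return {"action": "block_ip", "ip": alert["src_ip"]}

def isolate_host(alert: dict) -> dict:
    return {"action": "isolate_host", "host": alert["host"]}

def disable_account(alert: dict) -> dict:
    return {"action": "disable_account", "user": alert["user"]}


def needs_review(step: Step, alert: dict) -> bool:
    """Analyst gate: non-automatic steps always wait, and disruptive steps
    wait whenever the target is a crown-jewel asset."""
    return (not step.auto) or (step.disruptive and alert["host"] in CROWN_JEWELS)


def run_playbook(pb: Playbook, alert: dict) -> Result:
    result = Result(alert_id=alert["id"])
    for step in pb.steps:
        if needs_review(step, alert):
            result.pending_review.append({"step": step.name, "host": alert["host"]})
        else:
            result.executed.append(step.action(alert))
    return result


def triage(alerts: List[dict], playbooks: List[Playbook]) -> List[Result]:
    """Route each SIEM alert to the first matching playbook; an alert with no
    playbook is queued for manual triage instead of being dropped."""
    results = []
    for alert in alerts:
        pb = next((p for p in playbooks if p.matches(alert)), None)
        if pb is None:
            results.append(Result(alert_id=alert["id"], pending_review=[
                {"step": "manual_triage", "host": alert["host"]}]))
        else:
            results.append(run_playbook(pb, alert))
    return results


PLAYBOOKS = [
    Playbook("ransomware", lambda a: a["rule"] == "ransomware_behavior", [
        Step("enrich", enrich, auto=True),
        Step("block_ip", block_ip, auto=True),
        Step("isolate_host", isolate_host, auto=True, disruptive=True),
    ]),
    Playbook("brute_force", lambda a: a["rule"] == "brute_force", [
        Step("block_ip", block_ip, auto=True),
        Step("disable_account", disable_account, auto=False),
    ]),
]

# Constructed SIEM alerts (TEST-NET addresses, fictional hosts and users).
SAMPLE_ALERTS = [
    {"id": "A1", "rule": "ransomware_behavior", "host": "ws-1042", "src_ip": "203.0.113.5", "user": "alice"},
    {"id": "A2", "rule": "ransomware_behavior", "host": "db-prod-01", "src_ip": "203.0.113.5", "user": "svc-db"},
    {"id": "A3", "rule": "brute_force", "host": "vpn-01", "src_ip": "198.51.100.7", "user": "jdoe"},
    {"id": "A4", "rule": "unknown_anomaly", "host": "ws-2001", "src_ip": "198.51.100.9", "user": "bob"},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS, PLAYBOOKS):
        print(r.alert_id, "executed:", [e["action"] for e in r.executed],
              "pending:", [p["step"] for p in r.pending_review])
```

Running it shows the four outcomes side by side: A1 is fully automated, A2 executes enrichment and the firewall block but parks host isolation for an analyst, A3 blocks the source but waits before disabling the account, and A4 goes straight to a human. Whether `isolate_host` is marked `auto` and which hosts sit in `CROWN_JEWELS` are exactly the per-environment decisions the text says cannot be copied from one company to another.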
Kevin Prince, Founder and CEO, StratoZen
Security 2020 author Kevin Prince is the founder and CEO of StratoZen, providing managed threat detection, response, and compliance solutions to organizations around the globe. With years of cybersecurity experience under his belt, Kevin is also the former CTO of Compushare (now Finastra) and Perimeter eSecurity (now BAE Systems). Before founding StratoZen, Kevin also founded Red Cliff Solutions, a financial services MSSP and served as a former trainer to FDIC, NCUA and FFIEC auditors.