Security Orchestration, Automation and Response (SOAR) is an innovative approach to incident response (IR) and post-incident recovery that relies on automated security processes and protocols. The SOAR concept was introduced by Gartner, who proposed a system to reduce the workload of IR and SOC teams, to close the gap between MTTD (Mean Time to Detect) and MTTR (Mean Time to Respond), and to give companies a low-cost, automated way to respond to and mitigate events. In this article, we are going to talk about the key characteristics of SOAR, preventive and reactive cybersecurity, best practices and, of course, the advantages and disadvantages of adopting a SOAR-type approach, with a few real-life examples. Enjoy!
What is security orchestration automation and response?
To begin with, let’s quote Gartner on this one. According to the Peer Insights section on Security Orchestration, Automation and Response Solutions, SOAR is a technology
(…) which enables organizations to take input from a variety of sources (mostly from security information and event management [SIEM] systems) and implement workflows aligned with processes and procedures. These can be orchestrated through integration with other technologies and can be done automatically to achieve desired results and greater visibility. Additional capabilities include case and incident management features; threat intelligence, dashboard and reporting capabilities; and analytics that can be applied across a variety of functions. SOAR tools significantly improve security operations activities such as threat detection and response by providing machine-driven assistance to human analysts to improve the efficiency and consistency of people and processes.
Sounds like a mouthful, doesn’t it? Don’t worry, I’ll break it down for you. Let’s start with the data collection bits. SOAR allows data to be collected from multiple sources. For example, if your company already runs a SIEM, the newly implemented system will collect and consolidate data from that source.
The same applies to third-party, open-source or proprietary data collection tools. Why bother with SOAR if you already have a SIEM? Mostly because SOAR systems are designed to automatically fetch data and feed it into a single dashboard. This data comes in all shapes and sizes: network traffic data, host-level data, threat intelligence (e.g., TTPs, IOAs, IOCs), DNS, and more. Having all your eggs in one basket makes your job easier and more efficient, doesn’t it?
So far, we have established that SOAR plays a key role in data collection and aggregation, but that is only one of the things such a system can do. In IR (Incident Response), getting accurate data quickly is crucial; it can make the difference between a blip on the alert dashboard and a full-blown data breach. Of course, everything I’ve said so far makes SOAR sound like just another fancy name for SIEM. Here’s where it gets interesting: based on the collected information, a SOAR system allows you to set up various security-based automations. In other words, it automates your incident response. Here’s a quick example: imagine a phishing email popping up in an inbox.
What is the best course of action? Common sense says the mail should be segregated, sent to the SOC for further investigation, triaged, analyzed, documented and acted upon based on the data collected. What if I told you that you could do all of this without lifting a finger? Yes, you guessed it; the answer is Security Orchestration, Automation and Response. The system owner can define case-specific scenarios that dictate how to respond at each stage of the incident.
For example, in a SOAR-type environment, the phishing email will be automatically quarantined on delivery and the affected machine will be isolated to prevent LM (i.e., lateral movement) across the network. The system can also perform clean-up actions automatically (e.g., delete suspicious attachments, blacklist the sender’s IP, prevent executables from running, and block any malicious URLs). That is one application of SOAR; there are many more.
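The phishing playbook described above, written out as a small decision routine (an added example, not code from the original article or from any SOAR product; the threat-intel sets, IP addresses, domains and action names are all constructed for illustration):

```python
from dataclasses import dataclass

# Constructed threat-intelligence feeds (hypothetical values; 203.0.113.0/24 is a
# documentation range and .invalid is a reserved TLD).
KNOWN_BAD_IPS = {"203.0.113.45"}
KNOWN_BAD_DOMAINS = {"login-example.invalid"}
EXEC_EXTENSIONS = (".exe", ".scr", ".js")


@dataclass
class PhishAlert:
    """The fields a mail gateway or SIEM would hand to the playbook (constructed)."""
    message_id: str
    sender_ip: str
    recipient_host: str
    attachments: list
    urls: list


def enrich(alert: PhishAlert) -> list:
    """Enrichment stage: compare the alert with the feeds and return the reasons it matched."""
    reasons = []
    if alert.sender_ip in KNOWN_BAD_IPS:
        reasons.append("sender_ip_in_ti")
    for url in alert.urls:
        host = url.split("//", 1)[-1].split("/", 1)[0]
        if host in KNOWN_BAD_DOMAINS:
            reasons.append("bad_url:" + host)
    for name in alert.attachments:
        if name.lower().endswith(EXEC_EXTENSIONS):
            reasons.append("exec_attachment:" + name)
    return reasons


def run_playbook(alert: PhishAlert) -> list:
    """Response stage: map findings to an ordered list of actions (names are hypothetical)."""
    reasons = enrich(alert)
    if not reasons:
        # Nothing confirmed: log it and leave the decision to a human analyst.
        return ["log_only", "escalate_to_soc"]
    actions = ["quarantine_message:" + alert.message_id]
    if any(r.startswith("exec_attachment:") for r in reasons):
        actions.append("isolate_host:" + alert.recipient_host)  # stop lateral movement
        actions.append("delete_attachments")
    if "sender_ip_in_ti" in reasons:
        actions.append("block_sender_ip:" + alert.sender_ip)
    actions += ["block_url:" + r.split(":", 1)[1] for r in reasons if r.startswith("bad_url:")]
    actions.append("open_case")  # hand the documented incident to the SOC
    return actions
```

Unmatched alerts are deliberately escalated rather than auto-closed, which mirrors the point made later in the article that SOAR handles the low-level cases and the SOC still decides the rest.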
Now here’s the big question: why should I hire and fund a full SOC team when I can implement a SOAR system? SOAR is a great resource for any company looking for something extra in terms of security, but it should never be used as a replacement for a SOC. SOAR is designed to deal with low-level events (e.g., phishing attempts, volumetric attacks, viruses, common Trojans) and, of course, to handle most of the data collection and interpretation. So, if you hit something more serious, you will still need that team.
Advantages and disadvantages, and components
Now that we’ve covered some of the basics, let’s talk about SOAR elements and some yeas and nays.
There are five main components to a security orchestration automation and response system.
- Data input and processing. As you can guess, the first (and most important) SOAR component is the one that helps us retrieve and centralize information. This data comes from virtually every corner of your company: machines, IoT or mobile devices, email, IM-type comms, network devices, user profiles, etc. Of course, at this point the administrator should set some data-collection boundaries: what to collect, when to collect it, how much to collect, where to store that collection, what to analyze, how to analyze it, and the list goes on.
- Workflow. This is automation at its best: every imaginable SOAR-type process can go into a workflow and therefore become automated, which means less time spent on repetitive or minor tasks.
- Incident Management (IM). This is where the fun begins; incident management elements are used to determine the response to events and the flow of incident recovery. In technical lingo, these are called “playbooks” and are used to deal with every possible situation.
- Threat intelligence. No SOAR or SIEM should be without threat intelligence; why bother treating a condition if you don’t know the underlying cause?
- Information sharing. An extra eye is always welcome, especially when you are dealing with malware. SOAR solutions typically include certain types of data sharing systems that allow members to review available information.
Now that we’ve covered the elements, let’s look at the pros and cons.
Advantages:
- Increased visibility.
- Ability to automate workflow.
- Ability to script and auto-respond.
- Less time is spent on monotonous work.
- Great for companies that can’t afford an in-house SOC team.
- The information is displayed in one place.
Disadvantages:
- SOAR solutions are difficult to establish.
- Finding the baseline metrics is challenging.
- Works only for low-level events.
- The results still need to be measured by a human team.
Best Practices, Tips and Parting Thoughts
SOAR is an incredibly flexible threat identification and mitigation tool that is bound to make a strong statement in the years to come. This wraps up my article on Security Orchestration Automation and Response. But before I go, here are a few things you should keep in mind before deploying SOAR.
- Baselines and values. To get a detection and response baseline, you will need some reference values. In fact, everything in SOAR revolves around these standards: the script, the playbook, the method, and even the code itself. These values should be set before the solution is implemented. Talk to the CIO and IT admins before taking the leap, and keep to a clear and concise convention.
- Data hygiene. Don’t let that information simply pile up. Keep data-cleaning procedures in place and determine what to discard and what to keep.
- Human handler. Although the whole idea behind Security Orchestration Automation and Response is to reduce (or isolate) reliance on the human factor, it is always a good idea to have someone review the data and adapt it to the workflow and playbook from time to time.
- SOAR + SOC. It may sound like overkill, especially when you consider the financial aspects, but you can run a SOAR and a SOC team for your company. Heimdal™ Security’s Extended Detection and Response (XDR) centralized monitoring and incident response hub gives you the ability to detect, respond and mitigate like an in-house SOC team.