October 12, 2018 Hormazd Romer
Malware, ransomware, phishing, data exfiltration: the list of threats facing SMBs and enterprises seems to grow more daunting every year. Data breaches are up. Attacks are becoming stealthier. IT organizations invest in firewalls and other defenses, but attacks still get through, and many remain undetected for months on end.
To help IT organizations respond to these threats, innovative vendors have created a new type of security system, now commonly known as SOAR. The acronym, coined by Gartner, originally stood for Security Operations, Analytics, and Reporting, but has now been redefined as Security Orchestration, Automation, and Response.
What is a SOAR system? And how should an IT organization go about evaluating one?
Here’s a quick overview of the technology and some distinguishing characteristics among products.
SOAR systems do three main things: they collect and centralize alerts and other threat data from the organization's security tools, they correlate and enrich that data so an analyst has the context needed to judge it, and they orchestrate the remediation steps taken once a threat is confirmed.
From this list, some key features to look for become obvious:
Integration
Since one of the primary benefits of a SOAR is the centralization of alerts and other threat data, a key characteristic for evaluating SOAR systems is breadth of integration. Does the system integrate with a broad range of security tools, including the ones your organization already uses, both to pull in their alerts and to push remediation actions back out to them? If it doesn't integrate with a tool today, can the integration be developed easily and reliably?
Quality of data enrichment
Once data is collected, how well is it correlated and enriched? How much rote research does the system do on its own, sparing analysts the time and trouble of doing this research themselves?
Not requiring programming skills
Few security analysts have extensive training as software programmers. By requiring analysts to program remediation steps or playbooks themselves in Python, some SOAR systems create a new operational hurdle for SOCs attempting to automate their daily work.
One of the most important criteria for evaluating SOAR systems is the degree to which they require analysts to manually inspect data and make decisions—often under stressful conditions—about whether action is required and, if so, what that action entails.
SOAR systems automate the data collection and data enrichment leading up to analysis. They also automate the various steps required to remediate a threat identified through analysis. But they do not automate the analysis itself. And they cannot refine their operations over time by learning automatically from the outcomes of past cases, as artificial intelligence techniques such as machine learning would allow.
A new generation of security systems – you can think of it as “SOAR plus,” if you like – provides all the automation and orchestration of SOAR, but adds automated decision analysis between the data collection and enrichment stage and the threat remediation step.
An Intelligent Security Automation system automates the analysis performed by security analysts, obviating the need for analysts to investigate most alerts at all. The system performs this analysis by automating the analytical steps in the playbook associated with an alert—but without requiring analysts to learn programming.
In addition, the system applies Machine Learning to refine its analysis over time. It also accepts direction from analysts, so that their growing expertise can be used to fine-tune the analysis and remediation of threats.
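The pipeline the preceding paragraphs describe (collect, enrich, decide, remediate), as an added illustration that is not LogicHub's code: a small playbook engine in which enrichment and remediation are automated, and the decision step that a conventional SOAR leaves to the analyst is driven by declarative rules that can be authored without programming. The alerts, threat-intel feed, asset inventory, tool names and every function name are constructed for the example and are assumptions, not anything from the page or the product.

```python
import ipaddress

# Constructed sample alerts, in the shape a firewall or proxy might forward.
SAMPLE_ALERTS = [
    {"id": "A-1", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7", "bytes_out": 52_000_000},
    {"id": "A-2", "src_ip": "10.0.0.9", "dst_ip": "198.51.100.2", "bytes_out": 1_200},
    {"id": "A-3", "src_ip": "10.0.0.5", "dst_ip": "192.0.2.44", "bytes_out": 80_000},
    {"id": "A-4", "src_ip": "10.0.0.9", "dst_ip": "192.168.1.10", "bytes_out": 900_000},
]

# Constructed enrichment sources: a threat-intel feed and an asset inventory.
THREAT_INTEL = {"203.0.113.7": "known-c2", "192.0.2.44": "scanner"}
ASSETS = {
    "10.0.0.5": {"owner": "finance", "criticality": "high"},
    "10.0.0.9": {"owner": "it-lab", "criticality": "low"},
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Declarative decision rules, evaluated top to bottom; the first match wins.
# A "when" key is compared for equality unless it ends in "_gt" or "_lt",
# which test "field greater than" or "field less than" the given value.
DECISION_RULES = [
    {"name": "c2-beacon", "when": {"intel_tag": "known-c2"},
     "verdict": "contain", "actions": ["block_dst_ip", "isolate_host"]},
    {"name": "large-upload-to-scanner", "when": {"intel_tag": "scanner", "bytes_out_gt": 50_000},
     "verdict": "escalate", "actions": ["open_ticket"]},
    {"name": "internal-destination", "when": {"dst_internal": True},
     "verdict": "close", "actions": []},
    {"name": "low-volume-unknown-destination", "when": {"intel_tag": "none", "bytes_out_lt": 10_000},
     "verdict": "close", "actions": []},
]
# Anything no rule covers still goes to a human.
DEFAULT_RULE = {"name": "no-match", "when": {}, "verdict": "review", "actions": ["queue_for_analyst"]}


def enrich(alert):
    """Automated enrichment: the rote lookups an analyst would otherwise do by hand."""
    dst = ipaddress.ip_address(alert["dst_ip"])
    enriched = dict(alert)
    enriched["intel_tag"] = THREAT_INTEL.get(alert["dst_ip"], "none")
    enriched["dst_internal"] = any(dst in net for net in RFC1918)
    enriched["asset"] = ASSETS.get(alert["src_ip"], {"owner": "unknown", "criticality": "unknown"})
    return enriched


def _matches(when, enriched):
    """Evaluate one rule's field tests against an enriched alert."""
    for key, expected in when.items():
        if key.endswith("_gt"):
            if not enriched.get(key[:-3], 0) > expected:
                return False
        elif key.endswith("_lt"):
            if not enriched.get(key[:-3], 0) < expected:
                return False
        elif enriched.get(key) != expected:
            return False
    return True


def decide(enriched, rules=DECISION_RULES):
    """The decision step a conventional SOAR hands to the analyst; here it is rule-driven."""
    for rule in rules:
        if _matches(rule["when"], enriched):
            return rule
    return DEFAULT_RULE


def remediate(enriched, actions):
    """Simulated orchestration: each action is recorded as the call that would go to a tool."""
    targets = {
        "block_dst_ip": ("firewall", enriched["dst_ip"]),
        "isolate_host": ("edr", enriched["src_ip"]),
        "open_ticket": ("ticketing", enriched["id"]),
        "queue_for_analyst": ("soc-queue", enriched["id"]),
    }
    return [{"action": a, "tool": targets[a][0], "target": targets[a][1]} for a in actions]


def run_playbook(alert, rules=DECISION_RULES):
    """Collect -> enrich -> decide -> remediate for a single alert."""
    enriched = enrich(alert)
    rule = decide(enriched, rules)
    return {"alert_id": alert["id"], "rule": rule["name"], "verdict": rule["verdict"],
            "asset_owner": enriched["asset"]["owner"],
            "actions": remediate(enriched, rule["actions"])}


if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(run_playbook(alert))
```

Two design points worth noting. Rules are ordered and the first match wins, so the most severe verdicts must sit at the top; and the default verdict is "review", not "close", so an alert that no rule understands is never silently dropped. Analyst direction, as described above, is simply a new rule placed ahead of the existing ones and passed in as the `rules` argument; the engine itself does not change.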
How much of a difference does Intelligent Security Automation make in the daily work of security analysts? In many SOCs, it turns out to make the SOC ten times more effective than it was when working with a more conventional SOAR system.
Automating the hard part—the scrutiny, comparison, and decision-making that goes into threat analysis—turns out to make a big difference in accelerating threat remediation and ensuring that threats are responded to promptly and consistently.
© 2017-2022 LogicHub®
All Rights Reserved