Malware, ransomware, phishing, data exfiltration: the list of threats facing SMBs and enterprises seems to grow more daunting every year. Data breaches are up. Attacks are becoming stealthier. IT organizations invest in firewalls and other defenses, yet attacks still get through, and many go undetected for months on end.

To help IT organizations respond to these threats, innovative vendors have created a new type of security system, now commonly known as SOAR. The acronym, coined by Gartner, originally stood for Security Operations, Analytics, and Reporting, but has now been redefined as Security Orchestration, Automation, and Response.

What is a SOAR system? And how should an IT organization go about evaluating one?

Here’s a quick overview of the technology and some distinguishing characteristics among products.

SOAR Functionality

SOAR systems do three main things:

  • Data collection and enrichment
    Through integration using APIs or screen-scraping, a SOAR system collects alerts from the ever-growing collection of security tools deployed in an SMB or enterprise. In addition to collecting alerts, a SOAR system might also automate preliminary analysis of alerts, such as checking whether specific URLs or IPs appear on blacklists. This data collection and data enrichment saves analysts time.
  • Analysis
    Once data has been collected and enriched, it is presented to security analysts for review. The analysts study the alerts, perhaps conduct some investigations of their own, and make a determination about what kind of response, if any, is required. Analysts often base their analysis on “playbooks,” which record a series of steps and decisions to be taken in response to specific situations. Playbooks used to be primarily written documents, but in some SOAR systems they can be maintained online, sometimes enhanced with scripts written in Python.
  • Orchestrated responses
    Another time-saving feature of SOAR systems is their ability to orchestrate responses to specific types of threats. If an analyst determines that a situation requires a response, the SOAR system can use its integrations with security tools to perform a series of steps, such as closing ports, deleting files, and so on. Instead of analysts having to log in and out of tools individually, the SOAR system coordinates the response, accelerating threat remediation and ensuring that all prescribed steps are performed.
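To make the three stages concrete, here is a small playbook-as-code pipeline: it collects alerts from several (fictional) tools, enriches each one with blocklist and address-range lookups, runs the playbook's decision rules, and then drives the prescribed response through tool adapters. This is an added example written for this page, not code from the article or from any SOAR product; the alerts, the blocklists, the internal address ranges and the tool adapters are all constructed stand-ins for real integrations, and the field names are assumed.

```python
"""Minimal SOAR-style pipeline: collect, enrich, decide via playbook, orchestrate.
Added example for illustration only; not code from the article or any product.
Alerts, blocklists, address ranges and tool adapters are constructed stand-ins."""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress

# Constructed threat-intel blocklists (stand-ins for a reputation feed or API).
IP_BLOCKLIST = {"203.0.113.45", "198.51.100.7"}
URL_BLOCKLIST = {"http://malicious.example/payload.exe"}
# Constructed internal address space for this fictional organization.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12")]
# Constructed alerts as different tools might emit them; field names are assumed.
SAMPLE_ALERTS = [
    {"source": "edr", "host": "ws-1042", "ip": "203.0.113.45",
     "url": None, "severity": "medium"},
    {"source": "proxy", "host": "ws-0077", "ip": "192.0.2.10",
     "url": "http://malicious.example/payload.exe", "severity": "low"},
    {"source": "firewall", "host": "ws-0015", "ip": "10.0.0.5",
     "url": None, "severity": "low"},
    {"source": "firewall", "host": "ws-0301", "ip": "198.51.100.200",
     "url": None, "severity": "low"},
]

@dataclass
class Alert:
    source: str
    host: str
    ip: str
    url: Optional[str]
    severity: str
    enrichment: dict = field(default_factory=dict)
    verdict: str = "undetermined"
    actions: list = field(default_factory=list)

def collect(raw_alerts):
    """Collection: normalize records from heterogeneous tools into one shape."""
    return [Alert(a["source"], a["host"], a["ip"], a.get("url"), a["severity"])
            for a in raw_alerts]

def enrich(alert):
    """Enrichment: the rote lookups an analyst would otherwise do by hand."""
    addr = ipaddress.ip_address(alert.ip)
    alert.enrichment["ip_on_blocklist"] = alert.ip in IP_BLOCKLIST
    alert.enrichment["url_on_blocklist"] = alert.url in URL_BLOCKLIST
    alert.enrichment["ip_is_internal"] = any(addr in net for net in INTERNAL_NETS)
    return alert

def playbook_decide(alert):
    """Playbook as code: an ordered series of decisions; the first match wins."""
    e = alert.enrichment
    if e["ip_on_blocklist"] or e["url_on_blocklist"]:
        alert.verdict = "malicious"
        alert.actions = ["isolate_host", "block_ioc", "open_ticket"]
    elif e["ip_is_internal"] and alert.severity == "low":
        alert.verdict = "benign"
        alert.actions = ["close_alert"]
    else:
        alert.verdict = "escalate"   # unknown external contact: a human decides
        alert.actions = ["open_ticket"]
    return alert

class ToolAdapters:
    """Stand-in integrations: a real SOAR would call each tool's API here;
    this version only records what it would have done."""
    def __init__(self):
        self.log = []
    def isolate_host(self, alert):
        self.log.append(("edr", "isolate", alert.host))
    def block_ioc(self, alert):
        ioc = alert.ip if alert.enrichment["ip_on_blocklist"] else alert.url
        self.log.append(("firewall", "block", ioc))
    def open_ticket(self, alert):
        self.log.append(("ticketing", "create", f"{alert.host}:{alert.verdict}"))
    def close_alert(self, alert):
        self.log.append(("siem", "close", alert.host))

def orchestrate(alert, tools):
    """Response: run every prescribed action in order so none is skipped."""
    for action in alert.actions:
        getattr(tools, action)(alert)
    return alert

def run_pipeline(raw_alerts, tools=None):
    """Full pipeline; returns the decided alerts and the actions taken."""
    tools = tools or ToolAdapters()
    results = [orchestrate(playbook_decide(enrich(a)), tools)
               for a in collect(raw_alerts)]
    return results, tools.log

if __name__ == "__main__":
    decided, actions_taken = run_pipeline(SAMPLE_ALERTS)
    for r in decided:
        print(f"{r.source:9}{r.host}: {r.verdict:10}{r.actions}")
    for entry in actions_taken:
        print("   ", entry)
```

The point of the structure is that the playbook's decisions live in one ordered function that any analyst can read, while every tool-specific detail is isolated behind an adapter; swapping the fictional adapters for real API clients changes nothing in the decision logic, and the response step runs the prescribed actions in order rather than relying on an analyst to remember each one.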

From this list, some key features to look for become obvious:

  • Integration
    Since one of the primary benefits of SOARs is the centralization of alerts and other threat data, a key characteristic for evaluating SOAR systems is breadth of integration. Does a system integrate with a broad range of security tools, including the tools your organization uses? If it doesn’t integrate with a tool now, can the integration be developed easily and reliably?

  • Quality of data enrichment
    Once data is collected, how well is it correlated and enriched? How much rote research does the system do on its own, sparing analysts the time and trouble of doing this research themselves?

  • Not requiring programming skills
    Few security analysts have extensive training as software programmers. By requiring analysts to program remediation steps or playbooks themselves in Python, some SOAR systems create a new operational hurdle for SOCs attempting to automate their daily work.

SOAR vs. Intelligent Security Automation

One of the most important criteria for evaluating SOAR systems is the degree to which they require analysts to manually inspect data and make decisions—often under stressful conditions—about whether action is required and, if so, what that action entails.

SOAR systems automate the data collection and data enrichment leading up to analysis. They also automate the various steps required to remediate a threat identified through analysis. But they do not automate the analysis itself. And they cannot refine their operations over time by learning automatically from past results, as artificial intelligence techniques such as machine learning would allow.

A new generation of security systems – you can think of it as “SOAR plus,” if you like – provides all the automation and orchestration of SOAR, but adds automated decision analysis between the data collection and enrichment stage and the threat remediation step.

An Intelligent Security Automation system automates the analysis performed by security analysts, obviating the need for analysts to investigate most alerts at all. The system performs this analysis by automating the analytical steps in the playbook associated with an alert—but without requiring analysts to learn programming.

In addition, the system applies Machine Learning to refine its analysis over time. It also accepts direction from analysts, so that their growing expertise can be used to fine-tune the analysis and remediation of threats.

How much of a difference does Intelligent Security Automation make in the daily work of security analysts? In many SOCs, it turns out to make the team ten times more effective than it was when working with a more conventional SOAR system.

Automating the hard part—the scrutiny, comparison, and decision-making that goes into threat analysis—turns out to make a big difference in accelerating threat remediation and ensuring that threats are responded to promptly and consistently.
