Malware, ransomware, phishing, data exfiltration: the list of threats facing SMBs and enterprises seems to grow more daunting every year. Data breaches are up. Attacks are becoming stealthier. IT organizations invest in firewalls and other defenses, but attacks still manage to get through. And many continue to get through undetected for months on end.

To help IT organizations respond to these threats, innovative vendors have created a new type of security system, now commonly known as SOAR. The acronym, coined by Gartner, originally stood for Security Operations, Analytics, and Reporting, but has now been redefined as Security Orchestration, Automation, and Response.

What is a SOAR system? And how should an IT organization go about evaluating one?

Here’s a quick overview of the technology and some distinguishing characteristics among products.

SOAR Functionality

SOAR systems do three main things:

  • Data collection and enrichment
    Through integration using APIs or screen-scraping, a SOAR system collects alerts from the ever-growing collection of security tools deployed in an SMB or enterprise. In addition to collecting alerts, a SOAR system might also automate preliminary analysis of alerts, such as checking to see if specific URLs or IPs are on blacklists. This data collection and data enrichment saves security analysts time.
  • Analysis
    Once data has been collected and enriched, it’s presented to security analysts for review. The analysts study the alerts, perhaps conduct some investigations on their own, and make a determination about what kind of response, if any, is required. Analysts often base their analysis on “playbooks,” which record a series of steps and decisions to be taken in response to specific situations. Playbooks used to be primarily in the form of written documents, but in some SOAR systems they can be documented online, sometimes enhanced with scripts written in Python.
  • Orchestrated responses
    Another time-saving feature of SOAR systems is their ability to orchestrate responses to specific types of threats. If an analyst determines that a situation requires a response, the SOAR system can use its integration with security tools to perform a series of steps, such as closing ports, deleting files, and so on. Instead of analysts having to log in and out of tools individually, the SOAR system can coordinate responses, accelerating threat remediation and ensuring that all prescribed steps are performed.
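The three stages above in miniature, as an added example that is not LogicHub's or any product's code: enrichment of collected alerts against a blocklist, a playbook expressed as data rather than as analyst-written scripts, and an orchestration step that turns playbook actions into tool calls. All alerts, indicators, blocklist entries and tool names are constructed stand-ins.

```python
"""Minimal SOAR-style pipeline (added illustration, not any vendor's code):
collect alerts, enrich against a blocklist, run a declarative playbook, orchestrate."""
from dataclasses import dataclass, field

# Constructed blocklists standing in for the enrichment-stage "blacklist" checks.
BLOCKED_IPS = {"203.0.113.7"}                # documentation address, sample only
BLOCKED_URLS = {"http://example.invalid/payload"}

@dataclass
class Alert:
    source: str                              # tool that raised the alert
    kind: str                                # e.g. "outbound_connection"
    indicators: dict                         # raw fields: ip, url, host, path
    enrichment: dict = field(default_factory=dict)

def enrich(alert: Alert) -> Alert:
    """Enrichment: annotate the alert with blocklist hits."""
    alert.enrichment["ip_blocked"] = alert.indicators.get("ip") in BLOCKED_IPS
    alert.enrichment["url_blocked"] = alert.indicators.get("url") in BLOCKED_URLS
    return alert

# Playbook as data, not code: ordered (condition, actions) rules over enrichment
# fields. First match wins; the empty condition is the default rule.
PLAYBOOK = [
    ({"ip_blocked": True},  ["block_ip", "isolate_host", "open_ticket"]),
    ({"url_blocked": True}, ["delete_file", "open_ticket"]),
    ({},                    ["close_as_benign"]),
]

def decide(alert: Alert) -> list[str]:
    """Analysis: actions of the first playbook rule whose condition holds."""
    for condition, actions in PLAYBOOK:
        if all(alert.enrichment.get(k) == v for k, v in condition.items()):
            return actions
    return []

def orchestrate(alert: Alert, actions: list[str]) -> list[str]:
    """Response: map playbook actions to (simulated) tool calls."""
    ind = alert.indicators
    dispatch = {
        "block_ip":        f"firewall.block({ind.get('ip')})",
        "isolate_host":    f"edr.isolate({ind.get('host')})",
        "delete_file":     f"edr.delete({ind.get('host')}, {ind.get('path')})",
        "open_ticket":     f"ticketing.create({alert.source}/{alert.kind})",
        "close_as_benign": "siem.close(alert)",
    }
    return [dispatch[a] for a in actions]

def run_pipeline(alerts: list[Alert]) -> list[list[str]]:
    """Collect -> enrich -> decide -> orchestrate, one action list per alert."""
    return [orchestrate(a, decide(enrich(a))) for a in alerts]
```

Because the playbook is a list of rules rather than a script, an analyst can add or reorder a rule without touching the engine, which is the point the "not requiring programming skills" criterion below makes.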

From this list, some key features to look for become obvious:

  • Integration
    Since one of the primary benefits of SOARs is the centralization of alerts and other threat data, a key characteristic for evaluating SOAR systems is breadth of integration. Does a system integrate with a broad range of security tools, including the tools your organization uses? If it doesn’t integrate with a tool now, can the integration be developed easily and reliably?

  • Quality of data enrichment
    Once data is collected, how well is it correlated and enriched? How much rote research does the system do on its own, sparing analysts the time and trouble of doing this research themselves?

  • Not requiring programming skills
    Few security analysts have extensive training as software programmers. By requiring analysts to program remediation steps or playbooks themselves in Python, some SOAR systems create a new operational hurdle for SOCs attempting to automate their daily work.

SOAR vs. Intelligent Security Automation

One of the most important criteria for evaluating SOAR systems is the degree to which they require analysts to manually inspect data and make decisions—often under stressful conditions—about whether action is required and, if so, what that action entails.

SOAR systems automate the data collection and data enrichment leading up to analysis. They also automate the various steps required to remediate a threat identified through analysis. But they do not automate the analysis itself. And they cannot refine their operations over time by automatically taking advantage of results that could be analyzed using artificial intelligence techniques such as machine learning.

A new generation of security systems – you can think of it as “SOAR plus,” if you like – provides all the automation and orchestration of SOAR, but adds automated decision analysis between the data collection and enrichment stage and the threat remediation step.

An Intelligent Security Automation system automates the analysis performed by security analysts, obviating the need for analysts to investigate most alerts at all. The system performs this analysis by automating the analytical steps in the playbook associated with an alert—but without requiring analysts to learn programming.

In addition, the system applies Machine Learning to refine its analysis over time. It also accepts direction from analysts, so that their growing expertise can be used to fine-tune the analysis and remediation of threats.

How much of a difference does Intelligent Security Automation make in the daily work of security analysts? In many SOCs, it turns out to make the SOC ten times more effective than it was when working with a more conventional SOAR system.

Automating the hard part—the scrutiny, comparison, and decision-making that goes into threat analysis—turns out to make a big difference in accelerating threat remediation and ensuring that threats are responded to promptly and consistently.

