Malware, ransomware, phishing, data exfiltration–the list of threats facing SMBs and enterprises seems to grow more daunting every year. Data breaches are up. Attacks are becoming stealthier. IT organizations invest in firewalls and other defenses, but still attacks manage to get through. And many continue to get through undetected for months on end.
To help IT organizations respond to these threats, innovative vendors have created a new type of security system, now commonly known as SOAR. The acronym, coined by Gartner, originally stood for Security Operations, Analytics, and Reporting, but has now been redefined as Security Orchestration, Automation, and Response.
What is a SOAR system? And how should an IT organization go about evaluating one?
Here’s a quick overview of the technology and some distinguishing characteristics among products.
SOAR systems do three main things:
- Data collection and enrichment
Through integration using APIs or screen-scraping, a SOAR system collects alerts from the ever-growing collection of security tools deployed in an SMB or enterprise. In addition to collecting alerts, a SOAR system might also automate preliminary analysis of alerts, such as checking to see if specific URLs or IPs are on blacklists. This data collection and data enrichment saves security analysis time.
Once data has been collected and enriched, it’s presented to security analysts for review. The analysts study the alerts, perhaps conduct some investigations on their own, and make a determination about what kind of response, if any, is required. Analysts often base their analysis on “playbooks,” which record a series of steps and decisions to be taken in response to specific situations. Playbooks used to be primarily in the form of written document, but in some SOAR systems, they can be documented online, sometimes enhanced with scripts written in Python.
- Orchestrated responses
Another time-saving feature of SOAR systems is their ability to orchestrate responses to specific types of threats. If an analyst determines that a situation requires a response, the SOAR system can use its integration with security tools to perform a series of steps, such as closing ports, deleting files, and so on. Instead of analysts having to log in and out of tools individually, the SOAR system can coordinate responses, accelerating threat remediation and ensuring that all prescribed steps are performed.
From this list, some key features to look for become obvious:
Since one of the primary benefits of SOARs is the centralization of alerts and other threat data, a key characteristic for evaluating SOAR systems is breadth of integration. Does a system integrate with a broad range of security tools, including the tools your organization uses? If it doesn’t integrate with a tool now, can the integration be developed easily and reliably?
Quality of data enrichment
Once data is collected, how well is it correlated and enriched? How much rote research does the system do on its own, sparing analysts the time and trouble of doing this research themselves?
Not requiring programming skills
Few security analysts have extensive training as software programmers. By requiring analysts to program remediation steps or playbooks themselves in Python, some SOAR systems create a new operational hurdle for SOCs attempting to automate their daily work.
SOAR vs. Intelligent Security Automation
One of the most important criteria for evaluating SOAR systems is the degree to which they require analysts to manually inspect data and make decisions—often under stressful conditions—about whether action is required and, if so, what that action entails.
SOAR systems automate the data collection and data enrichment leading up to analysis. They also automate the various steps required to remediate a threat identified through analysis. But they do not automate the analysis itself. And they cannot refine their operations overtime, automatically taking advantage of results that could be analyzed using artificial intelligence techniques such as machine learning.
A new generation of security systems – you can think of it as “SOAR plus,” if you like – provides all the automation and orchestration of SOAR, but adds automated decision analysis between the data collection and enrichment stage and the threat remediation step.
An Intelligent Security Automation system automates the analysis performed by security analysts, obviating the need for analysts to investigate most alerts at all. The system performs this analysis by automating the analytical steps in the playbook associated with an alert—but without requiring analysts to learn programming.
In addition, the system applies Machine Learning to refine its analysis over time. It also accepts direction from analysts, so that their growing expertise can be used to fine-tune the analysis and remediation of threats.
How much of a difference does Intelligent Security Automation make in the daily work of security analysts? In many SOCs, it turns out to make the SOC ten times more effective than they were when working with a more conventional SOAR system.
Automating the hard part—the scrutiny, comparison, and decision-making that goes into threat analysis—turns out to make a big difference in accelerating threat remediation and ensuring that threats are responded to promptly and consistently.