Many organisations today want to harness the power of automation to rid themselves of redundant and tedious tasks. Triaging alerts into incidents, or initiating the overly complex process of blocking a known threat actor on the perimeter, takes a lot of time, and these tasks can easily be handed to an automation solution that frees up the security team's valuable resources.
Irrespective of how complex the SOC believes a process is, any manual task can become an SLA blocker. Similarly, communicating a single task between more than one team can take up too much time and too many resources. Moreover, it’s counterproductive, because the whole idea of having cyber security in place is to ensure that we either beat the attacker to it – in an ideal world – or at least reduce the risk to a minimum. The longer this process takes, the higher the risk.
Thankfully there is a solution to this problem; we just need to know where and how to use it. Security orchestration, automation, and response (SOAR) was not built to replace any existing cyber security solutions. It is there to enhance the controls and processes built around those technologies by enabling them to collaborate automatically. The idea behind this ingenious tool is to let cyber security practitioners apply their minds only once; thereafter the decision becomes part of an orchestrated, automatic response. This enables the team to focus on new and emerging threats instead of constantly circling back to the legacy threats that keep rearing their ugly heads. In turn, this improves SLAs and makes the organisation's controls more proactive.
The central component of today's next-generation SOC is SOAR, because of its ability to automatically execute a process (workflow) while having the necessary integrations into the various solutions involved in that process. This allows SOAR to make decisions based on playbooks, which reduces the mean time to respond. This matters when we consider the process an analyst needs to follow during a single incident, and how much time is spent notifying the team of the event, logging a change to block a malicious host, or executing a scan. How much easier would it be for the SOC to simply review a feedback report instead of having to manually execute the entire incident response process?
SOAR integrates with various solutions, as mentioned before, to enable a single point of collaboration, making it easy to follow through on a fully-fledged “automated” process.
SOAR is not a SIEM (security information and event management), even though SIEM technologies today attempt to build SOAR capabilities on top of their solutions. Why do I say that? Many organisations employ a SIEM for its log management capabilities as much as for its baselining ability, which enhances situational awareness. However, SOAR does not replace SIEM capability; it is an enhancement to the SIEM, allowing the SOC to evolve from a reactive stance to a proactive one by adding responsiveness to the incident management process. The SIEM remains the foundation of information and security event consolidation and equips SOAR with enough context to respond effectively.
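To make the playbook idea from the two passages above concrete (SIEM supplies the context, SOAR applies the decisions once and then runs notify, change-ticket, block and scan as one orchestrated response), here is a small added example in Python. It is not code from the original article or from any SOAR product; the alerts are constructed, the `Connectors` class stands in for hypothetical integrations and only records what it would have done, and the "never block an internal address automatically" rule is an assumption chosen to show how a playbook hands an edge case back to a human rather than acting blindly.

```python
"""Minimal playbook-driven orchestration: alert context in, decisions applied
once, actions executed through connectors, feedback report out.
All connectors are stand-ins that record calls; nothing contacts a real system."""
from dataclasses import dataclass, field
import ipaddress

# Constructed SIEM alerts (documentation / private address ranges only).
SAMPLE_ALERT = {
    "id": "ALERT-0001",            # constructed identifier
    "type": "known_malicious_host",
    "src_ip": "198.51.100.23",     # RFC 5737 documentation address
    "asset": "web-01",
    "severity": "high",
    "indicator_on_blocklist": True,
}
INTERNAL_ALERT = {
    "id": "ALERT-0002",            # constructed identifier
    "type": "known_malicious_host",
    "src_ip": "10.20.30.40",       # internal address: must not be auto-blocked
    "asset": "file-02",
    "severity": "medium",
    "indicator_on_blocklist": True,
}

# Assumed internal ranges; a real playbook would pull these from the CMDB.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Connectors:
    """Hypothetical integrations (chat, firewall, scanner, ticketing).
    Each method records the call it would have made and returns a result."""
    calls: list = field(default_factory=list)

    def notify(self, channel, message):
        self.calls.append(("notify", channel, message))
        return True

    def open_ticket(self, summary):
        self.calls.append(("open_ticket", summary))
        return "TICKET-0001"       # constructed change-ticket id

    def block_ip(self, ip):
        self.calls.append(("block_ip", ip))
        return True

    def scan_host(self, host):
        self.calls.append(("scan_host", host))
        return {"host": host, "findings": 0}   # constructed scan result


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def run_playbook(alert, conn):
    """Execute the playbook for one alert and return the feedback report.
    The decisions live here, so an analyst reviews the report, not each step."""
    report = {"alert": alert["id"], "actions": [], "escalate": False}

    # Step 1: notify the team with the context the SIEM already gave us.
    conn.notify("soc", f"{alert['id']}: {alert['type']} from {alert['src_ip']}")
    report["actions"].append("notified")

    # Step 2: log a change and block only external, blocklisted sources.
    # Anything internal is escalated for a human decision instead.
    ip = alert["src_ip"]
    if alert.get("indicator_on_blocklist") and not is_internal(ip):
        report["change_ticket"] = conn.open_ticket(f"Block {ip} at perimeter")
        conn.block_ip(ip)
        report["actions"].append(f"blocked:{ip}")
    else:
        report["escalate"] = True

    # Step 3: scan the affected asset when the alert is high severity.
    if alert["severity"] == "high":
        result = conn.scan_host(alert["asset"])
        report["actions"].append(f"scanned:{alert['asset']}")
        report["scan_findings"] = result["findings"]

    return report


if __name__ == "__main__":
    for alert in (SAMPLE_ALERT, INTERNAL_ALERT):
        print(run_playbook(alert, Connectors()))
```

Running it prints one report per alert: the external host is notified, ticketed, blocked and scanned without anyone touching a console, while the internal address produces a notification and an `escalate` flag, which is the point where the analyst's judgement is still needed.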