Much Ado About SOAR, What Is It Exactly?
by Jonathan Zhang
Many security operations centers (SOCs) and businesses now employ security orchestration, automation, and response (SOAR) tools to improve their security posture. The tools have generated so much buzz lately that many are asking whether they live up to the hype.
What Is SOAR?
SOAR tools are a collection of programs that let users gather information about security threats from many different sources and act on it. They can close out low-level security incidents without human intervention, and they support both human- and machine-directed analysis, standardization, and automation of threat detection and remediation.
In essence, the primary goal of SOAR tools is to make security operations more efficient, both in how analysts work and in how systems act. Gartner, the research firm that coined the term, identified three core components: a threat intelligence platform (TIP), a security incident response platform (SIRP), and security operations orchestration and automation capability.
For companies that do not perform penetration testing consistently, or at all (even though it is now widely considered a necessity), SOAR platforms can automate related groundwork such as asset discovery scans, asset classification, and target prioritization, which helps security teams operationalize those efforts.
Are SOAR Tools Enhanced SIEM Solutions?
Security information and event management (SIEM) solutions contextualize the event data gathered by security systems. A SIEM collects log data from sensors and other sources, normalizes and categorizes the events, and searches them with correlation rules and, in some products, machine learning (ML) models for patterns that may indicate a cyber attack. Matching events are correlated and scored to confirm they are suspicious before an alert is raised.
On its own, a SIEM requires regular tuning to keep telling normal activity apart from anomalous activity. Security practitioners often feel that the time spent updating rules and thresholds is time not spent on the continuous influx of data into their systems.
SOAR tools, on the other hand, help security teams respond to those alerts at machine speed. In that sense they can be viewed as an enhancement of a SIEM, though the more accurate picture is that they complement it: the SIEM collects, correlates, and alerts, while SOAR takes the alert and orchestrates enrichment and response through playbooks.
Can SOAR Tools Be Further Enhanced?
SOAR tools can, however, be improved further by integrating a broad range of internal and external applications that extend their data gathering, case management, workflow, and analytics. Integrating domain intelligence tools, for instance, lets a playbook check a domain's reputation against an extensive set of data sources. In that way SOAR tools can automate parts of an organization's incident response workflow.
As has been said, SOAR tools require reliable sources of threat intelligence. By integrating domain research and monitoring tools, SOCs can potentially identify threat sources before an attack begins. By comparing known indicators of compromise (IoCs) from multiple sources against internal traffic data such as DNS and proxy logs, for instance, security teams can block access to those sources early. Improved SOAR tools thus let SOCs operate at an intelligence-driven level: they can contextualize events and arrive at well-informed decisions before a threat enters the network. This accelerates incident response and frees analysts for other work. One caveat: automated blocking is only as good as the feeds behind it, so requiring corroboration across sources and routing low-confidence hits to an analyst helps avoid blocking legitimate domains.
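The following is an added example, not code from the original article or from any SOAR product, of the workflow the two paragraphs above describe: IoC feeds from more than one source are merged, internal DNS queries are matched against them (including subdomains of a listed domain), each hit is enriched with domain reputation data, and a playbook decision of block, escalate, or close is made. The two feeds, the reputation table, the log lines, and the thresholds in `decide` are all constructed for illustration; a real integration would replace them with the SOC's threat intelligence and domain intelligence sources.

```python
"""Illustrative SOAR-style playbook: match internal DNS logs against IoC feeds,
enrich hits with domain reputation, and decide block / escalate / close.
All feeds, reputation data and log lines below are constructed for the example."""
from dataclasses import dataclass
import re

# Constructed IoC feeds from two hypothetical sources; they deliberately overlap
# so that corroboration between sources can be counted.
FEED_A = {"malicious.example": "malware-c2", "phish-login.example": "phishing"}
FEED_B = {"malicious.example": "c2", "drop.badhost.example": "dropper"}

# Constructed stand-in for a domain-intelligence lookup (age, abuse history).
DOMAIN_REPUTATION = {
    "malicious.example": {"age_days": 3, "registrar_abuse_reports": 12},
    "phish-login.example": {"age_days": 1, "registrar_abuse_reports": 4},
    "drop.badhost.example": {"age_days": 400, "registrar_abuse_reports": 0},
}

# Constructed internal DNS resolver log, one query per line.
DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.15 query A www.corp.example
2024-05-01T10:00:04Z 10.0.0.15 query A malicious.example
2024-05-01T10:00:09Z 10.0.0.22 query A phish-login.example
2024-05-01T10:00:11Z 10.0.0.22 query A cdn.corp.example
2024-05-01T10:00:15Z 10.0.0.31 query A sub.malicious.example
2024-05-01T10:00:20Z 10.0.0.40 query A drop.badhost.example
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query (?P<qtype>\S+) (?P<qname>\S+)$")


@dataclass
class Incident:
    src_ip: str
    qname: str
    ioc: str
    sources: list
    reputation: dict
    action: str
    reason: str


def merge_feeds(*feeds):
    """Merge (source_name, {domain: tag}) feeds into {domain: set(source_names)}."""
    merged = {}
    for name, feed in feeds:
        for domain in feed:
            merged.setdefault(domain.lower().rstrip("."), set()).add(name)
    return merged


def match_domain(qname, iocs):
    """Return the IoC that equals qname or one of its parent domains, else None.
    Walks up the label tree so sub.malicious.example still matches malicious.example;
    the bare TLD is never tried."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def decide(sources, rep):
    """Playbook decision. Corroboration or a heavy abuse history justifies an
    automatic block; a lone hit on a very young domain goes to an analyst;
    anything weaker is closed rather than auto-blocked, to limit false positives."""
    if len(sources) >= 2 or rep.get("registrar_abuse_reports", 0) >= 10:
        return "block", "corroborated by multiple feeds or high abuse count"
    if rep.get("age_days", 10**6) < 30:
        return "escalate", "single-feed hit on newly registered domain"
    return "close", "single-feed hit with no corroborating reputation signal"


def run_playbook(log_text, iocs, reputation):
    """Parse the log, match each query against the IoC set, enrich and decide."""
    incidents = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the playbook
        hit = match_domain(m["qname"], iocs)
        if hit is None:
            continue
        rep = reputation.get(hit, {})
        sources = sorted(iocs[hit])
        action, reason = decide(sources, rep)
        incidents.append(Incident(m["src"], m["qname"], hit, sources, rep, action, reason))
    return incidents


def block_list(incidents):
    """Distinct IoC domains to push to a DNS sinkhole or firewall."""
    return sorted({i.ioc for i in incidents if i.action == "block"})


if __name__ == "__main__":
    iocs = merge_feeds(("feed_a", FEED_A), ("feed_b", FEED_B))
    incidents = run_playbook(DNS_LOG, iocs, DOMAIN_REPUTATION)
    for inc in incidents:
        print(f"{inc.action:8} {inc.src_ip:10} {inc.qname:28} ({inc.reason})")
    print("block list:", block_list(incidents))
```

Two design points matter more than the thresholds themselves. First, matching walks up the domain labels, because attackers routinely rotate hostnames under one registered domain, and a playbook that only matches exact strings misses them. Second, a hit from a single feed is never auto-blocked; it is either escalated or closed, which is the concrete form of the caveat that automated response is only as trustworthy as the intelligence behind it.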
SIEM solutions and SOAR tools can both improve the productivity of any security team, including penetration testers. SIEM solutions produce the alerts; SOAR tools then handle them through playbooks, closing routine cases automatically and escalating the rest to analysts. Several companies and SOCs already use SOAR tools to amplify their SIEM solutions, and it is no longer surprising for SIEM vendors to add SOAR to their offerings; it probably won't be long before the two are combined into one product. As the security landscape keeps changing, so should the solutions. But those who wish to stay on top of threats should keep in mind that solutions and tools are only as effective as the threat data, including domain intelligence, they analyze.
About the Author
Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP), a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the Whois XML API family, an intelligence vendor trusted by over 50,000 clients.