What is SOAR?

SOAR stands for Security Orchestration, Automation, and Response.

SOAR defined

SOAR is a cloud-based service designed to help organizations automate some of their manual processes, such as monitoring, alerting, investigation, remediation, reporting, and compliance. It provides real-time visibility into your network and endpoint detection across all devices and applications.

SOAR platforms are a collection of security software solutions that can be used for browsing and collecting data from a variety of sources.

The term was originally created by Gartner, who defined the three capabilities of a SOAR platform - threat and vulnerability management, security incident response, and security operations automation. SOAR allows companies to collect threat-related data from a range of sources and automate the responses to the threat.

Security operations automation (Automation) relates to the technologies that enable automation and orchestration within operations, while threat and vulnerability management (Orchestration) covers technologies that help remediate cyber threats. The data is analyzed using a combination of human and machine learning in order to comprehend and prioritize incident response actions.

"SOAR refers to technologies that enable organizations to collect inputs monitored by the security operations team. For example, alerts from the SIEM system and other security technologies, where incident analysis and triage can be performed by leveraging a combination of human and machine power, help define, prioritize and drive standardized incident response activities. SOAR tools allow an organization to define incident analysis and response procedures in a digital workflow format."

Gartner definition of SOAR

Key benefits of SOAR

Security operations can be a constant challenge for any organization. It’s important for speed and efficiency, but it can be difficult to ensure that everything works together smoothly. Analysts are frequently overwhelmed by the volume of alerts from disparate systems. It can take time and effort to obtain and correlate the necessary data to identify potential threats. Remediating those threats requires coordination between different teams within an organization.

SOAR helps alleviate some of the challenges associated with big data by assisting humans and machines alike in analyzing large amounts of data, reducing alert fatigue, and automating detection and response processes.

SOAR vs. SIEM vs. XDR: what's the difference?

Gartner defines the security information and event management (SIEM) market by the customer's need to analyze event data in real time for early detection of targeted attacks and data breaches, and to collect, store, investigate and report on log data for incident response, forensics and regulatory compliance.

SIEM products first emerged in 2005, initially driven by compliance reporting and aggregating log data generated by applications, endpoints, and network devices.

While some SIEMs provide both security information management (SIM) and security event management (SEM), they offer limited incident response and visualization capabilities. SIEMs analyze event data from preventive technologies, like anti-virus software, IDSs, and firewalls, making it difficult to detect sophisticated attacks whose sources are not correlated. Threat analysis was often difficult and time-consuming as well, driven by manual processes and analysis.

Next-gen SIEM technologies added support for big data analytics and real-time event detection, as well as machine learning and behavioral analysis plug-ins to create baseline models for normal user and device behavior patterns. This helped make it easier to identify security issues sooner to reduce the window in which organizations were vulnerable to attack.

Despite these advances, the sheer volume of alerts from SIEM platforms still overloads security teams today, who often adopt additional tools to reduce false positives and help automate responses.

Enter SOAR

Gartner defines security orchestration, automation, and response (SOAR) as technologies that enable organizations to take inputs from a variety of sources (mostly from security information and event management [SIEM] systems) and apply workflows aligned to processes and procedures.

First emerging in 2015, SOAR tools were designed to help address the SIEM challenges of alert and event fatigue and the global talent shortfall that makes it hard for organizations to deploy a SIEM solution effectively. Their main objective was to enrich event data by providing additional context for each incident (e.g., location, time, type), which would allow teams to better identify critical incidents and automate responses to these events. The goal was to improve security by speeding up remediation and escalating threats only when human intervention was needed.

SOAR tools use a variety of different types of data to help identify threats and prevent attacks against organizations, requiring integration with other security tools and a reliance on manual processes such as defining playbooks, custom alert levels, and incident response measures.

Keeping visibility across an entire network continues to be a challenge for security teams because modern IT infrastructure and applications continue to grow. Additionally, relying on siloed security solutions from SIEM and SOAR platform vendors can result in alerts based on incomplete or badly correlated information, which may cause unnecessary disruptions to systems and users.

Enter XDR

According to analyst firm Gartner, Extended Detection and Response (XDR) is “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”

In an effort to improve threat detection and incident response time, security vendors are developing new technologies called XDR (extended detection and response). XDR's goal is to help organizations detect attacks by correlating their security data and alerting them when an anomaly occurs. XDR combines a range of investigative tools and behavioral analytics with an emphasis on advanced threat detection and customized responses for better defense against cybercrime.

While the latest generation of SIEM tools may offer XDR capabilities, they – like SOAR platforms – are often add-ons and plugins that require configuring and tuning. But XDR doesn't have the logging, retention, and compliance features of SIEMs, which means it's important to find one that integrates with existing security controls or offers an open architecture.

Organizations may decide between deploying multiple sets of products or one consolidated product suite for their security operations needs. Regardless of which path they take, they'll require some integration, configuration, and fine-tuning to detect and respond to security incidents effectively and efficiently.

SOAR + Threat Intelligence

The goal for security tools is to see, link, and deal with incidents in one place. Unfortunately, collecting and correlating data from all of these disparate tools can be extremely noisy.

Understanding what's happening within your own internal network requires automation and orchestration. But what about the threats outside your network? External context is needed to correlate and enrich network data with threat intelligence, to help defend against potential threats.

SOAR solutions need technology like a threat intelligence platform (TIP) that automatically gathers, normalizes, and correlates data with multiple threat intelligence sources so that a single feed can be produced. This threat intel capability needs to be an integral part of the automation process to ensure a SOAR platform is using the data effectively to execute the right response actions.
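The following is an added illustration, not code from the original article or from any SOAR vendor, of the two ideas above: the TIP step that normalizes differently shaped threat-intel feeds into a single indicator table, and the playbook step that enriches a SIEM alert with that context and then either auto-responds or escalates only when an analyst's judgement is needed. The feed formats, alerts, field names and thresholds are all constructed for the example.

```python
"""Minimal SOAR-style playbook: normalize two threat-intel feeds into one
indicator table, enrich SIEM alerts with it, then auto-respond or escalate."""
import csv
import io
import json

# Constructed sample feed A: CSV with a 0-100 risk score.
FEED_A_CSV = "indicator,risk\n203.0.113.9,95\n198.51.100.7,40\n"
# Constructed sample feed B: JSON with a 0.0-1.0 confidence.
FEED_B_JSON = '[{"ioc": "203.0.113.9", "confidence": 0.9}, {"ioc": "192.0.2.55", "confidence": 0.3}]'

def normalize_feeds(feed_a_csv, feed_b_json):
    """TIP step: map each feed's schema onto one {indicator: {score, sources}} table,
    keeping the highest score seen and the set of feeds that reported the indicator."""
    table = {}
    def add(ioc, score, source):
        entry = table.setdefault(ioc, {"score": 0, "sources": set()})
        entry["score"] = max(entry["score"], score)
        entry["sources"].add(source)
    for row in csv.DictReader(io.StringIO(feed_a_csv)):
        add(row["indicator"], int(row["risk"]), "feed_a")
    for item in json.loads(feed_b_json):
        add(item["ioc"], round(item["confidence"] * 100), "feed_b")  # rescale to 0-100
    return table

def run_playbook(alert, intel):
    """Enrich one SIEM alert with intel context and pick a response; only the
    ambiguous middle band is handed to a human analyst."""
    hit = intel.get(alert["src_ip"])
    enriched = dict(alert, ti_score=hit["score"] if hit else 0,
                    ti_sources=sorted(hit["sources"]) if hit else [])
    if hit and hit["score"] >= 80 and len(hit["sources"]) >= 2:
        enriched["action"] = "auto_block"   # corroborated by two feeds, high score
    elif hit:
        enriched["action"] = "escalate"     # known indicator, but needs analyst review
    else:
        enriched["action"] = "auto_close"   # no external context: deprioritize
    return enriched

# Constructed sample alerts as a SIEM might forward them to the SOAR platform.
ALERTS = [
    {"id": 1, "src_ip": "203.0.113.9", "rule": "ssh_bruteforce"},
    {"id": 2, "src_ip": "198.51.100.7", "rule": "ssh_bruteforce"},
    {"id": 3, "src_ip": "10.0.0.5", "rule": "ssh_bruteforce"},
]

if __name__ == "__main__":
    intel = normalize_feeds(FEED_A_CSV, FEED_B_JSON)
    for a in ALERTS:
        print(run_playbook(a, intel))
```

In a real deployment the feed parsers and the response actions would be integrations with the TIP and the enforcement points, but the decision logic that separates automatic handling from analyst escalation is the part the playbook owns.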

SOAR challenges

As Gartner points out, the main obstacle to the adoption of SOAR security continues to be the lack, or low maturity, of processes and procedures within SOC teams. This is why it is vital to gain expert advice when planning to implement SOAR.

Gartner, Market Guide for Security Orchestration, Automation and Response Solutions, 21 September 2020