SOAR is a cloud-based service designed to help organizations automate some of their manual processes, such as monitoring, alerting, investigation, remediation, reporting, and compliance. It provides real-time visibility into your network and endpoint detection across all devices and applications.
SOAR platforms are a collection of security software solutions that can be used for browsing and collecting data from a variety of sources.
The term was originally created by Gartner, who defined the three capabilities of a SOAR platform: threat and vulnerability management, security incident response, and security operations automation. SOAR allows companies to collect threat-related data from a range of sources and automate the responses to the threat.
Security operations automation (Automation) relates to the technologies that enable automation and orchestration within operations, while threat and vulnerability management (Orchestration) covers technologies that help remediate cyber threats. The data is analyzed using a combination of human analysis and machine learning in order to understand and prioritize incident response actions.
Security operations can be a constant challenge for any organization. It’s important for speed and efficiency, but it can be difficult to ensure that everything works together smoothly. Analysts are frequently overwhelmed by the volume of alerts from disparate systems. It can take time and effort to obtain and correlate the necessary data to identify potential threats. Remediating those threats requires coordination between different teams within an organization.
SOAR helps alleviate some of the challenges associated with big data by assisting humans and machines alike in analyzing large amounts of data, reducing alert fatigue, and automating detection and response processes.
Gartner defines the security information and event management (SIEM) market by the customer’s need to analyze event data in real time for early detection of targeted attacks and data breaches, and to collect, store, investigate and report on log data for incident response, forensics and regulatory compliance.
SIEM products first emerged in 2005, initially driven by compliance reporting and aggregating log data generated by applications, endpoints, and network devices.
While some SIEMs provide both security information management (SIM) and security event management (SEM), they offer limited incident response and visualization capabilities. SIEMs analyze event data from preventive technologies, like anti-virus software, IDSs, and firewalls, which makes it difficult to detect sophisticated attacks whose evidence lies in sources that are not correlated. Threat analysis was often difficult and time-consuming as well, driven by manual processes and analysis.
Next-gen SIEM technologies added support for big data analytics and real-time event detection, as well as machine learning and behavioral analysis plug-ins to create baseline models for normal user and device behavior patterns. This helped make it easier to identify security issues sooner to reduce the window in which organizations were vulnerable to attack.
Despite these advances, the sheer volume of alerts from SIEM platforms still overloads security teams today, and many teams adopt additional tools to reduce false positives and help automate responses.
The goal for security tools is to see, link, and deal with incidents in one place. Unfortunately, collecting and correlating data from all of these disparate tools can be extremely noisy.
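The correlation step described above, as an added example (not code from the original page or from any SOAR product): alerts from three hypothetical tools (an EDR, a firewall and an IDS) are grouped per host within a time window, repeated signatures are collapsed, and the incident inherits the highest severity and the set of tools that reported it. The alert records are constructed sample data; the tool names, window size and severity scale are assumptions.

```python
"""Correlate alerts from several security tools into a short list of incidents.

Added example: alerts that hit the same host within a time window are merged
into one incident, duplicate signatures collapse into one entry, and the
incident keeps the highest severity seen. An analyst then sees one incident
per host/window rather than a stream of raw alerts from disparate consoles.
All records below are constructed sample data, not output of any product.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed alerts from three hypothetical tools: edr, firewall, ids.
RAW_ALERTS = [
    {"tool": "edr", "host": "ws-042", "ts": "2024-03-01T10:00:05", "sig": "suspicious-powershell", "severity": "medium"},
    {"tool": "edr", "host": "ws-042", "ts": "2024-03-01T10:00:06", "sig": "suspicious-powershell", "severity": "medium"},
    {"tool": "firewall", "host": "ws-042", "ts": "2024-03-01T10:03:40", "sig": "outbound-to-blocked-range", "severity": "high"},
    {"tool": "ids", "host": "ws-042", "ts": "2024-03-01T10:04:12", "sig": "dns-tunnel-pattern", "severity": "high"},
    {"tool": "firewall", "host": "srv-db-1", "ts": "2024-03-01T10:02:00", "sig": "port-scan", "severity": "low"},
    {"tool": "ids", "host": "ws-042", "ts": "2024-03-01T11:30:00", "sig": "dns-tunnel-pattern", "severity": "high"},
]


@dataclass
class Incident:
    host: str
    first_seen: datetime
    last_seen: datetime
    severity: str
    sources: set = field(default_factory=set)     # tools that contributed an alert
    signatures: set = field(default_factory=set)  # distinct alert signatures
    alert_count: int = 0                          # raw alerts folded into this incident


def correlate(alerts, window=timedelta(minutes=15)):
    """Merge alerts per host that arrive within `window` of the incident's last alert."""
    incidents = []
    open_by_host = {}  # host -> most recent incident for that host
    for a in sorted(alerts, key=lambda x: x["ts"]):  # ISO timestamps sort lexically
        ts = datetime.fromisoformat(a["ts"])
        inc = open_by_host.get(a["host"])
        if inc is None or ts - inc.last_seen > window:
            inc = Incident(a["host"], ts, ts, a["severity"])
            incidents.append(inc)
            open_by_host[a["host"]] = inc
        inc.last_seen = max(inc.last_seen, ts)
        inc.alert_count += 1
        inc.sources.add(a["tool"])
        inc.signatures.add(a["sig"])
        if SEVERITY_RANK[a["severity"]] > SEVERITY_RANK[inc.severity]:
            inc.severity = a["severity"]
    return incidents


def triage_order(incidents):
    """Queue order for the analyst: highest severity first, then more independent sources."""
    return sorted(incidents, key=lambda i: (SEVERITY_RANK[i.severity], len(i.sources)), reverse=True)


if __name__ == "__main__":
    for inc in triage_order(correlate(RAW_ALERTS)):
        print(f"{inc.host:10} {inc.severity:8} alerts={inc.alert_count} "
              f"sources={sorted(inc.sources)} sigs={sorted(inc.signatures)}")
```

Six raw alerts become three incidents; the one on ws-042 that three different tools agree on rises to the top of the queue, while the isolated port-scan on srv-db-1 drops to the bottom. The window size is the tuning knob: too small and one attack fragments into several incidents, too large and unrelated activity on a busy host is glued together.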
Understanding what's happening within your own internal network requires automation and orchestration. But what about the threats outside your network? External context is needed to correlate and enrich network data with threat intelligence, to help defend against potential threats.
SOAR solutions need technology like a threat intelligence platform (TIP) that automatically gathers, normalizes, and correlates data with multiple threat intelligence sources so that a single feed can be produced. This threat intel capability needs to be an integral part of the automation process to ensure a SOAR platform is using the data effectively to execute the right response actions.
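The gather-normalize-correlate-enrich cycle described in the two paragraphs above, as an added example that is not the page's own code or any vendor's TIP: two constructed feeds in different formats are mapped onto one indicator schema, merged per indicator while recording every source that reported it, and then used to tag constructed proxy log lines. Feed names, field names, the priority rule and the log format are all assumptions.

```python
"""Normalize several threat-intelligence feeds into one indicator set and use it
to enrich network events.

Added example: feed A is CSV, feed B is JSON, each with its own field names and
type vocabulary. Both are mapped onto a common Indicator schema, merged per
value (highest confidence wins, all sources are kept), and the merged set is
used to enrich proxy log lines. An indicator reported by more than one feed, or
with high confidence, marks the event as high priority, the kind of signal an
automated playbook would key its response on. All feeds and logs are constructed.
"""
import csv
import io
import json
from dataclasses import dataclass, field

# Constructed feed A: CSV with its own column names and type labels.
FEED_CSV = """indicator,ioc_type,confidence
203.0.113.7,ip,70
bad-updates.example,domain,90
198.51.100.23,ip,40
"""

# Constructed feed B: JSON with different field names and type vocabulary.
FEED_JSON = json.dumps([
    {"value": "203.0.113.7", "kind": "ipv4", "score": 85},
    {"value": "evil-cdn.example", "kind": "fqdn", "score": 60},
])

# Each feed's type vocabulary mapped onto the common schema.
TYPE_MAP = {"ip": "ipv4", "ipv4": "ipv4", "domain": "domain", "fqdn": "domain"}


@dataclass
class Indicator:
    value: str
    type: str
    confidence: int
    sources: set = field(default_factory=set)


def parse_feed_csv(text, source):
    """Yield Indicators from the CSV feed, normalizing case and type labels."""
    for row in csv.DictReader(io.StringIO(text)):
        yield Indicator(row["indicator"].strip().lower(), TYPE_MAP[row["ioc_type"]],
                        int(row["confidence"]), {source})


def parse_feed_json(text, source):
    """Yield Indicators from the JSON feed, normalizing case and type labels."""
    for item in json.loads(text):
        yield Indicator(item["value"].strip().lower(), TYPE_MAP[item["kind"]],
                        int(item["score"]), {source})


def merge(*feeds):
    """Return one Indicator per value, keeping the highest confidence and every source."""
    merged = {}
    for feed in feeds:
        for ind in feed:
            cur = merged.get(ind.value)
            if cur is None:
                merged[ind.value] = ind
            else:
                cur.confidence = max(cur.confidence, ind.confidence)
                cur.sources |= ind.sources
    return merged


# Constructed proxy log lines: timestamp, client address, destination host.
PROXY_LOG = """2024-03-01T10:01:00 10.0.0.15 bad-updates.example
2024-03-01T10:01:03 10.0.0.15 203.0.113.7
2024-03-01T10:01:09 10.0.0.22 www.example.org
2024-03-01T10:02:30 10.0.0.31 198.51.100.23
"""


def enrich(log_text, indicators):
    """Attach matching intel to each log line; priority rises with source count and confidence."""
    events = []
    for line in log_text.splitlines():
        ts, client, dest = line.split()
        hit = indicators.get(dest.lower())
        ev = {"ts": ts, "client": client, "dest": dest, "match": None, "priority": "none"}
        if hit:
            ev["match"] = {"type": hit.type, "confidence": hit.confidence,
                           "sources": sorted(hit.sources)}
            # Corroboration by a second feed or a high score earns immediate attention.
            ev["priority"] = "high" if len(hit.sources) > 1 or hit.confidence >= 80 else "review"
        events.append(ev)
    return events


def build_indicators():
    """Gather both constructed feeds into the single merged indicator set."""
    return merge(parse_feed_csv(FEED_CSV, "feed-a"), parse_feed_json(FEED_JSON, "feed-b"))


if __name__ == "__main__":
    for ev in enrich(PROXY_LOG, build_indicators()):
        print(ev)
```

The two feeds disagree on field names, type labels and confidence scale for the same address, which is exactly why normalization has to happen before correlation: only after both map to the same key does the merged record show that two independent sources flagged 203.0.113.7, and only that merged record can drive a response decision consistently.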
As Gartner points out, the main obstacle to the adoption of SOAR security continues to be the lack, or low maturity, of processes and procedures within SOC teams. This is why it is vital to gain expert advice when planning to implement SOAR.
Gartner, Market Guide for Security Orchestration, Automation and Response Solutions, 21 September 2020