Security Orchestration Automation and Response (SOAR) Basics: Definition, Components, and Best Practices

Security Orchestration Automation and Response (SOAR) is a novel approach to incident response (IR) and post-incident recovery by using automated security processes and protocols. The SOAR concept was introduced by Gartner, who proposed a system aimed at reducing the workload of IR and SOC teams, bridging the MTTD (Mean Time to Detect) & MTTR (Mean Time to Respond) gaps, and providing companies with low-cost (and automatic) incident response and mitigation tools. In this article, we’re going to talk about what makes SOAR tick, the pros and cons of adopting a SOAR-type approach to prophylactic and reactive cybersecurity, best practices, and, of course, a couple of real-life examples. Enjoy!

What is Security Orchestration Automation and Response?

To begin with, let’s quote Gartner on this one. So, according to the Peer Insights section on Security Orchestration Automation and Response Solutions, SOAR is a technology that

(…) that enables organizations to take inputs from a variety of sources (mostly from security information and event management [SIEM] systems) and apply workflows aligned to processes and procedures. These can be orchestrated via integrations with other technologies and automated to achieve the desired outcome and greater visibility. Additional capabilities include case and incident management features; the ability to manage threat intelligence, dashboards and reporting; and analytics that can be applied across various functions. SOAR tools significantly enhance security operations activities like threat detection and response by providing machine-powered assistance to human analysts to improve the efficiency and consistency of people and processes.

Sounds like a mouthful, doesn’t it? No worries. I’ll break it down for you. Let’s start with the information gathering bit. With SOAR, data can be collected from multiple sources. For instance, if your company’s already running a SIEM, the newly implemented system will collect and aggregate info from that source.

Same thing applies to 3^rd party, open-source or proprietary data-gathering tools. Why bother with SOAR when you have a SIEM? Mostly because SOAR systems are designed to automatically fetch data and feed it into a single dashboard. On of that, data comes in all shapes and sizes: network traffic data, host-level data, threat intelligence (e.g., TTPs, IOAs, IOCs), DNS, and so on. Having all your eggs in one basket does tend to make your job easier and more efficient, doesn’t it?

Till now, we’ve established that SOAR plays a key role in data collection and aggregation; this is just one of the things such a system can do. In IR (incident response), getting the right data fast is crucial – can make the difference between a blip in the event notification area and a crippling data breach. Of course, everything I talked about so far makes SOAR just another fancy name for SIEM. Here’s where it gets interesting; based on the field-gathered information, a SOAR system allows you to put various security-wise automation in place. In other words, weaning your event response system. Here’s a quick example – imagine that a phishing email pops up in an inbox.

What’s the best course of action? Common sense dictates that the mail be quarantined, send to SOC for further investigation, sequenced, analyzed, documented, and acted upon based on the gathered data. What if I were to tell you that you could do all of those things without moving a finger? Yes, you’ve guessed it; the answer is “Security Orchestration Automation and Response”. A system owner can elaborate a case (sensitive) scenario which instructs the solution on how to respond during each event stage.

For instance, in a SOAR-type environment, the phishing email would be automatically quarantined on delivery and the machine isolated in order to prevent network LM (i.e., lateral movement). The user can also automate post-quarantine actions (e.g., delete suspicious attachments, blacklist the sender’s IP, prevent executable from running, and block any enclosed URLs). That’s just one of SOAR’s applications; plenty more where those came from.

Now here’s the big Q: why would I need to hire and finance an entire SOC team when I can implement a SOAR system? SOAR is a great asset to any company in search of that something extra in terms of security, but it’s not and should never be used as a substitute. SOAR is designed to tackle low-level events (e.g., phishing attempts, volumetric attacks, viruses, common trojans) and, of course, mostly leveraged in data gathering and interpretation. So, you’ll still need that team in case you get hit by something more severe.

Pros & Cons, and Components

Now that we’ve covered some of the basics, let’s have a chat about SOAR components, and some yay or nays.

A Security Orchestration Automation and Response system has five major components.

• Data input and processing. As you might have guessed, the first (and most) important SOAR component is the one that helps us retrieve and centralize info. This data virtually comes from every corner of your company: machines, IoT or mobile devices, emails, IM-type comms, network ‘chatter’, user profiles, etc. Of course, at this point in time, the administrator should establish some data-gathering boundaries – what to collect, when to collect, how much to collect, where to dump that collection, what to analyze, how to analyze, and the list goes merely on.
• Workflows. Automation at its finest – every imaginable SOAR-type process can go into a workflow and, therefore, become automated which means less time spent on repetitive or menial tasks.
• Incident Management (IM). This is where all the fun begins; the incident management component is used to put out incident response and incident recovery flows. In technical lingo, these are called “playbooks” and are used to tackle every foreseeable scenario.
• Threat Intelligence. Because no SOAR or SIEM shouldn’t be without Threat Intelligence – why bother treating a condition if you don’t know the underlying cause?
• Info-sharing. An extra pair of eyes is always welcome, especially when you’re working with malware. SOAR solutions usually incorporate some type of information-sharing system that allows members to review the available information.

Now that we’ve covered components, let’s see about pros and cons.

Pros:

• Increased visibility.
• Ability to automate workflows.
• Ability to script and automate responses.
• Less time spent working on monotonous tasks.
• Great for companies who can’t afford an in-house SOC team.
• Info’s displayed in one place.

Cons

• SOAR solutions are difficult to deploy.
• Challenging getting baseline metrics.
• Only works for low-level incidents.
• Results still need to be gauged by a human team.

Best Practices, Tips, and Parting Thoughts

SOAR is an incredibly flexible threat identification and mitigation tool which is bound to make a resounding statement in the years to come. This wraps up my article on Security Orchestration Automation and Response. But before I go, here are a couple of things you should bear in mind before deploying a SOAR.

1. Baselines and standards. To have a detection & response baseline, you’ll need some standards. In fact, everything about SOAR revolves around standards: scripts, playbooks, procedures, and even the code itself. These standards should be put in place before actually deploying the solution. Have a chat with CIO and IT admins before taking the leap and put in place a clear and concise convention.
2. Data hygiene. Don’t let that data simply pile out. Put in place purging procedures and figure out what to discard and what to keep.
3. Human handlers. Even though the entire idea behind Security Orchestration Automation and Response is to reduce (or sever) its reliance on the human factor, it’s always a good idea to have someone review the data and make adjustments to the workflows and playbooks from time to time.
4. SOAR + SOC. Sounds like overkill, especially when you take into account the financial aspects, but you can run a SOAR and have a SOC team working for your company. Heimdal™ Security’s eXtended Detection and Response (XDR) centralized monitoring and incident response hub brings you the same detection, response, and mitigation capabilities as an in-house SOC team.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.