Security orchestration, automation, and response - or SOAR - provides organizations a central source for observing, investigating, and actioning security incidents. SOAR has modernized security operations, specifically in the way SOC teams manage and respond to alerts and threats. Without the adoption of some security automation, security analysts end up manually handling a rising number of cyberattacks. SOAR platforms help address everyday, mundane tasks using automation, while also offering orchestration across the security infrastructure to be more productive and responsive to threats.
So what are the key differences between automation and orchestration?
Automation. Gives the ability to perform functions without human intervention. These functions may be internal to the system - for example, escalating an incident’s urgency or adding members to an incident response chain - or they can be external, such as querying the Splunk platform or an external threat intelligence feed for more context on Indicators of Compromise (IoC).
Orchestration. Provides the creation of a sequence of multiple steps or actions that drive a particular process or response. Orchestration typically involves human action as well as automated steps. An example of orchestration might be a security analyst who suspends a user account in Active Directory, where the account suspension process had been pre-configured but still requires a manual decision to execute the process.
The benefits of using security automation and orchestration include:
- Integrate security, IT operations and threat intelligence tools: SOAR gives you the ability to connect different security solutions to achieve a more comprehensive level of data collection and analysis.
- Central visibility: Your security team gains access to a single console that provides the information it needs to investigate and remediate incidents.
- Speed incident response: Through automated actions, a large percentage of incidents can be dealt with immediately and automatically, reducing mean time to detect (MTTD) and mean time to respond (MTTR).
- Prevent time-consuming actions: SOAR drastically reduces false positives, repetitive tasks, and manual processes that take up security analysts’ time.
- Achieve better intelligence: SOAR solutions aggregate and validate data from threat intelligence platforms, firewalls, intrusion detection systems, security information and event management (SIEM) systems, and other technologies, providing greater insight and context.
- Improve reporting and communication: With all security operations activities aggregated in one place, stakeholders can receive all the information they need, including metrics that help them identify how to make improvements to response workflows and reduce overall response times.
- Boost decision-making ability: Because SOAR solutions may offer features like pre-built playbooks, drag-and-drop functions to build playbooks from scratch and automated alert prioritization, they aim to be user-friendly security systems, even for less experienced security analysts.
Aim and strategy
By enhancing security operations through automation and orchestration, security teams can reduce the effort spent on time-consuming manual tasks, allowing them to focus on the high-value tasks that make the biggest impact. Additionally, teams can improve speed and accuracy in investigative tasks, significantly improving their ability to accurately detect and rapidly respond to active threats and risks.
Common use cases
The most common SOAR use cases tend to be SOC-oriented use cases, such as:
- Automatic incident response: SOAR can automatically detect, extract and examine the artifacts of attacks. It can contain threats before critical or confidential data is exposed to attackers, reducing response times from hours to minutes.
- Threat hunting: With automation, many malicious threats are addressed instantly, creating necessary bandwidth for security analysts to address vulnerabilities and making it harder for hackers to access confidential data.
- Penetration testing: SOAR platforms can automate activities such as asset discovery scans, classification activities, and target prioritization, making it possible for security teams to operationalize their penetration testing efforts.
- Improving overall vulnerability management: A SOAR solution can ensure that your security team triages and adequately manages the risk introduced by new vulnerabilities discovered within the environment. As a result, the team is able to be proactive, while also putting safeguards in place to avoid breaches or other attacks.
Security teams are also looking for ways to utilize automation outside of traditional SOC use cases. SecOps teams can turn to SOAR platforms to help with automation for:
- Security fraud and brand impersonation
- Fraud case management
- Securing employee onboarding and offboarding
- Phishing submissions and triage
- ITOps processes
|Role|Responsibilities|
|---|---|
|Lead Security Analyst|Defining security use cases and analyst workflows, content development strategy|
|SOC Analyst|Conducts investigations and uses case management and collaboration to address threats and risks|
|Security Developer|Documents and develops Playbooks, Workbooks and process workflows|
|Splunk SOAR Admin|Applies configuration changes, app installation and maintenance, user and permissions changes|
|Information Security Management|Change approvals and project sponsorship|
1.1 Establish priorities
It’s best to first evaluate where automation can be most effective, and then prioritize those needs. Consider the big picture: figure out which types of incidents occur most often, and which take the most time to investigate and resolve. Then define your use cases based on your industry and organizational goals, and create a list of how you will use SOAR, noting where you have low-hanging fruit or simple tasks that are good processes to test. Involve stakeholders across your security operations center (SOC) as you identify use cases.
1.2 Inventory your tools, applications and APIs
You need to ensure that the vendor you choose can support all of the tools you’re currently using. Remember that a SOAR solution is only as good as the information being brought into it, so consider whether you need to upgrade data sources or any other parts of your security infrastructure before deploying it.
2. Recommended training
A number of limitations and dependencies should be considered with SOAR platforms that could reduce their overall viability.
The biggest misconception is that SOAR platforms can replace security professionals. SOAR is meant to be a force multiplier for security teams, allowing them to work efficiently and effectively, but does not and is not intended to replace people.
The security team must have experienced professionals who already have, or are able to create, detailed workflows of their processes. Without this, a team cannot operationalize SOAR in a beneficial way. If the professionals on the team are less experienced, they are unlikely to understand the workflows and processes well enough to create worthwhile documentation from which SOAR will operate.
Additionally, you need a thorough understanding of the environment to collect and understand operational metrics. If a security team does not know how to collect metrics to measure their effectiveness, it will be difficult to measure the actual benefit the organization is achieving from a SOAR platform. Without these metrics, it will be difficult to change how SOAR is set up in the enterprise for maximum benefit to the organization.
A final consideration is that the SOAR platform must be deployed to the enterprise and connected to various other applications and technologies - a complex undertaking often involving many teams. An organization must have people with the necessary technical skills to deploy and maintain the platform. The applications and technologies used by the enterprise must also support or be supported to integrate into a SOAR platform. Because one of SOAR's greatest strengths is to connect to and orchestrate other technologies, each technology that is unable to be integrated reduces the benefits of deploying SOAR.
Start small and build out. Rather than aiming to use every single SOAR capability from the start, it’s better to start with a limited set of features. Start by focusing on critical areas first and build sophistication over time, which will help you realize the full potential of the solution while minimizing growing pains. While the end goal is full incident response automation, it may take time to build up in stages to get there.
1. Have interactive touchpoints and automate parts of a process
Start slowly when rolling out automation and orchestration. You never want the solution to become more of a problem than the one it was meant to solve. Include interactive, human touchpoints to ensure things are meeting the workflow you anticipate. Take smaller, manageable components of your process and begin to automate those steps, leaving complex tasks for further down your journey.
2. Develop your playbooks
It’s important to document the steps of your processes, instructions and best practices for resolving incidents effectively, ensuring that your security team follows a consistent, repeatable process. As you establish a priority list for developing playbooks, start with those that will eliminate repetitive tasks and build more complicated processes and logic further into your security maturity journey. For more information, take the Splunk Education course, Developing SOAR playbooks.
3. Integrate your security environment
A SOAR solution can help unify data by integrating different data sources through APIs. Unified security data enables security teams to enrich data with intelligence from other applications. In some cases, the SOAR solution itself serves the purpose of tying together the disparate security tools into a single environment, eliminating the need for analysts to toggle through different applications as they investigate and remediate threats. For more tool ideas, see SOAR Apps.
4. Connect stakeholders through communication, collaboration and cross-organizational workflows
Establish a common security language. Security analysts will find they collaborate better when Level 1 analysts have visibility into Level 2 and Level 3 analyst responsibilities so they can better assist them. CSOs and SOC managers will find they meet with less resistance on budget requests when they can have informed conversations with the CIO, CEO and CFO.
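The following added example (not code from the original page or from Splunk SOAR itself) shows the automation/orchestration split described earlier and the "interactive touchpoints" guidance in step 1 as a minimal playbook: IoC enrichment and severity escalation run with no human involvement, while the pre-configured account suspension is recorded as awaiting an analyst decision and only executes once approved. The threat-intel feed, incident fields and IP addresses are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed stand-in for a threat-intelligence feed lookup (not a real feed).
THREAT_INTEL = {
    "203.0.113.42": {"verdict": "malicious", "confidence": 90},
    "198.51.100.7": {"verdict": "benign", "confidence": 80},
}

@dataclass
class Incident:
    name: str
    user: str                      # account referenced by the alert
    iocs: list                     # indicators extracted from the alert
    severity: str = "low"
    enrichment: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)

def enrich(incident):
    """Automation: query the feed for each IoC and escalate urgency, no human needed."""
    for ioc in incident.iocs:
        hit = THREAT_INTEL.get(ioc, {"verdict": "unknown", "confidence": 0})
        incident.enrichment[ioc] = hit
        if hit["verdict"] == "malicious" and hit["confidence"] >= 75:
            incident.severity = "high"
    return incident

def request_approval(incident, action):
    """Orchestration touchpoint: queue the containment step for a manual decision."""
    incident.actions.append({"action": action, "status": "awaiting_approval"})
    return incident

def suspend_account(incident, approved_by):
    """Pre-configured containment step; runs only after an analyst approves it."""
    for step in incident.actions:
        if step["action"] == "suspend_account" and step["status"] == "awaiting_approval":
            step["status"] = "executed"
            step["approved_by"] = approved_by
            return True
    return False  # nothing pending: either never requested or already executed

def run_playbook(incident):
    """Automated part of the playbook; stops at the human touchpoint."""
    enrich(incident)
    if incident.severity == "high":
        request_approval(incident, "suspend_account")
    return incident
```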
When implementing this guidance, you should see improvements in the following:
- Mean time to respond (MTTR)
- Mean time to investigate (MTTI)
- Number of incidents resolved
- Granular ROI reporting
- Analyst workload