Security Orchestration, Automation and Response (SOAR) is an oft-discussed term in discussions about cybersecurity. It’s commonly positioned as a solution that can help organizations streamline their security programs, relieve workload from their existing security teams, and increase the speed to eradicate threats - especially as more organizations are adopting remote work postures while accelerating adoptions of cloud applications.
But are there also drawbacks to SOAR? What kind of organizations would benefit most from its implementation, and under what kinds of scenarios? To find out, we spoke with Kory Daniels, Global Director, Threat Detection & Response Consulting at Trustwave.
“SOAR is a critical element of an organizations cyber threat detection and response program maturity,” Kory said. “SOAR combines functionality that cyber teams would need to historically seek out as point-solutions, or homegrown effort, for ticketing/case management, threat intelligence, and scripting automation with other tooling in the infrastructure. The problems that SOAR is used to address are helping to alleviate time sinks, so that staff can focus on higher-value activities.”
Organizations will typically use SOAR to automate many of the processes and tasks that their cybersecurity teams had done historically — especially tasks that were inefficient, reactive, or manually intensive. It helps free up capacity as you become more time-efficient by empowering your skilled security staff to focus on what really matters.
Additionally, SOAR can help you maximize the value of your internal threat intelligence, with better quality data to help contextualize incidents, make better informed decisions and accelerate threat detection and response. Aggregating data from all of the wide range of sources – both internal and external – can help your security operations center (SOC) become more intelligence driven, as well as more effective with their time.
While SOAR is a relatively new acronym in the cybersecurity world, the concept has actually been around for quite some time.
Prior to use of the term SOAR, organizations would have been seeking for whatever tools they could find to try to make case management and investigations more efficient. If you go back far enough, you find organizations using ad hoc solutions, like shifting logs that were kept in documents and spreadsheets on a local computer, to knowledge shares kept on SharePoint.
From that basic principle, purpose-built cyber-automation tools and companies began to be created, especially ticketing systems. The challenge for organizations became trying to integrate and apply automation to all the disparate tools they would be engaged with, from a security information and event management (SIEM) system to intrusion detection and prevention systems (IDPS) and beyond.
Faced with a hodgepodge of systems, organizations attempted to use ticketing systems to create foundational automation of their process workflows and case management, with varying degrees of success. Of course, as time went on and organizations began to realize that there was room for improvement, the concept of SOAR was developed.
Today, cybersecurity providers have created powerful solutions that integrate SOAR capabilities to combine the best aspects of a ticketing system, the best of threat intelligence, the best playbook automation practices for workflows and threat response and more – giving organizations a true security advantage. In a sense, SOAR technology is essentially making good on the original promise of security information and event management (SIEM) systems from the early 2000’s.
Almost every organization that needs to detect and responds to threats can benefit from SOAR capabilities, depending on where they are at in their security maturity journey.
"It really comes down to what your security maturity is, and what your goals are, that will determine what use cases are most valuable for you, and when you need to implement SOAR functionality,” Kory said.
For organizations that are just starting with cybersecurity and are beginning to put basic procedures and processes in place, implementing native SOAR solutions will probably be a step too far. The best step would be engaging a service provider who has out-of-the-box SOAR capabilities that can easily leveraged within your security environment.
While SOAR offers powerful benefits, there can also be potential pitfalls.
“Where organizations typically fall down when trying to implement automation technologies is in not having clearly defined use cases, underestimating skills, and operating model requirements ,” Kory said. “For example, who in the operating model is going to be responsible for the ongoing plan, build and running of SOAR for the threat detection and response program?”
Another common pitfall is a misalignment of expectations. Lot of organizations buy technologies with SOAR capabilities not fully understanding what they’re trying to automate, or whether the breadth of the solution they’re picking actually matches the scope of the problem. Many organizations think they’re getting a security operations center (SOC) in a box. Or, they buy SOAR technology to help defend against phishing, instead of dealing with phishing at its source. These common misunderstandings will wind up simply re-creating some of the problems, or the bad internal processes, that organizations bought the technology to help try and solve.
When it comes to managed threat detection and response services (MTDR), providers such as Trustwave built automation into the very core of the service. Leveraging native SOAR capabilities in the cybersecurity platform and rich APIs and bi-directional integrations with a client’s existing security tools and SOAR capabilities, Trustwave provides extended threat detection and response services across the ecosystem.
Trustwave Fusion connects organizations' digital footprint to a robust security cloud comprised of the Trustwave data lake, advanced analytics, actionable threat intelligence and a wide range of Trustwave services, including Trustwave SpiderLabs, an elite team of security specialists.