Understaffed security teams need all the help they can get, and they are finding that help through SOAR.

SOAR — security orchestration, automation and response — is defined by Gartner as the “technologies that enable organizations to collect inputs monitored by the security operations team.” Gartner identifies a SOAR platform’s three prime functionalities: threat and vulnerability management, security operations automation and incident response.

The number of threats coming across the network and endpoints each day overwhelms most organizations. Adding SOAR technology strengthens your overall security posture by automating the most repetitive and tedious aspects of threat management and incident response.

The Role of Each Component

The efficiency of SOAR’s security operation comes from each of its components. Collectively, SOAR automates the most mundane and time-consuming tasks in a Security Operations Center (SOC): tasks that are absolutely necessary to ensure the highest levels of protection for networks and data, but that also pull already overworked security teams away from their other duties. Understanding how each piece of the SOAR platform operates will help organizations build the solution that works best for them.

Orchestration connects and simplifies all of the security tools and systems within the infrastructure. It integrates custom-built applications with built-in security tools, so they all work with each other seamlessly. In addition, it connects disparate endpoints, firewalls and behavior analytics. While all this connectivity means more alerts, it also improves the ability to detect potential threats before they become full-blown incidents.

Automation affects security procedures across the SOC. Security automation takes the vast amount of information generated through orchestration and analyzes it through machine learning processes. When performed manually, these tasks were not only time-consuming but also subject to human error. The volume of alerts, both false positives and genuine ones, overwhelmed security teams and left them little time for other projects. With security automation, SOAR handles manual tasks such as scanning logs, handling ticket requests, running vulnerability checks and auditing processes. This allows security teams to address anomalies quickly.

Incident response within SOAR allows security teams to monitor, manage and take action when a potential threat is indicated. The response component also handles post-incident activities such as threat intelligence sharing and case management. Incident response tools collect all the information surrounding the incident and can share that information through open-source databases that others reference to extend their own security automation toolkits.


The Playbook

Essential to the success of a SOAR automation solution are its playbooks. Like a football coach’s playbook, the SOAR playbook outlines the game plan for the security team’s incident response. Simply put, the playbook is a set of workflows that put incident response into action. Automated systems using AI and ML need predefined procedures to detect anomalies and defined steps to follow whenever an issue occurs. With these workflows defined in the playbook, automation takes over with minimal human involvement.

The playbook not only spells out the entire process of how to handle incidents, but it offers consistency and redundancy. Playbooks are useful in situations such as threat hunting and threat intelligence, as well as vulnerability management. They also offer workload guidance to security team members, providing institutional knowledge about the organization’s security processes and incident response.

A playbook includes lists of required permissions, tools and network access, potential conflicts with business operations and a defined list of expected results. Playbooks aren’t static documents and should be updated and revised whenever the process fails. The National Institute of Standards and Technology (NIST) offers guidelines for creating playbooks.


The Importance of SOAR

With more endpoints to protect and more data generated, protecting the network has never been more important or more difficult. Security teams face a steady flow of alerts, many of them false positives, and do so with limited staff. The more time the SOC spends addressing alerts, the less time it has for other vital security projects. When this task is handled manually, it adds the risk of human error: something gets missed, leading to a cyber incident.

The digital transformation, while streamlining so many processes and improving overall productivity, has created a security gap problem. Legacy systems don’t easily integrate with new technologies. Security tools become outdated or are siloed. And again, the talent shortage comes into play; these new technologies require specific skills and there just aren’t enough people out there with the specific training needed.

SOAR solutions won’t fix all your security problems, but orchestration and automation handle the repetitive and redundant tasks while connecting disparate security systems and data collection. They make security processes more efficient in real time. The security team can more accurately identify and respond to incidents without developing alert fatigue.


The Relationship Between SOAR and SIEM

Many organizations already deploy security information and event management (SIEM) solutions to detect and manage threats, so they may not see the point of adding another security solution. However, for threat management to be successful, it needs rapid incident response. SIEM and SOAR don’t stand alone; they are more effective at working together.

SIEM is all about detection, but detection alone is not enough. Playbooks for SIEMs are complex and expensive to produce, so the detection layer may not go as deep as it should. SOAR solutions balance this with playbooks and processes that introduce well-defined incident response plans.

Using SIEM in tandem with SOAR saves time and money. Using the solutions alone means going through one step (detection) and then following it up with the second step (incident response) as separate procedures. Instead, when the SIEM and SOAR solutions run concurrently, the high number of alerts generated by the SIEM is addressed in real time by the SOAR.

A SOAR solution should be part of an overall security defense system rather than a stand-alone platform. It should complement the other tools in the SOC, just as it should complement, and not replace, the humans on the security team. Used in this way, SOAR solutions augment the SOC with automated and orchestrated incident response.
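As an added illustration of the playbook concept described above and of SIEM alerts being handled by SOAR in real time, here is a minimal Python playbook runner written for this article (it is not IBM’s, QRadar’s or any vendor’s code). The alert fields, the threat-intel and scanner lists, and the action names are all assumptions; the alerts are constructed samples.

```python
from dataclasses import dataclass, field

# Constructed sample alerts as a SIEM might emit them (hypothetical fields).
SIEM_ALERTS = [
    {"id": "A-1", "rule": "failed_logins", "src_ip": "203.0.113.7", "count": 120},
    {"id": "A-2", "rule": "failed_logins", "src_ip": "10.0.0.5", "count": 3},
    {"id": "A-3", "rule": "malware_beacon", "src_ip": "198.51.100.9", "count": 1},
    {"id": "A-4", "rule": "failed_logins", "src_ip": "192.0.2.20", "count": 40},
]

# Constructed enrichment data: a threat-intel list and an internal scanner
# allow-list (the kind of context an analyst would otherwise look up by hand).
KNOWN_BAD_IPS = {"198.51.100.9"}
VULN_SCANNER_IPS = {"10.0.0.5"}

# Tools and permissions each automated action needs; the playbook lists them
# up front so the orchestration layer can check access before running.
ACTION_REQUIREMENTS = {
    "auto_close": ("siem", "case.write"),
    "block_ip_at_firewall": ("firewall", "policy.write"),
    "open_ticket": ("ticketing", "ticket.create"),
    "notify_analyst": ("chat", "message.send"),
    "assign_to_analyst": ("ticketing", "ticket.assign"),
}

@dataclass
class Case:
    alert_id: str
    verdict: str
    actions: list = field(default_factory=list)

def enrich(alert):
    """Step 1: add context from threat intel and the scanner allow-list."""
    ip = alert["src_ip"]
    return {**alert, "known_bad": ip in KNOWN_BAD_IPS, "scanner": ip in VULN_SCANNER_IPS}

def run_playbook(alert):
    """Steps 2-3: apply predefined decision rules, then record expected actions."""
    a = enrich(alert)
    case = Case(alert_id=a["id"], verdict="")
    if a["scanner"]:                       # known noise source: close without a human
        case.verdict, case.actions = "false_positive", ["auto_close"]
    elif a["known_bad"] or (a["rule"] == "failed_logins" and a["count"] >= 100):
        case.verdict = "confirmed"         # contain first, then hand the case over
        case.actions = ["block_ip_at_firewall", "open_ticket", "notify_analyst"]
    else:
        case.verdict, case.actions = "needs_review", ["assign_to_analyst"]
    # Every action the playbook emits must have a declared tool and permission.
    assert all(x in ACTION_REQUIREMENTS for x in case.actions)
    return case

def triage(alerts):
    """Run the playbook over a batch of SIEM alerts and return the resulting cases."""
    return [run_playbook(a) for a in alerts]
```

Only the branches that are unambiguous are automated end to end; anything else is routed to a person, which is the complement-not-replace relationship the text describes.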
