Getting Started with SOAR (Security Orchestration, Automation and Response)

SOAR Overview

Security Orchestration, Automation and Response, abbreviated to SOAR, is a Security-focused platform designed to automate many of the manual tasks currently performed by a company's Security team. This means automating workflows such as phishing email responses, or automatically disabling a user account in Active Directory as part of an automated response action.

The aim of SOAR is to automate as much as possible of the manual work Security professionals perform, so that they can look at the more interesting findings or improvements to make on the network. Typically businesses are moving to SOAR to move their tier 1, and in some cases tier 2, analysts into a tier 3 role for role progression, quicker response and specialised teams.

Implementing SOAR also means that any alert will receive the same triage and analysis every time, no matter which analyst picks up the case for further investigation.

How to use it?

Now obviously there isn't a one-size-fits-all approach to SOAR, as it is very dependent on the organisation and the journey you are on within Security. However, to get started, first look at the current processes and manual actions performed by the Security team and question what can be automated. Once this has been established you should be able to create a list of use cases to implement. Typically these will be automatically assessing whether a phishing submission is malicious or not, or running an antivirus scan if a user has had an AV detection or if a machine has called out to a malicious domain or IP.

There isn't one way of using SOAR but hundreds of different options, so I wouldn't get too bogged down on how to use it but rather just get started with this fantastic new technology.
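As an added illustration (not code from the original post or any particular SOAR product), here is a minimal phishing-triage playbook in Python of the kind a SOAR would run for the first use case above: ingest the submission, enrich its indicators, decide a verdict and queue response actions. The sample submission, the blocklist standing in for a threat-intel lookup and the action names are all constructed for this example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample phishing submission (not a real message)
SAMPLE_SUBMISSION = """From: "IT Helpdesk" <helpdesk@example-phish.test>
To: alice@corp.example
Subject: Password expiry notice

Your password expires today. Reset it at http://login.example-phish.test/reset
"""

# Constructed blocklist standing in for a real threat-intel/reputation lookup
KNOWN_BAD_DOMAINS = {"example-phish.test", "login.example-phish.test"}

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def extract_indicators(raw_message):
    """Ingest step: parse the submission and pull out the sender domain and URL hosts."""
    msg = message_from_string(raw_message, policy=policy.default)
    _, sender_addr = parseaddr(str(msg.get("From", "")))
    sender_domain = sender_addr.rsplit("@", 1)[-1].lower() if "@" in sender_addr else ""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    url_hosts = {h.lower() for h in URL_HOST_RE.findall(text)}
    return {"sender_domain": sender_domain, "url_hosts": url_hosts}

def enrich(indicators):
    """Enrichment step: check every indicator against the blocklist."""
    candidates = indicators["url_hosts"] | {indicators["sender_domain"]}
    return {c for c in candidates if c in KNOWN_BAD_DOMAINS}

def decide(hits):
    """Decision step: map enrichment results to a verdict and hypothetical action names."""
    if hits:
        return {"verdict": "malicious", "hits": sorted(hits),
                "actions": ["quarantine_message", "block_domains", "open_case_p2"]}
    # Nothing known-bad: no automatic containment, hand to an analyst at low priority
    return {"verdict": "needs_review", "hits": [], "actions": ["open_case_p4"]}

def run_playbook(raw_message):
    """Run the full playbook: ingest -> enrich -> decide."""
    return decide(enrich(extract_indicators(raw_message)))

if __name__ == "__main__":
    print(run_playbook(SAMPLE_SUBMISSION))
```

The same skeleton extends to the other use cases on this page by swapping the ingest and enrichment steps (an AV detection or a DNS log line instead of an email) and the action list.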

SOAR Benefits

  • Simplified case management – SOAR can improve case management by being the 'central source of truth' across the multiple different alerting products in an organisation's estate. It also helps businesses with multiple divisions, or MSSPs, gather all alerts centrally for investigation.
  • Improved incident response times (MTTR) – One of the key benefits is reducing the mean time to respond to alerts. This is particularly useful for Security teams that do not operate in an on-call manner, and means threats can be stopped and contained before any further potential damage is caused.
  • Central threat context – SOAR is able to gather all relevant information about a case from a multitude of products in one place, where it can be served to analysts.
  • Security team progression – When implementing SOAR, Security teams can look at career development and general team progression, as many of the manual tasks can be automated so analysts and engineers can refocus on either dealing with higher priority cases or looking at the network environment in order to identify improvements to prevent future attacks.
  • Scalability – No matter how big or small the team is, a SOAR can quite easily cater for any team in any situation, as it's down to you how you would like to implement it, and as you grow it can be scaled out further and further.
  • Security investigation baseline – A great side benefit of implementing SOAR is the ability to baseline an investigation, so no matter who is working on the ticket there is a level of assurance that all relevant information on a case has been assessed and triaged before being provided to an analyst.

Does it replace the need for a SIEM?

To answer this in short, no it doesn’t replace the need for a SIEM.

SOAR does, however, work in perfect harmony with a strong SIEM implementation. Although technically many SOAR tools can trigger alerts based on certain factors in some form of log storage, the rules are typically harder to implement and will likely be a simplified and watered-down version of what is possible in a fully fledged SIEM such as Azure Sentinel, Splunk or the Elastic SIEM.

SOAR does, though, handle rather well everything that comes after the initial alert, by gathering all the details you want and even automating workflows and call-out trees if applicable to you.

SOAR tools in the market

There are many big players in the market moving to SOAR, but a list of well established and widely used SOAR tools has been drafted below.

  • Splunk Phantom SOAR platform
  • Azure Sentinel Logic Apps automation
  • Siemplify SOAR platform
  • IBM Resilient SOAR platform