What is SOAR (Security Orchestration, Automation, and Response)?
Blog: The Enterprise Project - Enterprise Technology
As far as IT acronyms go, SOAR is effective: You can immediately surmise its purpose simply from the terms it represents: Security Orchestration, Automation, and Response.
“SOAR is one of the few clearly named acronyms in security and does what the name implies,” says Jerry Gamblin, manager of security and compliance at Kenna Security. “It handles the Orchestration, Automation, and Response of your Security tools.” That’s no small matter: Cybersecurity is chock-full of such acronyms, and some are quite opaque. One NIST list of system and network security acronyms and abbreviations runs 32 pages long, from “A” (quite literally: “A” stands for “address resource record type”) to “ZSK” (“zone signing key.”)
More importantly, SOAR exists to address an ever-growing problem in security: How do a finite number of humans respond to a seemingly infinite number of potential threats?
The “birth” of SOAR as a tech acronym is typically credited to the research firm Gartner, which used it to describe technologies that bring together security information from various tools and sources and then automate some initial tasks in incident response.
As one security pro will note below, the concept here is comparable to how IT help desks can automate response to and resolution of certain lower-tier support tickets with ITSM tools. The overarching idea with SOAR is to automate, when and where reasonable or feasible to do so, some of the repetitive effort required to maintain a strong security posture.
[ How can automation free up more staff time for innovation? Get the free eBook: Managing IT with Automation. ]
Here are some deeper definitions of the term, with help from Gamblin and other security experts, as well as a look at the how and why of SOAR tools and what they can and can’t do.
What is SOAR? Four definitions
It helps to have some more robust definitions of SOAR that you can use as explainers with other people. Here are four good ones:
“SOAR solutions are tools that provide three key features. First, case management and workflow capabilities: Just like IT support and helpdesk teams use IT service management tools to track and control their work, Security Operations Centers (SOCs) also need tools to manage and control the work of triaging alerts, [as well as] raising, investigating, and solving incidents. Second, automate tasks from those activities via orchestration of multiple tools, such as Endpoint Detection and Response (EDR), Security Information and Event Management (SIEM) and Network Detection and Response (NDR). And third, provide a centralized way to access, query, and share threat intelligence, a vital resource for threat detection and response activities.” –Augusto Barros, VP of solutions at Securonix
“When a security incident is identified, organizations need to contain the damage, preserve evidence, and restore business functions. As many previous incidents show, there is mayhem in the initial hours of responding to an ongoing attack, from identifying the significance of a threat to considering the tradeoffs between containment and business disruption. The idea behind SOAR is to make security incident response more efficient through automation. –Tsvi Korren, field CTO at Aqua Security
“If asked to explain it to someone, I like to describe it as an Automated Air Traffic Control System for security teams that can handle basic tasks while allowing employees to focus on more challenging assignments.” –Jerry Gamblin, manager of security and compliance at Kenna Security
“SOAR refers to technologies that enable organizations to collect inputs monitored by the security operations team. For example, alerts from the SIEM system and other security technologies – where incident analysis and triage can be performed by leveraging a combination of human and machine power – help define, prioritize and drive standardized incident response activities. SOAR tools allow an organization to define incident analysis and response procedures in a digital workflow format.” –Gartner
When do SOAR tools make sense?
It’s important to consider where your organization is in terms of security maturity, as you consider whether SOAR tools make sense. As Red Hat consulting product manager Massimo Ferrari notes, “Although automation brings a well-established set of values, like mitigating human error, reducing time to task and increasing the ability to manage a large scale, multi-vendor infrastructure; an exercise of self-analysis is necessary when introducing this family of technologies in security operations. Every organization must assess its level of maturity to avoid implementing advanced tools at an early stage.”
You may start, for example, on security operations, with the goal of standardizing security tasks and reducing time spent coordinating steps across products from multiple vendors. In this early stage, “Ansible Automation offers its human-readable YAML language as a tool to easily describe these processes, compare them and identify the best workflow to be used as a base for standardization,” Ferrari notes. That standardization process results in roles and playbooks that become the base for a library of response workflows which grows over time.
Later on, when the organization is focusing more on automating security process end-to-end and integrating security and enterprise portfolios, SOAR tools typically come into play, in combination with Ansible. For more detail, read Ferrari’s full blog: The journey to security automation.
How and why do organizations use SOAR?
It’s important to be clear that people are still very much a part of the picture with SOAR. It’s not about replacing anyone; it’s about helping to ensure security pros don’t drown in a lot of manual effort just to gather basic information or initiate responses to every possible event.
In that way, SOAR can have a mitigating effect on talent shortfalls, in that your highly skilled people don’t spend their time chasing down the mundane chores. It’s really about connecting (or orchestrating) what may be, especially in large organizations, a disparate set of security tools, as well automating some first steps or low-level incident responses.
Gamblin shares a clear example of a use case:
“A corporate AV [tool] identifies malware on a system and sends an alert to the SOAR system,” Gamblin says. “The SOAR system workflow can be written to do the following:
- Have the AV system kick off a remediation scan.
- Retrieve the remediation results.
- If the malware was removed: Send a Slack message to the team running the AV system, letting them know.
- If the malware was not removed: Move the system to an isolated VLAN or disable internet access.
- Send a Slack message to the team running the AV system, letting them know.
- Send an alert to the user of the system, asking them not to use the system until instructed.
- Open a support ticket with all the needed information for the right teams to investigate further.”
Because SOAR workflows can run continually, Gamblin notes that if the hypothetical malware in the above scenario is discovered at 10 PM on a Tuesday, all of the above can run automatically and be ready for the next steps when team members get into the office on Wednesday morning. (As opposed to the team’s pagers going off because these steps need to be initiated manually and can’t wait.)
That’s the promise: This kind of scenario and others like it are common. SOAR focuses on reducing the manual effort required to manage the necessary front-end steps of many common security scenarios.
Again: SOAR is not a replacement for security pros, but a complement to their skills.
“The promise of automation leads many organizations to believe they can replace humans in their SOCs with machines. However, that’s not the reality,” Barros says. “Organizations are getting value from SOAR by improving their processes and increasing the efficiency and productivity of their security operations teams.”
As in Gamblin’s example use case, Barros says that SOAR done right can accelerate incident response and investigations and limit the impact of a breach in the process,
“These improvements often come from automating activities such as basic alert enrichment, where analysts have to manually query multiple tools to obtain the necessary information to make decisions,” Barros says. “Some of these tasks change from hours to seconds when SOAR based automation is introduced.”
As a result, Barros notes time-centric metrics like Mean Time to Contain or Mean Time to Respond (MTTC/MTTR) are often used to measure the efficacy of a SOAR implementation.
What SOAR does not do: Fix broken processes or cultures
The general promise of automation in IT has also come with hard lessons learned for some teams. One of the biggies: Automating a manual process that consistently produces negative results doesn’t improve that process. It just allows a broken process to run faster and more frequently.
The same applies with SOAR: If your security pros are working with outdated or incomplete information, patchwork tools, or a business culture that treats security as a hindrance rather than a priority – well, SOAR is not going to solve those problems in some plug-in fashion.
“If security is distant from the applications, bolted on at the end, and can produce unintended disruption – SOAR is not solving any of that,” says Korren from Aqua Security. “It makes it worse.”
Cultural rifts also can’t be mollified by implementing SOAR. Korren points to the classic example of organizational cultures where security and “the business” – everyone else, essentially, even including other IT roles such as developers – work in a constant state of conflict and mistrust. SOAR is not going to achieve much in that organizational scenario, because you’ll never be able to set effective rules for automating the response to any but the most basic of security events, if any at all.
In Korren’s view, the sharper focus should be on DevOps or DevSecOps. Implementing SOAR in parallel to (rather than integrated with) your software pipeline may exacerbate problems instead of solving them. For example, you might implement a siloed SOAR tool with workflow that automatically takes down a service in response to a particular security condition, only to have a separate cloud automation or orchestration tool continuously restore that service.
Some tools you’re already using may come into play here. As we noted earlier, an automation platform like Ansible is not a SOAR tool, per se, but security automation is indeed one of its visible use cases. And Ansible can integrate with and extend the capabilities of SOAR tools, which helps avoid a siloed approach that produces more problems than it solves.
This gets back to the SOAR acronym: It’s less about packaging or marketing, and more about the concepts it represents: using orchestration and automation to optimize how you handle and respond to security information and events.
[ Learn the do’s and don’ts of cloud migration: Get the free eBook, Hybrid Cloud Strategy for Dummies. ]