The addition of new features is moving SOAR from supporting security operations centers to broader operational use cases, from ITOps to DevOps.
SOAR (security orchestration, automation, and response) solutions are in a transition. Some see SOAR as a product in its own right, and others like to think of it as a component of a platform composed of SIEM (security information and event management), security analytics, and other security tools. But even when it is part of a larger security platform, the solution is usually a module unto itself, and its function and use are frequently akin to a stand-alone solution.
Why? As noted in a recent Sumo Logic blog, “enterprise clients and MSSPs look at SOAR as an intelligent hub capable of pragmatically solving a series of critical use cases, both simple and complex. Additionally, many stand-alone SOAR solutions have increased functionality and differentiated their offerings by adding threat intelligence and automation capabilities.” The addition of these features is moving SOAR from a solution that supports cyber use cases in a security operations center (SOC) to one that supports broader operational case management, from ITOps to DevOps.
Broader SOAR capabilities match new demands for skilled workers
One of the biggest problems for legacy SOCs has been slow training cycles and an inability to retain talented security analysts. A job market that entices those with security expertise to seek new, higher-paying positions, combined with the great resignation trend, only makes staffing issues worse.
SOAR solutions with higher-end capabilities can help. As noted in a recent RTInsights article, SOAR solutions let new recruits train on real-world examples through simulation, which helps them get caught up on the latest best practices and strategies in a fraction of the time.
In addition, because a SOAR solution automates routine incident response, analysts have many more spare cycles to shape new approaches to hunting threats or to innovate on the new tactics, techniques, and procedures (TTPs) they see in real-life cybersecurity incidents. They can work on harder, more interesting problems, which generally improves their job satisfaction and keeps them around longer.
Also, companies can reshape how security analysts perceive their jobs by offloading once-manual work to automated playbooks and moving analysts toward proactive or defensive strategies.
Enhanced capabilities fit changing threat landscape
Another factor making SOAR essential is the added complexity of securing a business that moves to the cloud. The use of cloud technology is exploding in the enterprise. Gartner predicts that 70% of all enterprise workloads will be deployed in the cloud by 2023, up from 40% in 2020. That growth makes cloud deployments an attractive target for malicious actors.
Another factor contributing to the problem is that, over the years, businesses have added more and more tools to manage and observe their infrastructure and application environments. Many of these tools are single-purpose and do not work well together. This has made it much harder to detect and respond to threats across an entire digital infrastructure.
Combined, these issues (the rapid move to cloud, the increased complexity of application deployment environments, and a plethora of siloed tools) make it all the more difficult to protect against today’s cyber threats.
The problem is that the volume of data and alerts makes it hard to integrate information and understand what’s happening. Those responsible for protecting the company from cyber threats must quickly assimilate all of that data, derive insights into looming threats in real time, and instantly take action. Increasingly, the way to accomplish that is by using SOAR (security orchestration, automation, and response).
SOAR solutions bring together data from multiple cloud-based tools – vulnerability scanners, endpoint protection software, firewalls, intrusion detection systems, and security information and event management (SIEM) software – through extensive use of APIs.
Using SOAR products, security analysts can standardize the actions they regularly take on common tasks, like vulnerability scanning and log analysis. They can also define which steps of the standardized process a playbook may run unattended, so that an analyst is notified only about the manual follow-up actions that remain after the SOAR solution has already taken the automated mitigation steps. In practice, each automated step should be recorded in the case’s audit trail, and a step that fails (for example, an integration API that rejects a containment request) should escalate the case to a human rather than let the playbook continue silently.
A SOAR solution with sophisticated threat detection and automation can perform tasks previously performed by SOC staff, such as vulnerability scanning, log analysis, and ticket checking. In addition, solutions that incorporate artificial intelligence (AI) and machine learning can be used to derive insights. For instance, a SOAR solution could escalate threats when human intervention is needed, make action recommendations, and automate responses. Such solutions use continuous intelligence to derive real-time insights upon which a company can base its response to a threat.
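The two paragraphs above describe the core playbook pattern: enrich an alert from integrated tools, run the mitigation steps that can be automated, and page an analyst only for what remains. The following Python is an added illustration of that pattern, not code from any SOAR product or from the article. Everything in it is constructed for the example: the threat-intelligence table, the alerts, and `isolate_host`, which stands in for an EDR isolation API and deliberately refuses one host so the failure path is exercised.

```python
"""Minimal SOAR-style playbook runner (added example, not vendor code).

Constructed assumptions:
- Alerts are dicts with 'id', 'src_ip', 'host' and 'rule'.
- THREAT_INTEL is an inline stand-in for a reputation feed (0 clean, 100 known bad).
- isolate_host() is a stub for an EDR API; it fails for host 'db-01' on purpose.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

THREAT_INTEL = {            # constructed feed: IP -> reputation score
    "203.0.113.7": 95,
    "198.51.100.22": 60,
    "192.0.2.10": 5,
}
ISOLATE_THRESHOLD = 80      # at or above: contain automatically
REVIEW_THRESHOLD = 50       # at or above (but below ISOLATE): analyst decides


@dataclass
class Case:
    alert: dict
    enrichment: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)   # audit trail of automated steps
    notes: list = field(default_factory=list)     # what a human still has to do
    needs_human: bool = False
    status: str = "open"


def step_enrich(case: Case) -> None:
    """Automated step: look the source IP up in the reputation feed."""
    ip = case.alert["src_ip"]
    score = THREAT_INTEL.get(ip, 0)
    case.enrichment["reputation"] = score
    case.actions.append(f"enriched {ip} (score={score})")


def isolate_host(host: str) -> bool:
    """Stub for an EDR isolation call. Constructed: 'db-01' refuses isolation."""
    return host != "db-01"


def step_contain(case: Case) -> None:
    """Automated step: contain if confident, escalate if not or if containment fails."""
    score = case.enrichment["reputation"]
    host = case.alert["host"]
    if score >= ISOLATE_THRESHOLD:
        if isolate_host(host):
            case.actions.append(f"isolated {host}")
            case.status = "contained"
        else:
            case.needs_human = True
            case.notes.append(f"isolation of {host} failed; manual containment required")
    elif score >= REVIEW_THRESHOLD:
        case.needs_human = True
        case.notes.append("reputation inconclusive; analyst decision needed")
    else:
        case.status = "closed"
        case.actions.append("auto-closed: source IP reputation clean")


def step_notify(case: Case) -> Optional[dict]:
    """Page an analyst only when automation could not finish the job."""
    if not case.needs_human:
        return None
    return {"alert": case.alert["id"],
            "actions_taken": list(case.actions),
            "todo": list(case.notes)}


PLAYBOOK = [step_enrich, step_contain]


def run_playbook(alert: dict) -> Tuple[Case, Optional[dict]]:
    """Run the automated steps in order; a crashing step escalates instead of being skipped."""
    case = Case(alert=alert)
    for step in PLAYBOOK:
        try:
            step(case)
        except Exception as exc:          # integration failure must never be silent
            case.needs_human = True
            case.notes.append(f"{step.__name__} failed: {exc}")
            break
    return case, step_notify(case)


if __name__ == "__main__":
    for alert in [
        {"id": "A1", "src_ip": "203.0.113.7", "host": "ws-17", "rule": "beacon"},
        {"id": "A2", "src_ip": "203.0.113.7", "host": "db-01", "rule": "beacon"},
        {"id": "A3", "src_ip": "192.0.2.10", "host": "ws-01", "rule": "beacon"},
    ]:
        case, page = run_playbook(alert)
        print(alert["id"], case.status, case.actions, page)
```

The point of the structure is that the notification carries the audit trail of what automation already did, so the analyst who picks up the page does not repeat the enrichment or containment, and that an exception inside any step lands the case with a human instead of being swallowed.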
A final word
Forrester recently posted some best practices when selecting and implementing a SOAR solution. It noted that: “SOAR is not a set-it-and-forget-it technology. Depending on the number of integrated tools, playbooks, and use cases being met (for example, detection and response, threat intelligence, metrics gathering, or case management), SOAR may require one or more full-time equivalents to operationalize.”
It also noted that, depending on the SOAR solution selected, an offering “can provide deeper value than automation of detection and response alone.” Forrester recommends that businesses consider whether other functions such as vulnerability management coordination, metrics gathering and dashboarding, and case management capabilities would be of value.