Security Orchestration, Automation, and Response (SOAR)
Security Orchestration, Automation, and Response (SOAR) is a class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment.
- scans security and threat intelligence data collected from multiple sources within the enterprise and then analyzes it using various techniques defined via playbooks
- can assist with provisioning tasks
  - e.g.,
    - creating and deleting user accounts
    - making shares available
    - or launching VMs from templates
- uses, for example,
  - cloud and SDN/SDV APIs, orchestration tools, and cyber threat intelligence (CTI) feeds to integrate the different systems that it is managing
  - automated malware signature creation and user and entity behavior analytics (UEBA) to detect and identify threats
- automates the work of identifying, analyzing, and responding to security threats often flagged by a SIEM
- frequently “bolts on” to a SIEM and triggers after an alert is generated
  - instead of sending the alert to a security analyst for manual review, the alert is forwarded to a SOAR platform
  - the SOAR performs a series of tasks grouped within pre-established playbooks in response to the alert
  - extracts relevant fields from the alert and can evaluate events and data contained within the alert and respond to them accordingly
    - using scripts or API integrations with other security tools
- provides a case management interface used by security analysts to manage and document their work
  - operates similarly to a help desk ticketing solution
  - allows analysts to search for specific events and filter/sort events by specific attributes (e.g., severity level)
Benefits
- reduce the number of false positives and the number of mundane tasks performed by security personnel
- reduce the amount of time and manual labor required to monitor and respond to security threats
- ensure that security threats are promptly identified and addressed
SOAR Runbook
A playbook contains a checklist of actions to perform in response to an incident.
- incident response workflow is a classic example of a SOAR task defined within a playbook
- should be made highly specific by including the query strings and signatures that will detect a particular type of incident
- may account for compliance concerns
  - breach notification requirements
When a playbook is automated from a SOAR system, it is called a runbook.
- aims to automate as many of the playbook’s stages as possible
- keeps clearly defined interaction points for human analysis
- should present contextual information and guidance to make an informed decision about the best way to proceed with incident mitigation
Example
A runbook may use integrations for cloud-based email platforms and antimalware solutions.
- the runbook may take email attachments from user emails and submit them to a detection engine (e.g., VirusTotal)
  - if VirusTotal identifies the file as malicious
    - SOAR can provide a new custom detection signature to the antimalware software
      - so it can locate and block other instances
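The runbook above, written out as an added example (not code from the original notes): it parses a constructed email, hashes each attachment, asks a detection engine for a verdict, and on a malicious verdict builds a hash-based custom signature for the antimalware tool. A hash-indexed verdict table stands in for the VirusTotal lookup, and attachments the engine has never seen are left for an analyst, which is the runbook's human interaction point.

```python
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample: the bytes merely start with an MZ header and stand in
# for a suspicious file; they are not a real executable.
SAMPLE_ATTACHMENT = b"MZ\x90\x00" + b"\x00" * 60 + b"constructed sample, not a real binary"

def build_sample_email():
    """Build a constructed user email carrying one attachment (invoice.exe)."""
    msg = EmailMessage()
    msg["From"] = "user@example.com"
    msg["To"] = "soc@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(SAMPLE_ATTACHMENT, maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()

# Assumption: this hash -> verdict table replaces the VirusTotal API call a
# real runbook would make.
DETECTION_ENGINE = {hashlib.sha256(SAMPLE_ATTACHMENT).hexdigest(): "malicious"}

def extract_attachments(raw):
    """Return (filename, bytes) for every attachment in a raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [(p.get_filename(), p.get_payload(decode=True)) for p in msg.iter_attachments()]

def run_playbook(raw, engine):
    """Submit each attachment to the engine; on 'malicious', emit a custom
    block signature; unknown verdicts are escalated to an analyst."""
    signatures, case = [], []
    for name, data in extract_attachments(raw):
        digest = hashlib.sha256(data).hexdigest()
        verdict = engine.get(digest, "unknown")  # unknown -> analyst decides
        case.append({"file": name, "sha256": digest, "verdict": verdict})
        if verdict == "malicious":
            # Hash-based signature handed to the antimalware integration
            signatures.append({"name": f"soar-custom-{name}", "sha256": digest, "action": "block"})
    needs_analyst = any(c["verdict"] == "unknown" for c in case)
    return {"signatures": signatures, "case": case, "needs_analyst": needs_analyst}

if __name__ == "__main__":
    print(run_playbook(build_sample_email(), DETECTION_ENGINE))
```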
Identifying Tasks Suitable for Automation
Security Operation Center (SOC) teams can identify tasks suitable for automation in several ways:
- Analyze workflows
  - identify repetitive or time-consuming tasks
  - Tasks that require significant manual effort, such as data aggregation, correlation, and analysis, are good candidates for automation
- Evaluate time-to-detection
  - evaluate how long it takes them to detect and respond to security incidents
  - Tasks that contribute to delays in detection or response are good candidates for automation
- Identify high-risk areas
  - identify areas of the organization at high risk of a cyber attack
  - Tasks critical to these areas’ security are good candidates for automation
    - e.g., threat hunting or vulnerability scanning
- Consider the frequency of tasks
  - consider how often they perform specific tasks
  - Tasks performed frequently are good candidates for automation
    - e.g., log analysis or malware scanning
- Evaluate the benefits of automation
  - evaluate the benefits of automation for specific tasks, such as increased accuracy, faster response times, and reduced manual effort