SOAR

Security Orchestration Automation and Response (SOAR) system covers three major functions: response, orchestration and automation of IT security systems.

An information system can quickly become extremely complex: various technologies interact with users with diversified objectives and skills. Ensuring operational security therefore requires being able to act on these different components at all levels (terminals, network, access control, etc.), in the most effective and efficient way possible. Over time, technologies have emerged to perform this function: these are SOAR.

What is a SOAR used for?

As its name suggests, a Security Orchestration Automation and Response system covers three major functions: response, orchestration, and automation of computer security systems. Along with SIEM and CTI, this is one of the three main functions of a SOC/CSIRT.

Response

The first mission of a SOAR is to be able to transmit active instructions to other systems. This is particularly useful in an incident response context, when it is necessary to be able to quickly circumscribe the threat or reconfigure the information system in a degraded mode.

For this, the SOAR must have a vast catalog of integrations, in order to :

know how to speak the language of the various equipment with which it will have to be able to interact,
from the EDR to firewall via the management of privileges or the apps.

Although there are some interoperability standards, none is truly dominant, and connecting sometimes legacy systems requires special expertise.

Orchestration

The second mission of a SOAR is to be able to orchestrate these actions, ie to control the sequence of them in such a way as to optimize the available resources to obtain the desired effect.

Without this capacity, it would be up to an operator to trigger these different sequences manually, one after the other. While trying to respect the procedures in force in the organization.

Nowadays, this orchestration capacity manifests itself under the form of playbooks, which are scripts describing sequences of responses and procedures. To be accessible to as many people as possible, these playbooks can generally be edited visually, sometimes without entering a single line of code: we speak of no-code or low-code SOAR.

It should be noted that orchestration does not only concern incident response. But can also be useful in support of the investigation :

For example to enrich alerts
or in support of CTI analysts.

Automation

Finally, the last great function of a SOAR is to automate everything that can and should be. Indeed, in a large information system, it is not realistic for all actions to be carried out manually, even orchestrated by playbooks. This is even more important when reflex reactions are required, for example to contain the early stages of an intrusion attempt and neutralize threats before impact.

Thus, the automation functions of a SOAR can range :

From simple conditional triggering (“if such an event occurs, then trigger such an action”)
To much more elaborate scenarios. Even unscripted with the help of artificial intelligence.

Automation is made necessary by the shortage of incident response experts, by the requirement for responsiveness. And by the complexity of the systems supervised. However, human action is still crucial: if it sometimes becomes possible to get rid of any human intervention, it is still very limited to basic responses.

Liability and insurance issues further complicate the situation. If the production stoppage of an assembly line was triggered by an automatic mechanism:

Who should be responsible for the loss of earnings? The SOC? The SOAR provider? The integrator service provider?

If automation has made enormous progress, it remains illusory to completely do without human intervention.

How does a SOAR work?

A modern SOAR has two main aspects:

Interconnection, which allows it to be connected to other security equipment and systems,
And orchestration, which allows playbooks and cases to be managed and triggered.

The interconnection must allow the SOAR:

To effectively establish the data link with a third-party system,
To know which actions or type of actions are possible on which perimeters.

This is called the taxonomy of security systems. This module corresponds to a deployment and maintenance phase of the security system.

Orchestration is rather operations-oriented, since it is here that we will find case management. But first, you have to be able to access or configure playbooks. This module therefore provides a playbook editor and playbook libraries, sometimes collaborative, compatible with the taxonomy present in the information system. A playbook that would trigger the interruption of a process on a compromised terminal would be useless if no device steering mechanism is available, for example with an EDR…

How to choose the right SOAR solution?

The heart of a security operational platform (SecOps), a SOAR should:

Have a large catalog of integrations, compatible with several interconnection standards, including a great versatility of actions available, to make deployment rapid,
Offer a simple and accessible playbook management interface, to make handling accessible to less specialized personnel,
Propose a library of generic playbooks to be operational from launch,
Ensure case management and in particular capitalization through the export of telemetry or even CTI,
Have powerful automation corresponding to the real security needs
Ensure the best complementarity between the teams and the tools, in particular in the transparency of data and reporting.

However, as the hub of security operations, SOAR technologies are now routinely integrated into SOC platforms where they natively interface with SIEM and CTI-like functions. Thus, there are fewer and fewer relevant pure-player products, and those that remain mainly play the role of middleware.

SOAR features are now must-haves for operational security solutions. This is the case on SEKOIA.IO. It is not possible to deploy our SOAR module, called Symphony, alone.

It is provided systematically in all our products, from intelligence production with SEKOIA.IO TIP:

Where it facilitates the enrichment and contextualization work of analysts, to extended response with SEKOAI.IO XDR,
Where it allows a wide range of real-time, self-contained or triggered responses.

Discover How SEKOIA.IO can help you to act quickly in the face of the threats.

If you are visiting our website for the first time, know that we are a cybersecurity software publisher. We provide SOC and MSSP teams with a turnkey operational security platform (SOC platform). Through our XDR platform, CTI tool and threat intelligence platform, we enable our users to neutralize cyber threats, regardless of the attack surface.

Others Terms

Others Terms

SOC(Security Operations Center)

Security Operations Center (SOC) is an organizational structure dedicated to the implementation of all the security operations of an organization against cyberattacks. These actions include the supervision and protection of an organization’s information system (workstations, networks, website, applications, databases, etc.)

SIEM(Security Information and Event Management)

A SIEM (Security Information and Event Management) is an IT security tool that is used to collect, store and analyze large volumes of log data from all sources in the enterprise. It is used to take advantage of each of these data (collected) to identify and analyze, from a platform, the events and/or incidents that may take place on the company's computer network.

Échangez avec l’équipe

Vous souhaitez en savoir plus sur nos solutions de protection ?
Vous voulez découvrir nos produits de XDR et de CTI ?
Vous avez un projet de cybersécurité dans votre organisation ?
Prenez rendez-vous et rencontrons-nous !

Contactez-nous

Chat with our team !

Would you like to know more about our solutions ?
Do you want to discover our XDR and CTI products ?
Do you have a cyber security project in your organization ?
Make an appointment and meet us !

Contact us

Cookie	Duration	Description
__hssrc	session	This cookie is set by Hubspot. According to their documentation, whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	1 year	This cookies is set by GDPR Cookie Consent WordPress Plugin. The cookie is used to remember the user consent for the cookies under the category "Analytics".
cookielawinfo-checkbox-necessary	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".

Cookie	Duration	Description
__hssc	30 minutes	This cookie is set by HubSpot. The purpose of the cookie is to keep track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
pll_language	1 year	This cookie is set by Polylang plugin for WordPress powered websites. The cookie stores the language code of the last browsed page.

Cookie	Duration	Description
__hstc	1 year 24 days	This cookie is set by Hubspot and is used for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_gtag_UA_152945562_1	1 minute	This cookie is set by Google and is used to distinguish users.
_gcl_au	3 months	This cookie is used by Google Analytics to understand user interaction with the website.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
Inbound Converter	2 ans	This script communicates back to TechTarget which accounts, based on reverse IP lookup, have visited this website. The information that is transmitted includes: URL of page landed on, Timestamp of visit, IP Address
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	No description
cookielawinfo-checkbox-functional	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-others	1 year	No description
li_gc	2 years	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.