SOAR

Security Orchestration Automation and Response (SOAR) system covers three major functions: response, orchestration and automation of IT security systems.

An information system can quickly become extremely complex: various technologies interact with users with diversified objectives and skills. Ensuring operational security therefore requires being able to act on these different components at all levels (terminals, network, access control, etc.), in the most effective and efficient way possible. Over time, technologies have emerged to perform this function: these are SOAR.

What is a SOAR used for?

As its name suggests, a Security Orchestration Automation and Response system covers three major functions: response, orchestration, and automation of computer security systems. Along with SIEM and CTI, this is one of the three main functions of a SOC.

Response

The first mission of a SOAR is to be able to transmit active instructions to other systems. This is particularly useful in an incident response context, when it is necessary to be able to quickly circumscribe the threat or reconfigure the information system in a degraded mode.

For this, the SOAR must have a vast catalog of integrations, in order to :

  • know how to speak the language of the various equipment with which it will have to be able to interact,
  • from the EDR to firewall via the management of privileges or the apps.

Although there are some interoperability standards, none is truly dominant, and connecting sometimes legacy systems requires special expertise.

Orchestration

The second mission of a SOAR is to be able to orchestrate these actions, ie to control the sequence of them in such a way as to optimize the available resources to obtain the desired effect.

Without this capacity, it would be up to an operator to trigger these different sequences manually, one after the other. While trying to respect the procedures in force in the organization.

Nowadays, this orchestration capacity manifests itself under the form of playbooks, which are scripts describing sequences of responses and procedures. To be accessible to as many people as possible, these playbooks can generally be edited visually, sometimes without entering a single line of code: we speak of no-code or low-code SOAR.

It should be noted that orchestration does not only concern incident response. But can also be useful in support of the investigation :

Automation

Finally, the last great function of a SOAR is to automate everything that can and should be. Indeed, in a large information system, it is not realistic for all actions to be carried out manually, even orchestrated by playbooks. This is even more important when reflex reactions are required, for example to contain the early stages of an intrusion attempt and neutralize threats before impact.

Thus, the automation functions of a SOAR can range :

  • From simple conditional triggering (“if such an event occurs, then trigger such an action”)
  • To much more elaborate scenarios. Even unscripted with the help of artificial intelligence.

Automation is made necessary by the shortage of incident response experts, by the requirement for responsiveness. And by the complexity of the systems supervised. However, human action is still crucial: if it sometimes becomes possible to get rid of any human intervention, it is still very limited to basic responses. 

Liability and insurance issues further complicate the situation. If the production stoppage of an assembly line was triggered by an automatic mechanism:

  • Who should be responsible for the loss of earnings? The SOC? The SOAR provider? The integrator service provider?

If automation has made enormous progress, it remains illusory to completely do without human intervention.

How does a SOAR work?

A modern SOAR has two main aspects:

  • Interconnection, which allows it to be connected to other security equipment and systems,
  • And orchestration, which allows playbooks and cases to be managed and triggered.

The interconnection must allow the SOAR:

  1. To effectively establish the data link with a third-party system,
  2. To know which actions or type of actions are possible on which perimeters.

This is called the taxonomy of security systems. This module corresponds to a deployment and maintenance phase of the security system.

Orchestration is rather operations-oriented, since it is here that we will find case management. But first, you have to be able to access or configure playbooks. This module therefore provides a playbook editor and playbook libraries, sometimes collaborative, compatible with the taxonomy present in the information system. A playbook that would trigger the interruption of a process on a compromised terminal would be useless if no device steering mechanism is available, for example with an EDR

How to choose the right SOAR solution?

what is a SOAR

The heart of a security operational platform (SecOps), a SOAR should:

  • Have a large catalog of integrations, compatible with several interconnection standards, including a great versatility of actions available, to make deployment rapid,
  • Offer a simple and accessible playbook management interface, to make handling accessible to less specialized personnel,
  • Propose a library of generic playbooks to be operational from launch,
  • Ensure case management and in particular capitalization through the export of telemetry or even CTI,
  • Have powerful automation corresponding to the real security needs
  • Ensure the best complementarity between the teams and the tools, in particular in the transparency of data and reporting.

However, as the hub of security operations, SOAR technologies are now routinely integrated into SOC platforms where they natively interface with SIEM and CTI-like functions. Thus, there are fewer and fewer relevant pure-player products, and those that remain mainly play the role of middleware. 

SOAR features are now must-haves for operational security solutions. This is the case on SEKOIA.IO. It is not possible to deploy our SOAR module, called Symphony, alone.

It is provided systematically in all our products, from intelligence production with SEKOIA.IO TIP: 

  • Where it facilitates the enrichment and contextualization work of analysts, to extended response with SEKOAI.IO XDR,
  • Where it allows a wide range of real-time, self-contained or triggered responses.

Discover How SEKOIA.IO can help you to act quickly in the face of the threats.