To adapt to the new security demands of the cloud, cybersecurity teams are turning to Security Orchestration, Automation and Response (SOAR) platforms to help them with their growing security operations responsibilities and complexity. The main driver is the need to improve incident response times. Incident response, measured by metrics such as MTTR (mean time to repair), spans a wide range: from minor incidents that are easily automated away, like correcting device configurations, to critical incidents that require more sophisticated tools and active admin involvement.
SOAR solutions are designed to coordinate people, process, and technology, which streamlines security operations, automates incident response, and improves security operations center (SOC) effectiveness.
SOAR platforms consist of three general security components:
● Automation — Automated tasks lighten the security team's burden by handling vulnerability scanning and testing, log analysis, ticket checks and audits. These automations are collected in runbooks that document the processes and procedures involved; the runbooks serve as a reference and are used to maintain consistency and ensure reliability.
● Orchestration — Orchestration uses automations to connect and integrate internal and external systems and “orchestrate” larger goals, such as rapid provisioning of on-demand resources. It spans many different devices and products: endpoint protection, vulnerability scanners, IDS/IPS, firewalls, analytics, and security information and event management (SIEM) products.
● Response — The response component is a unified system that creates a single view from which admins can monitor, manage, and plan responses to incidents as they occur in real time. It also includes formal reporting and other post-incident activities.
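The three components above can be made concrete with a minimal playbook runner. The following is an added example written for this article, not code from any SOAR product: it assumes alerts arrive as dictionaries from a SIEM, uses an in-memory asset inventory in place of a CMDB (the orchestration lookup), stubs remediation and ticketing as record-keeping, and routes each alert to a tier: minor configuration drift is corrected automatically, while anything touching a critical asset or an unknown alert type is escalated to an analyst rather than auto-remediated. All alert and asset data is constructed for the example.

```python
# Minimal SOAR-style playbook runner (added example, not from any SOAR vendor).
# Assumptions: alerts are dicts forwarded by a SIEM, ASSET_INVENTORY stands in
# for a CMDB, and remediation/ticketing are stubbed as strings in a record.
from dataclasses import dataclass, field
from enum import Enum


class Severity(Enum):
    LOW = "low"            # auto-remediate, no analyst needed
    HIGH = "high"          # auto-contain, then open a ticket for an analyst
    CRITICAL = "critical"  # no automatic remediation; page the on-call analyst


# Constructed asset inventory (the CMDB that orchestration would query).
ASSET_INVENTORY = {
    "fw-edge-01": {"criticality": "high", "owner": "netops"},
    "ws-1042": {"criticality": "low", "owner": "helpdesk"},
    "db-prod-03": {"criticality": "critical", "owner": "dba"},
}

# Constructed sample alerts, shaped like SIEM output.
SAMPLE_ALERTS = [
    {"id": "A-1", "kind": "config_drift", "host": "fw-edge-01",
     "details": {"setting": "ssh_admin_any", "expected": "off", "actual": "on"}},
    {"id": "A-2", "kind": "malware_detected", "host": "ws-1042",
     "details": {"signature": "Trojan.Generic"}},
    {"id": "A-3", "kind": "malware_detected", "host": "db-prod-03",
     "details": {"signature": "Ransom.Generic"}},
    {"id": "A-4", "kind": "unknown_event", "host": "no-such-host", "details": {}},
]


@dataclass
class IncidentRecord:
    """Single-view record of what the playbook did for one alert (response component)."""
    alert_id: str
    severity: Severity
    actions: list = field(default_factory=list)
    ticket_opened: bool = False
    needs_analyst: bool = False


def enrich(alert: dict) -> dict:
    """Orchestration step: attach asset context; unknown hosts get a safe default."""
    asset = ASSET_INVENTORY.get(alert["host"], {"criticality": "unknown", "owner": None})
    return {**alert, "asset": asset}


def classify(alert: dict) -> Severity:
    """Map alert kind plus asset criticality to a response tier."""
    crit = alert["asset"]["criticality"]
    if alert["kind"] == "config_drift":
        return Severity.LOW
    if alert["kind"] == "malware_detected":
        return Severity.CRITICAL if crit == "critical" else Severity.HIGH
    # Unknown alert kinds (or unknown assets) are never auto-remediated.
    return Severity.CRITICAL


def remediate_config_drift(alert: dict) -> str:
    """Automation step: restore the expected device setting (stubbed as a record)."""
    d = alert["details"]
    return f"set {d['setting']}={d['expected']} on {alert['host']}"


def run_playbook(raw_alert: dict) -> IncidentRecord:
    """Run enrich -> classify -> act for one alert and return the audit record."""
    alert = enrich(raw_alert)
    sev = classify(alert)
    rec = IncidentRecord(alert_id=alert["id"], severity=sev)
    if sev is Severity.LOW:
        rec.actions.append(remediate_config_drift(alert))
    elif sev is Severity.HIGH:
        rec.actions.append(f"isolate host {alert['host']}")
        rec.ticket_opened = True
        rec.needs_analyst = True
    else:
        rec.actions.append(f"page on-call for {alert['host']}")
        rec.ticket_opened = True
        rec.needs_analyst = True
    return rec


def run_playbooks(alerts) -> list:
    return [run_playbook(a) for a in alerts]


def summarize(records) -> dict:
    """Dashboard counts: how much was closed without an analyst versus escalated."""
    return {
        "total": len(records),
        "auto_closed": sum(1 for r in records if not r.needs_analyst),
        "escalated": sum(1 for r in records if r.needs_analyst),
    }


if __name__ == "__main__":
    for r in run_playbooks(SAMPLE_ALERTS):
        print(r)
    print(summarize(run_playbooks(SAMPLE_ALERTS)))
```

The design point is the fail-closed default in `classify`: an alert the playbook does not recognise, or a host missing from the inventory, is escalated rather than handled by an automation, so the runbook only auto-closes the incident types it was written for.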
SOAR vs. SIEM
A Security Information and Event Management (SIEM) platform provides live analysis of security data in a centralized platform that both IT and security teams can access. SIEMs stop at understanding security information, identifying vulnerabilities, helping with provisioning and governance, and reporting anomalies. A Security Orchestration, Automation and Response (SOAR) solution, by contrast, encompasses the functionality of a SIEM and more: SOAR platforms have the same capabilities as SIEMs, plus features found in incident response software, automated tools that fix security breaches, and vulnerability management software such as patch management tools.