The cybersecurity world is full of acronyms; it’s difficult to go an entire year without vendors beating down the door to promote the latest one as the solution to security woes for businesses. The latest entrant into this progression of technologies is the security orchestration, automation and response (SOAR) platform, a platform that vendors promise will decrease incident response time, improve visibility into the security function and make security teams’ lives easier.
That sounds great, but many businesses have already made significant investments in security information and event management (SIEM) technology. Does implementing SOAR mean throwing those SIEM investments out the window? Let’s take a closer look at this question and explore how SOAR and SIEM fit together in the enterprise cybersecurity toolkit.
The Difference Between SIEM and SOAR
Most businesses already leverage SIEM technology as a core component of their security operations centers. SIEMs serve as a centralized collection point for the millions of log entries generated each day by applications, servers, endpoints, network devices and other log sources.
The SIEM manages a massive processing and storage infrastructure capable of receiving and processing these logs. From there, the SIEM correlates bits of related security information arriving from different sources to provide analysts with a comprehensive view into the security posture of the enterprise.
The major function of the SIEM is to assist in sifting through the proverbial haystack of security information to find the needles that indicate a security incident.
Once a SIEM detects a potential security incident, it may then alert administrators to the activity and/or trigger an automated response. The response toolkit of the SIEM normally consists of blocking activity, triggering vulnerability scans, gathering additional information and similar rudimentary actions. Security teams often manage playbooks that contain a set of response actions to carry out when the SIEM triggers alerts on certain types of security incidents.
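To make the "haystack" description concrete, here is a small correlation rule of the kind a SIEM runs, written for this article as an added example rather than taken from any vendor's product. It joins two constructed log sources (an sshd authentication log and a web-proxy log; the hostnames, addresses and the asset inventory that maps one to the other are all made up for the example) and raises an alert only when a brute-force login success on a host is followed by a large outbound transfer from that same host, which neither source would reveal on its own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real data): syslog-style sshd lines from two
# hosts, and a web-proxy log keyed by internal source address.
AUTH_LOG = """\
2024-05-01T10:00:01Z jump01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51022 ssh2
2024-05-01T10:00:04Z jump01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51023 ssh2
2024-05-01T10:00:07Z jump01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51024 ssh2
2024-05-01T10:00:09Z jump01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51025 ssh2
2024-05-01T10:00:12Z jump01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51026 ssh2
2024-05-01T10:00:15Z jump01 sshd[1201]: Accepted password for admin from 203.0.113.7 port 51027 ssh2
2024-05-01T10:03:40Z web02 sshd[880]: Failed password for bob from 198.51.100.9 port 40001 ssh2
2024-05-01T10:09:00Z web02 sshd[880]: Accepted password for bob from 198.51.100.9 port 40002 ssh2
"""
PROXY_LOG = """\
2024-05-01T10:01:30Z proxy: src=10.0.5.23 dst=198.51.100.77 host=paste.example.net bytes_out=52428800
2024-05-01T10:02:10Z proxy: src=10.0.5.40 dst=192.0.2.10 host=cdn.example.org bytes_out=2048
"""
# Asset inventory (constructed): the join key between the two sources, since
# sshd logs a hostname while the proxy logs an address.
ASSETS = {"jump01": "10.0.5.23", "web02": "10.0.5.40"}

AUTH_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")
PROXY_RE = re.compile(r"^(\S+) proxy: src=(\S+) dst=(\S+) host=(\S+) bytes_out=(\d+)")


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_auth(text):
    events = []
    for m in filter(None, map(AUTH_RE.match, text.splitlines())):
        t, host, outcome, user, src = m.groups()
        events.append({"time": ts(t), "host": host, "outcome": outcome, "user": user, "src": src})
    return events


def parse_proxy(text):
    events = []
    for m in filter(None, map(PROXY_RE.match, text.splitlines())):
        t, src, dst, host, b = m.groups()
        events.append({"time": ts(t), "src": src, "dst": dst, "host": host, "bytes_out": int(b)})
    return events


def brute_force_successes(auth_events, threshold=5, window=timedelta(minutes=5)):
    """Rule 1: at least `threshold` failures from one source to one host
    within `window`, followed by a successful login from that source."""
    failures = defaultdict(list)  # (host, src) -> times of failed logins
    hits = []
    for ev in sorted(auth_events, key=lambda e: e["time"]):
        key = (ev["host"], ev["src"])
        if ev["outcome"] == "Failed":
            failures[key].append(ev["time"])
            continue
        recent = [t for t in failures[key] if ev["time"] - t <= window]
        if len(recent) >= threshold:
            hits.append(ev)
    return hits


def correlate(auth_events, proxy_events, min_bytes=10 * 1024 * 1024, window=timedelta(minutes=10)):
    """Rule 2: a rule-1 hit followed within `window` by a large outbound
    transfer from the compromised host. Joins sshd and proxy via ASSETS."""
    alerts = []
    for login in brute_force_successes(auth_events):
        host_ip = ASSETS.get(login["host"])
        for px in proxy_events:
            if (px["src"] == host_ip and px["bytes_out"] >= min_bytes
                    and timedelta(0) <= px["time"] - login["time"] <= window):
                alerts.append({"rule": "brute-force-then-exfil", "host": login["host"],
                               "user": login["user"], "attacker": login["src"],
                               "dst": px["dst"], "bytes_out": px["bytes_out"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_auth(AUTH_LOG), parse_proxy(PROXY_LOG)):
        print(alert)
```

Run on the sample data, the lone failed login for `bob` never reaches the threshold, while the five failures and a success against `jump01` followed 75 seconds later by a 50 MiB upload from `jump01`'s address produce exactly one alert. The asset inventory is the detail that is easy to overlook: without a reliable hostname-to-address mapping, the SIEM cannot join the two sources and rule 2 never fires.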
Security orchestration, automation and response platforms take the response capabilities of a SIEM to the next level. SOAR solutions supplement, rather than replace, the SIEM. Those familiar with the robotic process automation trend that is currently driving digital transformation efforts in many business processes should think of SOAR as the application of RPA to the security operations center. It allows the cybersecurity team to extend its reach by automating the routine work of cybersecurity.
Why SIEM and SOAR Are Better Together
The incident response processes followed by security teams around the world are fairly standard. They might take the following steps:
- Identify that a potential security incident is underway
- Open a ticket in the organization’s incident tracking system and assign it to an analyst for review
- Notify team members and trigger a call-in mechanism
- Implement a firewall rule that temporarily quarantines affected systems while an investigation is underway
- Query the SIEM for relevant information from affected systems
- Poll external sources for supplemental information, such as IP address ownership and threat intelligence data
- Analyze all the data and take appropriate action to eradicate the threat and recover operations
In a traditional security operations center, the first steps outlined here may take hours to complete before the analyst can move on to the deep intellectual work of the last step. SOAR systems promise to automate this routine work by interacting with other security technologies to automatically carry out the initial steps of incident response.
After receiving an alert from the SIEM about a potential incident, the SOAR platform would typically issue a call to create and assign a ticket in the incident tracking system. It could then reach into the emergency alerting system to notify the incident response team while also automatically implementing a quarantine firewall rule.
When analysts arrive to assess the incident, they find the initial alert along with other information that the SOAR platform obtained from the SIEM and external sources. In this way, SOAR technology saves precious response time and serves as a cybersecurity accelerator.
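The sequence just described, written out as a runnable playbook. This is an added example for this article, not code from any SOAR product: the ticketing system, pager, firewall, SIEM search and threat-intelligence feed are in-memory stand-ins constructed here, and the alert, events, hostnames and addresses are made up. Two details matter beyond the happy path: ticket creation is idempotent on the alert id, so a re-fired alert does not open a second incident, and a connector failure (here, a simulated firewall API error) is recorded on the case and the remaining enrichment steps still run, so the analyst still arrives to a populated ticket.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# In-memory stand-ins (constructed for this example) for the systems a SOAR
# platform drives through their APIs. A real deployment would use API clients.

class TicketSystem:
    def __init__(self):
        self.tickets = {}

    def open(self, alert_id, title, assignee):
        # Idempotent on alert id: a re-fired alert must not open a second ticket.
        if alert_id not in self.tickets:
            self.tickets[alert_id] = {"id": f"INC-{len(self.tickets) + 1:04d}", "alert_id": alert_id,
                                      "title": title, "assignee": assignee, "notes": []}
        return self.tickets[alert_id]

class Pager:
    def __init__(self):
        self.pages = []

    def notify(self, group, message):
        self.pages.append((group, message))

class Firewall:
    def __init__(self, fail_on=()):
        self.rules, self.fail_on = [], set(fail_on)

    def quarantine(self, ip):
        if ip in self.fail_on:  # simulate an API error from the firewall
            raise ConnectionError(f"firewall API refused rule for {ip}")
        rule = {"action": "deny", "src": ip, "dst": "any", "tag": "soar-quarantine"}
        self.rules.append(rule)
        return rule

class Siem:
    def __init__(self, events):
        self.events = events

    def search(self, host, since):
        return [e for e in self.events if e["host"] == host and e["time"] >= since]

class ThreatIntel:
    def __init__(self, table):
        self.table = table

    def lookup(self, ip):
        return self.table.get(ip, {"owner": "unknown", "reputation": "unknown"})

@dataclass
class Case:
    ticket: dict
    enrichment: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)
    errors: list = field(default_factory=list)

def run(step, case, fn, *args):
    """Run one step; a failing connector is logged on the case, not fatal."""
    try:
        result = fn(*args)
        case.actions.append((step, "ok"))
        return result
    except Exception as exc:
        case.actions.append((step, "failed"))
        case.errors.append(f"{step}: {exc}")
        return None

def playbook(alert, tickets, pager, firewall, siem, intel):
    """Ticket, notify, quarantine, SIEM query, external enrichment, hand-off."""
    ticket = tickets.open(alert["id"], f"{alert['rule']} on {alert['host']}", "soc-analyst")
    case = Case(ticket=ticket)
    run("notify", case, pager.notify, "ir-oncall", f"{ticket['id']}: {ticket['title']}")
    run("quarantine", case, firewall.quarantine, alert["host_ip"])
    since = alert["time"] - timedelta(hours=1)
    case.enrichment["siem_events"] = run("siem-search", case, siem.search, alert["host"], since) or []
    case.enrichment["attacker_intel"] = run("threat-intel", case, intel.lookup, alert["attacker"])
    ticket["notes"].append({"enrichment": case.enrichment, "actions": case.actions, "errors": case.errors})
    return case

# Constructed sample alert and data, as a SIEM might hand them over.
ALERT = {"id": "siem-4711", "rule": "brute-force-then-exfil", "host": "jump01", "host_ip": "10.0.5.23",
         "attacker": "203.0.113.7", "time": datetime(2024, 5, 1, 10, 1, 30)}
SIEM_EVENTS = [
    {"time": datetime(2024, 5, 1, 10, 0, 15), "host": "jump01", "msg": "Accepted password for admin from 203.0.113.7"},
    {"time": datetime(2024, 5, 1, 10, 1, 30), "host": "jump01", "msg": "proxy bytes_out=52428800 to paste.example.net"},
    {"time": datetime(2024, 5, 1, 10, 2, 10), "host": "web02", "msg": "proxy bytes_out=2048 to cdn.example.org"},
]
INTEL = {"203.0.113.7": {"owner": "Example Hosting AS64496", "reputation": "malicious"}}

def demo(firewall_fails=False):
    """Run the playbook once; firewall_fails=True makes the quarantine step error."""
    tickets, pager = TicketSystem(), Pager()
    firewall = Firewall(fail_on=["10.0.5.23"] if firewall_fails else ())
    case = playbook(ALERT, tickets, pager, firewall, Siem(SIEM_EVENTS), ThreatIntel(INTEL))
    return case, tickets, firewall

if __name__ == "__main__":
    case, _, _ = demo(firewall_fails=True)
    print(case.ticket["id"], case.actions, case.errors)
```

The quarantine step is the one most teams gate behind a human approval in production, because an automated deny rule against a misidentified or business-critical host is itself an outage; the playbook above records the step's outcome either way so the analyst can see what was and was not done.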
[Chart: percentage of organizations stating that SIEM use resulted in the reduction of security breaches. Source: AlienVault, “2019 SIEM Survey Report,” May 2019]
How to Develop a Coherent Security Strategy
SOAR provides tremendous promise to organizations seeking to integrate their existing security platforms and reduce the burden of managing those solutions. However, the effective use of a SOAR platform depends upon the existence of a solid foundation of cybersecurity tools.
Prior to embarking upon a SOAR implementation effort, businesses should first deploy a robust set of security technologies, including an intrusion prevention system, unified endpoint management platform, ticketing system and vulnerability scanner. Each of these solutions should expose an application programming interface (API) that the SOAR platform can drive, and should report its data to a centralized SIEM for correlation.
With that solid foundation in mind, businesses may begin their SOAR deployment efforts. As with many technology initiatives, successful SOAR deployments begin with a small scope that delivers high value and then gradually expands to build upon initial successes.
One approach is to review the existing playbooks used by incident responders and identify those that are simplest in nature and most frequently used. Those are low-hanging fruit for SOAR automation.
SOAR platforms offer tremendous benefits to cybersecurity teams by accelerating incident response, reducing administrative overhead and improving the quality of security information provided to the enterprise. Organizations that already have a solid cybersecurity program in place should consider implementing a SOAR initiative to increase the business value delivered by that program.