What is SOAR?
SOAR is a set of security features that helps organizations collaborate on incident investigation and automate certain actions that SOC analysts perform. As the end goal with SOAR, we want to achieve a faster mean time to acknowledge (MTTA) and mean time to respond (MTTR). The MTTA and MTTR are the two most important measurements for a SOC.
The main elements of SOAR are as follows:
- Incident management
- Investigation
- Automation
- Reporting
- TI and Threat and Vulnerability Management (TVM)
Important note
We will touch on reporting as a separate topic in Chapter 3. We will also discuss TI and TVM through automation in Chapter 6.
SOAR is so important due to the increasing number of events to analyze and security incidents to investigate, and the deficit of security experts to perform the job. If you look at SOAR as a complete replacement for SOC analysts, you couldn’t be more wrong. SOAR is probably a SOC analyst’s best friend and provides the SOC team with the ability to analyze threats faster. SOAR as a tool and SOC teams can reduce the MTTA to a few minutes and the MTTR from hours to minutes!
How? The main aspect of SOAR is action automatization. That means that any task that the SOC team repeatedly performs during an incident should be automated. First, this will save time for SOC analysts – plus, we don’t need to worry about whether SOC analysts may forget to perform any tasks. Second, we can carry out the initial triage, and based on the input, we can auto-close false positives so that the SOC team doesn’t even need to work on them. Third, once the incident is assigned to SOC analysts, they can automatically see the enrichments made by automation to that incident. This will empower them to analyze and react to incidents much faster.
Incident management is an essential aspect of SOAR as well. If we want our SOC analysts to respond to incidents effectively, they need to have the space in which to do so. Not only space but also features will empower SOC analysts. These features include an incident overview, the possibility to increase or decrease the severity rating, close an incident, assign an incident owner, see more details, quickly navigate an investigation, comment on incidents, and so much more.
The reason why an investigation is essential is that the SOC team needs to gather as much information as early on as possible for an effective response. That can be through looking at similar incidents; checking what accounts, hosts, and IPs were included; whether those IPs, hosts, and accounts are known or not; how they connect with other data in the solution; and the ability to perform threat hunting. In addition, reporting, TI, and TVM provide even more insights to the SOC team to help perform an incident triage quickly and correctly.
So… do I need solutions such as XDR, SIEM, and so on? Or is SOAR enough?!
The quick answer is yes! These technologies differ in how they handle one common task – quickly and efficiently protecting your organization against threats.
Let’s look at the current situation in the market. We will see that many SIEM vendors either developed their own SOAR solution or bought a SOAR solution and integrated it into their environment. Microsoft Sentinel uses the power of Azure and Logic Apps for automation. Palo Alto bought Demisto (now called Cortex XSOAR) and integrated it into their XDR offering. Splunk bought Phantom and integrated it into their SIEM offering (now called Splunk SOAR). IBM bought Resilient and merged it into their SIEM offering (now called IBM Security QRadar SOAR). And the latest example is Google’s acquisition of Simplify and how they have merged it into their offering.
In all these examples, we can see a few trends. The most important one is that the future is to merge security tools into one so that you can manage your security completely in one place. The boundaries between security tools are receding constantly, and tools such as XDR, SIEM, SOAR, and so on are integrated more and more to provide a native, one-portal experience to organizations. The well-known line from Lord of the Rings is “one ring to rule them all,” and in security, it will be “one tool to rule them all.”
OK, so SOAR is here to stay – but what are the typical use cases?
- Incident enrichment: Here, we will use the information found using TI and TVM solutions to enrich incidents with more data:
- Is that hash or IP malicious? Check using TI and, based on this, you can escalate the incident or even close it if all the data is well-known to your organization.
- Does that host have any vulnerabilities? Check using TVM whether any Common Vulnerability and Exploit (CVE) is connected to the host and decide how to proceed.
Here, we can see how we can use automation to quickly grab that info on incident creation, and when the SOC analyst picks up that ticket, the data will be there. As a result, the SOC analyst doesn’t need to perform an initial triage, thus saving time. Based on this info from automation, we can make faster decisions on how to proceed with an incident.
- Incident remediation: Let’s say that, from the first step, we find out that an IP is malicious or that a host has a critical CVE. As a response, we can run automation that will block that IP in our firewall or EDR solution, or we can isolate that host so that it cannot cause any damage. This is done from the same portal; there is no need to go to different solutions, copy the IP, and then block it. With a click of the playbook, all will be done.
- Reduce fatigue by reducing the number of false positives: SOC teams have significant issues when solving false positives. It takes time to open each incident, check whether it is connected to our known data, and close it. What if the SOC analyst didn’t even need to look at it? Automation can be run to check for well-known data. If it is connected to well-known data, we can auto-close an incident: this means zero engagement from the SOC analyst.
The examples mentioned are clear examples of how tools such as SOAR can help improve the MTTA and MTTR. Instead of repeating tasks, the SOC can focus on high-severity and true-positive incidents. It’s a well-known fact that good SOC analysts will burn out after a few years, and organizations will need to bring in new analysts who need to be onboarded and taught the SOC’s tricks. SOAR will help to decrease pressure on the SOC by reducing fatigue. With it, mental health improves, and SOC analysts don’t burn out. That also means they can perform their job longer, be more satisfied, and focus on the tasks ahead. By reducing the number of events and incidents that a SOC analyst needs to resolve, they can also invest more time into learning about new defense methods. Overall, the losers in this picture are the ones who should be losing out – the bad actors.