This is the first part of a two-part series. The second part is here.
SOAR — or security orchestration, automation and response — is a collection of processes, software and tools that allows teams to streamline security operations. SOAR platforms are a hot topic in the realm of cybersecurity these days, and with good reason.
By helping to plan and orchestrate responses to security incidents, SOARs offer critical functionality that extends beyond that provided by security information and event management (SIEM) platforms, a more conventional type of security tool.
That, at least, is a high-level overview of why SOARs are beneficial. To dive deeper, let’s take a look at the top seven advantages that modern SOAR platforms provide, while also briefly exploring their limitations.
1. Automated Incident Response
By helping to automate the complex tasks that engineers must perform when responding to security incidents, SOAR solutions reduce tedium and toil. Instead of spending time manually assessing risks, formulating a response plan and sharing it with stakeholders, teams can use SOAR tools to automate most aspects of this work.
This makes the security response less burdensome. It also lets engineers focus on the work that feels most important and impactful — remediating complex threats — as opposed to the tedium of poring through alert streams, inviting stakeholders to Slack channels and so on.
2. Faster Incident Response
For related reasons, SOAR platforms increase the velocity of security incident response. The less time engineers have to spend manually planning and orchestrating their response to security incidents, the faster they can work and the shorter their mean time to resolve (MTTR).
That’s important, of course, not just because bosses and customers like faster results, but also because when it comes to security in particular, time is of the essence. The longer a breach remains active and uncontained, the greater the chances that it will escalate, leading to higher costs and greater disruption.
3. Security Process Consistency
Because SOAR platforms automate threat intelligence and response based on rules and conditions that teams configure, they result in highly consistent security operations. Each incident will be handled in the same way, no matter who happens to be on call when it occurs or which type of resource the incident affects.
It’s harder to achieve this type of consistency using tools like SIEMs. The latter rely more heavily on manual processes and therefore result in operational variation from one engineer or incident to the next.
4. Complex Threat Detection
One of the main drawbacks of using a SIEM alone is that SIEMs largely leave it up to users to interpret security alerts and data. As a result, it may be hard to detect threats that are too complex for humans to identify easily. For example, a threat may only become obvious after carefully comparing different types of alerts and contextualizing them with logs and event data, a task that humans are hard-pressed to perform.
SOARs, however, can automatically interpret large volumes of data in order to recognize complex threat patterns. In this regard, SOARs increase businesses’ ability to identify risks, especially those that are particularly complicated in nature.
5. Lower Costs
The automations that SOARs provide typically translate to lower total spend on cybersecurity response. By allowing businesses to handle more threats with fewer engineers, SOAR platforms reduce staffing costs.
SOARs also, as noted above, play an important role in reducing the impact of breaches, which in turn means less financial loss due to disruptions to business operations and compliance fines.
6. Automated Security Reporting
In addition to automating security incident detection and response, SOAR platforms usually provide automated reporting features that record what happened, who did what and which steps ultimately mitigated the threat.
This data is crucial for performing postmortems, as well as for tracking trends in security risks and response over time. It may also be useful for auditing and compliance purposes in cases where businesses are required to document their security operations.
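As an added illustration of points 3, 4 and 6 above (example code, not from the original article): a minimal rule-driven playbook runner that correlates two constructed alert kinds on the same host within a time window, executes the same fixed response every time through a stub integration standing in for a real isolation API, and records an audit entry for reporting. Alert kinds, host names and the `isolate_host` stub are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Alert:
    kind: str   # alert category, e.g. "failed_logins" (constructed sample kinds)
    host: str
    ts: datetime
@dataclass
class Playbook:      # fires when every required kind hits one host within `window`
    name: str
    required_kinds: frozenset
    window: timedelta
    action: str      # response action, looked up in the integrations table

def correlates(pb, alerts):
    """Slide a time window over one host's alerts of the kinds the playbook needs."""
    rel = sorted((a for a in alerts if a.kind in pb.required_kinds), key=lambda a: a.ts)
    for i, first in enumerate(rel):
        seen = {a.kind for a in rel[i:] if a.ts - first.ts <= pb.window}
        if pb.required_kinds <= seen:
            return True
    return False

def run_playbooks(playbooks, integrations, alerts):
    """Return (fired, audit): fired lists (playbook, host); audit is the report trail."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    fired, audit = [], []
    for host, host_alerts in by_host.items():
        for pb in playbooks:
            if correlates(pb, host_alerts):
                result = integrations[pb.action](host)   # same action every time: consistency
                audit.append({"playbook": pb.name, "host": host, "action": pb.action,
                              "result": result, "actor": "soar-automation"})
                fired.append((pb.name, host))
    return fired, audit

def demo():
    """Constructed run: host-a shows the full pattern in-window, host-b does not."""
    t0 = datetime(2024, 1, 1, 9, 0)
    alerts = [Alert("failed_logins", "host-a", t0),
              Alert("new_admin_account", "host-a", t0 + timedelta(minutes=5)),
              Alert("failed_logins", "host-b", t0),
              Alert("new_admin_account", "host-b", t0 + timedelta(hours=3))]
    pb = Playbook("brute-force-then-privesc", frozenset({"failed_logins", "new_admin_account"}),
                  timedelta(minutes=30), "isolate_host")
    # stub integration standing in for an EDR/network isolation API (assumption)
    return run_playbooks([pb], {"isolate_host": lambda h: f"isolated {h} (stub)"}, alerts)
```

Host-b is deliberately left out of the window so the run shows the playbook ignoring alerts that match in kind but not in time.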
7. Extensive Integrations
SOAR solutions can typically integrate with a wide variety of external tools and platforms. Integrations help with two main tasks: collecting the data that SOARs use to detect and assess risks, and managing responses when incidents take place.
Thanks to extensive integrations, it’s usually easy to plug SOARs into any type of environment or technology stack without having to worry about manually moving data into and out of them. The integrations may not always be trivial to set up, and that’s one of the limitations of SOARs, but they at least exist.
SIEMs may also provide some integrations. But, because the functionality of SIEMs is narrower, their integrations are fewer, and they fit less naturally into complex toolchains.
Conclusion: SOAR Platforms Are Awesome, but They’re Not Perfect
In short, SOARs are an essential tool for any organization that aims to take a modern approach to cybersecurity.
However, just because SOARs are great and valuable doesn’t mean they’re the be-all, end-all of security operations and management. On the contrary, SOARs are subject to a variety of limitations, such as being designed mostly for use only by elite security teams or requiring special expertise to integrate with other tools. Understanding and addressing those limitations, which we will discuss more extensively in next week’s article on the drawbacks of SOAR, is critical for any business that uses a SOAR platform today.
But, for now, let’s close by saying that we love SOARs. They’re great, even if they are not enough on their own to manage all types of security needs and challenges.