An important piece of cybersecurity, SOAR solutions provide a single location for you to observe, understand, and decide how to respond to security incidents. Short for security orchestration, automation and response, true SOAR solutions are operational tools that can be very flexible and powerful, useful even beyond security use cases.
In this article, we’ll explore what SOAR is, why it’s important for enterprises and how you can get the most value from your SOAR solution.
SOAR has revolutionized security operations, specifically the way security operations teams manage, analyze and respond to alerts and threats. Without security automation and orchestration, your security analysts are left to investigate every detail manually.
Today, that’s simply not enough. And it’s a guarantee for disaster: cyberattacks of all stripes are rising. SOAR can remedy many of these all on its own. SOAR also helps analysts to more efficiently remedy other threats.
So, let’s talk about what SOAR really is. Technology analyst Gartner defines SOAR as:
“solutions [that] combine incident response, orchestration and automation, and threat intelligence (TI) management capabilities in a single platform.”
Next, we’ll break down these three pieces. As we go along, we’ll see how they realize the rest of what SOAR can do: “document and implement processes (aka playbooks, workflows and processes); support security incident management; and apply machine-based assistance to human security analysts and operators.”
Of the three components, incident response is the easiest to understand. NIST defines incident response as “the mitigation of violations of security policies and recommended practices”. Basically, any incident or event that violates your organization's security policies and/or overall cyber best practices.
Incident response is a full practice, made up of a variety of pieces including incident planning and incident response itself. (There are several steps, depending on the framework you use.) You can put all of this under the umbrella of incident management.
(Related reading: incident response 101, incident response metrics & CSIRTs: critical incident response teams.)
Next, let’s look at automation and orchestration. These are different technologies:
Automation and orchestration are best used in concert. With SOAR, you’re not choosing one or the other: you get both. This capability relieves your security pros from weeding through logs, manually addressing every single alert. (Let them focus on investigation and strategy!)
In a matter of seconds, security automation and orchestration can:
Let’s be clear: SOAR is in no way a replacement for human staff. You will continue to need highly-skilled security analysts to investigate emerging and non-standard issues. And then to orchestrate appropriate responses as necessary.
Threat intel is its own full subject! For our purposes here we can define cyber threat intelligence as “evidence-based knowledge” — things like known TTPs and indicators of compromise or attack. When folded into your SOAR solution, this information can help your security teams to better:
(Read our full explainer on cyber threat intelligence.)
A high-level SOAR workflow
A lot of the alerts your security teams receives are mundane, requiring rote manual responses. Others are redundant or false positives — you can ignore these.
SOARs remove rote tasks and makes clear exactly which alerts are worth exploring more. This way you’re handling incidents more efficiently: the easy ones get handled automatically, and more complicated ones get the attention they deserve. That’s an ideal security posture.
Successful SOARing can really change how your SOC teams operate. We can sum up the benefits in three categories:
Ultimately, SOAR solutions free you to investigate the things worthy of analyst time.
The smartest thing you can do when exploring SOAR solutions is to imagine how your organization will use it — both initially and over the long term. That’s where SOAR maturity models can help. So, what are common use cases? They often depend on your industry and company profile, but common use cases include:
OK, so we know what SOAR tools can do. Now, you’ll need the right features in your SOAR solution. There’s plenty of options out there — including Splunk SOAR — though only a few will have all the features you need.
Here are the capabilities that you should look for:
(Take a guided SOAR tour or try Splunk SOAR for free.)
SOAR solutions are often deployed alongside SIEM technology (security incident & event management) because they have distinct differences. Key differences include data sources, alerting vs. investigating capabilities, and the need for tuning. We can sum up these differences:
(See how Splunk is a Leader in SIEM.)
Yes, SOAR and extended detection and response (XDR) solutions are often compared: they both integrate diverse security tools and automate and coordinate the response. But how they do it — and how widely the technologies can be used — varies:
A SOAR solution will unify all your security tools, making sure they’re working in concert and helping free up your analysts’ valuable time.
As with all security tools, the real value of SOAR is in how you use it. Follow these best practices to gain the most value from your SOAR solution investment:
First evaluate where automation will help immediately, and prioritize those needs. Consider the big picture: prioritize incidents based on frequency and resolution time.
Then define your short-term and long-term use cases and create a list of how you will use SOAR. Involve stakeholders to identify further use cases, even if you implement them later.
Document the steps, instructions and best practices for resolving incidents effectively, ensuring that your security team follows a consistent, repeatable process.
Ensure the vendor you choose can support all the tools you’re currently using. A SOAR solution is only as good as the information you’re putting into it.
Train staff for to use SOAR appropriately, but don’t stop there. Train your team to address complex incidents: When alerts require human invention, your staff must have the expertise and confidence to tackle those issues.
Plan how your analysts will focus on value-added tasks that benefit the organization — for example, conducting a deep investigation as to why you are constantly fighting off phishing attacks. Even better: Automation will create new roles within the organization. So, use this new time for new areas of focus, like managing the automation and playbooks.
Ease in, don’t expect to use every feature immediately. Focus first on one critical area, then mature sophistication over time. This way you’ll realize the full potential of the solution while minimizing growing pains.
(Learn 5 things to automate first: watch the on-demand webinar.)
Enable your security team to do the impossible: Keep up with the never-ending security alerts that plague a highly complex IT environment. Freeing your team from dealing with false positives, repetitive alerts and low-risk warnings, SOAR lets you pivot from a reactionary approach to a more proactive one. Rather than fighting fires, security analysts can put their talents and extensive training to better use, ultimately improving your organization’s overall security posture.
See an error or have a suggestion? Please let us know by emailing [email protected].
This posting does not necessarily represent Splunk's position, strategies or opinion.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.