SOAR stands for Security Orchestration, Automation and Response – a term that was first used by Gartner.
These days organizations collect large amounts of data relating to events that take place on their networks, and these events can be generated by a wide range of devices, applications and platforms.
This data needs to be aggregated and correlated to determine whether a security incident has occurred, and what the appropriate response should be. SOAR technologies are used to standardize and automate the entire process.
Let’s take a closer look into how SOAR technologies can help organizations improve their cyber-security posture.
1. High Quality Threat Intelligence
In order to combat security threats, security teams need clear visibility into the tactics, techniques and procedures (TTPs) that are employed by cyber-criminals and be able to identify indicators of compromise (IOCs).
For this to be possible, organizations need to collect and share information about the security threats they encounter and do so in a standardized way so that it can be used by automated systems.
Initially, this information is collected from SIEM, UBA, firewall and IPDS technologies, to name a few, and then published in the form of a threat intelligence feed, which third-parties can use to make informed decisions.
2. Improving Overall Efficiency and Productivity
As the mantra goes, work smart, not hard!
Given the serious shortage of cyber-security professionals, it makes no sense for security teams to be manually carrying out mundane and repetitive tasks, which could otherwise be done by a computer.
Using SOAR solutions to automate these processes will inevitably improve efficiency, minimize the number of mistakes that are made, improve productivity and even save money in the long term.
3. Improving Incident Response
SOAR technologies help us to reduce the time it takes to detect and respond to security incidents, by producing real-time alerts which security teams can examine to determine the cause and severity of the incident.
The alerts can be based on either a single event, or events that match a threshold condition. This allows security teams to automate a response, which might include disabling a user account, blocking an IP address, adjusting the permissions for a given resource, quarantining or shutting down the infected resource.
4. Advanced Reporting
Security teams are often required to generate reports in order satisfy both the executives and the supervisory authorities.
Doing this manually would be a time-consuming task and will get in the way of them doing more productive tasks.
SOAR technologies allow security teams to generate pre-defined reports at the click of a button, which can be either printed out or sent to the relevant parties via electronic communication.
Examples of SOAR in Practice
Data Discovery and Classification
There are number of SOAR technologies that provide data discovery and classification out-of-the-box. If we don’t know exactly what data we have, where it is stored, and how sensitive the data is, we will find it very hard to keep the data secure.
A data classification solution will scan all repositories, whether on-premise on in the cloud, and identify a wide range of data types, such as Social Security numbers, protected health information, payment card details, and more.
Data discovery and classification tools also help us identify and remove data that is stale. According to the 2018 Global Data Risk Report, on average, 54% of the data we store is stale, which is not only a security risk, but also a waste of storage space.
Detect and Respond to Anomalous User Behavior
A User Behavior Analytics (UBA) solution will keep track of all privileged accounts and alert the security team in real-time when user account permissions have changed, as well provide information about who changed them.
They will also detect and respond to suspicious file and folder activity. Most sophisticated UBA solutions use machine learning to establish typical patterns of behavior, which can be tested against to identify anomalies. Any events that deviate from this pattern, will fire an alert, which will be reviewed by the relevant personnel.
As mentioned, SOAR technologies can also detect and respond to events that match a pre-defined threshold condition. For example, such events might include multiple failed login attempts, or when many files are encrypted within a given timeframe.
Once detected, a custom script can be executed to contain the situation, which might include disabling a user account, stopping a specific process, changing the firewall settings, or shutting down/isolating the affected systems.
Inactive User Account Management
According to the above report, 34% of users are enabled, but stale. The problem with “ghost” user accounts is that they are often un-monitored. Were an attacker to gain access to one of these accounts it can enable them to move laterally across the network without arousing too much suspicion.
A lot of modern UBA solutions can automatically detect and manage inactive user accounts.
Interoperability between IT Environments
Most UBA solutions can aggregate and correlate event data from a wide range of platforms, including existing SIEM technologies, on-premise directory services and a wide range of cloud platforms, such as Office365, DropBox, Amazon S3, Box, and more. All event logs are presented via an intuitive console, which can be easily searched and filtered to find the relevant information.
At the end of the day, even if by some miracle we manage to find a way to address the cyber-security skills shortage, I think it is fair to say that SOAR technologies, and automation solutions in general, are going to play a big role in the future of data security. And when it comes to using SOAR technologies with Artificial Intelligence (AI), we haven’t even scratched the surface.