SOAR – Security Operations, Analytics and Reporting
Orchestration and automation of incident response are key elements for resource-constrained Security Operations teams and for larger organisations seeking to mature their security operations and incident response processes. Secure-ISS currently considers SOAR an advanced function or toolset within a layered defence-in-depth strategy.
What is SOAR?
As the acronym suggests, SOAR covers a number of distinct functions within a Security Operations environment. It spans the security and incident response lifecycle, including Security Orchestration, Automation, Incident Response (and Management) and the associated reporting functions (dashboards and detailed reports).
SOAR technologies connect disparate tools and systems (by collecting information from each of them) and use both human and machine analysis to define, prioritise and respond to threats within an organisation.
SOAR enables organisational response procedures, or playbooks, to be automated, with machine-based actions executed automatically within a workflow:
- Orchestration — The integration of disparate technologies (both traditional IT and security specific toolsets)
- Automation — Enabling machines to complete task-oriented “human work”
- Incident Management, Collaboration and Response — End-to-end management of an incident by organisational teams
- Dashboards and Reporting — Visualisations and capabilities for collecting and reporting on metrics and other information related to security events and incident response.
What are some of the organisational benefits of utilising SOAR tools and technologies?
SOAR tools help organisations reduce the impact of staff and resourcing shortages by defining, streamlining, automating and orchestrating security tasks and incident response activities.
They also help an organisation understand its preparedness for various security incidents.
With alert volumes growing exponentially, SOAR toolsets enable Operations teams to determine more effectively whether an alert requires action, to prioritise such alerts and to set the level of human involvement in the response. With threat outcomes such as data destruction, ransom-type and other monetary attacks, and exfiltration of data and/or IP occurring with ever increasing speed, Operations teams need to ensure that they keep becoming more sophisticated and exfiltration of data or happening in much more
SOAR tools and the prevailing Threat Landscape
SOAR tools often include threat intelligence ingestion, giving organisations further context and a better understanding of how their environment interacts with the prevailing threat landscape.
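To make the playbook, prioritisation and threat-intelligence enrichment described above concrete, here is an added Python example; it is not Secure-ISS code or any particular SOAR product. The indicator feed, asset tiers and alerts are constructed sample data, and the scoring thresholds are illustrative assumptions.

```python
from dataclasses import dataclass, field
# Constructed threat-intel feed: documentation-range IPs, not real indicators.
THREAT_INTEL = {
    "203.0.113.7": {"confidence": 90, "tags": ["c2"]},
    "198.51.100.23": {"confidence": 40, "tags": ["scanner"]},
}
# Constructed asset inventory: tier 3 = business critical, tier 1 = low impact.
ASSET_TIER = {"fileserver-01": 3, "kiosk-17": 1}

@dataclass
class Alert:
    asset: str
    remote_ip: str
    base_severity: int  # 1..5 as reported by the originating tool (EDR, proxy, SIEM)

@dataclass
class Decision:
    priority: int
    action: str  # auto_isolate | analyst_review | close
    reasons: list = field(default_factory=list)

def enrich(alert):
    """Orchestration step: pull threat-intel context for the alert's remote IP."""
    return THREAT_INTEL.get(alert.remote_ip, {"confidence": 0, "tags": []})

def prioritise(alert, intel):
    """Priority = tool severity + asset tier + intel confidence bucket (0..3)."""
    return alert.base_severity + ASSET_TIER.get(alert.asset, 1) + intel["confidence"] // 30

def run_playbook(alert):
    """Decide how much of the response to one alert is machine-driven."""
    intel = enrich(alert)
    decision = Decision(priority=prioritise(alert, intel), action="close")
    if intel["confidence"] >= 80 and "c2" in intel["tags"]:
        if ASSET_TIER.get(alert.asset, 1) >= 3:
            # Containment of a critical asset is never fully automated: a human approves it.
            decision.action = "analyst_review"
            decision.reasons.append("high-confidence C2 contact on critical asset; approval needed")
        else:
            decision.action = "auto_isolate"  # machine-based action inside the workflow
            decision.reasons.append(f"{alert.remote_ip} matched high-confidence C2 indicator")
    elif decision.priority >= 5:
        decision.action = "analyst_review"
        decision.reasons.append(f"priority {decision.priority} requires human triage")
    else:
        decision.reasons.append("low priority; closed with an audit record")
    return decision

def triage(alerts):
    results = [(a, run_playbook(a)) for a in alerts]  # batch step, highest priority first
    return sorted(results, key=lambda pair: pair[1].priority, reverse=True)
```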
Selecting a SOAR tool?
SOAR tools vary widely in maturity and function and should be chosen based on organisational requirements, security maturity level, the existing technology mix, and the Security Operations team's capability and available resourcing.
How can Secure-ISS assist with your SOAR requirements?
SOAR tools can be added to a number of Secure-ISS Managed Security Services, including SOCaaS and MDR services. We can also assist with the implementation of various toolsets as part of an organisation's security operations framework.