SOAR: what it is and why it is needed in cybersecurity

CarderPlanet

SOAR is a technology for quick and effective response to cyber attacks. In this article, we will explain what a SOAR system is and how it differs from SIEM solutions, as well as describe the advantages of the technology for cybersecurity.

A SOAR (Security Orchestration, Automation and Response) system is a technology that helps coordinate, execute, and automate tasks between different specialists and tools within a single platform. It enables organizations to respond quickly to cyberattacks and to prevent future incidents.

By Gartner's definition, a SOAR system should have three functions: threat and vulnerability management, security incident response, and automation of security operations.

SOAR receives data about alerts that trigger scripts (playbooks) that automate or manage (orchestrate) workflows or response tasks. Organizations can then use human resources or machine learning to analyze the collected data to prioritize automated incident response actions.

What is SIEM?
SIEM (Security Information and Event Management) is a set of services and tools that collect and analyze security data and help information security specialists create policies and configure incident notifications.

SIEM tools allow the IT team to:
  • Use event log management to combine data from different sources;
  • Get real-time organizational visibility;
  • Correlate security events collected from logs using "if-then" rules, turning raw log data into actionable information;
  • Use automatic event notifications that can be managed through the control panel.

Comparison of SOAR and SIEM
Many regard SOAR and SIEM as similar products, because both systems detect security issues and collect data about the nature of the problem. There are, however, differences between them.

SOAR collects data and alerts specialists using a centralized platform similar to SIEM, while SIEM only sends alerts to security analysts.

SOAR automates the investigation and response process using scenarios or artificial intelligence (AI) to predict similar threats before they occur.

What is security orchestration and automation?
Security automation is the automatic execution of actions to detect, investigate, and respond to cyber threats without the need for manual human intervention. Automation does a lot of routine work for the SOC (Security Operation Center) team.

Security orchestration is the automatic coordination of a number of interdependent security activities within a single complex infrastructure. The system ensures consistent operation of all security tools.

Security automation simplifies security operations and makes them more efficient, because the security automation system performs separate tasks, and security orchestration connects all security tools so that they interact with each other for better performance.

What is Threat Analysis Management (TIM)?
Threat Intelligence Management (TIM) allows organizations to better understand the global threat landscape, anticipate the next steps of attackers, and take prompt measures to prevent attacks.

There is a significant difference between threat analysis and threat analysis management.

Threat Analysis (Threat Intelligence, TI) refers to data and information about threats, while Threat Intelligence Management (TIM) refers to collecting, normalizing, enriching, and processing data about potential attackers, their intentions, motivations, and capabilities. This information can help organizations make faster and more informed security decisions.

Why do I need SOAR?
SOAR improves the management, analysis, and response to alerts and threats. Without it, information security teams have to process thousands of alerts by hand every day, which leads to errors and low efficiency.

As the volume of threats and alerts increases, analysts are forced to prioritize which alerts need to be responded to immediately, and which threats are less important. Specialists are often overworked and make mistakes when responding to threats.

Therefore, it is critical that the organization has SOAR systems that allow you to organize and automate the notification and response process. The SOAR system increases the efficiency and productivity of security teams when investigating incidents, thereby improving the overall security status of the organization.

SOAR allows companies to:
  • Integrate security, IT operations, and threat analysis tools to combine all security solutions to achieve a more complete level of data collection and analysis;
  • Control everything in one place. The security team gets access to a single console that provides all the information needed to investigate and resolve incidents;
  • Speed up incident response. SOAR reduces both the mean time to detect (MTTD) and the mean time to respond (MTTR). Because many actions are automated, most incidents can be handled immediately and automatically;
  • Prevent actions that require a large amount of time. SOAR reduces false positives, repetitive tasks, and routine processes;
  • Improve threat analysis. SOAR solutions collect and validate data from threat analysis platforms, firewalls, intrusion detection systems, SIEM, and other technologies, giving the security team more information and context, so analysts can investigate a problem in more depth;
  • Improve reporting and communication. With all security actions gathered in one place, stakeholders can get all the information they need to decide how to improve workflows and reduce response times;
  • Improve your decision-making ability. SOAR platforms offer features such as pre-generated scripts, drag-and-drop functionality for creating scripts from scratch, and automatic notification prioritization.
SOAR is a valuable cybersecurity tool that minimizes the impact of security incidents of all types, maximizes the value of existing security investments, and reduces the risk of legal liability and business downtime.

How SOAR helps solve cybersecurity challenges
Security signal processing
SOAR allows you to automate a number of actions for responding to security system notifications (IDS, IPS, etc.), such as:
  • Phishing: checking suspicious emails for malicious links or attachments, interviewing affected users, extracting and checking Indicators of Compromise (IoC), detecting false positives, and preparing a standard response for the security service;
  • Malware infection: getting threat data from endpoint protection tools, matching received files or hashes with SIEM data, notifying analysts, cleaning infected endpoints, and updating the endpoint protection tool database;
  • Failed login attempts: after a certain number of failed login attempts by a user, evaluate whether the login is legitimate or malicious, run the script (playbook), interact with the user, analyze their responses, revoke passwords, and close the script;
  • Logins from unusual locations: identify potentially malicious VPN access attempts by checking for the presence of a VPN and a Cloud Access Security Broker (CASB), match IP addresses, confirm the violation with the user, block access, and close the script.
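As an added illustration of the failed-login playbook described above (example code, not from the original post): a small Python runner aggregates constructed authentication events, triggers the playbook once a hypothetical failure threshold is reached, and records the evaluate, notify, revoke and close steps. The threshold, the internal address prefixes and the users' answers are all assumptions.

```python
from collections import Counter

# Constructed sample authentication events (not from the original post):
# one "user,src_ip,result" record per line, as a SIEM might forward them.
AUTH_EVENTS = """\
alice,10.0.0.12,FAIL
alice,10.0.0.12,FAIL
bob,203.0.113.7,FAIL
bob,203.0.113.7,FAIL
bob,203.0.113.7,FAIL
carol,10.0.0.30,FAIL
carol,10.0.0.30,FAIL
carol,10.0.0.30,FAIL
"""
FAIL_THRESHOLD = 3            # hypothetical value for "a certain number"
CORPORATE_NETS = ("10.",)     # hypothetical internal address prefixes

def count_failures(events):
    """Aggregate failed logins per (user, source ip) from raw events."""
    counts = Counter()
    for line in events.strip().splitlines():
        user, ip, result = line.split(",")
        if result == "FAIL":
            counts[(user, ip)] += 1
    return counts

def failed_login_playbook(user, ip, failures, user_confirms):
    """The post's steps: evaluate, interact with the user, act, close.
    user_confirms stands in for the user's answer to "was this you?"."""
    actions = []
    if failures < FAIL_THRESHOLD:
        return actions                          # playbook not triggered
    origin = "internal" if ip.startswith(CORPORATE_NETS) else "external"
    actions.append(f"evaluate:{failures}_failures_from_{origin}_{ip}")
    actions.append(f"notify_user:{user}")
    if user_confirms:
        actions.append("verdict:legitimate")    # e.g. a forgotten password
    else:
        actions.append(f"revoke_password:{user}")
        if origin == "external":
            actions.append(f"block_ip:{ip}")    # response-tool action
        actions.append("verdict:malicious")
    actions.append("close_playbook")
    return actions

def run(events, confirmations):
    """Orchestration: one playbook run per (user, ip) pair over threshold."""
    runs = {u: failed_login_playbook(u, ip, n, confirmations.get(u, False))
            for (u, ip), n in count_failures(events).items()}
    return {u: a for u, a in runs.items() if a}
```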

Managing Cybersecurity operations
Other SOAR tasks include SSL certificate management, endpoint diagnostics, and vulnerability management. SOAR helps to automate these processes and minimize the human factor. For example:
  • Managing SSL certificates: checking endpoints for expired or soon-to-expire SSL certificates, informing users, re-checking the status after a few days, escalating the problem to the appropriate persons, and closing the script;
  • Endpoint diagnostics and startup: checking the connection of agents, enriching the context, opening an application, launching agents, and closing a script;
  • Vulnerability management: obtaining information about vulnerabilities and assets, enriching data on endpoints and Common Vulnerabilities and Exposures (CVE), requesting vulnerability context, calculating the risk level, transferring control to analysts for remediation and investigation, and closing the scenario.

Threat detection and incident response
This includes using various methods to detect hidden or unknown attacks on the network and taking measures to neutralize threats. SOAR helps automate part of this process and provide analysts with the necessary information to make decisions. For example:
  • IOC search: obtaining and extracting IOCs from attached files, looking them up with threat intelligence tools, and updating databases;
  • Malware analysis: getting data from various sources, extracting and detonating malicious files, generating and displaying reports, checking for malicious targets, and updating the database;
  • Cloud incident response: consuming data from cloud-based threat detection and event logging tools, combining processes between cloud and on-premises security infrastructures, correlating with SIEM, extracting and enriching indicators, checking for malicious intent, transferring control to analysts to review the information, and updating the database.

Automating data enrichment
This includes using various data sources (threat databases, threat analysis services, public resources, and others) to get more information about potential threats and incidents. SOAR helps automate this process and gives analysts a more complete picture of the situation. For example:
  • IOC enrichment: getting data from different sources, extracting indicators that need to be checked, enriching URLs, IP addresses and hashes, checking for malice, updating the database, inviting analysts to view and investigate information, and closing the script;
  • Assigning an incident risk level: checking other products for vulnerability assessments and whether existing indicators have been assigned ratings, assigning severity, checking user names and endpoints for being on the critical list, assigning critical severity, and closing the incident.
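As an added example (not part of the original post) covering the IOC enrichment and incident risk-level steps above: the code extracts URL, IP and hash indicators from constructed alert text, enriches them against a constructed threat-intelligence table, and assigns a severity from indicator ratings, vulnerability findings and a critical-asset list. All tables, the rating thresholds, the CVE placeholder and the names used are assumptions.

```python
import re
# Constructed stand-ins for the external sources the post lists (threat
# databases, vulnerability scanners, critical-asset inventory); none of these
# values come from the original post. Rating scale: 0 (benign) to 100.
THREAT_INTEL = {"http://198.51.100.23/login.php": 85, "10.0.0.5": 0,
                "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": 60}
VULN_FINDINGS = {"ws-042": ["CVE-XXXX-YYYY"]}        # placeholder CVE id
CRITICAL_LIST = {"users": {"svc-backup"}, "endpoints": {"dc-01"}}
LEVELS = ["low", "medium", "high", "critical"]
# Constructed alert text such as a proxy or EDR product might emit.
ALERT = ("Proxy blocked http://198.51.100.23/login.php requested by 10.0.0.5; "
         "dropped file e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")

PATTERNS = [  # order matters: URLs are removed before IPs are matched
    ("url", re.compile(r"https?://[^\s;,\"']+")),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("hash", re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")),
]

def extract_indicators(text):
    """Extract the indicators that need checking, tagged with their type."""
    found, rest = {}, text
    for kind, pat in PATTERNS:
        for match in pat.findall(rest):
            found[match] = kind
        rest = pat.sub(" ", rest)   # so an IP inside a URL is not reported twice
    return found

def enrich(indicators):
    """Look each indicator up; unknown indicators get rating None."""
    return {ioc: THREAT_INTEL.get(ioc) for ioc in indicators}

def assign_severity(enriched, user, endpoint):
    """The post's risk-level steps: indicator ratings set the base level, open
    vulnerabilities raise it one step, a critical user or endpoint makes it critical."""
    worst = max((r for r in enriched.values() if r is not None), default=0)
    level = 2 if worst >= 80 else 1 if worst >= 50 else 0
    reasons = [f"max_indicator_rating={worst}"]
    if VULN_FINDINGS.get(endpoint):
        level = min(level + 1, 2)
        reasons.append(f"open_vulnerabilities={VULN_FINDINGS[endpoint]}")
    if user in CRITICAL_LIST["users"] or endpoint in CRITICAL_LIST["endpoints"]:
        level = 3
        reasons.append("on_critical_list")
    return LEVELS[level], reasons

def triage(alert_text, user, endpoint):
    """Run enrichment and risk assignment end to end for one incident."""
    enriched = enrich(extract_indicators(alert_text))
    severity, reasons = assign_severity(enriched, user, endpoint)
    return {"indicators": enriched, "severity": severity, "reasons": reasons, "status": "closed"}
```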

How do I choose a SOAR platform?
When comparing different SOAR providers, there are a number of different factors that need to be considered before implementing a SOAR solution. Factors include evaluating your own maturity, the required technology integrations and tool stack, existing processes, and the chosen deployment method.

After the company conducts an internal audit of its security status, it should consider factors related to the SOAR product itself. These factors include:
  • Ease of use and connection to other tools: the tool should act as a bridge between detection, data enrichment, response, and allied tools. Ideally, a SOAR solution receives alerts from detection tools and automatically coordinates the actions of response tools;
  • Custom integration features: does the platform have a mechanism (such as an internal SDK) for creating custom integrations? Does the implementation period include support for custom integrations by the vendor's support team? Are these services optional or included in the purchase price?
  • Out-of-the-box (OOTB)/pre-built integrations: how many integrations does the platform have? Are new integrations added to the platform over time and delivered incrementally? Are the updates free or paid optional services?
  • Incident management: does the platform have built-in management or does it integrate with the appropriate management tools? Does the platform allow you to retrieve the history of incidents? Does the platform support post-incident documentation and review?
  • Integration with threat analysis: incident investigation is accelerated by the ability to match against threat analysis data, which can reveal previously undetected malicious activity. Automated workflows allow you to extend the threat analysis process to security tools in real time;
  • Workflow and script capabilities: does the platform have workflow capabilities? Does the platform show a live run of scenarios for each incident? Does the platform support script embedding? Does the platform support creating custom script tasks (both automatic and manual)? Does the platform support transferring user tasks between scripts?
  • Flexible deployment: what deployment options does the platform have? Is the platform designed for multi-user use, and does it have the security needed to support network segmentation for communication between organizational networks? Does the platform have horizontal scalability across multiple clients and guaranteed high availability?
  • Pricing: common pricing models today are price per action, price per node or endpoint, and an annual subscription with additional fees for additional administrators;
  • Additional services and features: beyond the core competencies of SOAR, what other features does the vendor offer that will benefit your organization?
  • Professional services: does the vendor provide professional services to its customers, ensuring successful deployment from start to finish?
  • After-sales support: what kind of support does the vendor provide after the SOAR installation?
Choosing the best SOAR solution for any cybersecurity operation requires matching the vendor's offerings and the security organization's needs for increased efficiency and effectiveness.

The right SOAR solution should not only complement and be compatible with installed products, scenarios, and processes, but also optimize collaboration, provide flexibility in both deployment and hosting capabilities, and have a pricing model that meets the organization's needs.