Technology

Introduction to SOAR


Gartner has recently announced a new cybersecurity technology analysis model called Security Operations, Analytics, and Reporting (SOAR). You may also hear cybersecurity professionals refer to it as SOAPA (security operations analytics platform architecture), perhaps because they want to teach us yet another cybersecurity acronym. There is no need to dwell on that: Gartner calls it SOAR, and so should we.

Jul 10, 2023

In a sense, SOAR can truly help your CSOC feel like it has wings. SOAR is a security operations and reporting platform that leverages machine-readable data from various sources to provide management, analysis, and reporting capabilities that support cybersecurity analysts. The platform applies decision-making logic, combined with context, to provide standardized workflows and to enable triage (priority assignment) of cybersecurity remediation tasks. The result is actionable intelligence that lets you stay on top of your workflows.

What is the difference between SOAR and SIEM?

SIEM has been around for some time and has evolved from a security event correlation tool into a full-fledged security analysis system. Traditionally, SIEM practice involves collecting your security logs and events to provide visibility into what is happening within your organization from a cybersecurity perspective. The tools we use keep evolving, and while alerts about suspicious behavior are necessary, the primary goal is to act quickly and effectively on those alerts. A traditional SIEM notifies you that something is happening on your network; a SOAR platform lets you take action based on that information. SOAR collects and consolidates the data from your security applications and threat intelligence feeds, but it goes beyond SIEM by enabling automated response and coordination of security tasks across connected applications and processes. SOAR lets you integrate third-party threat intelligence from various sources while also giving you the ability to develop playbooks of actionable and follow-up activities for responding to threats.

How can SOAR help cybersecurity analysts?

Physicist William Pollard once said, "Information is a source of learning. But unless it is organized, processed, and available to the right people in a format for decision-making, it is a burden, not a benefit," and this holds true in the realm of cybersecurity. The remarkable thing about this 19th-century quote is how succinctly it describes the challenge many modern CSOC teams face. CSOC analysts are often overwhelmed by the sheer volume of alerts and information available to them, frequently scattered across various systems, and much of an analyst's time is spent filtering and organizing that information into a form suitable for decision-making. This is where SOAR comes in: it aims to relieve CSOC analysts of these tasks so they can focus on higher-priority work, and it delivers a measurable return on investment (ROI) in a relatively short time. It is worth noting that the best SOAR platforms are those that can demonstrate evidence of producing ROI, and you will typically see clear savings of 15%+ in your cybersecurity team's time.

What capabilities should a modern SOAR platform have?

Endpoint Detection and Response (EDR): After prioritizing security alerts, security analysts also want to dig deeper into incidents through endpoint monitoring and investigation, which makes EDR capabilities an important part of any SOAR platform.

Vulnerability Management: Part of the SOC analyst's job is knowing which alerts to prioritize and manage. That decision is usually informed by the vulnerability management capabilities of the SOAR platform, working from direct data.

Threat Intelligence: Integrating SOAR with various threat intelligence platforms and sources makes it easier and faster for analysts to compare potential threats against known threats.

Case Management-Based Incident Response: Analysts collect, process, and analyze security data, but they also need to use it to prioritize alerts and respond to threats as quickly as possible. Robust incident response capabilities are therefore important for a SOAR platform.

Playbook Management: Since SOAR is geared towards incident response, a crucial part of SOAR is the ability to create and manage playbooks that align with your incident response policies and streamline your incident response processes.
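The triage and playbook ideas described above, as an added example that is not part of the original post: a minimal SOAR-style playbook takes a SIEM alert, enriches it with threat intelligence and asset context, assigns a priority, and separates actions that run automatically from disruptive follow-ups that wait for analyst approval. The intel feed, asset list, alerts and action names are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed threat-intel feed: indicator -> (confidence 0-100, tags).
THREAT_INTEL = {
    "203.0.113.7": (90, ["c2", "known-malware-infrastructure"]),
    "198.51.100.23": (40, ["scanner"]),
}

# Constructed asset context used by the decision logic (hypothetical hosts).
ASSET_CRITICALITY = {"db-prod-01": "high", "kiosk-17": "low"}


@dataclass
class Decision:
    severity: str
    auto_actions: list = field(default_factory=list)      # run without a human
    approval_actions: list = field(default_factory=list)  # staged for an analyst


def enrich(alert: dict) -> dict:
    """Attach intel and asset context to a raw SIEM alert (returns a copy)."""
    confidence, tags = THREAT_INTEL.get(alert["dst_ip"], (0, []))
    return {**alert, "intel_confidence": confidence, "intel_tags": tags,
            "asset_criticality": ASSET_CRITICALITY.get(alert["host"], "unknown")}


def triage(enriched: dict) -> Decision:
    """Decision logic: intel confidence plus asset criticality picks the steps."""
    decision = Decision(severity="low")
    if enriched["intel_confidence"] >= 80:
        high_value = enriched["asset_criticality"] == "high"
        decision.severity = "critical" if high_value else "high"
        decision.auto_actions += ["open_case", "block_ip_at_egress", "page_analyst"]
        # Host isolation is disruptive, so it is a follow-up that needs approval.
        decision.approval_actions.append("isolate_host")
    elif enriched["intel_confidence"] >= 30:
        decision.severity = "medium"
        decision.auto_actions += ["open_case", "pull_edr_timeline"]
    return decision


def run_playbook(alert: dict) -> Decision:
    return triage(enrich(alert))


# Constructed SIEM alerts standing in for what a SIEM would forward to SOAR.
ALERTS = [
    {"id": "A-1", "host": "db-prod-01", "dst_ip": "203.0.113.7", "rule": "outbound-beacon"},
    {"id": "A-2", "host": "kiosk-17", "dst_ip": "198.51.100.23", "rule": "port-scan"},
    {"id": "A-3", "host": "kiosk-17", "dst_ip": "192.0.2.5", "rule": "dns-anomaly"},
]
```

Running `run_playbook` over `ALERTS` yields a critical decision with a staged isolation for A-1, a medium case with an EDR timeline pull for A-2, and a low-severity alert with no actions for A-3.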

SOAR IS A KEY COMPONENT IN CYBERSECURITY EFFORTS

The growing threat of cyberattacks and the administrative burden of managing data security put pressure on SOCs to prevent data breaches, operational disruptions, and reputational damage. SOAR offers a different approach to equipping cybersecurity teams, one that is not constrained by manual processes and instead uses automation, predictive analytics, and increasingly advanced AI to help identify and respond to unauthorized intruders before they gain a foothold in the network. SOAR promises to reduce attacker dwell time (the time it takes to detect a threat after initial compromise) as well as detection and remediation times (the time between identification and response). By bringing automation, incident management, orchestration, visualization, and reporting together in a single pane of glass, SOAR provides a fast and accurate way to process alert and log data, helping analysts identify and respond to ongoing attacks, strengthening SOC teams, and making them many times more efficient in handling their workflows.
