Organizations usually have several security solutions in place, but a shortage of qualified personnel, integration problems and a lack of specialized controls make it impossible to use the full potential of these solutions. 

Meanwhile, the high degree of automation of modern cyberattacks can overload the experts of the security team, who are already faced with managing a large number of other routine operations.

Modern information systems are constantly changing — sometimes radically. Modern technologies, such as hybrid cloud environments, remote mobile access and software-defined networking and storage (SDN/SDS), not only raise the requirements for the competence of cybersecurity personnel and imply the use of specific approaches to protection, but also increase the need for specialized tools required to implement and control security policies.

With multiple, decentralized security solutions, security teams can become overwhelmed with the task of managing many tools.

Security operations centers (SOCs) can partially solve these problems, consolidating the most effective forces and means where they are most needed. However, to completely solve all problems, such centers may benefit from additional gear in the form of security orchestration, automation and response (SOAR) solutions.

Main security goals of SOAR

Below are the top operational goals of security orchestration, automation and response (SOAR) systems:

• Real-time collection of infosec data coming from heterogeneous sources and initial categorization of such information
• Automation of typical chains of tasks related to cybersecurity incidents and identification of abnormalities
• Automation of organizational and technical tasks and procedures for ensuring security within the framework of responding to a security incident, including informing interested parties
• Automation of all SOC routines
• Retrospective analysis of states, conditions, actions taken and results of response to cybersecurity incidents
• Develops organizational security reports with the possibility of retrospective and predictive analysis

SOAR is a relatively recent concept. There are three groups of SOAR functions: unification, automation and orchestration.

The unification of various technologies, processes, resources and interfaces allows effective collaboration of cybersecurity tools aimed at ensuring information security. Automation minimizes the involvement of staff in solving problems while maintaining and often increasing quality and consistency. Orchestration is aimed at building response scenarios, implementing security policies and performing the necessary tasks when responding to and investigating cyber incidents.

Security orchestration is an approach that helps facilitate the planning, integration and coordination of activities and functions of cybersecurity tools and experts. It is also used for the implementation and automation of the necessary actions aimed at responding to an information security incident within the framework of heterogeneous technological paradigms.

In the absence of SOAR, security experts must deal with all tasks related to cyber incident investigation and response, including deploying software; implementing policies and monitoring information security tools; supervising the investigation of a security incident; and obtaining additional information from threat intelligence tools. They also must apply temporal blocks and security policies and plan, manage and improve the functions of information security management systems.

SOAR allows experts to solve management problems, focusing on planning and improving the information security management system. SOAR acts as a single interface for accessing management functions and necessary data. SOAR automates the entire list of tasks associated with responding to information security incidents, including extraction of additional information, enrichment of information about information security events, coordinated management of information security tools, automatic analysis, and monitoring.

SOAR platform and its components

The most important functions of SOAR have to do with the orchestration and automation subsystem designed to integrate information security software and hardware, including enriching the context of a cybersecurity incident; defining a starting point for a security expert to intervene; and automating the response process.

The orchestration and automation subsystem consists of two modules:

1. The orchestration module provides centralized processing of events and incidents, information about which comes from security information and event management (SIEM) and other tools, as well as the collection of threat intelligence from various external sources. This module is represented by a set of connectors that unite multiple security systems, as well as a mechanism for managing these connectors, including managing privileges and credentials.
2. The automation module provides a stage for responding to a cybersecurity event using the playbook mechanism.

A playbook is a tool that details cyber incident response scenarios. It is used to create an algorithm of response actions for a specific type of information security incident and automatically implement it when a certain rule is triggered.

The SOAR concept helps to solve a lot of problems:

• The lack of qualified staff is compensated by focusing the existing security team on management and planning tasks. Typical and routine tasks of applying security policies, responding to information security incidents are solved in automatic or semi-automatic modes with the ability to use previous experience and also predictive analysis.
• Operation of security systems and management of information security functions is ensured by the automation of most processes. At the same time, a decrease in the number of configuration errors is achieved and the efficiency of responding to information security incidents is increased.
• The gap between what security leaders need and what cybersecurity tools provide is leveled out through the use of a single centralized management interface, implementation of policies and transparent feedback from the system. SOAR minimizes the dependence on the knowledge and skills of specific specialists. The introduction of SOAR improves the efficiency of information security management, the quality of the work of specialists and optimizes the costs required to maintain and develop the security ecosystem.
• SOAR helps to scale and unify the functions of information security infrastructure management, regardless of its size, architecture and type of elements.

SOAR is not limited to traditional automation tools and interfaces. An effective solution to the problems facing SOAR is possible when using ontological representations to unify management functions and represent security policies. For example, firewall policies must be invariant to vendor-specific configuration interfaces. 

SOAR solutions can be effectively used not only in information security but also in the management of engineering systems: fire control, physical access control, power management and more. 

SOAR can be considered a means of information protection aimed at solving security management problems that are not directly related to protection against particular threats. SOAR focuses on improving the efficiency and quality of this process, taking into account restrictions due to personnel shortages and diversity of technologies. The use of SOAR helps bridge the gap between business goals and available security tools.