Risk-aware companies typically have multiple IT security solutions in place to protect their organization from cyber threats. Even when the individual tools are working optimally, they don't necessarily work together. Given limited resources and a shortage of skilled personnel, many companies struggle to keep pace with the evolving threat landscape. For this reason, Security Orchestration, Automation and Response (SOAR) has gained significant momentum. But what are the actual benefits of SOAR solutions, and what do companies achieve with them?

How SOAR solutions are revolutionizing cybersecurity

IT security teams usually have to keep track of numerous, disparate security tools in order to stem the tide of threats. Each alert from the respective software must be monitored, analyzed and interpreted. Cybersecurity automation is critical to managing this constant stream of threats. Security Orchestration, Automation and Response (SOAR) systems provide a platform to efficiently handle incoming alerts from disparate IT security systems across the enterprise.

How SOAR works

SOAR systems bring together all the relevant information needed to process a potential IT security incident. For the initial alarm, SOAR systems obtain information from a SIEM, EDR or NDR system. It is also possible to connect to an email inbox for phishing analysis. For further contextualization, the alarm is enriched with public threat intelligence information, results from file analysis tools or internal databases. Furthermore, SOAR offers the possibility to react automatically to alarm messages via the connected systems and to initiate appropriate protective measures. The deactivation of user accounts, the isolation of affected hosts or the automatic creation of domain block lists can be mentioned here as examples.

Playbooks are used within the SOAR system for the automatic processing of alarms. These contain, related to the respective use case, a defined sequence for information collection, analysis and reaction. Playbooks can react to different results within the analysis process and initiate corresponding action steps. Playbooks can be compared to the structure of a runbook for analysis, but work through the necessary steps automatically.
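As an added illustration (not code from the article or from SECUINFRA), the following minimal playbook in Python follows the collection, analysis and reaction sequence described above. The SIEM alert, the threat-intelligence entries, the allowlist and the tool names are constructed placeholders; a confirmed result triggers initial protective measures, while a borderline result is handed to an analyst rather than acted on automatically.

```python
from dataclasses import dataclass, field

# Constructed sample data standing in for a SIEM alert and a threat-intel feed.
ALERT = {"id": "A-1001", "type": "suspicious_outbound", "host": "ws-042",
         "user": "jdoe", "dst_ip": "203.0.113.7", "dst_domain": "update-check.example"}
THREAT_INTEL = {"203.0.113.7": {"verdict": "malicious", "score": 90},
                "update-check.example": {"verdict": "suspicious", "score": 55}}
INTERNAL_ALLOWLIST = {"198.51.100.20"}  # known-good internal destination (constructed)


@dataclass
class Case:
    """One case as a SOAR would track it: alert, enrichment, actions and an audit log."""
    alert: dict
    enrichment: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)
    status: str = "open"
    log: list = field(default_factory=list)


def enrich(case):
    """Collection step: look up every indicator in the alert against threat intel."""
    for key in ("dst_ip", "dst_domain"):
        ioc = case.alert[key]
        case.enrichment[ioc] = THREAT_INTEL.get(ioc, {"verdict": "unknown", "score": 0})
        case.log.append(f"enriched {ioc}: {case.enrichment[ioc]['verdict']}")
    return case


def decide(case):
    """Analysis step: branch on the enrichment result, as a playbook would."""
    max_score = max(e["score"] for e in case.enrichment.values())
    if case.alert["dst_ip"] in INTERNAL_ALLOWLIST:
        case.status = "closed_false_positive"
    elif max_score >= 80:
        case.status = "confirmed"
    elif max_score >= 40:
        case.status = "needs_analyst"  # final assessment stays with a human
    else:
        case.status = "closed_benign"
    case.log.append(f"decision: {case.status} (max score {max_score})")
    return case


def respond(case):
    """Reaction step: initial protective measures only for confirmed incidents."""
    if case.status == "confirmed":
        case.actions += [("edr", "isolate_host", case.alert["host"]),
                         ("proxy", "block_domain", case.alert["dst_domain"])]
    for tool, action, target in case.actions:
        case.log.append(f"action via {tool}: {action} {target}")
    return case


def run_playbook(alert):
    """Run the full sequence and return the documented case."""
    return respond(decide(enrich(Case(alert))))
```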

The main advantages of SOAR for security teams

Once integrated into the company's environment, a SOAR is, alongside the SIEM, the central tool for handling potential security incidents.

Specifically, SOAR helps security analysts by automatically (pre-)processing information and alerts. For this purpose, it connects all security tools on one platform, merges the available information and supports the collaboration of several analysts on one case. This enables security analysts to work more efficiently and avert potential damage in a targeted manner. The SOAR also serves to document past events.

In summary, security teams achieve with a SOAR:

  • Central connection of all security tools
  • Automatic (pre-) processing of incoming security alarms
  • Display of all relevant information at a glance
  • Easy collaboration between analysts on cases
  • Automatic reaction to confirmed incidents
  • Continuous documentation of all events

Can SOAR replace the work of security analysts?

The SOAR system supports the work of security analysts in a targeted manner, but cannot replace them. The solution automates recurring tasks, aggregates alarms of one alarm type and reacts to threats with specific measures. It also unites all security-relevant systems in the company on one platform for central control and provides an overview for all security analysts.
SOAR systems aim to support the work of security analysts through automated processing steps and to initiate initial protective measures.
However, the final assessment of an alert remains the responsibility of the analyst.

How SOAR and SIEM work together

SOAR and SIEM complement each other in several ways, as the combination of a SIEM’s work (logging and analysis) and SOAR’s automated response can be very effective.
A SIEM system is responsible for the initial detection of potential security incidents. To do this, it first collects data from various sources and analyzes it in real time using use cases. If anomalies are detected, the SIEM issues an alarm. After the initial alarm from the SIEM system, it is the task of the security analyst to contextualize it and assess the threat to the company. If the alarm turns out to be a concrete threat, it is necessary to react accordingly within the framework of the incident response process and to initiate appropriate protective measures, such as isolating a host or blocking user accounts.
In all steps after the initial alert, a SOAR supports the security analyst in their work. This includes automating recurring analysis steps, initiating initial protective measures, centrally controlling various security tools, and continuously documenting all steps taken and their results.

How companies find the best SOAR solution

More and more companies want to improve their security process with a SOAR, but this is difficult or even impossible, especially when budgets are small or in-house IT security experts are lacking. In this case, the best approach is to implement an individual SOAR in a modular fashion. For this purpose, cyber defense experts like SECUINFRA plan the implementation and optimization of various analysis scenarios and automations together with the company. Supporting a SOAR system is not a one-time task but a continuous process, so that the organization can respond to the constantly changing threat situation in the best possible way.

Conclusion

SOAR supports threat and vulnerability management, the incident response process and the automation of various security-related processes. The application of SOAR thus represents a significant tool for ensuring the IT security of companies. The solution helps to optimize coordination and collaboration between security teams, automate activities and gain a more precise overview of an organization’s security posture.

Simon Hanke · Author

Cyber Defense Consultant

During his dual computer science studies with SECUINFRA, Simon specialized in the field of IT security at an early stage and steadily consolidated his interest in this field. In the various practical phases of his studies, he focused on the areas of network analysis and automation of security processes. In doing so, he was able to further expand and deepen his knowledge of tools and detection options for attacks. In various projects Simon applies his knowledge and strengthens the Cyber Defense at SECUINFRA's customers.

Ramon Weil · Author

Founder & CEO

Ramon Weil is founder and managing director of SECUINFRA GmbH. Since 2010, he has developed SECUINFRA into one of the leading companies in the field of detection, analysis and defense against cyber attacks in Germany. Before founding SECUINFRA, Ramon worked for more than 20 years in the field of IT & IT security. Among other things, he worked at Siemens in the Security Operation Center (SOC), established the back level support for IT security products at Siemens and implemented and managed IT security projects worldwide. From 2006 until the foundation of SECUINFRA, Ramon built up the IT Security business for Siemens and later Nokia Siemens Networks (NSN) in the Asia Pacific (APAC) region. In addition to numerous IT security product certifications, he has been a CISSP since 2006 and a CISM since 2010.