SOAR helps security analysts during incident analysis and within the incident response process to focus on the important information and events and to avert potential IT security incidents in a targeted manner.
What is a SOAR?
Security Orchestration, Automation and Response (SOAR) systems provide a platform to efficiently handle incoming alerts from various IT security systems within the enterprise. To do this, they bring together all the relevant information within the company that is needed to process a potential IT security incident. Furthermore, the tools offer the possibility to react automatically to alarm messages and to initiate appropriate protective measures. A SOAR supports security analysts in threat and vulnerability management, the incident response process and the automation of various security-related processes.
All systems that can initially detect a potential IT security incident, provide further information for its assessment or initiate protective measures are connected to a SOAR. Typically these are the company’s internal SIEM system, an EDR (Endpoint Detection & Response) solution or a phishing detection system. Other important internal data sources include Active Directory, the CMDB (Configuration Management Database) and network information from NDR systems. External data sources such as threat intelligence feeds or file analysis services contribute further context. Integrations with tools that can initiate situation-dependent protective measures complete the set of connected components.
The main task of a SOAR is to automatically enrich all incoming alarms from the various data sources with further information and, if necessary, to take reactive measures. For this purpose, each alarm is processed by an alarm-specific playbook, which interacts with the connected tools and thus supports the analyst in their work. Furthermore, incoming alarms are automatically de-duplicated or grouped into cases, which keeps the overview manageable.
In the area of response, a SOAR offers a fast and automated reaction to incoming alarm messages through connected components such as firewalls, EDR systems or Active Directory. The playbooks created can be used to control whether an action to block an IP address or isolate a host is initiated with or without approval by a security analyst.
What do I achieve with SOAR?
Once integrated into the company, a SOAR is, alongside the SIEM, the central tool for handling potential security incidents within the incident response process. To this end, it brings together on one platform all security tools used in the company, consolidates the available information, supports the collaboration of several analysts on a case and documents past events.
SOAR systems usually offer suitable integrations for all common security tools in order to connect them easily to the platform. Via the SOAR, all integrations can then be controlled automatically via playbooks or manually by the analyst, and suitable actions can be triggered. If an integration is not available for a tool, it is usually possible to develop your own connections.
Security analysts create playbooks for different threat scenarios that support the analysis work within the incident response process. The focus is on enriching the initial alarm with additional information from various systems such as EDR or SIEM and on the automatic reaction to the event in question. Furthermore, a playbook serves the analyst as a specification of the individual work steps within the framework of a runbook as well as the simultaneous documentation of the incident. This ensures the reproducibility and quality of the analysis work, even when security analysts change or work in teams.
For the documentation of an alarm as well as for the overview of different cases, a SOAR provides various dashboards and reports that can be adapted to individual needs. These support security analysts not only in specific analysis activities, but also in documenting various alarms or the subsequent correlation of different events and indicators of compromise.
Furthermore, SOAR solutions provide user and rights management to enable multiple people and teams to collaborate on an alert and escalate the case to other responsible personnel. SOAR also supports compliance with defined SLAs (Service Level Agreements) and the integration of involved third parties within the incident response process.
Example for the use of SOAR
As an example scenario, the SOAR could receive a brute-force alert via a connected SIEM system.
The alarm was triggered by several failed authentication attempts within a short period of time on a client, using an account of the company’s internal domain.
- After the alarm is received by the SOAR, it automatically starts the associated playbook. The tool first supplements the available information of the alarm with further properties of the affected user account via the connected Active Directory.
- Using the available log data from the SIEM, the tool then checks whether the user logged in successfully after the failed login attempts. For this purpose, additional attributes such as the distinction between private and public IP or the user’s location are determined in addition to the source IP address of the login attempts. The playbook can also correlate the present alarm with similar alarms from the past.
- All collected information is then made available to the analyst in a clear manner via dashboards.
- In a further step, the running playbook can automatically contact the affected user by email and ask whether the login attempts were made by the user or whether there are any further indications. This response is also available to the analyst for further assessment.
- The playbook then switches to the remediation phase and takes appropriate action based on the previously collected information. This can be, for example, the isolation of the host via a connected EDR system or the deactivation of the affected user account within the Active Directory. It is also possible to reset the password of the account if necessary and to inform the user about this step. Depending on the playbook design, the security analyst can decide whether the measures addressed should be carried out automatically or only after a manual release.
- Furthermore, once the protective measures have been carried out, there is also the option of automatically reverting them in the event of a false positive.
- In parallel to these operations, the SOAR documents the event.
- In addition, the event can also be reflected in connected components such as a ticket system.
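The scenario above, and the enrich/decide/respond cycle described under "What is a SOAR?", can be expressed as a playbook in code. The following is an added example written for this page, not code from the original article or from any SOAR product: a simplified brute-force playbook in plain Python. Active Directory, SIEM log data and the list of past alarms are constructed in-memory stand-ins for real integrations, and the alert field names, the decision policy (which measures run automatically and which wait for an analyst's release) and the action names are assumptions.

```python
"""Added example, not code from the original article: a simplified SOAR playbook for
the brute-force scenario above. AD, SIEM data and past alarms are constructed stand-ins;
alert field names, the decision policy and the action names are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed stand-in for the Active Directory integration.
AD_USERS = {"jdoe": {"department": "Finance", "privileged": False, "enabled": True}}

# Constructed SIEM authentication events for the affected account. 203.0.113.0/24 is a
# documentation range, used here as a stand-in for an external (non-RFC 1918) address.
def _event(ts, result, ip="203.0.113.7"):
    return {"ts": "2024-03-01T08:00:" + ts, "user": "jdoe", "host": "WS-0042", "src_ip": ip, "result": result}

SIEM_AUTH_EVENTS = [_event("05", "failure"), _event("09", "failure"), _event("12", "failure"),
                    _event("15", "failure"), _event("41", "success")]

# Constructed alarms the SOAR has closed before, and the new alert as received from the SIEM.
PAST_ALARMS = [{"rule": "brute_force", "user": "jdoe", "ts": "2024-02-27T22:10:00", "verdict": "false_positive"},
               {"rule": "brute_force", "user": "asmith", "ts": "2024-02-28T09:00:00", "verdict": "true_positive"}]
BRUTE_FORCE_ALERT = {"rule": "brute_force", "user": "jdoe", "host": "WS-0042", "failed_attempts": 4,
                     "first_seen": "2024-03-01T08:00:05", "last_seen": "2024-03-01T08:00:15"}

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REVERSAL = {"isolate_host": "release_host", "disable_account": "enable_account"}  # how to undo each measure


@dataclass
class Case:
    alert: dict
    enrichment: dict = field(default_factory=dict)
    decision: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)   # protective measures actually carried out
    timeline: list = field(default_factory=list)  # step-by-step documentation of the playbook run


def enrich_from_ad(case):
    """Step 1: supplement the alarm with account properties from Active Directory."""
    case.enrichment["ad"] = AD_USERS.get(case.alert["user"], {"unknown_account": True})
    case.timeline.append("AD lookup done")


def check_logins_in_siem(case, events):
    """Step 2: did a successful login follow the failures, and from an internal or external address?"""
    last_failure = datetime.fromisoformat(case.alert["last_seen"])
    related = [e for e in events if e["user"] == case.alert["user"]]
    success = any(e["result"] == "success" and datetime.fromisoformat(e["ts"]) > last_failure for e in related)
    src_ips = sorted({e["src_ip"] for e in related})
    internal = all(any(ip_address(ip) in net for net in RFC1918) for ip in src_ips)
    case.enrichment.update(success_after_failures=success, source_ips=src_ips,
                           source_ip_type="private" if internal else "public")
    case.timeline.append(f"SIEM check: success_after_failures={success}, source={case.enrichment['source_ip_type']}")


def correlate_past_alarms(case, past, days=7):
    """Step 3: relate the alarm to similar alarms for the same account within the last `days`."""
    cutoff = datetime.fromisoformat(case.alert["first_seen"]) - timedelta(days=days)
    similar = [a for a in past if a["rule"] == case.alert["rule"] and a["user"] == case.alert["user"]
               and datetime.fromisoformat(a["ts"]) >= cutoff]
    case.enrichment["prior_false_positives"] = sum(a["verdict"] == "false_positive" for a in similar)
    case.timeline.append(f"{len(similar)} similar alarm(s) in the last {days} days")


def decide(case):
    """Step 4: pick measures and whether an analyst must release them first (assumed policy)."""
    e = case.enrichment
    if e["success_after_failures"] and e["source_ip_type"] == "public":
        d = {"severity": "high", "actions": ["isolate_host", "disable_account", "reset_password"], "approval_required": False}
    elif e["success_after_failures"]:
        d = {"severity": "medium", "actions": ["disable_account", "reset_password"], "approval_required": True}
    else:
        d = {"severity": "low", "actions": ["notify_user"], "approval_required": False}
    case.decision = d
    case.timeline.append(f"decision: {d['severity']}, approval_required={d['approval_required']}")


def execute_response(case, approved=False):
    """Step 5: carry out the measures via the (simulated) EDR and AD integrations, honouring the approval gate."""
    d = case.decision
    if d["approval_required"] and not approved:
        case.timeline.append("waiting for analyst release")
        return []
    for action in d["actions"]:  # host actions target the client, all others the account
        target = case.alert["host"] if action == "isolate_host" else case.alert["user"]
        case.actions.append(f"{action}:{target}")
    case.timeline.append(f"executed {case.actions}")
    return list(case.actions)


def rollback(case):
    """Step 6: revert reversible measures after the analyst marks the case a false positive."""
    undone = [f"{REVERSAL[a]}:{t}" for a, t in (x.split(":", 1) for x in case.actions) if a in REVERSAL]
    case.actions.extend(undone)
    case.timeline.append(f"rolled back {undone}")
    return undone


def run_playbook(alert, events=SIEM_AUTH_EVENTS, past=PAST_ALARMS, approved=False):
    case = Case(alert=dict(alert))
    enrich_from_ad(case)
    check_logins_in_siem(case, events)
    correlate_past_alarms(case, past)
    decide(case)
    execute_response(case, approved)
    return case
```

Running `run_playbook(BRUTE_FORCE_ALERT)` yields a high-severity case (success after failures from an external address) whose measures run without release; with the same failures from an RFC 1918 address the policy downgrades to medium and `execute_response` does nothing until it is called with `approved=True`. The `timeline` list is the case documentation the article mentions, filled in as a side effect of every step rather than written afterwards.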
What are the limitations of SOAR?
The extent to which the functions described above are available varies from vendor to vendor. This concerns, on the one hand, the range of available integrations for different security tools and, on the other, the capabilities for converting and adapting data on ingest or during processing within a playbook. The functional scope of the playbook editor, the options for displaying alarm information and the reporting capabilities also differ and should be considered when selecting SOAR software.
It should also be noted that a SOAR does not replace the work of security analysts, but rather supports them in a targeted manner. Above all, this means automating the recurring tasks of an alarm type and simplifying the control of specific measures. Furthermore, the consolidation of all security-relevant systems, information and people on one platform helps to implement an efficient way of working.
SOAR and SIEM – A Dream Team?
As already mentioned, SOAR does not compete with an existing SIEM system, but increases the efficiency of the security processes.
A SIEM system is responsible for the initial detection of potential security incidents. For this purpose, it aggregates and correlates all security-relevant log information from clients, servers or network components available in the company. With the help of implemented detection rules (so-called use cases), the incoming information is examined and any threats are identified. After the initial alarm from the SIEM system, it is the security analyst’s task to contextualize it and assess the threat to the company. If the alert turns out to be a concrete threat, it is further necessary to respond accordingly and take appropriate protective measures as part of the incident response process.
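To make the division of labour concrete, here is the SIEM side of the brute-force example: a minimal detection rule ("use case") that reads authentication log lines and produces the alert the SOAR playbook then takes over. This is an added example written for this page, not code from the original article or from any SIEM product. The log lines are constructed samples; their key=value format, the failure threshold and the time windows are assumptions.

```python
"""Added example, not code from the original article: a minimal SIEM-style detection
rule ("use case") that reads authentication log lines and raises a brute-force alert
of the kind the SOAR scenario above starts from. The log lines are constructed samples;
their key=value format, the threshold and the time windows are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (format is an assumption). 203.0.113.0/24 is a documentation range.
AUTH_LOG = """\
2024-03-01T08:00:05 host=WS-0042 user=jdoe src=203.0.113.7 result=failure
2024-03-01T08:00:07 host=WS-0101 user=asmith src=10.1.2.3 result=failure
2024-03-01T08:00:09 host=WS-0042 user=jdoe src=203.0.113.7 result=failure
2024-03-01T08:00:12 host=WS-0042 user=jdoe src=203.0.113.7 result=failure
this line is not an authentication event and must not break the parser
2024-03-01T08:00:15 host=WS-0042 user=jdoe src=203.0.113.7 result=failure
2024-03-01T08:00:20 host=WS-0101 user=asmith src=10.1.2.3 result=success
2024-03-01T08:00:41 host=WS-0042 user=jdoe src=203.0.113.7 result=success
2024-03-01T08:00:50 host=WS-0042 user=jdoe src=203.0.113.7 result=failure
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def parse_auth_log(text):
    """Parse log lines into event dicts; unparseable lines are counted rather than silently lost."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events, unparsed


def detect_brute_force(events, threshold=4, window_seconds=60, suppress_seconds=300):
    """Raise one alert per (user, host) once `threshold` failures fall within `window_seconds`.
    Further hits for the same key are suppressed for `suppress_seconds`, so the SOAR receives
    one alarm per burst instead of one per failed attempt."""
    recent = defaultdict(deque)   # (user, host) -> failures inside the sliding window
    last_alert = {}               # (user, host) -> time of the last alert raised
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "failure":
            continue
        key = (ev["user"], ev["host"])
        window = recent[key]
        window.append(ev)
        while (ev["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
            window.popleft()  # drop failures that have aged out of the window
        if len(window) < threshold:
            continue
        prev = last_alert.get(key)
        if prev is not None and (ev["ts"] - prev).total_seconds() <= suppress_seconds:
            continue  # still inside the suppression period of the previous alert
        last_alert[key] = ev["ts"]
        alerts.append({
            "rule": "brute_force", "user": ev["user"], "host": ev["host"],
            "failed_attempts": len(window),
            "src_ips": sorted({e["src"] for e in window}),
            "first_seen": window[0]["ts"].isoformat(),
            "last_seen": ev["ts"].isoformat(),
        })
    return alerts


if __name__ == "__main__":
    evs, bad = parse_auth_log(AUTH_LOG)
    for alert in detect_brute_force(evs):
        print(alert)
    print(f"{bad} line(s) could not be parsed")
```

On the sample log, the rule raises exactly one alert for `jdoe` on `WS-0042` (four failures within ten seconds) and stays quiet for the later fifth failure, which falls inside the suppression period; `asmith` never reaches the threshold. The returned alert carries the fields (`user`, `host`, `first_seen`, `last_seen`) a playbook needs to start its enrichment, which is the handover point between SIEM and SOAR described in this section.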
A SOAR supports the security analyst in all steps after the initial alarm. This includes the automation of recurring analysis steps, the central control of various security tools and the continuous documentation of all steps performed and their results. The combination of SIEM and SOAR sustainably accelerates the security process within the company, strengthens the reproducibility and quality of the analysis work, and standardizes the documentation of various events.
SECUINFRA and SOAR
SECUINFRA has built up expertise in SOAR solutions from numerous vendors over the past years. Combined with our expertise in setting up and operating SIEM systems and our many years of experience in incident response, our cyber defense consultants can support you in setting up, developing and operating SOAR systems. SECUINFRA also offers long-term cooperation for the comprehensive protection of your IT infrastructure within the scope of co-managed and managed solutions.