Cyber Resilience and SOAR

Threat actors have stepped up the pace of malicious activity. Not only has the number of attacks increased, but the time it takes for a breach to turn into a business problem has narrowed significantly from months or weeks to days or even hours.

So, when it comes to responding to a breach, faster is always better. The early decisions made when responding to a potential security incident can make the difference between successful containment and a crisis.

Manual processes for responding to a breach generally involve a security analyst getting assigned a ticket or seeing an alert, which takes time. The analyst would then manually access the security tool that initiated the alert and pivot to other tools to investigate, which takes more time. It’s also possible that an alert simply doesn’t get a response, depending on the analyst’s workload.

Given the high stakes involved — downtime, data exfiltration, revenue loss, and reputation damage — and the compressed time from an attack to a significant impact, manual processes are too slow, giving threat actors time to penetrate further into your systems and data.

The key to success is automation — the ability to contain a threat without waiting for human input. Security orchestration, automation, and response (SOAR) is a relatively new way to automate response processes. What took minutes, hours, or even days in the past using manual processes can now happen immediately with SOAR, which can contain the blast radius of an incident before a human analyst can get eyes on the system.

Investigate and Respond to Attacks Immediately

SOAR is somewhat like a 911 call center. You may need the fire department, or the police department, an ambulance, or a combination of all three. The 911 dispatcher helps determine the necessary resources to dispatch based on the type of situation and orchestrates the process of getting the right people and resources to the right place.

Like the 911 dispatcher, SOAR doesn’t detect, respond, or remediate. It’s the tool used to orchestrate your security resources to respond to an event. SOAR closes the gap between an attack and your response. As soon as detection happens, SOAR can kick off automated playbooks to act before an attack turns into a full-blown security incident.

SOAR Orchestrates Tools, Processes, and People

SOAR queries information from multiple security systems such as EDR (endpoint detection and response), NDR (network detection and response), XDR (extended detection and response), and SIEM (security information and event management), and more, giving security analysts visibility and context around an event. It orchestrates resources using automated playbooks and processes such as taking action to isolate an endpoint or update a firewall rule. Automation ensures the right steps are taken in the right order.

SOAR can also trigger remediation actions or hand the incident off for human input, for example, if your backup and recovery team or legal team needs to get involved. SOAR can also orchestrate system recovery or help restore systems from backup.

SOAR helps security analysts investigate an attack by providing visibility — a single view of an attack and how SOAR is orchestrating a response. SOAR’s improved context, combined with orchestration and automation, can lower the mean time to detection and speed up the mean time to respond. By detecting and responding to threats more quickly through automated playbooks, the deleterious effects of an attack can be contained and mitigated.

Putting SOAR in Context

While SOAR can potentially reduce the impact of an attack, it’s not a standalone system or a super-solution. SOAR doesn’t replace existing detection and event management technologies but complements their value by centralizing event information for high-level visibility and context.

It also doesn’t replace security personnel. Security professionals need to be available to fill in the gaps and make decisions as necessary, depending on the situation. But by automating workflows, security analysts will spend less time investigating. In this way, SOAR is a force multiplier that gives security analysts more breathing room to better understand the nature of an attack and ensure that automations are running as planned. It also gives Tier 1 analysts more time to write playbooks and automations because their time isn’t absorbed with incident response.

Perhaps SOAR’s biggest benefit is peace of mind. To the extent that security analysts can trust the automations, they can sleep better at night knowing that if sleep is interrupted by an incident, SOAR is already working on the issue.

What You Need to Make SOAR Successful

What generally holds organizations back from getting value from SOAR is a lack of well-defined processes for responding to attacks. At Evolving Solutions, we’ve found that many organizations simply don’t have the time to develop detailed response plans for likely scenarios.

Since it’s impossible to automate something that doesn’t have a defined process, SOAR can only provide value when well-defined processes are in place, such as how SOAR should respond to specific types of detections — the actions, the order of steps, and the data and resources required to contain an event.

How Evolving Solutions Can Help

Many security platforms include SOAR functionality, including a platform you may be using right now. You may even have entitlements to multiple SOAR tools. Evolving Solutions can help you pick the SOAR solution that best meets your needs.

We can work with you to define and refine processes and build the playbooks that SOAR will automate. We can help ensure that your processes don’t miss any steps so that automations will have real value. Our goal is to help organizations hit the ground running with SOAR so it can deliver on its promise of immediate containment in the event of a security incident.

Michael Downs

Chief Technology Officer

Michael is the Chief Technology Officer at Evolving Solutions and joined the company in 2014. Connect with Michael on LinkedIn here.

Photo of Michael Downs