1 Introduction
As the number and sophistication of cyberattacks have continued to increase over the years, some vendors have realized that traditional cybersecurity approaches and tools have failed to keep up. Many security-conscious organizations find themselves administering over 50 different and disjointed security tools. Security Information and Event Management (SIEM) products were once hailed as the ultimate solution for managing security operations, and in many organizations they still form the foundation of modern Security Operations Centers (SOCs).
Parallel to SIEM solutions, a class of incident investigation and response platforms has emerged focusing on creating more streamlined and automated workflows for dealing with security incidents. SOAR products are the latest iteration of this evolution. Driven by the growing demand to implement centralized, automated control over incident analysis and response workflows across disparate security solutions, vendors are expanding their existing security intelligence, security orchestration, or incident response platforms to combine the key capabilities across all three of these market segments. Complementing or directly integrating with SIEMs, SOAR platforms aim to become the foundation of contemporary SOCs.
SOAR solutions can help organizations reduce the Mean Time to Detect (MTTD) and Mean Time to Resolve (MTTR) security incidents. Research from multiple sources indicates that MTTD can be in the neighborhood of six months or more, a fact borne out by the recent SolarWinds incident. Likewise, MTTR can take two months or more, depending on the severity of a given incident. Orchestration and automation of responses are key to reducing these KPIs and the damage resulting from security incidents.
SOAR systems generally have OOTB connectors (software configurations and code in the form of packaged API calls) to facilitate data layer integration from SIEMs and other upstream sources. These connectors, sometimes called "integrations" by vendors, also allow SOAR console users to operate and/or administer the other security tools in the architecture, to the degree permitted by exposed APIs.
The orchestration aspect of SOAR involves not only the collection of telemetry from these different sources, but also initiating a workflow, opening cases and tickets where appropriate, and correlating and enriching event information. SOAR systems can enrich event data by automatically collecting additional forensic evidence on-site, such as EPP scan outputs, non-standard log files, memory dumps, etc. Some vendor solutions can kick off automated threat hunts (looking for IOCs across multiple nodes in an environment) and add the results to a preliminary investigation. SOAR solutions should also be able to generate queries to Cyber Threat Intelligence (CTI) sources based on suspicious items and patterns observed in upstream telemetry. Some vendors have extensive threat intelligence capabilities that their SOAR solutions utilize. Examples of threat intelligence content include IOCs, compromised credential intelligence, device intelligence, and domain/file/IP/URL reputation information. Some SOARs incorporate Machine Learning (ML) detection models to reduce false positives and provide more actionable intelligence to analysts and admins. Ideally, a SOAR solution will perform many of these actions automatically, before or while alerting a human analyst.
When an analyst is alerted and assigned a case, the SOAR platform should assemble and present all pertinent information related to the event for the analyst's investigation. The SOAR platform should package this information coherently, with descriptions and recommendations for actions.
Most SOAR vendors adhere to the paradigm of a playbook. Playbooks typically address common security scenarios and can be triggered either by manual analyst action or automatically, if allowed by policy and supported by the vendor. Examples of security events that may trigger playbooks are phishing, malware, ransomware, failed login attempts, excessive or abnormal use of privileged credentials, prohibited communication attempts, attempts to access unauthorized resources, file copying or moving, attempts to transfer data using unauthorized webmail providers, attempts to transfer data to blocked IPs or URLs, unusual process launches, unusual application-to-network-port activity, unusual network communication patterns, and so on. SOAR platforms often support dozens to hundreds of playbook scenarios and offer hundreds to thousands of possible incident investigation and response actions.
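To make the enrichment and playbook flow described above concrete, the following added example (not code from any SOAR vendor or from this report) sketches a minimal playbook engine: an alert is enriched against a constructed, offline stand-in for a CTI reputation feed, a severity is derived, and the playbook's response steps either run automatically (if policy allows that event type) or are packaged as recommendations for the analyst. The alert fields, reputation table, playbook names and policy set are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed stand-in for a CTI reputation source; a real SOAR would
# query external feeds (domain/file/IP/URL reputation, IOC lists).
CTI_REPUTATION = {"203.0.113.7": "malicious", "198.51.100.22": "suspicious"}

# Policy gate: event types whose playbooks may run without analyst approval.
AUTO_ALLOWED = {"phishing", "malware"}

# Hypothetical playbooks: ordered response steps per event type.
PLAYBOOKS = {
    "phishing": ["quarantine_message", "block_sender_domain", "open_case"],
    "malware": ["isolate_host", "collect_memory_dump", "open_case"],
    "failed_login": ["open_case"],
}

@dataclass
class Alert:
    event_type: str
    host: str
    indicators: list  # IOCs observed in upstream telemetry

@dataclass
class Case:
    alert: Alert
    enrichment: dict      # IOC -> reputation verdict
    severity: str
    actions_taken: list   # steps executed automatically
    recommended: list     # steps left for the analyst to approve

def enrich(alert: Alert) -> dict:
    """Look up every indicator; unknown IOCs are reported, not dropped."""
    return {ioc: CTI_REPUTATION.get(ioc, "unknown") for ioc in alert.indicators}

def severity_from(enrichment: dict) -> str:
    verdicts = set(enrichment.values())
    if "malicious" in verdicts:
        return "high"
    if "suspicious" in verdicts:
        return "medium"
    return "low"

def run_playbook(alert: Alert, triggered_by: str = "auto") -> Case:
    """Enrich, pick the playbook, and apply the automatic-execution policy."""
    enrichment = enrich(alert)
    steps = PLAYBOOKS.get(alert.event_type, ["open_case"])
    may_execute = triggered_by == "analyst" or alert.event_type in AUTO_ALLOWED
    taken = steps if may_execute else []
    recommended = [] if may_execute else steps
    return Case(alert, enrichment, severity_from(enrichment), taken, recommended)
```

An event type outside the policy set still yields a fully enriched case, but its steps land in `recommended` until an analyst triggers the playbook.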