Enrich Your Solutions Portfolio with SOAR

Roger Egan

As channel partners across the globe assess their portfolio of products and consider emerging security technologies, checklist criteria likely will include hot new sectors, high margins, big professional services attach rates — and limited competition. If this exercise has led you to the security orchestration, automation and response (SOAR) market, you may be on the right track.

As in many industries, automation is arriving to help cybersecurity teams battle the increasing volume of threats facing their organizations, a rise directly correlated with the expanding attack surface and increasing numbers of detection tools in use by organizations. This is especially apparent in the security operations center (SOC), which is ground zero for addressing security incidents. The daily battle to efficiently and effectively handle the barrage of alerts entering the SOC is further complicated by skills and resource shortages. Solutions like SOAR are rapidly maturing to help dispose of these very challenges and transform security operations for businesses.

How exactly does SOAR work and what can customers expect to achieve from it? To answer that question, we must first dispel some confusion, particularly how SOAR fits in with security information and event management (SIEM).

Anyone who must manage a SIEM installation in an extensive enterprise environment knows that SIEM alone isn’t getting the job done. The first SIEM solutions were developed around 15 years ago with the promise to make life easier and better for security analysts by providing them with a centralized platform from which to manage and respond to security events. Few would disagree that SIEM represents an improvement over the practice of manually managing security information from multiple, widely disparate systems. Yet many enterprise customers are increasingly finding that centralizing this information has merely replaced one problem with another.

A large computing environment might have 30-50 different security products, from firewalls to email gateways to endpoint protection, each of which produce its own alerts. When all of these alerts are funneled into a central place for handling, it can create alert overload: security analysts become inundated with notifications from dozens of tools simultaneously, many of which are likely to be redundant, and the analysts must attend to each one individually to find the correlations and weed out false positives. This is a slow, labor-intensive process that can tie up valuable analyst time for extended periods, and the tedious nature of the work can increase employee stress and eventually lead to burnout as analysts become dissatisfied and seek work elsewhere. And the greater the load on the analysts, the greater the danger that a critical alert might be missed or mishandled.

Get to Know SOAR

SOAR is designed to solve this alert overload problem and bring efficiency to the alert review process. SOAR doesn’t replace the customer’s SIEM installation — rather, it integrates with it to deliver SIEM’s original promise of providing analysts with coordinated, actionable security intelligence. The letters in SOAR tell the story:

• Security orchestration: SOAR works with SIEM to connect and integrate various security systems and processes together.
• Security automation: SOAR automatically handles tasks that would otherwise be performed manually by a security analyst.
• Security response: SOAR provides an organized framework for both analysts and the SOAR solution itself to address and manage security incidents in a way that limits damage and reduces recovery time and costs.

For example, a typical breach incident might trigger alerts in multiple places. Suspicious files and network activity could bring notifications from enterprise firewalls, email gateways, intrusion detection systems, host-based antivirus software and more. On their own, most SIEM solutions would pass these alerts on to a security analyst without attempting to correlate them or provide any additional intelligence. Faced with a clutter of alerts from the same original incident, multiple analysts within the group would likely pick …