According to Gartner, SOAR comprises “technologies that enable organizations to collect inputs monitored by the security operations team…SOAR tools allow an organization to define incident analysis and response procedures in a digital workflow format.”*
But what exactly is SOAR? Is it a suite of all-knowing technologies that work together to mitigate threats and perform analytics—a sort of real-life Terminator-like Skynet technology that prevents cyberattacks? Is there a particular type of “SOAR software”? Or is it a framework that provides a recommended approach to cybersecurity?
It’s much more than just a tool or set of tools. SOAR is a model for creating a solid security plan. Yes, it asks agencies to automate the processing of security data and analytics from a piece of technology (for example, a threat intelligence tool, like a security information and event manager or security log manager). But there’s another part of SOAR—security orchestration—that encourages human intervention.
Consider what happens when a security information and event management solution or similar tool identifies a potential incident. An entire workflow process is created, starting with the tool and ending with a security administrator.
Within that process, the incident is assessed based on the security policies the organization has (hopefully) already put in place. Considerations may include:
Security administrators can then take the threat intelligence derived from the forensic data, use that information to immediately investigate and remediate the problem, and adjust security policies accordingly to strengthen the agency’s fortifications against future attacks.
Thus, the human factor of SOAR comes into play. For all of its emphasis on automation, people are an essential element of the SOAR framework because they are the last line of defense and are responsible for security enhancements. Pairing their expertise with the right security solutions can help organizations stay a step ahead of malicious adversaries.
SOAR focuses on building a security program that is highly adaptive and uses data to continuously improve the way an organization responds to threats. It encourages the use of intelligence to pinpoint current threats, react to those incidents, learn from them, and adapt and improve over time.
At F5, we’re focused on helping organizations build adaptive applications that can automatically adjust their security states. These applications collect and analyze information derived from various touchpoints along the application data path—the path that application traffic takes from application to end user—such as when a user first accesses the application (requiring application authentication), when data is pushed out over the Internet (triggering the use of a web application firewall), and more.
Each of these touchpoints produces its own telemetry and analytics. This data is used to detect whether or not the application is performing as expected—or if there may be some form of anomaly that could indicate a breach.
If it’s the latter, the application can automatically adapt to mitigate the potential threat, thereby satisfying SOAR’s call for an automated response. Let’s say there’s a sudden surge of suspicious traffic detected at some point during the application data path. A bot management solution can automatically detect fraud activity based on the type of traffic—for instance, human vs. bot—that is pinging the application. The application can then automatically block the suspicious traffic based on pre-defined security policies.
The SOAR framework is an excellent blueprint for building an automated, responsive and agile system that leverages multiple technologies and human expertise to enforce and continuously improve security policies. It creates a highly effective deterrent against current and future threats.
*Gartner Glossary, SOAR, https://www.gartner.com/en/information-technology/glossary/security-orchestration-automation-response-soar