Security orchestration, automation, and response (SOAR) describes a set of capabilities used to protect IT systems from threats.
SOAR refers to three key software capabilities that cybersecurity teams use: case and workflow management, task automation, and a centralized means of accessing, querying, and sharing threat intelligence. The term SOAR comes from analyst group Gartner. Security analysts also describe SOAR with other terms: IDC refers to the concept as Security Analytics, Intelligence, Response, and Orchestration (AIRO), and Forrester describes the same capabilities as Security Automation and Orchestration (SAO).
SOAR is usually implemented in coordination with an organization’s Security Operations Center (SOC). SOAR platforms monitor threat intelligence feeds and trigger automated responses to security issues, which can help IT teams to quickly and efficiently mitigate threats across numerous complex systems.
Security automation is the process of executing security operations tasks without the need for human intervention. In security, the need for automation is heightened due to the complexity of infrastructure and the likely lack of integration between its various parts. But how do we know which tasks to automate? Ask yourself:
- Is the task routine? Does it need to be done on a regular basis?
- Is the task tedious? Does it involve a specific set of actions that need to be completed precisely?
- Is it time consuming? Does this set of actions consume a significant amount of your team’s time?
Answering "Yes" to any of these questions suggests that automation can help. There are potentially many positive outcomes for your organization, including reduced human error, greater efficiency and speed, and improved consistency in security incident response.
A primary benefit of task automation is that it allows security teams to be more efficient, freeing up their time to be spent elsewhere. As there simply aren’t enough security professionals to meet every organization's needs, automation can help to bridge this talent gap by helping security teams do more and do it faster.
Security teams must contend with a huge set of different tools and products—like Endpoint Detection and Response (EDR) software, firewalls, and security information and event management (SIEM) solutions—which are probably not integrated with one another. Manually managing all of this can result in slower detection and remediation of issues, errors in resource configuration, and inconsistent policy application, leaving systems vulnerable to serious attacks and compliance issues. Automation can help streamline daily operations as well as integrate security into processes, applications, and infrastructure from the start, as with a DevSecOps approach.
According to the Ponemon Institute, detecting and containing security breaches within 200 days or less reduces the cost of a breach by an average of US$1.22 million. Fast threat detection can reduce the likelihood of a security breach and the associated costs, but remediation across multiple platforms and tools can be complicated, time-consuming, and error-prone.
While manual processes can delay threat identification in complex IT ecosystems, automating security processes can help organizations identify, validate, and escalate threats faster, without manual intervention. Security teams can use automation to improve response times and concurrently apply remediation to affected systems across their environments.
Orchestration is process-based and automation is task-based. Security orchestration is the means by which you connect and integrate disparate security tools and systems in order to streamline your response workflows. By connecting your tools and systems—and the processes that govern them—you can take advantage of automation across your environments.
Automation can simplify workflows, but people are required for one of the most valuable aspects of SOAR: high-level security orchestration. Orchestration allows IT teams to define the process by which automated tasks are executed. The orchestration of security processes relies on the people of these teams to determine the what, why, and when of security automation.
Threat intelligence refers to knowledge about existing and emerging threats to your organization’s assets. Many vulnerability databases exist as sources of threat intelligence. Reference methods, like the CVE list, make it easier to identify and share these vulnerabilities across databases and platforms. Threat intelligence platforms collect this knowledge from a variety of feeds. SOAR tools use multiple threat intelligence feeds to identify potential threats. SOAR aggregates these feeds into a unified source that can be queried by teams and used to trigger automation tasks.
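To make the aggregation and orchestration described above concrete, here is an added Python example (not code from the original page or from any SOAR product): it normalizes two constructed threat intelligence feeds with different vocabularies into one unified, queryable store, and an orchestration step then decides which automated task each indicator triggers. The feed formats, field names, sample values and the confidence threshold are all assumptions.

```python
import csv
import io
import json

# Constructed sample feeds (hypothetical vendor CSV and ISAC JSON); values are documentation addresses, not real indicators.
CSV_FEED = """indicator,type,confidence
203.0.113.7,ipv4,90
evil.example,domain,40
203.0.113.7,ipv4,70
"""
JSON_FEED = json.dumps([
    {"value": "198.51.100.9", "kind": "ip", "score": 0.95},
    {"value": "evil.example", "kind": "fqdn", "score": 0.6},
])
TYPE_MAP = {"ipv4": "ip", "ip": "ip", "domain": "domain", "fqdn": "domain"}  # each feed's vocabulary -> one schema

def normalize_csv(text: str) -> list[dict]:
    return [{"value": r["indicator"], "type": TYPE_MAP[r["type"]],
             "confidence": int(r["confidence"]), "source": "vendor-csv"}
            for r in csv.DictReader(io.StringIO(text))]

def normalize_json(text: str) -> list[dict]:
    return [{"value": e["value"], "type": TYPE_MAP[e["kind"]],
             "confidence": int(round(e["score"] * 100)), "source": "isac-json"}
            for e in json.loads(text)]

def aggregate(feeds: list[list[dict]]) -> dict[str, dict]:
    """Merge feeds into one store keyed by value; duplicates keep the highest confidence and every reporting source."""
    unified: dict[str, dict] = {}
    for ioc in (i for feed in feeds for i in feed):
        rec = unified.setdefault(ioc["value"], {"value": ioc["value"], "type": ioc["type"],
                                                "confidence": 0, "sources": set()})
        rec["confidence"] = max(rec["confidence"], ioc["confidence"])
        rec["sources"].add(ioc["source"])
    return unified

def query(unified: dict[str, dict], ioc_type: str) -> list[str]:
    # The analyst-facing query over the unified source.
    return sorted(v["value"] for v in unified.values() if v["type"] == ioc_type)

def plan_actions(unified: dict[str, dict], block_threshold: int = 80) -> list[tuple[str, str]]:
    """Orchestration step: high-confidence IPs trigger an automated block; everything else opens a case for review."""
    actions = []
    for v in sorted(unified.values(), key=lambda x: x["value"]):
        auto_block = v["type"] == "ip" and v["confidence"] >= block_threshold
        actions.append(("block_ip" if auto_block else "open_case", v["value"]))
    return actions

def run_pipeline() -> tuple[dict[str, dict], list[tuple[str, str]]]:
    unified = aggregate([normalize_csv(CSV_FEED), normalize_json(JSON_FEED)])
    return unified, plan_actions(unified)
```

The same indicator reported by two feeds is collapsed into one record, so the team queries a single source and the automated task fires once rather than once per feed.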
Organizationally, your SOC is the core of your security response, but it can still be difficult to coordinate and communicate with the many departments that comprise your business. Automation can serve as a unifying force and common language between departments. An automation solution across all of your platforms—in every department—can establish clear channels of interaction that make it easier to identify and triage the most urgent security threats.
A cultural shift can improve security by changing where in the development process security is considered. The term “DevOps” describes approaches to speeding up the processes by which an idea goes from development to deployment in a production environment. In the past, the role of security was isolated to a specific team in the final stage of development. When development cycles lasted months or even years, that wasn’t as problematic, but now, we often deliver apps within weeks. In the collaborative framework of DevOps, security can become a shared responsibility integrated from end to end and referred to as “DevSecOps.”
Like DevOps, DevSecOps is a cultural model. In the thinking of DevSecOps, risk management is considered throughout the development process. Security-minded companies are often the first to adopt DevSecOps methodologies, where developers work closely with security teams and implement measures earlier in the development life cycle—also known as “shifting left.”
No matter the cultural groundwork laid, successfully implementing DevSecOps relies on automation. This automation may include source control repositories, container registries, CI/CD pipelines, API management, and operational management and monitoring.
Enterprise open source software uses a development model that enhances testing and performance tuning—usually with a security team that stands behind it. It improves processes for responding to new security vulnerabilities and protocols to notify users about security issues with remediation steps. It's an enhanced version of the open source web of trust that makes sure you're never alone when it comes to IT security.
With a Red Hat® Ansible® Automation Platform subscription, you can automate, orchestrate, and integrate different security solutions to simplify investigation and response to threats across the enterprise in a coordinated, unified way using a curated collection of modules, roles, and playbooks. You can also integrate external applications using APIs, SSH, WinRM, and other standard or pre-existing access methods.
Ansible Automation Platform enables full-stack processes, from infrastructure to applications, allowing everything to be coordinated with a layer of security technologies. And security operations teams can use Ansible Automation Platform to manage other enterprise applications, like SOAR solutions.
Additionally, Red Hat’s expertise in open hybrid cloud gives us a unique perspective on implementing cloud security to guard against cyberthreats and cyberattacks. Adopting a zero trust model can change the security perspective of an organization and realign security policies.