Security orchestration, automation, and response (SOAR) describes a set of capabilities used to protect IT systems from threats.
SOAR refers to three key software capabilities that security teams use: case and workflow management, task automation, and a centralized means of accessing, querying, and sharing threat intelligence. The term SOAR comes from the analyst group Gartner. Other analysts describe the same set of capabilities under different names: IDC refers to the concept as Security Analytics, Intelligence, Response, and Orchestration (AIRO), and Forrester uses the term Security Automation and Orchestration (SAO).
SOAR is usually implemented in coordination with an organization’s Security Operations Center (SOC). SOAR platforms can monitor feeds of threat intelligence, and trigger automated responses to mitigate security issues.
Whether you have a mature and established SOC or you are just beginning your organization’s security transformation, best practices prescribe that every security incident be documented and managed as a case. Case management practices are the means by which incidents are documented and knowledge surrounding the threat is created. This ensures that security threats are identified, prioritized based on risk, and investigated. It also makes it possible for the intelligence gathered while responding to an incident to be documented and shared within organizations and communities.
SOAR technology frequently comes with pre-configured workflows for common use cases. If these default use cases do not meet your organization's specific needs, they can be adapted to your requirements through custom development.
Security automation is the process of executing security operations tasks without the need for human intervention. In security, the need for automation is heightened due to the complexity of infrastructure and the likely lack of integration between parts of the infrastructure. But how do we know which tasks to automate? Ask yourself:
- Is the task routine? Does it need to be done on a regular basis?
- Is the task tedious? Does it involve a specific set of actions that need to be completed precisely?
- Is it time consuming? Does this set of actions consume a significant amount of your team’s time?
Answering "Yes" to any of these questions suggests that automation can help. There are potentially many positive outcomes for your organization including: reduced human error, greater efficiency and speed, and improved consistency in response.
A primary benefit of task automation is that it allows security teams to be more efficient, and frees up their time to be spent elsewhere. Automation can help organizations address a talent gap in their industry. Put plainly, there simply aren’t enough security professionals to meet every organization's needs. Automation of security tasks helps these teams do more and do it faster.
Security teams must contend with a huge set of different tools and products which are probably not integrated with one another. Manually managing all of this can result in slower detection and remediation of issues, errors in resource configuration, and inconsistent policy application, leaving your systems vulnerable to serious attacks and compliance issues. Automation can help you streamline daily operations as well as integrate security into processes, applications, and infrastructure from the start, as with a DevSecOps approach. Fully deploying security automation can even reduce the average cost of a breach by 95%.
Fast threat detection can reduce the likelihood that your organization will experience a security breach as well as the associated costs if a breach occurs. Detecting and containing security breaches within 200 days or less reduces the average cost of a breach by an average of US$1.22 million. Manual processes can delay threat identification in complex IT environments, leaving your business vulnerable. Applying automation to your security processes can help you identify, validate, and escalate threats faster without manual intervention.
However, remediation across multiple platforms and tools can be complicated, time-consuming, and error-prone. Security teams can use automation to rapidly apply remediation to affected systems across your environment concurrently and respond to incidents faster.
Security orchestration is the means by which you connect and integrate disparate security tools and systems in order to streamline your processes. By connecting your tools and systems you can take advantage of automation across your environments. Orchestration is process-based and automation is task-based, and the role of people is the main distinction between the two: orchestration allows teams to define the process by which automated tasks are executed, and it relies on the people of those teams to determine the what, why, and when of security automation. High-level security orchestration represents most of the value of a SOAR.
Threat intelligence refers to knowledge about existing and emerging threats to your organization’s assets. Many vulnerability databases exist as sources of threat intelligence. Reference methods, like the CVE list, make it easier to identify and share these vulnerabilities across databases and platforms. Threat intelligence platforms collect this knowledge from a variety of feeds. SOAR tools use multiple threat intelligence feeds to identify potential threats. SOAR aggregates these feeds into a unified source that can be queried by teams and used to trigger automation tasks.
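As an added illustration of the two ideas above, the aggregation of threat intelligence feeds into one queryable source and the rule that every match is documented as a case before any response, here is a small example (written for this article, not code from any SOAR product). The feed names, indicator values, and the `isolate-host` action are constructed placeholders.

```python
# Added example (not from the article): a minimal SOAR-style threat intelligence
# aggregator that merges constructed feeds into one queryable source and opens a case on every hit.
from dataclasses import dataclass, field

# Constructed sample feeds; names and values are hypothetical, not real indicators.
FEED_A = [
    {"type": "domain", "value": "bad.example", "confidence": 80, "source": "feed-a"},
    {"type": "ipv4", "value": "203.0.113.10", "confidence": 60, "source": "feed-a"},
]
FEED_B = [
    {"type": "domain", "value": "BAD.EXAMPLE ", "confidence": 90, "source": "feed-b"},
    {"type": "sha256", "value": "ab" * 32, "confidence": 70, "source": "feed-b"},
]

@dataclass
class Indicator:
    ioc_type: str
    value: str
    confidence: int
    sources: set = field(default_factory=set)

class SoarCore:
    def __init__(self, feeds):
        self.unified = {}   # (type, normalized value) -> Indicator
        self.cases = []     # every match is documented here first
        self.tasks = []     # automation tasks queued for execution
        for feed in feeds:
            for e in feed:
                self._merge(e["type"], e["value"], e["confidence"], e["source"])

    def _merge(self, ioc_type, value, confidence, source):
        # Normalize so the same indicator reported by several feeds collapses to one entry.
        key = (ioc_type, value.strip().lower())
        ind = self.unified.setdefault(key, Indicator(ioc_type, key[1], confidence))
        ind.confidence = max(ind.confidence, confidence)  # keep the strongest rating seen
        ind.sources.add(source)

    def lookup(self, ioc_type, value):
        return self.unified.get((ioc_type, value.strip().lower()))

    def handle_observable(self, ioc_type, value, host, threshold=75):
        # Query the unified source; on a hit open a case, then queue a task only if confidence is high.
        ind = self.lookup(ioc_type, value)
        if ind is None:
            return None
        case = {"id": len(self.cases) + 1, "indicator": ind, "host": host, "status": "open"}
        self.cases.append(case)
        if ind.confidence >= threshold:  # low-confidence hits stay with an analyst
            self.tasks.append({"case_id": case["id"], "action": "isolate-host", "host": host})
        return case
```

The confidence threshold is what keeps a low-confidence feed hit from triggering automated containment on its own; such hits still get a case so an analyst can investigate.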
Organizationally, your SOC is the core of your security response but it can still be difficult to coordinate and communicate with the many departments that comprise your business. Automation can serve as a unifying force, and a common language, between departments. An automation solution across all of your platforms, in every department, can establish clear channels of interaction when it comes to addressing security threats.
Enterprise open source software uses a development model that enhances testing and performance tuning—usually with a security team that stands behind it, processes for responding to new security vulnerabilities, and protocols to notify users about security issues with remediation steps. It's an enhanced version of the open source web of trust that makes sure you're never alone when it comes to IT security.
With Red Hat® Ansible® Automation Platform you can automate and integrate different security solutions to simplify investigation and response to threats across the enterprise in a coordinated, unified way using a curated collection of modules, roles and playbooks. You can also integrate external applications using APIs, SSH, WinRM, and other standard or pre-existing access methods.
Red Hat Ansible enables full-stack processes, from infrastructure to applications, allowing everything to be coordinated with a layer of security technologies. Security teams can also use Red Hat Ansible to manage other enterprise applications, such as SOAR solutions.