Security orchestration, automation, and response (SOAR) describes a set of capabilities that security teams use to coordinate, automate, and document their response to threats against IT systems.
SOAR refers to three key software capabilities: case and workflow management, task automation, and a centralized means of accessing, querying, and sharing threat intelligence. The term SOAR comes from the analyst firm Gartner. Other analysts describe the same capabilities under different names: IDC calls the concept Security Analytics, Intelligence, Response, and Orchestration (AIRO), and Forrester calls it Security Automation and Orchestration (SAO).
SOAR is usually implemented in coordination with an organization’s Security Operations Center (SOC). A SOAR platform ingests alerts and indicators from sources such as SIEM tools, endpoint agents, and threat intelligence feeds, then runs playbooks that trigger automated responses. This helps security teams mitigate threats quickly and consistently across numerous complex systems.
Case and workflow management in SOAR
Whether you have a mature, established SOC or are just beginning your organization’s security transformation, incident response best practice prescribes that every security incident be documented and managed as a case. Case management is the means by which incidents are documented and knowledge about the threat is built up. It ensures that threats are identified, prioritized by risk, and investigated, and it makes it possible for the intelligence gathered while responding to an incident to be recorded and shared within the organization and with the wider community.
SOAR technology frequently comes with pre-configured workflows for common use cases. If these default workflows do not meet your organization's specific needs, they can be adapted to your requirements through custom development.
Task automation and orchestration
Security automation is the process of executing security operations tasks without the need for human intervention. In security, the need for automation is heightened due to the complexity of infrastructure and the likely lack of integration between its various parts. But how do we know which tasks to automate? Ask yourself:
- Is the task routine? Does it need to be done on a regular basis?
- Is the task tedious? Does it involve a specific set of actions that need to be completed precisely?
- Is it time consuming? Does this set of actions consume a significant amount of your team’s time?
Answering "Yes" to any of these questions suggests that automation can help. There are potentially many positive outcomes for your organization including: reduced human error, greater efficiency and speed, and improved consistency in security incident response.
Why automate security processes?
A primary benefit of task automation is that it allows security teams to be more efficient, freeing up their time to be spent elsewhere. As there simply aren’t enough security professionals to meet every organization's needs, automation can help to bridge this talent gap by helping security teams do more and do it faster.
Security teams must contend with a huge set of different tools and products—like Endpoint Detection and Response (EDR) software, firewalls, and Security Information and Event Management (SIEM) solutions—which are probably not integrated with one another. Manually managing all of this can result in slower detection and remediation of issues, errors in resource configuration, and inconsistent policy application, leaving systems vulnerable to serious attacks and compliance issues. Automation can help streamline daily operations as well as integrate security into processes, applications, and infrastructure from the start, as with a DevSecOps approach.
According to the Ponemon Institute, detecting and containing a security breach within 200 days or less reduces the cost of the breach by an average of US$1.22 million. Fast detection limits how far an intrusion spreads and what it ultimately costs, but remediation across multiple platforms and tools can be complicated, time-consuming, and error-prone.
While manual processes can delay threat identification in complex IT ecosystems, automating security processes can help organizations identify, validate, and escalate threats faster, without manual intervention. Security teams can use automation to improve response times and concurrently apply remediation to affected systems across their environments.
What’s the difference between automation and orchestration?
Orchestration is process-based and automation is task-based. Security orchestration is the means by which you connect and integrate disparate security tools and systems in order to streamline your response workflows. By connecting your tools and systems—and the processes that govern them—you can take advantage of automation across your environments.
Automation can simplify workflows, but people are required for one of the most valuable aspects of SOAR: high-level security orchestration. Orchestration allows IT teams to define the process by which automated tasks are executed. The orchestration of security processes relies on the people of these teams to determine the what, why, and when of security automation.
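The distinction can be seen in code. The following is an added example, not code from the original page or from any SOAR vendor: three automated tasks (enrich, block, isolate) that each do one thing and make no decision, and an orchestration function that defines the process in which they run, including the threshold for acting automatically and the point at which a human is asked. The firewall, EDR and intel lookups are replaced by in-memory stand-ins, and the alert and intel values are constructed for the example.

```python
"""Added example, not code from the original page or from any SOAR vendor:
a minimal orchestration layer that sequences automated tasks into a
response workflow for a suspicious-login alert. The EDR, firewall and
intel lookups are replaced by in-memory stand-ins so the script runs
offline; the alert and intel values are constructed for the example."""
from dataclasses import dataclass, field
from typing import Callable

# --- Automated tasks: each does exactly one thing and makes no decision ---
BLOCKED_IPS: set[str] = set()        # stand-in for a firewall block list
ISOLATED_HOSTS: set[str] = set()     # stand-in for EDR host isolation
INTEL = {"203.0.113.7": 95, "198.51.100.20": 40}  # constructed: ip -> confidence 0-100


def enrich_ip(ip: str) -> int:
    """Look the source IP up in the (stand-in) threat intelligence store."""
    return INTEL.get(ip, 0)


def block_ip(ip: str) -> str:
    """Push a block rule to the (stand-in) firewall."""
    BLOCKED_IPS.add(ip)
    return f"firewall: blocked {ip}"


def isolate_host(host: str) -> str:
    """Isolate the endpoint via the (stand-in) EDR."""
    ISOLATED_HOSTS.add(host)
    return f"edr: isolated {host}"


# --- Orchestration: the process that decides which tasks run, and when ---
@dataclass
class Case:
    """Every incident is tracked as a case with a timeline of actions taken."""
    alert: dict
    status: str = "open"
    timeline: list[str] = field(default_factory=list)


def respond(alert: dict, approve: Callable[[str], bool],
            auto_threshold: int = 90) -> Case:
    """Run the suspicious-login playbook and return the resulting case.

    - confidence >= auto_threshold: contain automatically
    - some confidence but below the threshold: ask a human before containing
    - no intel match: take no automated action, leave it for analyst triage
    The threshold and the approval gate are the 'what, why and when' that
    the security team defines; the task functions above are the automation.
    """
    case = Case(alert)
    ip, host = alert["src_ip"], alert["host"]
    score = enrich_ip(ip)
    case.timeline.append(f"enrich: {ip} intel confidence={score}")

    if score >= auto_threshold:
        case.timeline.append("decision: above auto-block threshold")
        contain = True
    elif score > 0:
        contain = approve(f"Block {ip} and isolate {host}? (confidence {score})")
        case.timeline.append(
            f"decision: analyst approval={'granted' if contain else 'denied'}")
    else:
        contain = False
        case.timeline.append("decision: no intel match, routed to triage queue")

    if contain:
        case.timeline.append(block_ip(ip))
        case.timeline.append(isolate_host(host))
        case.status = "contained"
    else:
        case.status = "awaiting-analyst"
    return case


if __name__ == "__main__":
    alert = {"rule": "suspicious-login", "src_ip": "203.0.113.7", "host": "ws-042"}
    for line in respond(alert, approve=lambda question: False).timeline:
        print(line)
```

Swapping a stand-in for a real firewall or EDR API changes only the task functions; the orchestration in `respond` stays the same, which is the point of keeping tasks and process separate.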
Centralized threat intelligence
Threat intelligence refers to knowledge about existing and emerging threats to your organization’s assets: indicators of compromise such as malicious IP addresses, domains, and file hashes, as well as the vulnerabilities attackers are exploiting. Vulnerability databases are one source of this intelligence, and reference schemes like the CVE list make it easier to identify the same vulnerability consistently across databases and platforms. Threat intelligence platforms collect this knowledge from a variety of feeds. A SOAR tool aggregates multiple feeds into a unified source that teams can query and that can be used to trigger automation tasks when an indicator matches.
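Aggregating feeds is mostly normalization: different feeds name indicator types differently, defang values, and score confidence on different scales, so the same indicator must be canonicalized before it can be de-duplicated and queried. The following is an added example, not code from the original page or from any SOAR product: two constructed feeds from hypothetical sources (a CSV export and a JSON API response) merged into one store that can be looked up by type and value and that exposes the indicators strong enough to drive automation.

```python
"""Added example, not code from the original page or from any SOAR product:
merging two differently formatted threat intelligence feeds into one
normalised store that can be queried and used to gate automation.
Both feeds are constructed inline (hypothetical sources) so this runs offline."""
import csv
import io
import json

# Constructed feed A: CSV export from a hypothetical sharing community.
FEED_A_CSV = """type,value,confidence,tag
ipv4,203[.]0[.]113[.]7,90,c2
sha256,E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,70,dropper
cve,cve-2021-44228,100,exploited
"""

# Constructed feed B: JSON from a hypothetical vendor API (score is 0..1).
FEED_B_JSON = json.dumps([
    {"kind": "ip", "indicator": "203.0.113.7", "score": 0.6, "labels": ["scanner"]},
    {"kind": "domain", "indicator": "Malicious.Example", "score": 0.8, "labels": ["phishing"]},
])

# Feeds disagree on type names; map them onto one vocabulary.
TYPE_MAP = {"ipv4": "ip", "ip": "ip", "sha256": "sha256",
            "cve": "cve", "domain": "domain"}


def normalise(kind: str, value: str) -> tuple[str, str]:
    """Canonical (type, value) so the same indicator from two feeds collides."""
    kind = TYPE_MAP[kind.lower()]
    value = value.strip().replace("[.]", ".")  # undo common defanging
    value = value.upper() if kind == "cve" else value.lower()
    return kind, value


def parse_feed_a(text: str):
    for row in csv.DictReader(io.StringIO(text)):
        kind, value = normalise(row["type"], row["value"])
        yield {"type": kind, "value": value, "confidence": int(row["confidence"]),
               "sources": ["feed-a"], "tags": [row["tag"]]}


def parse_feed_b(text: str):
    for item in json.loads(text):
        kind, value = normalise(item["kind"], item["indicator"])
        yield {"type": kind, "value": value, "confidence": round(item["score"] * 100),
               "sources": ["feed-b"], "tags": list(item["labels"])}


class IntelStore:
    """Unified, de-duplicated view over all feeds."""

    def __init__(self):
        self._db: dict[tuple[str, str], dict] = {}

    def ingest(self, records) -> None:
        for rec in records:
            key = (rec["type"], rec["value"])
            cur = self._db.get(key)
            if cur is None:
                self._db[key] = dict(rec)
                continue
            # Same indicator seen again: keep the strongest claim, union the metadata.
            cur["confidence"] = max(cur["confidence"], rec["confidence"])
            cur["sources"] = sorted(set(cur["sources"]) | set(rec["sources"]))
            cur["tags"] = sorted(set(cur["tags"]) | set(rec["tags"]))

    def lookup(self, kind: str, value: str):
        """Query with any feed's spelling; normalisation makes it match."""
        return self._db.get(normalise(kind, value))

    def actionable(self, min_confidence: int, min_sources: int = 1) -> list[dict]:
        """Indicators strong enough to trigger automation rather than a ticket."""
        return [r for r in self._db.values()
                if r["confidence"] >= min_confidence and len(r["sources"]) >= min_sources]


def build_store() -> IntelStore:
    store = IntelStore()
    store.ingest(parse_feed_a(FEED_A_CSV))
    store.ingest(parse_feed_b(FEED_B_JSON))
    return store


if __name__ == "__main__":
    store = build_store()
    print(store.lookup("ipv4", "203[.]0[.]113[.]7"))
    print([r["value"] for r in store.actionable(90, min_sources=2)])
```

Requiring corroboration from more than one source before an indicator becomes `actionable` is a cheap guard against a single noisy feed triggering automated blocking; a lower-confidence or single-source hit is still recorded and queryable, it just routes to an analyst instead.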
Organizationally, your SOC is the core of your security response, but it can still be difficult to coordinate and communicate with the many departments that comprise your business. Automation can serve as a unifying force and common language between departments. An automation solution across all of your platforms—in every department—can establish clear channels of interaction that make it easier to identify and triage the most urgent security threats.
How can Red Hat help?
Enterprise open source software uses a development model that enhances testing and performance tuning—usually with a security team that stands behind it. It improves processes for responding to new security vulnerabilities and protocols to notify users about security issues with remediation steps. It's an enhanced version of the open source web of trust that makes sure you're never alone when it comes to IT security.
With a Red Hat® Ansible® Automation Platform subscription, you can automate and integrate different security solutions to simplify investigation and response to threats across the enterprise in a coordinated, unified way using a curated collection of modules, roles, and playbooks. You can also integrate external applications using APIs, SSH, WinRM, and other standard or pre-existing access methods.
Ansible Automation Platform enables full-stack processes, from infrastructure to applications, allowing everything to be coordinated with a layer of security technologies. And security operations teams can use Ansible Automation Platform to manage other enterprise applications, like SOAR solutions.