Why SOAR could be the new tool on the block

Unlocking the power of SOAR

Security Orchestration Automation and Response (SOAR) isn’t a silver bullet when it comes to cyber security. However, it does provide organisations with the ability to bring their security processes in line with the rest of the business, while identifying areas of waste and automating tedious tasks.

It is important to be clear that SOAR is not simply an automation tool. Businesses adopting it need to take a holistic approach that looks beyond automation to how the product can deliver wider business benefits. Without that understanding, the underlying problems will not be solved and an implementation may well create more work than it removes.

Implementing a SOAR program is more complex than rolling out a new technology; it should be the catalyst for changing an organisation's approach to security. It is time to move beyond traditional reporting, such as Service Level Agreement (SLA) compliance, towards alert enrichment, faster response times and metrics of value such as Mean Time to Respond (MTTR).

The threats posed to businesses

Cyber security threats are growing. The UK government's Cyber Security Breaches Survey 2020 found that almost half of businesses (46%) reported a breach or attack in the previous 12 months, rising to 75% among large businesses.

It’s also becoming clear that people are increasingly conscious of – and concerned about – data and technology. In a recent report, Fujitsu revealed that over a third (35%) of respondents admitted to having security concerns about the sharing of personal data, and nearly half were worried that society is becoming too reliant on technology.

Timely response to cyber threats is critical if businesses, particularly larger enterprises, are to maintain a strong security posture against malware and ransomware. Cyber security remains challenging: threats continue to grow in velocity and complexity, and retaining staff remains difficult as demand for skilled workers rises. A properly implemented SOAR program can relieve some of this pressure by automating first-line tasks.

SOAR can transform the way security incidents are handled, which should lead to an improved security posture. However, SOAR should never be used as a replacement for best practice, nor as a substitute for specialised security technologies.

SOAR is not a replacement, but an important tool that businesses need

SOAR is not a replacement for Security Information and Event Management (SIEM) tooling or IT Service Management (ITSM) platforms, and it should not be seen as a substitute for basic security practices either. Rather, SOAR enhances the technologies and services that organisations have relied on for years.

SOAR should be deployed so that these technologies keep doing what they are already good at. For example, if a business has a SIEM with well-tuned alarm logic, SOAR can be used to ensure every alarm is handled the same way; if pre-defined ITSM processes and tools are already in place, SOAR should not be used to assign tickets but to enrich the tickets already created.

In short, businesses shouldn't try to reinvent the wheel. SOAR should complement existing security practices, acting as the integration layer between them, allowing employees to get the job done in less time and to focus on work where human judgement is a must.

The benefits to reap

When SOAR is used as an enhancement, rather than a replacement, it can be transformative for any security environment, particularly as an incident response tool.

This is an opportunity to identify the key processes that put a business at risk and refine them. Here, businesses can identify use cases that deliver early value while improving staff morale, particularly for those who are fed up with mundane tasks or suffer from alert fatigue due to the sheer number of events being triaged.

First, there has to be a clear understanding of how security events across the organisation are currently handled. Only with that picture can SOAR engineers build the content (playbooks and integrations) to be run by analysts and by the platform itself, delivering daily efficiency gains and increasing the number of security events that can be addressed consistently.

Next, business process analysts and SOAR consultants should identify where business benefit can be realised: is the goal to reduce response time, cut manual data handling, or improve security posture? Identifying use cases early lets SOAR be integrated most efficiently and deliver an early return on investment.

Only then can SOAR analysts work on the platform day to day, using orchestration commands to bring consistency to investigations and speed up the closing of incidents, while keeping a thorough log of all work undertaken.
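As an added illustration (not code from this article or from Fujitsu), the following Python sketch shows the pattern described above and in the SIEM/ITSM example earlier: a playbook that enriches a SIEM alarm the same way every time, adds a work note to the ticket the ITSM has already created rather than opening or reassigning one, executes only response actions that have been pre-approved and queues anything else for an analyst, and records every action in an audit log from which MTTR can be measured. The alarm format, the in-memory ITSM, the threat-intel table, the internal address ranges and the pre-approved action list are all constructed assumptions.

```python
"""Added example (constructed data, fake ITSM): enrich a SIEM alarm, annotate the
ticket the ITSM already owns, gate responses on a pre-approved list, keep an audit trail."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import ipaddress

PRE_APPROVED_ACTIONS = {"add_note", "block_ip"}      # approved for unattended execution (assumption)
KNOWN_BAD_IPS = {"203.0.113.7": "c2-infrastructure", "198.51.100.9": "scanner"}  # constructed TI table
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Ticket:
    ticket_id: str
    alarm_id: str
    assignee: str                   # owned by the ITSM; the playbook never changes it
    notes: list = field(default_factory=list)

class FakeITSM:
    """Stand-in for an ITSM whose SIEM integration already opens one ticket per alarm."""
    def __init__(self, tickets):
        self._by_alarm = {t.alarm_id: t for t in tickets}

    def ticket_for(self, alarm_id):
        return self._by_alarm.get(alarm_id)

    def add_work_note(self, ticket, text):
        ticket.notes.append(text)

class Playbook:
    def __init__(self, itsm, clock):
        self.itsm = itsm
        self.clock = clock          # injected so runs are reproducible
        self.audit = []             # every action taken or refused, timestamped

    def _log(self, alarm_id, action, outcome):
        self.audit.append({"at": self.clock(), "alarm": alarm_id,
                           "action": action, "outcome": outcome})

    def enrich(self, alarm):
        """Read-only enrichment: the same fields for every alarm, every time."""
        ip = ipaddress.ip_address(alarm["src_ip"])
        return {"src_is_internal": any(ip in net for net in INTERNAL_NETS),
                "ti_label": KNOWN_BAD_IPS.get(alarm["src_ip"])}

    def respond(self, alarm_id, action):
        """Execute only pre-approved actions; queue everything else for an analyst."""
        if action not in PRE_APPROVED_ACTIONS:
            self._log(alarm_id, action, "queued for human approval")
            return False
        self._log(alarm_id, action, "executed")
        return True

    def run(self, alarm):
        ticket = self.itsm.ticket_for(alarm["id"])
        if ticket is None:
            # Ticket creation belongs to the existing SIEM -> ITSM flow; do not duplicate it.
            self._log(alarm["id"], "lookup_ticket", "no ticket; left to ITSM integration")
            return None
        e = self.enrich(alarm)
        note = (f"[SOAR] rule={alarm['rule']} src_ip={alarm['src_ip']} "
                f"internal={e['src_is_internal']} ti={e['ti_label']}")
        if self.respond(alarm["id"], "add_note"):
            self.itsm.add_work_note(ticket, note)
        if e["ti_label"] and not e["src_is_internal"]:
            self.respond(alarm["id"], "block_ip")          # firewall call would go here
        if alarm["rule"] == "impossible_travel":
            self.respond(alarm["id"], "disable_account")   # not pre-approved: queued
        return ticket

def mean_time_to_respond(alarms, audit):
    """MTTR in seconds: alarm raised -> first executed response action, averaged."""
    deltas = []
    for alarm in alarms:
        hits = [r["at"] for r in audit
                if r["alarm"] == alarm["id"] and r["outcome"] == "executed"]
        if hits:
            deltas.append((min(hits) - alarm["raised_at"]).total_seconds())
    return sum(deltas) / len(deltas) if deltas else None

# Constructed sample alarms; A3 has no ticket yet.
T0 = datetime(2020, 6, 1, 9, 0, tzinfo=timezone.utc)
ALARMS = [
    {"id": "A1", "rule": "beacon_to_known_c2", "src_ip": "203.0.113.7", "raised_at": T0},
    {"id": "A2", "rule": "impossible_travel", "src_ip": "10.0.0.5", "raised_at": T0},
    {"id": "A3", "rule": "port_scan", "src_ip": "198.51.100.9", "raised_at": T0},
]

def demo():
    tickets = [Ticket("INC001", "A1", "soc-l1"), Ticket("INC002", "A2", "soc-l1")]
    clock = lambda: T0 + timedelta(minutes=5)   # fixed clock: actions land 5 min after raise
    pb = Playbook(FakeITSM(tickets), clock)
    return pb, [pb.run(a) for a in ALARMS]

if __name__ == "__main__":
    pb, _ = demo()
    print(*[f"{r['alarm']} {r['action']}: {r['outcome']}" for r in pb.audit], sep="\n")
    print("MTTR seconds:", mean_time_to_respond(ALARMS, pb.audit))
```

Running `demo()` shows the three behaviours the article asks for: the ticket assignee is never touched, the alarm with no ticket is left to the existing SIEM-to-ITSM integration rather than duplicated, and the one action outside the pre-approved set (`disable_account`) is recorded as queued rather than executed. Because every decision lands in the audit list with a timestamp, MTTR falls out of the same data rather than being reported separately.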

A holistic and honest approach

Before any organisation makes the shift to SOAR it must first set a clear objective stating where SOAR will add value to current security procedures. That means evaluating the technologies, tools and overall security setup already in place; only then can the right processes be implemented and workable solutions crafted.

Ultimately, SOAR requires a culture change that veers away from the traditional approach to security operations. To unlock its full capabilities there needs to be leadership buy-in, including a set of pre-approved changes: response actions that analysts and playbooks may take immediately, without raising a change request each time. Faster, more efficient and more effective response depends on SOAR analysts being empowered to act there and then, with the platform's log of every action standing in for after-the-fact change governance. The technology then becomes an opportunity to change traditional ways of thinking and to make sound security decisions at the moment they are needed.

SOAR must be implemented holistically, so that end-to-end processes are understood and the delivered content, integrations and playbooks match business goals, adapting as those goals change. Investment in SOAR technology must be approached honestly to be successful: businesses that understand both the capabilities and the limitations of SOAR will either benefit from it or know what needs to change before they are ready for it.

Steve Pye is SOAR Technical Lead at Fujitsu Enterprise and Cyber Security. He is responsible for playbook, automation and integration creation, agile working, managing the team and identifying processes for automation, among other duties. He previously worked as a threat analyst and in incident response within the CTI and CSIRT teams.