Busy street intersection at night illuminating blurred headlights in motion

Take a proactive approach to security threats with SOAR


7 min read

Empower security analysts’ efficiency

Improve your security posture by implementing a SOAR solution.

Woman coworker explains incident to other coworkers in office with computer monitors and large screen in background

Organizations that lack dedicated incident response (IR) teams, IR plans, threat intelligence programs, or any maturity or strategy when it comes to IR, face the following challenges:

Growing volume of alerts


of organizations report a significant business disruption during the past two years due to a cybersecurity incident1

Multiple tools


Average number of security solutions and technologies in use1


Average number of tools used to investigate and respond to an incident1

Staff shortage


Number of cybersecurity jobs that remain unfilled across the industry as of 20202

Also, organizations face an increasing number of threats with limited skilled staff. Due to the effects of COVID-19, organizations in 2020 began to deal with the challenge of coordinating and supporting security analysts working remotely from a virtual security operations center (SOC). A 2020 Gartner survey found that 74 percent of chief financial officers and finance leaders intended to shift some employees to permanent remote work following their initial experience responding to the changing global conditions.

With so many employees working from home, security teams need to develop a long-term strategy to maintain threat detection and response across a network perimeter that is almost nonexistent.

How a SOAR solution can help

To mitigate the risks that these challenges pose to your organization, you need an orchestrated IR plan to be prepared, understand your security posture, and monitor and analyze relevant activity. You need to make changes in processes and align services in your security strategy that can help with this effort, including modifying how your SOC teams perform threat management.

For example, the Cyber Resilient Report 2020 by IBM Security found that only 26 percent of organizations use an enterprise-wide cybersecurity IR plan.5 Additionally, organizations with IR teams and testing had an average data breach cost $2 million in U.S dollars lower than organizations with no IR team and no IR plan testing.6 A typical data breach can cost $3.92 million in US dollars and average 279 days to identify and contain.7

Having a proactive approach to IR and working with experts to define and implement companywide IR processes can help. This approach can include leveraging a highly trained IR team and process as a service, or deploying a security orchestration, automation and response (SOAR) solution. A combination of both approaches can accelerate your IR and help improve your security posture as well.

Truly intelligent orchestration of people, technology, and processes through a SOAR solution with a trained IR team helps security operations analysts achieve the following goals:

  • Enables security analysts with a guided process to respond to security incidents confidently
  • Maximizes your security and IT investments through orchestration and automation
  • Automates IR intelligently, reducing repetitive tasks and involving security analysts at critical decision points, depending on the use case
  • Fosters collaboration, communication and consistency across the decision chain

With threat management solutions from IBM, built on open standards, you can gain a unified view across security tools. This process gives you powerful AI-driven insights and the ability to quickly act to mitigate threats across hybrid multicloud environments, no matter where the data resides. Detect threats with the leading security information and event management (SIEM) solutions and respond to attacks with precision and speed through SOAR offerings from IBM, designed to help you close cases faster.

The following resources can provide other figures and facts regarding IR teams and testing:

1 Ponemon Institute, Cyber Resilient Report 2020, Sponsored by IBM Security, July 2020.
3 X-Force Threat Intelligence Index 2020, IBM Security, 2020.
5 Ponemon Institute, Cyber Resilient Report 2020, Sponsored by IBM Security, July 2020.
7 Ponemon Institute, Cost of a Data Breach 2020, Sponsored by IBM Security, July 2020.


5 min read

Deploy automation and orchestration

SOAR solution capabilities save time and maximize your security and IT investments.

Coworkers in office looking at computer monitors with large screen and two coworkers talking at white board in background

SOAR solutions encompass two major capabilities, automation and orchestration, which work together hand-in-hand. While SOAR solutions encompass both orchestration and automation, there is a critical distinction.

Technology orchestration and automation

Technology orchestration specifically involves activities involving connectors and application programming interfaces (APIs). This process must occur before layering automation.

Orchestration enables automation. Together they have the potential to accelerate IR. These capabilities can be used to codify an organization’s IR process into playbooks that lay out a sequence of multiple steps or actions that must be completed to resolve a specific type of incident. Depending on the type of incident, this process may be fully automated or involve human action in addition to the automated steps.

Benefits of automation

Automation is a useful method of streamlining menial, repetitive tasks and making your team faster and smarter. SOAR solutions can automate much of the manual portions of incident investigation and response and provide a real difference to an organization.

USD 3.58


Savings in US dollars with security automation fully deployed through technologies like SOAR versus no security automation8


Portion of high-performing organizations reporting improved cyber resilience through automation tools9


Percentage of the most cyber resilient organizations that use automation10

Automation is a useful capability for quickly and effectively executing specific tasks. However, automation doesn’t and shouldn’t replace people. As threats often evolve and adversaries continue to change tactics, human involvement is irreplaceable when it comes to decision-making or when there is a need to intervene for such activities as escalating issues and troubleshooting.

To maximize the benefits of automation, your team needs to make an investment in time and resources to optimize its benefits for the following reasons:

  • The processes of automation are usually more complex and unique than they seem.
  • Automation isn’t free. These integrations typically require customization to be effective given the uniqueness of an organization’s IT environment.
  • Very few use cases can be automated end-to-end without human intervention.11

Orchestrating people, technologies, and processes

Orchestration of the IR process involves coordinating what is completed through automation by using certain tools and certain people. This orchestration supports and optimizes the human-centric elements of cybersecurity — such as helping to understand context and decision making — and empowers them as central to security operations. As security threats are uncertain problems, responding to a threat is rarely a final step.

Some organizations combine automation and orchestration with other processes such as artificial intelligence (AI) and machine learning to generate an improved security posture.

8 Ponemon Institute, Cost of a Data Breach 2020, Sponsored by IBM Security, July 2020.
9 Ponemon Institute, Cyber Resilient Report 2020, Sponsored by IBM Security, July 2020.
10 Ponemon Institute, Cyber Resilient Report 2020, Sponsored by IBM Security, July 2020.
11 Ted Julian, Automation Realities in the Context of SOAR, Security Intelligence, 20 August, 2020.


4 min read

Align for success with case management

Playbooks can give security teams flexibility to adapt with new information.

Woman coworker talking to other coworkers in office with large screen

As your security team members work to resolve an incident, they can uncover new pieces of information along the way. Case management offers better efficiency and structure navigating this process by looping in the right stakeholders, keeping everyone organized and working towards a goal.

One feature of case management are playbooks, which are dynamic and additive, giving the team flexibility to adapt with new information for security processes based on changing criteria. For example, the incident could have started with a phishing email. If your team uncovered malware, requiring them to complete additional tasks to fully resolve the incident, a dynamic playbook would add those additional malware tasks.

Case management can provide the following additional benefits:

  • Security teams receive a series of steps to guide them rather than relying on guesswork.
  • IR processes can be designed and orchestrated with visual workflows.
  • Case management allows team members to track how an incident progresses by giving visibility into the tasks that analysts are handling and due dates when they need to be completed.
  • Communication improves among team members, including those outside the SOC, with in-platform notifications, and everyone following a consistent process.

Case management can also help to connect security stakeholders with cross-functional partners assigned to complete tasks to help resolve the incident, such as human resources, legal, communications and so on. All participants from analysts to executives can gain an understanding of what constitutes a serious threat or which security initiatives are most important for the future and know who needs to respond and how. This common security language becomes increasingly important as organizations take next steps after attack discoveries, from communicating with customers to filing compliance reports with regulatory agencies.

IBM SOAR solutions have the ability to integrate privacy use cases into traditional SOAR case management. In addition to the numerous challenges faced by organizations and security teams, they must stay on top of the ever-changing regulations landscape. Organizations may have to comply with local, international and industry regulations, which may have different notification requirements in case of a data privacy breach. To help organizations mitigate the risk and implications of a data privacy breach, security and data privacy teams can receive a guided response to help them address applicable notification requirements through the SOAR solution.

USD 150

Customer Personally Identifiable Information (PII) data has the highest cost per record when compromised for surveyed organizations.12

Services related to a SOAR solution can help define dynamic and robust case management capabilities. IBM Security can help to support case management services in the IBM Security X-Force Incident Response Retainer.

12 Ponemon Institute, Cost of a Data Breach 2020, Sponsored by IBM Security, July 2020.


3 min read

IBM Security SOAR solutions

Introduce efficiency into your SOC with a SOAR solution.

Closeup of man's face from the side with a computer screen reflecting in his glasses

IBM Security SOAR is a solution designed to help security analysts respond to incidents with confidence, automate with intelligence, and collaborate with consistency to accelerate cyber resilience. The SOAR solution can help you:

  • Introduce efficiency into your SOC by leveraging automation and orchestration to maximize existing security and IT tools and to eliminate repetitive tasks.
  • Enable your security team to focus on high-level investigations to take remediation action from a single hub.
  • Provide a guided, consistent response to incidents through dynamic and robust case management capabilities.
  • Integrate data privacy breach requirements with security incident case management to help your team navigate the complex regulatory environment and notification requirements.

Discover the potential return on investment, net present value of benefits and payback period from implementing IBM Security SOAR based on a study sponsored by IBM.

Read report

To learn more about IBM Security SOAR, visit www.ibm.com/security/intelligent-orchestration/resilient

IBM Cloud Pak for Security

IBM Cloud Pak for Security places SOAR capabilities at the heart of a modern, open and integrated security platform built on Red Hat OpenShift. The platform connects to your existing security tools and addresses the complexity of threats by enabling your team to perform the following tasks:

  • Securely access IBM and third-party tools to search for threats across any cloud or on-premises location.
  • Integrate your existing security tools to gain deeper insights into hidden threats across hybrid, multicloud environments.
  • Quickly orchestrate team actions and responses to those threats — all while leaving your data where it is.
  • Deploy on premises, in a public cloud or a private cloud.

To learn more about IBM Cloud Pak for Security, visit www.ibm.com/products/cloud-pak-for-security


4 min read

Use threat intelligence effectively

Better understand, investigate and respond to your security threats.

Coworkers sitting at long tables working on computers with view of city from window

Threat intelligence gives security teams better insight and awareness into the activity in their environments. Using threat intelligence helps increase awareness of potential threats and provides improved detection and response. SOAR solutions can seamlessly integrate with numerous threat intelligence feeds to quickly enrich incidents and better understand security threats. When orchestrating IR processes, the goal should always be to put security analysts in the best position to investigate and respond to threats.

With a SOAR solution, you can boost your security analysts’ productivity by automating incident enrichment tasks. By connecting your SOAR solution to your preferred threat intelligence sources, such as IBM X-Force Exchange, incident information can be enriched from third-party feeds, real-time security operations, investigations and research. This activity can free up valuable time to allow your security analysts to focus on higher-level investigations. Through the automated process, indicators of compromise related to the incident are correlated against threat intelligence feeds, giving analysts better insight into whether an attack is malicious and can help them to prioritize their workload.

This process can occur by using IBM Security X-Force Threat Management, which provides consulting and governance to improve identifying and protecting critical assets, detecting advanced threats, and responding and recovering faster from disruptions. With X-Force Threat Management Services, you get a multiyear engagement to integrate an overarching standards-based framework such as NIST to prevent and detect undesired activity.

By interacting with teams including IBM Security X-Force Threat Intelligence, one of the services offered by IBM Security X-Force Threat, a SOAR solution also allows for better alert triage by your analysts, as shown here:

From this point, security analysts already have high-quality, prioritized, actionable threat intelligence when they step in and take control.

To most effectively use threat intelligence for better IR, security analysts should perform the following tasks:

  • Anchor threat intelligence in IR plans
  • Use integrations and correlation to make threat intelligence actionable
  • Track and measure the usefulness of their sources

Ultimately, security automation should be a balancing act of science and art, or of humans and machines, that uses both internal intelligence and threat intelligence from the wider cybersecurity community.

Read this customer success story about simplifying threat intelligence sharing.

Read story


6 min read

Related SOAR services from IBM Security

Get a more complete view of your security threat landscape.

Office with workers at computer monitors listening to woman presenting in front of room and big screen

IBM Security X-Force Threat Management Services

IBM Security X-Force Threat Management Services gives you ongoing insights of your security landscape. using visualization and analysis tools and proactive security techniques and tactics, including AI, machine learning and orchestration. AI and automation also assists with necessary scaling without the need for large personnel shifts.

With X-Force Threat Management Services, you receive an aggressive approach to the security perimeter to encompass widely distributed endpoints. And as technology evolves, so does X-Force Threat Management Services to deliver the same level of protection for emerging technology environments. These domains include Operational Technology (OT), the Internet of Things (IoT) and the Internet of Medical Things (IoMT).

X-Force Threat Management Services integrates the power of IBM Security X-Force and more into a single engagement for clients.

IBM Security X-Force

IBM Security X-Force brings together threat intelligence, high touch IR and remediation services to minimize the impact of cyberattacks. By using X-Force, you get a more complete view of threats through deep domain expertise combined with proven incident management and investigation services executed at a global scale.

Global intelligence experts with X-Force guide you in determining your needs by using industry-leading analysis. X-Force Threat Intelligence integrates with security workflow applications through APIs including SOAR. Its goal to minimize time, costs and exposure associated with data breaches.

The X-Force team is designed to help you before, during and after a breach so you can recover faster and your security analysts will be more knowledgeable about threats to your environment.

Experts with X-Force have two approaches — one to accelerate IRs, the other to gain threat intelligence.

IBM Security X-Force Incident Response Retainer

X-Force Incident Response Retainer provides remediation and proactive services to help you prepare for and respond to threats and incidents across all endpoints.

In the event of a breach, X-Force responders can help you quickly investigate, respond to, and manage cyber incidents to reduce the impact to your business. You can also use your X-Force Incident Response subscription hours to proactively assess your response readiness with the following services:

  • Forensic Analysis
  • Threat Assessments
  • Incident Response Program Assessment and Development
  • First Responder Training
  • Tabletop Exercises and Scenario Testing
  • Managed Detection and Response (MDR) with Threat Hunting

IBM Security X-Force Threat Intelligence

When your problems include poor intelligence quality, lack of trust and minimal integration with other data sources and organization, IBM Security X-Force Threat Intelligence is the solution to use. IBM Security X-Force Threat Intelligence simplifies your intelligence management while improving detection and response with experts who can design, build, deliver and operate an automated cyberthreat platform.

This solution provides accurate, up-to-the-minute cyberthreat data on your environment from both common and unique sources and the ability to share the information with your organization, industry, and communities. You get research, reports and industry-leading analysis for a preemptive approach to cyber security.

With IBM Security X-Force Threat Intelligence, you can take advantage of the following services:

  • Enterprise Intelligence Management
  • Premier Threat Intelligence
  • Threat Intelligence Program Assessment
  • Strategic Threat Assessment
  • Dark Web Analysis
  • Malware Reverse Engineering

To learn more about IBM X-Force Incident Response and Intelligence Services, visit www.ibm.com/security/services/ibm-x-force-incident-response-and-intelligence