What is SOAR (security orchestration, automation and response)?

8 February 2023

SOAR—for security orchestration, automation and response—is a software solution that enables security teams to integrate and coordinate separate security tools, automate repetitive tasks and streamline incident and threat response workflows.

In large organizations, security operations centers (SOCs) rely on numerous tools to track and respond to cyber threats, and much of that work is still done manually. Manual investigation of threats slows overall threat response.

SOAR platforms give SOCs a central console where they can integrate these tools into optimized threat response workflows and automate low-level, repetitive tasks in those workflows. This console also allows SOCs to manage all the security alerts generated by these tools in one central place.

By streamlining alert triage and ensuring that different security tools work together, SOARs help SOCs reduce mean time to detect (MTTD) and mean time to respond (MTTR), improving overall security posture. Detecting and responding to security threats faster can soften the impact of cyberattacks. According to IBM’s latest Cost of a Data Breach report, a shorter data breach lifecycle is associated with lower breach costs. Breaches resolved in less than 200 days cost companies USD 1.02 million less on average, reflecting a 23% difference.

How does SOAR work?

SOAR technology arose as a consolidation of three earlier security tools. According to Gartner, which first coined the term "SOAR" in 2015, SOAR platforms combine the functions of security incident response platforms, security orchestration and automation platforms, and threat intelligence platforms in one offering.

To understand how modern-day SOAR solutions work, it can help to break them down into their core features: security orchestration, security automation, and incident response.

Security orchestration

"Security orchestration" refers to how SOAR platforms connect and coordinate the hardware and software tools in a company's security system.

SOCs use various solutions to monitor and respond to threats, like firewalls, threat intelligence feeds, and endpoint protection tools. Even simple security processes can involve multiple tools. For example, a security analyst investigating a phishing email may need a secure email gateway, a threat intelligence platform, and antivirus software to identify, understand, and resolve the threat. These tools often come from different vendors and may not readily integrate, so analysts must manually move between tools as they work.

With a SOAR, SOCs can unify these tools in coherent, repeatable security operations (SecOps) workflows. SOARs use application programming interfaces (APIs), prebuilt plugins, and custom integrations to connect security tools (and some non-security tools). Once these tools are integrated, SOCs can coordinate their activities with playbooks.

Playbooks are process maps that security analysts can use to outline the steps of standard security processes like threat detection, investigation, and response. Playbooks can span multiple tools and apps. They can be fully automated, fully manual, or a combination of automated and manual tasks.

Security automation

SOAR security solutions can automate low-level, time-consuming, repetitive tasks like opening and closing support tickets, event enrichment, and alert prioritization. SOARs can also trigger the automated actions of integrated security tools. That means security analysts can use playbook workflows to chain together multiple tools and carry out more complex security operations automation.

For example, consider how a SOAR platform might automate an investigation of a compromised laptop. The first indication that something is amiss comes from an endpoint detection and response (EDR) solution, which detects suspicious activity on the laptop. The EDR sends an alert to the SOAR, which triggers the SOAR to execute a predefined playbook. First, the SOAR opens a ticket for the incident. It enriches the alert with data from integrated threat intelligence feeds and other security tools. Then, the SOAR executes automated responses, such as triggering a network detection and response (NDR) tool to quarantine the endpoint or prompting antivirus software to find and detonate malware. Finally, the SOAR passes the ticket to a security analyst, who determines whether the incident was resolved or human intervention is required.
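The compromised-laptop playbook above, written out as a small runner, is an added example and not IBM's code or any vendor's product: the EDR alert, the threat-intelligence feed and the NDR/antivirus integrations are constructed stubs, and the severity rule (a confirmed-malicious indicator at confidence 0.8 or above is "high") is an assumption chosen for illustration.

```python
"""Minimal SOAR-style playbook: open ticket -> enrich -> respond -> hand off."""
from dataclasses import dataclass, field

# Constructed threat-intel feed (assumption): indicator -> (verdict, confidence)
THREAT_INTEL = {
    "203.0.113.45": ("malicious", 0.9),   # TEST-NET address, constructed
    "sha256:deadbeef": ("malicious", 0.95),
    "evil.example": ("malicious", 0.5),   # low-confidence hit, constructed
}

# Constructed EDR alert that would arrive over the EDR -> SOAR integration
EDR_ALERT = {"id": "EDR-0001", "host": "laptop-42",
             "indicators": ["203.0.113.45", "sha256:deadbeef"]}

class NDRStub:            # stands in for the NDR tool's quarantine API
    def quarantine(self, host):
        return f"ndr:quarantine:{host}"

class AVStub:             # stands in for the antivirus scan API
    def scan(self, host):
        return f"av:scan:{host}"

@dataclass
class Ticket:
    alert_id: str
    severity: str = "unknown"
    enrichment: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)
    owner: str = "soar"   # playbook owns the ticket until hand-off

def enrich(alert):
    """Look up every indicator in the alert against the intel feed."""
    return {ioc: dict(zip(("verdict", "confidence"),
                          THREAT_INTEL.get(ioc, ("unknown", 0.0))))
            for ioc in alert["indicators"]}

def prioritize(enrichment):
    """Assumed rule: malicious at >= 0.8 -> high; any malicious -> medium."""
    scores = [e["confidence"] for e in enrichment.values()
              if e["verdict"] == "malicious"]
    if scores and max(scores) >= 0.8:
        return "high"
    return "medium" if scores else "low"

def run_playbook(alert, ndr, av):
    ticket = Ticket(alert_id=alert["id"])           # 1. open ticket
    ticket.enrichment = enrich(alert)               # 2. enrich
    ticket.severity = prioritize(ticket.enrichment)
    if ticket.severity == "high":                   # 3. automated response
        ticket.actions.append(ndr.quarantine(alert["host"]))
        ticket.actions.append(av.scan(alert["host"]))
    ticket.owner = "analyst"                        # 4. hand off to a human
    return ticket
```

Lower-severity alerts still get a ticket and enrichment but no automated containment, so the analyst decides on those; that split is where a real deployment tunes false-positive risk.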

Some SOARs include artificial intelligence (AI) and machine learning that analyze data from security tools and recommend ways to handle threats in the future.

Incident response

SOAR's orchestration and automation capabilities allow it to serve as a central console for security incident response (IR). IBM’s Cost of a Data Breach report found that organizations with both an IR team and IR plan testing identified breaches 54 days faster than those with neither.

Security analysts can use SOARs to investigate and resolve incidents without moving between multiple tools. Like threat intelligence platforms, SOARs aggregate metrics and alerts from external feeds and integrated security tools in a central dashboard. Analysts can correlate data from different sources, filter out false positives, prioritize alerts, and identify the specific threats they're dealing with. Then, analysts can respond by triggering the appropriate playbooks.

SOCs can also use SOAR tools for post-incident audits and more proactive security processes. SOAR dashboards can help security teams understand how a particular threat breached the network and how to prevent similar threats in the future. Likewise, security teams can use SOAR data to identify unnoticed ongoing threats and focus their threat hunting efforts in the right places.


Benefits of SOAR

By integrating security tools and automating tasks, SOAR platforms can streamline common security workflows like case management, vulnerability management, and incident response. The benefits of this streamlining include:

Processing more alerts in less time

SOCs may have to deal with hundreds or thousands of security alerts daily. This can lead to alert fatigue, and analysts may miss important signs of threat activity. SOARs can make alerts more manageable by centralizing security data, enriching events, and automating responses. As a result, SOCs can process more alerts while reducing response times.

More consistent incident response plans

SOCs can use SOAR playbooks to define standard, scalable incident response workflows for common threats. Rather than dealing with threats on a case-by-case basis, security analysts can trigger the appropriate playbook for effective remediation.

Enhanced SOC decision-making

SOCs can use SOAR dashboards to gain insight into their networks and the threats they face. This information can help SOCs spot false positives, prioritize alerts better, and select the correct response processes.

Improved SOC collaboration

SOARs centralize security data and incident response processes so analysts can work together on investigations. SOARs can also enable SOCs to share security metrics with outside parties, such as HR, legal, and law enforcement.

SOAR, SIEM and XDR

SOAR, SIEM, and XDR tools share some core functions, but each has its own unique features and use cases.

Security information and event management (SIEM) solutions collect information from internal security tools, aggregate it in a central log, and flag anomalies. SIEMs are mainly used to record and manage large volumes of security event data.

SIEM technology first emerged as a compliance reporting tool. SOCs adopted SIEMs when they realized SIEM data could inform cybersecurity operations. SOAR solutions arose to add the security-focused features most standard SIEMs lack, like orchestration, automation, and console functions.

Extended detection and response (XDR) solutions collect and analyze security data from endpoints, networks, and the cloud. Like SOARs, they can automatically respond to security incidents. However, XDRs are capable of more complex and comprehensive incident response automations than SOARs. XDRs can also simplify security integrations, often requiring less expertise or expense than SOAR integrations. Some XDRs are pre-integrated single-vendor solutions, while others can connect security tools from multiple vendors. XDRs are often used for real-time threat detection, incident triage, and automated threat hunting.

SecOps teams in large companies often use all of these tools together. However, providers are blurring the lines between them, rolling out SIEM solutions that can respond to threats and XDRs with SIEM-like data logging. Some security experts believe XDR may one day absorb the other tools, similar to how SOAR once consolidated its predecessors.
