SOAR—for security orchestration, automation and response—is a software solution that enables security teams to integrate and coordinate separate tools into streamlined threat response workflows.
In large organizations, security operations centers (SOCs) rely on numerous tools to track and respond to cyberthreats. In IBM's Cyber Resilient Organization Study 2021, 29% of the organizations surveyed had deployed 31–50 different security tools and technologies, and 23% had deployed 51–100. These tools are not always designed to work together, so SOCs need to manually integrate them in response to each security incident.
SOAR platforms give SOCs a central console where they can integrate these tools into optimized threat response workflows and automate low-level, repetitive tasks in those workflows. This console also allows SOCs to manage all the security alerts generated by these tools in one central place.
By streamlining alert triage and ensuring that different security tools work together, SOARs help SOCs reduce mean time to detect (MTTD) and mean time to respond (MTTR), improving overall security posture. Detecting and responding to security threats faster can soften the impact of cyberattacks. According to IBM's Cost of a Data Breach 2022 report, a shorter data breach lifecycle is associated with lower breach costs. Breaches resolved in less than 200 days cost companies USD 1.12 million less on average than breaches that take longer than 200 days to resolve.
SOAR technology arose as a consolidation of three earlier security tools. According to Gartner, which first coined the term "SOAR" in 2015, SOAR platforms combine the functions of security incident response platforms, security orchestration and automation platforms, and threat intelligence platforms in one offering.
To understand how modern-day SOAR solutions work, it can help to break them down into their core features: security orchestration, security automation, and incident response.
"Security orchestration" refers to how SOAR platforms connect and coordinate the hardware and software tools in a company's security system.
SOCs use various solutions to monitor and respond to threats, like firewalls, threat intelligence feeds, and endpoint protection tools. Even simple security processes can involve multiple tools. For example, a security analyst investigating a phishing email may need a secure email gateway, a threat intelligence platform, and antivirus software to identify, understand, and resolve the threat. These tools often come from different vendors and may not readily integrate, so analysts must manually move between tools as they work.
With a SOAR, SOCs can unify these tools in coherent, repeatable security operations (SecOps) workflows. SOARs use application programming interfaces (APIs), prebuilt plugins, and custom integrations to connect security tools (and some non-security tools). Once these tools are integrated, SOCs can coordinate their activities with playbooks.
Playbooks are process maps that security analysts can use to outline the steps of standard security processes like threat detection, investigation, and response. Playbooks can span multiple tools and apps. They can be fully automated, fully manual, or a combination of automated and manual tasks.
SOAR security solutions can automate low-level, time-consuming, repetitive tasks like opening and closing support tickets, event enrichment, and alert prioritization. SOARs can also trigger the automated actions of integrated security tools. That means security analysts can use playbook workflows to chain together multiple tools and carry out more complex security operations automation.
For example, consider how a SOAR platform might automate an investigation of a compromised laptop. The first indication that something is amiss comes from an endpoint detection and response (EDR) solution, which detects suspicious activity on the laptop. The EDR sends an alert to the SOAR, which triggers the SOAR to execute a predefined playbook. First, the SOAR opens a ticket for the incident. It enriches the alert with data from integrated threat intelligence feeds and other security tools. Then, the SOAR executes automated responses, such as triggering a network detection and response (NDR) tool to isolate the endpoint from the network or prompting antivirus software to find and quarantine the malware. Finally, the SOAR passes the ticket to a security analyst, who determines whether the incident was resolved or human intervention is required. In practice, disruptive containment steps such as endpoint isolation are usually gated on enrichment confidence or on analyst approval, because a playbook that isolates a production host on a false positive causes an outage of its own.
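As an added example (not IBM's code and not a QRadar SOAR playbook), the following Python models the compromised-laptop playbook above as a chain of steps over a constructed EDR alert, and also runs a batch of alerts through it to produce a prioritized queue of the kind the triage and alert-fatigue discussion later in this page describes. The ticketing, threat-intel, EDR/NDR and antivirus integrations are replaced by in-memory stand-ins; the THREAT_INTEL table, the alert fields, the confidence threshold of 90, the action strings and the auto-close rule are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed threat-intel table standing in for the integrated TI feeds
# (assumption: a real playbook queries a TIP or feed API). Keys are
# indicators (RFC 5737 documentation IPs and a made-up domain); values are
# (verdict, confidence 0-100).
THREAT_INTEL = {
    "203.0.113.7": ("malicious", 95),
    "update-checker.example": ("suspicious", 60),
    "198.51.100.20": ("benign", 5),
}

# Playbook policy (assumed): isolate a host unattended only at or above this
# confidence; below it, ask an analyst first.
AUTO_ISOLATE_THRESHOLD = 90


@dataclass
class Case:
    """The ticket the SOAR opens and carries through the playbook."""
    ticket_id: str
    alert: dict
    enrichment: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)
    severity: str = "low"
    max_confidence: int = 0
    needs_analyst: bool = False


def open_ticket(alert: dict) -> Case:
    """Step 1: open a ticket (stand-in for a ticketing-system integration)."""
    return Case(ticket_id=f"INC-{alert['alert_id']}", alert=alert)


def enrich(case: Case) -> Case:
    """Step 2: enrich every indicator in the alert and derive a severity."""
    for ioc in case.alert.get("indicators", []):
        verdict, confidence = THREAT_INTEL.get(ioc, ("unknown", 0))
        case.enrichment[ioc] = {"verdict": verdict, "confidence": confidence}
        case.max_confidence = max(case.max_confidence, confidence)
    if case.max_confidence >= AUTO_ISOLATE_THRESHOLD:
        case.severity = "high"
    elif case.max_confidence >= 50:
        case.severity = "medium"
    return case


def contain(case: Case) -> Case:
    """Step 3: automated response, gated by enrichment confidence.

    The action strings stand in for calls to the EDR/NDR and antivirus tools."""
    host = case.alert["hostname"]
    if case.severity == "high":
        case.actions.append(f"isolate_endpoint:{host}")
        case.actions.append(f"av_quarantine:{host}")
    elif case.severity == "medium":
        # Disruptive step on an uncertain verdict: request approval instead.
        case.actions.append(f"request_approval:isolate_endpoint:{host}")
        case.needs_analyst = True
    return case


def handoff(case: Case) -> Case:
    """Step 4: hand the ticket to an analyst, or auto-close it.

    Auto-close only when every indicator came back benign; an unknown
    indicator is not evidence of safety and still gets a human look."""
    verdicts = {e["verdict"] for e in case.enrichment.values()}
    if verdicts == {"benign"}:
        case.actions.append("close:no_confirmed_threat")
    else:
        case.needs_analyst = True
    return case


PLAYBOOK = [enrich, contain, handoff]


def run_playbook(alert: dict) -> Case:
    """Execute the playbook steps in order on one EDR alert."""
    case = open_ticket(alert)
    for step in PLAYBOOK:
        case = step(case)
    return case


def triage(alerts: list) -> list:
    """Run the playbook over a batch and return cases highest-risk first."""
    cases = [run_playbook(a) for a in alerts]
    return sorted(cases, key=lambda c: c.max_confidence, reverse=True)


# Constructed EDR alerts, shaped as an EDR integration might deliver them.
SAMPLE_ALERTS = [
    {"alert_id": "1001", "hostname": "LAPTOP-42", "indicators": ["203.0.113.7"]},
    {"alert_id": "1002", "hostname": "LAPTOP-17", "indicators": ["update-checker.example"]},
    {"alert_id": "1003", "hostname": "LAPTOP-88", "indicators": ["198.51.100.20"]},
    {"alert_id": "1004", "hostname": "LAPTOP-05", "indicators": ["192.0.2.1"]},
]

if __name__ == "__main__":
    for case in triage(SAMPLE_ALERTS):
        print(case.ticket_id, case.severity, case.actions,
              "analyst" if case.needs_analyst else "auto-closed")
```

Run as a script, it prints the four constructed tickets highest-risk first: the malicious hit is isolated automatically and then handed to an analyst for verification, the suspicious one waits for approval, the benign one is closed without human time, and the unknown indicator gets no automated action but is still routed to a person. The gate in `contain` and the all-benign rule in `handoff` are the two places where a real playbook's policy decisions live.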
Some SOARs include artificial intelligence (AI) and machine learning that analyze data from security tools and recommend ways to handle threats in the future.
SOAR's orchestration and automation capabilities allow it to serve as a central console for security incident response. Security analysts can use SOARs to investigate and resolve incidents without moving between multiple tools.
Like threat intelligence platforms, SOARs aggregate metrics and alerts from external feeds and integrated security tools in a central dashboard. Analysts can correlate data from different sources, filter out false positives, prioritize alerts, and identify the specific threats they're dealing with. Then, analysts can respond by triggering the appropriate playbooks.
SOCs can also use SOAR tools for post-incident audits and more proactive security processes. SOAR dashboards can help security teams understand how a particular threat breached the network and how to prevent similar threats in the future. Likewise, security teams can use SOAR data to identify unnoticed ongoing threats and focus their threat-hunting efforts in the right places.
By integrating security tools and automating tasks, SOAR platforms can streamline common security workflows like case management, vulnerability management, and incident response. The benefits of this streamlining include:
SOCs may have to deal with hundreds or thousands of security alerts daily. This can lead to alert fatigue, and analysts may miss important signs of threat activity. SOARs can make alerts more manageable by centralizing security data, enriching events, and automating responses. As a result, SOCs can process more alerts while reducing response times.
SOCs can use SOAR playbooks to define standard, scalable incident response workflows for common threats. Rather than dealing with threats on a case-by-case basis, security analysts can trigger the appropriate playbook for effective remediation.
SOCs can use SOAR dashboards to gain insight into their networks and the threats they face. This information can help SOCs spot false positives, prioritize alerts better, and select the correct response processes.
SOARs centralize security data and incident response processes so analysts can work together on investigations. SOARs can also enable SOCs to share security metrics with outside parties, such as HR, legal, and law enforcement.
SOAR, SIEM, and XDR tools share some core functions, but each has its own unique features and use cases.
Security information and event management (SIEM) solutions collect information from internal security tools, aggregate it in a central log, and flag anomalies. SIEMs are mainly used to record and manage large volumes of security event data.
SIEM technology first emerged as a compliance reporting tool. SOCs adopted SIEMs when they realized SIEM data could inform cybersecurity operations. SOAR solutions arose to add the security-focused features most standard SIEMs lack, like orchestration, automation, and console functions.
Extended detection and response (XDR) solutions collect and analyze security data from endpoints, networks, and the cloud. Like SOARs, they can automatically respond to security incidents. However, XDRs are capable of more complex and comprehensive incident response automations than SOARs. XDRs can also simplify security integrations, often requiring less expertise or expense than SOAR integrations. Some XDRs are pre-integrated single-vendor solutions, while others can connect security tools from multiple vendors. XDRs are often used for real-time threat detection, incident triage, and automated threat hunting.
SecOps teams in large companies often use all of these tools together. However, providers are blurring the lines between them, rolling out SIEM solutions that can respond to threats and XDRs with SIEM-like data logging. Some security experts believe XDR may one day absorb the other tools, similar to how SOAR once consolidated its predecessors.
IBM Security® QRadar® XDR suite provides a single unified workflow across your tools to detect and eliminate threats faster.
IBM Security QRadar SOAR (formerly Resilient) helps your security team respond to cyberthreats with confidence, automate with intelligence and collaborate with consistency. It guides your team in resolving incidents by codifying established incident response processes into dynamic playbooks. And its open, agnostic platform helps accelerate and orchestrate incident response by automating actions with intelligence and integrating with other security tools.