
What is SOAR?

SOAR Platform Architecture

Security orchestration, automation and response (SOAR) technology is designed to help security operations teams automatically execute repetitive tasks, such as responding to phishing alerts and triaging SIEM or EDR alerts, and is typically used within the context of the Security Operations Center (SOC).

Low-code security automation solutions make it possible to extend SOAR beyond SOC use cases as the needs of security organizations expand beyond the SOC. At the most basic level, there are three primary ways that SOAR works to improve SecOps outcomes:

  1. Automates incident response: Security automation is technology that allows software to execute a sequence of workflow tasks without human intervention. Security teams who automate incident response with SOAR speed their mean time to resolution (MTTR). Automation also frees up analyst time for more strategic work, increasing the team’s job satisfaction and retention rates.

  2. Adds context to incident data: Security orchestration integrates disparate systems or platforms. This leads to consolidated and contextualized intelligence so that analysts can quickly view all incident data in a single case management view, complete with customizable dashboards and reports. This enrichment process provides security teams with actionable intelligence so they can improve operational efficiencies and mature the security posture.

  3. Unifies people, process and technology: Integrations are the magic behind how SOAR unites people, processes, and technology. SOAR technologies that deliver well-orchestrated security ecosystems ensure that security teams accelerate time-to-value and speed incident response times.

The Benefits of SOAR

SOAR technologies have many benefits for SOC teams. Breach prevention, improved SecOps KPIs, reduced analyst burnout, and improved overall ROI are the leading benefits that customers realize.

  • Reduce likelihood of a breach: With Swimlane technology, an enterprise customer was able to proactively respond to ~80% more security telemetry data. They were able to stop attacks earlier in the attack lifecycle and prevent them from becoming breaches. Actionable intelligence that is gathered through Swimlane’s reporting and low-code visualizations helps measurably improve their risk posture over time.

  • Improve SecOps metrics: Another Swimlane customer reduced manual interventions by one-third in the first six months of the SOAR deployment. This enabled them to cut their MTTR by 50%. The result was improved efficiency and effectiveness of day-to-day security operations.

  • Reduce staff burnout: All Swimlane customers remark that by using low-code security automation, their analysts save time required to filter, sort, and visualize data. This frees analysts from manual and error-prone tasks so they can spend more time on strategic initiatives. Because of this, customers are able to retain talent and institutional knowledge, which leads to greater overall security.

  • Improve ROI for all security investments: A Fortune 100 Swimlane customer saves $160,000 per month in labor costs. This financial benefit is a result of low-code automation, saving them 3,700 hours of work each week. The ROI was calculated by measuring the percentage of detection alerts that require manual processes versus automated processes. Automation dashboards and reporting make it easy to measure these statistics so that security leaders can evaluate the efficacy of their investments.

Most Common SOAR Use Cases

The most common SOAR use cases tend to be SOC use cases like phishing triage, incident response, vulnerability management, intelligence processes, threat hunting, and alert/event management. Looking ahead, security teams will turn to automation capabilities that are sophisticated enough to tackle security use cases beyond the SOC, like automating fraud remediation. Swimlane’s low-code automation platform is flexible and extensible enough to automate both the common use cases and planned use cases inside and beyond the SOC.

SOAR vs. SIEM

Security information and event management (SIEM) is similar to SOAR in that both technologies ingest data from multiple security products like firewalls, network appliances, and detection tools. Both technologies are core technologies adopted by SOC teams. Those two factors are where the similarities end.

A SIEM solution works by collecting, aggregating, identifying, and categorizing incidents and events. SOAR ingests and enriches data in a similar way, including data from the SIEM, but then it takes the additional steps to automate complex incident response workflows through integrations and playbooks.

SIEM customers find benefit in security monitoring, incident detection, alerting, and dashboard creation. These are often useful for reporting information needed for compliance use cases like GDPR, CCPA, and HIPAA. However, SIEMs are often expensive. It’s typical for SIEMs to be priced based on the amount of data they consume, which often is not scalable or value-oriented. SIEMs can also be difficult to manage or operate on their own. For this reason, SOAR is a perfect complement to a SIEM solution because it translates the SIEM’s intelligence into actions that prevent breaches and improve SOC metrics.

What SOC metrics should I be looking at?

SOAR success and metrics are going to be unique to each company and the organization’s goals, but a few basic key performance indicators (KPIs) that all security teams need to measure include:

  • Mean time to detect (MTTD)

  • Mean time to investigate (MTTI)

  • Mean time to respond (MTTR)

  • Granular ROI reporting

  • Analyst workload

These are just a few of the SOC metrics that are calculated in Swimlane’s SOC dashboards.
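To make the KPIs above concrete, here is an added example (not Swimlane's code or part of the original post) that computes MTTD, MTTI, MTTR, the automated-versus-manual handling rate used for ROI reporting, and per-analyst workload from a constructed set of incident records. The `Incident` fields and the sample timestamps are assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Incident:
    """Lifecycle timestamps for one incident (hypothetical schema)."""
    id: str
    occurred: datetime      # when the malicious activity began (forensic timeline)
    detected: datetime      # when a detection tool raised the alert
    investigated: datetime  # when an analyst or playbook picked the alert up
    resolved: datetime      # when containment/remediation was confirmed
    handled_by: str         # "playbook" if automation resolved it, else analyst name


def _mean_minutes(deltas):
    """Average a sequence of timedeltas, reported in minutes."""
    return round(mean(d.total_seconds() / 60 for d in deltas), 1)


def soc_metrics(incidents):
    """Compute the SOC KPIs named in the text over a list of incidents."""
    mttd = _mean_minutes(i.detected - i.occurred for i in incidents)      # MTTD
    mtti = _mean_minutes(i.investigated - i.detected for i in incidents)  # MTTI
    mttr = _mean_minutes(i.resolved - i.detected for i in incidents)      # MTTR
    automated = sum(1 for i in incidents if i.handled_by == "playbook")
    # Share of incidents closed without manual work: the input to ROI reporting
    automation_rate = round(100 * automated / len(incidents), 1)
    # Analyst workload: incidents per person, excluding playbook-resolved ones
    workload = Counter(i.handled_by for i in incidents if i.handled_by != "playbook")
    return {"mttd_min": mttd, "mtti_min": mtti, "mttr_min": mttr,
            "automation_rate_pct": automation_rate, "analyst_workload": dict(workload)}


# Constructed sample data: four incidents, all starting at the same base time
_T0 = datetime(2024, 3, 1, 9, 0)
_m = lambda n: _T0 + timedelta(minutes=n)
SAMPLE_INCIDENTS = [
    Incident("INC-1", _T0, _m(10), _m(12), _m(30), "playbook"),
    Incident("INC-2", _T0, _m(20), _m(50), _m(140), "alice"),
    Incident("INC-3", _T0, _m(30), _m(40), _m(70), "playbook"),
    Incident("INC-4", _T0, _m(60), _m(120), _m(300), "bob"),
]

if __name__ == "__main__":
    print(soc_metrics(SAMPLE_INCIDENTS))
```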

What SOAR Metrics Should I Be Looking At?

Traditionally, the value of SOAR has been limited to the SOC, but as we look to the future of security automation, we can expect to see the notion of SOC metrics expand to include more comprehensive security metrics.

Gartner has started referring to this as their “CARE standard for cybersecurity.” This framework provides a suggestion for what the industry standard of security metrics or KPIs should be. This framework is outlined by the CARE acronym: consistent, adequate, reasonable, effective. Some KPIs that align to these groups include metrics like:

  • Consistent: security awareness trainings completed by employees in the past month

  • Adequate: percentage of endpoints that have been updated for anti-malware protections

  • Reasonable: average length of delays caused by security protocols

  • Effective: number of incidents in the past year related to configuration issues

While these metrics are not commonly associated with SOAR use cases, Swimlane’s automation engine is powerful enough to provide insights and answers to nearly any security metric that you need to measure. Swimlane’s low-code security automation platform is built for cloud-scale and is extensible enough to serve as the system of record for security.

Interested in learning more? Get started today at swimlane.com/demo

*** This is a Security Bloggers Network syndicated blog from Swimlane (en-US) authored by Katie Bykowski. Read the original post at: https://www.swimlane.com/blog/what-is-soar/