Understanding SOAR: Importance, Benefits, Limitations of Cybersecurity's Key Response Mechanism

The escalating threat of cyberattacks, which McKinsey & Company estimates will result in annual costs of up to $10.5 trillion by 2025, underscores the urgent need to safeguard enterprise systems. 

In response to this pressing challenge, Security Orchestration, Automation, and Response (SOAR) has emerged as one of the leading technologies that businesses are employing to combat the ever evolving cyber threats.

A July 2022 survey conducted by Markets & Markets revealed a promising outlook for the global SOAR market, projecting an average compound growth rate of 15.8% annually. By 2027, the market is expected to reach $2.3 billion.

Being an emerging cybersecurity technology, it is important to grasp its essence and comprehend the significant role it can play in fortifying your network security operations.  

What is SOAR?

A term coined by Gartner in 2015, «Security Orchestration, Automation, and Response» is a collection or stack of harmonious software programs that are designed to enable organizations to gather information on security threats and respond to incidents with less human involvement. This is achieved by bringing different security tools into one platform, where they are automated and coordinated to work in unison. The goal of SOAR is to capitalize on automation to reduce time-consuming workloads on SOC teams. 

As low level repetitive tasks are offloaded to an automated and well coordinated security stack, the SOC teams are freed up to focus on high-level operations like threat analysis, compliance reporting, and workflow prioritization. What’s more, through AI and machine learning, the top SOAR solutions can even take care of these high-level workflows, taking your security system to near full automation. 

Ultimately, SOAR solutions aim to achieve fast and effective incident response to curb the effects of cyberattacks.

How does SOAR work?  

Just as the name suggests, SOAR works through orchestration and automation of security operations.

It utilizes scripted playbooks to support the tedious tasks of threat hunting, investigation, and remediation. A playbook refers to a predefined set of procedures and automated workflows designed to guide the response and resolution of specific security incidents. Playbooks outline a series of actions, such as data gathering, analysis, decision-making, and response execution, that should be followed in a step-by-step manner. These playbooks serve as a standardized framework, ensuring consistent handling of security incidents across the organization.

Here is how orchestration and automation play out:

Security orchestration with SOAR

In the context of SOAR, orchestration means coordinating and managing different security tools to work together seamlessly.

For example, during a cyber incident, orchestration enables the coordination of tools like firewalls, intrusion detection systems, and SIEM. The firewall monitors network traffic, the intrusion detection system scans for suspicious behavior, while SIEM collects and analyzes logs.

A global survey by the Ponemon Institute discovered that security teams deploy an average of 45 different tools spread across an average of 19 different platforms. Due to the difficulty of keeping track of separated workflows, more tools mean less ability to identify threats and a slower response to security incidents when they occur.

Through orchestration, SOAR helps to centralize these multitudes of tools. It facilitates triage, allowing you to compile and prioritize security data and events from intelligence sources on one platform. With this, you streamline SOC investigation and analysis workflows without the stress of moving between multiple tools.

Security automation with SOAR

In SOAR, automation refers to the ability to automatically execute security tasks. This reduces the reliance on manual intervention and accelerates the response to cyber threats.

When a potential security breach is detected, the SOAR system automatically triggers a series of predefined actions, such as isolating the affected device from the network, collecting relevant logs and data for analysis, notifying the incident response team, and initiating the investigation process. This level of automation reduces the time and effort required to respond to security incidents, enabling the organization to mitigate threats swiftly.

Using SOAR playbooks, you automate your already orchestrated platform to achieve consistent real-time threat and vulnerability management. Automation can involve low-level repetitive tasks like sending emails or Slack messages to notify your SOC of an Incident of Compromise (IOC), or enriching data from your SIEM and other sources for monitoring. To save even more time, you can configure advanced automations.

You can use built-in or custom playbooks and scripts to streamline workflows between multiple tools. For example, you can create scripts that allow you to go from data ingestion to threat detection, investigation, isolation, and tranquilization,  without human involvement.

Why is SOAR important?

A study by IBM found that globally, SOC teams could as well be spending about 32% of the typical workday looking into false positives — alerts that pose no threat to your systems. This is one of the key challenges that SOAR fixes.

The following benefits add onto the strengths that make SOAR important:

1. SOAR is effective against phishing

IBM’s 2023 X-Force Threat Intelligence Index found that cyber attackers utilize phishing for 41% of their activities. This technique, especially spear phishing, remains the most popular for compromising security systems, and you definitely want to employ technology that is effective against a major threat like this one.

A survey by Swimlane that covered 300 cybersecurity professionals who have deployed SOAR in their organizations proved that it’s indeed effective in fighting phishing. Out of the 300 professionals that were surveyed, 62% use SOAR specifically to fight phishing threats. This group confessed that SOAR has improved the average productivity and efficiency by between 26% and 50%. Swimlane estimates these to be conservative figures, considering that 38% of these professionals were new to SOAR and had used the technology for less than a year. This implies that the percentage improvement could be much higher, and indeed Swimlane affirms that their customers report averages of above 80% improvement in productivity and efficiency.

Also read: Types of Email Attacks

2. Less time resolving incidents

A report by Splunk shows that SOAR can reduce the time spent on remedying attacks byup to 10 times. Using phishing emails as an example, the report shows that 45 minutes of manual email parsing tasks can be reduced to only 40 seconds through automated malware investigation.

What’s more, SOAR doesn't need a human to initiate this investigative workflow. Thanks to threat intelligence and automated response capabilities, the Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) are reduced significantly.

3. Cost reduction

IBM's 2022 report on the Cost of a Data Breach revealed that organizations leveraging AI and automation programs in their security are able to detect threats at a remarkable speed that is 28 days faster than those that don’t. This expedited response time results in an average cost reduction of up to $3.05 million.

SOAR best practices

It isn't just enough to deploy the «best SOAR platform» you can find in the market. You still need to go the extra mile to carry out meticulous management.

Embrace these best practices to get the most out of SOAR.

1. Understand your use-cases well

Before adopting SOAR as an integral part of your security, it's important that you first understand the intricacies of your security infrastructure. This includes the fundamental details about your business and how other areas of IT interact with the security aspect.

Engage in discussions with your SOC (and IT) team members to gain valuable insights into the most critical aspects that need to be addressed when considering a new security solution. This collaborative approach will facilitate the selection of a suitable SOAR tool that offers the necessary features, compliance support, and integrations.

These consultations will also enhance your understanding of workflow logic and empower you to develop highly effective automation playbooks.

2. Adopt essential standards 

To achieve full coordination between services, solutions, and the security team, you need to establish unified standards.

Unified standards here refer to strict conventions around naming and documentation, as well as playbooks, strategies, and integrations.

The goal is to maintain the same understanding of terms and SOAR playbooks across the security team. This will get rid of instances of confusion during security responses.

For integrations, standards make it easy to understand exactly how your third-party solutions work and help you to avoid deploying incompatible tools.

3. Test before committing

You want to make sure that the SOAR tool actually works within your security infrastructure. So before you commit to a purchase, it's important that you first utilize the readily available demos or free trials to test different tools and see how well they fit in your environment.

For deeper insights into overall best management practices around IT, please check this guide on best practices for IT operations. 

SOAR in action: An energy company used SOAR to solve a personnel challenge 

1898 Co., a consultancy services company, utilized SOAR from Swimlane to solve a thorny problem for one of its clients.

The problem and solution: 

The client, an energy company, was experiencing a shortage of operational technology (OT) personnel with good understanding of the key relations between business services and security IT. This meant the energy company couldn't keep up with evolving threats to data and compliance.

Through the on-prem deployment of Swimlane SOAR, the energy company was able to automatically ingest and parse E-ISAC emails, saving 45 minutes per investigation on indicators of compromise (IOC).

The SOAR tool was also able to free up more time on asset management by ingesting and executing forms, and utilizing SIEM alerts for continuous data asset monitoring. This helped solve the company’s compliance issues.

SOAR vs SIEM: difference?

SIEM tools are designed to collect data, identify anomalies, prioritize threats, and generate notifications which security teams then pick and work on. SOAR tools can also do this, but they have additional capabilities which differentiate them from SIEM.

What are these capabilities that distinguish SOAR from SIEM?

• Wider integration: SOAR platforms are capable of integrating with a much more extensive range of security and non-security applications (both internal and external).
• Automated response: While SOAR platforms also issue alerts, they also provide automated responses to threats. This is made possible through AI and machine learning

In simple terms, SIEM helps in detecting and monitoring security events, while SOAR automates and coordinates the response actions to those events.

As SOAR is relatively new compared to SIEM, many organizations leverage SIEM as their primary platform and add SOAR to enhance SIEM's capabilities. This growing trend has prompted many SIEM vendors to incorporate SOAR functionalities, particularly automation, resulting in the emergence of a combined platform known as «next-generation SIEM».  

The key limitation of SOAR 

No single technology has ever passed the litmus test of being all rosy, so is SOAR! 

One of the most profound limitations of SOAR is its heavy reliance on predefined playbooks and rules. This rigid framework may struggle to adapt and respond effectively to new threats that do not fit within the established parameters.

Despite this limitation, all signs point to the enduring presence of SOAR. It's bound to become even more remarkable with advancements in AI and machine learning.

Before you use SOAR: critical insights

It's important to understand that SOAR is not a standalone technology that you can simply deploy and forget about all other solutions. Instead, SOAR is best used as a complementary solution. As we discovered under the section on differences between SOAR and SIEM, many organizations use it to complement SIEM.

Finally, SOAR does not offer a complete replacement for human assistance but rather serves to augment their capabilities, ridding them of lower level repetitive tasks so they can focus on higher tasks and achieve more in a shorter time frame.