Archival article
SOAR, or a higher level of SOC
SOAR (Security Orchestration, Automation and Response) is a relatively new technology in IT security that is becoming increasingly important. It is of particular interest to organizations that have their own SOC (Security Operations Center) or are actively using a SIEM-class system. In the latter case, SOAR is the next step towards a SOC.
What is SOAR?
SOAR is a class of cybersecurity systems designed to manage security events occurring in an organization’s IT/OT systems more effectively. Their functionality basically boils down to three areas: automation of response processes based on playbooks, automatic enrichment of events with additional information drawn from various integrations, and structuring of processes based on roles and tickets.
The idea of SOAR is based on the need to make response teams more efficient. If you are interested in SOAR, it probably means that you consider your systems advanced enough to develop them to a higher level of security. That is the right direction to take. Modern SOAR should consist of:
SOAR orchestration does not have to be based on just one tool. Orchestration can, for example, be based on a SOM-class tool plus integrations. Often a SOC already has SIR and TIP in place; what remains is to add orchestration to them, and in practice you then have what we define as SOAR.
Why are companies opting for SOAR?
Distinguishing ordinary incidents from genuine security incidents takes more and more time because of the vast amounts of information that IT systems record. Of course, SIEM provides mechanisms for correlating events and rejecting false positives, but verifying (triaging) these incidents often requires reaching into multiple systems, so analysts have to spend a lot of time on this task. SOAR solves these problems and increases the effectiveness and efficiency of all IT security activities. The efficiency of the security team is significantly improved and the speed of action and response is increased, which translates into a reduction in the cost of “routine” operations.
According to data reported by Gartner, implementing SOAR allows a 5% to 10% increase in the daily analysis capacity for triaging each malware sample or alert. In a way, a “side effect” of SOAR implementation, in addition to the economic efficiency gains, is the acquisition of new analytical capabilities, which translates into more effective attack detection.
SOAR also means consistent management of work, personnel and accountability.
SOAR implementation – what to prepare for?
First of all, it is necessary to set aside an appropriate amount of time. You will meet vendors who claim that SOAR installation is simply “point-and-click”, but this is not true. In theory, such an implementation is imaginable under ideal laboratory conditions. In reality, a pilot SOAR implementation takes between 30 and 180 days. It primarily involves integrating the solutions already in place (SIEM, EDR, TI, etc.), followed by testing and more testing. Already at this stage it is therefore possible to determine how, and by how much, SOAR improves the performance of the security team in the reality of a given organization.
SOAR implementation and optimization is worth conducting, for example, “per incident category.” For example, it could be phishing. Most of the organizations we work with already have processes in place for phishing and reporting potentially dangerous emails.
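The three functional areas named earlier (playbook-driven response, automatic enrichment through integrations, and role-based ticketing) applied to the phishing case above, as an added example that is not part of the original article or any vendor product. It is a self-contained Python sketch of a playbook engine: the SIEM alert, the threat-intelligence feed and the EDR telemetry are all constructed in-memory stand-ins (hypothetical names and values), not real integrations, and the scoring thresholds and role names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# --- Constructed sample data (stand-ins for SIEM, TI and EDR integrations) ---
# A user-reported phishing mail as it might arrive from a SIEM (constructed).
SAMPLE_ALERT = {
    "id": "ALERT-0001",
    "reporter": "alice@example.test",
    "sender": "billing@examp1e-invoices.test",
    "subject": "Invoice overdue - action required",
    "urls": [
        "http://examp1e-invoices.test/login",
        "https://intranet.example.test/help",
    ],
    "recipient_hosts": ["WS-ALICE"],
}
# Constructed threat-intelligence feed: domain -> classification.
TI_BAD_DOMAINS = {"examp1e-invoices.test": "credential-phishing kit"}
# Constructed EDR telemetry: host -> whether the link in the mail was clicked.
EDR_TELEMETRY = {"WS-ALICE": {"link_clicked": True}}
# Domains the organisation owns; links to these are not suspicious by themselves.
INTERNAL_DOMAINS = {"example.test", "intranet.example.test"}


def domain_of(url):
    """Return the hostname of a URL, lower-cased ('' if it cannot be parsed)."""
    return (urlparse(url).hostname or "").lower()


def enrich(alert):
    """Enrichment step: join the raw alert with TI and EDR data."""
    hosts = alert.get("recipient_hosts", [])
    urls = alert.get("urls", [])
    enriched = dict(alert)
    enriched["external_urls"] = [u for u in urls if domain_of(u) not in INTERNAL_DOMAINS]
    enriched["ti_hits"] = {domain_of(u): TI_BAD_DOMAINS[domain_of(u)]
                           for u in urls if domain_of(u) in TI_BAD_DOMAINS}
    enriched["edr"] = {h: EDR_TELEMETRY.get(h, {"link_clicked": False}) for h in hosts}
    return enriched


def triage(enriched):
    """Scoring step: turn enrichment results into a verdict plus the reasons for it."""
    score, reasons = 0, []
    if enriched["ti_hits"]:
        score += 60
        reasons.append("URL domain on TI blocklist: " + ", ".join(enriched["ti_hits"]))
    if enriched["external_urls"]:
        score += 10
        reasons.append("mail contains external links")
    clicked = [h for h, t in enriched["edr"].items() if t["link_clicked"]]
    if clicked:
        score += 30
        reasons.append("link clicked on host(s): " + ", ".join(clicked))
    # Thresholds are illustrative assumptions, not a standard.
    if score >= 70:
        verdict = "incident"
    elif score >= 30:
        verdict = "suspicious"
    else:
        verdict = "false_positive"
    return verdict, score, reasons


@dataclass
class Ticket:
    alert_id: str
    verdict: str
    score: int
    assignee_role: str            # which SOC role owns the ticket (hypothetical names)
    actions: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


ROLE_FOR_VERDICT = {
    "incident": "tier2_incident_responder",
    "suspicious": "tier1_analyst",
    "false_positive": "auto_closed",
}


def run_playbook(alert):
    """Playbook: enrich, triage, then open a ticket with the response actions to run."""
    enriched = enrich(alert)
    verdict, score, reasons = triage(enriched)
    actions = []
    if verdict == "incident":
        actions.append(f"block sender {enriched['sender']} at the mail gateway")
        actions.extend(f"isolate host {h}" for h, t in enriched["edr"].items() if t["link_clicked"])
        actions.append("purge message from all recipient mailboxes")
    elif verdict == "suspicious":
        actions.append("hold message and request analyst review")
    return Ticket(alert["id"], verdict, score, ROLE_FOR_VERDICT[verdict], actions, reasons)


if __name__ == "__main__":
    print(run_playbook(SAMPLE_ALERT))
```

The point of the structure is that each integration is a separate function that can be swapped for a real SIEM, TI or EDR connector without touching the scoring or ticketing logic, which is where most of the integration fixes mentioned below end up being made. A reported mail that only links to internal domains and was never clicked scores zero and is closed automatically, so analysts see only the tickets that actually need a human.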
A software developer will certainly come in handy when it comes to configuring and troubleshooting the integration of tools such as SIEM or EDR. In practice, it usually happens that they do not communicate with SOAR as expected, and the developer will simply be able to correct or fix those integrations.
If we are the ones to support the implementation process you can of course count on us. Both during the initial installation and integration, as well as at the stage of improving the operation of the whole thing.
Want to know more?
It is difficult in a short article to describe in detail such a complex issue as SOAR and cover all the relevant areas. So it is much better and more efficient to do it during a meeting. Therefore, treat this article as an invitation to talk about this topic. And if you accept it then let us know. Together we will set a mutually convenient date for the meeting and its detailed scope of topics. Until we hear from you!