4 core functions of a Security Orchestration, Automation and Response (SOAR) solution

Although the exact features and capabilities of Security Orchestration Automation and Response (SOAR) platforms on the market will vary from vendor to vendor, there are certain core features and capabilities that they should all inherently possess. Depending on the unique set of challenges and pain points that your organization is facing, some functions might prove more important than others in trying to achieve your overall security program objectives. This blog post will briefly explain the four core functions of SOAR technology with the aim of helping you to align them with your organization’s security goals.

1. Flexible integrations

With the number of security solutions expanding within the IT security stack, whether these would be in-house, out-sourced, or commercial, every SOAR solution should be flexible enough to support a multitude of security products. It is crucially important that the organization’s SOAR solution of choice is flexible enough to allow security operations to easily create bidirectional integrations with security products not supported by default. The methods used to support these types of integrations could vary but might include scripting languages such as Perl or Python, APIs, or proprietary methods. Regardless of the chosen method, it should be easy to implement and the user should not be overwhelmed by the difficulty of use.

Bidirectional integrations are important in providing full automation and orchestration, but in some cases, an organization might not require full bidirectional functionality. For some security products, it may only be vital to support the ingestion of data from the security product to the SOAR platform. These unidirectional integrations are usually much easier to create in cases where full bidirectional integration is not required. Due to this reason, a SOAR platform should support common methods of data ingestion, such as Syslog, database connections, APIs, email and online forms, as well as common data standards such as CEF, OpenIOC, and STIX/TAXII.

2. Process workflows

One of the key features of a SOAR solution is the ability to automate and orchestrate process workflows to achieve force multiplication and reduce the burden of repetitive tasks on security analysts. In order to make this happen, a SOAR solution must be able to support flexible methods for implementing process workflows. There are two basic ways to codify process workflows within a SOAR solution: either classified as linear-style playbooks or flow-controlled workflows.

Since both methods have their own pros and cons and each is suitable for different use cases, both should be supported by a SOAR solution. In either case, the implementation of these workflows must be flexible enough to support nearly any process which might need to be codified within the solution. Workflows should support the use of both built-in and custom integrations, as well as the creation of manual tasks to be completed by an analyst.

Flow-controlled workflows should be able to support different types of flow control mechanisms, including those which allow for an analyst to make a decision manually before the workflow continues. Allowing control to be passed between the automation engine and an analyst allows for much greater flexibility and enables the automation to continue beyond the first point at which a human decision is required.

Building workflows should not require a high level of scripting or programming knowledge. Since workflows are the core of the automation and orchestration processes within a SOAR solution, equal attention should be paid to flexibility and ease of use. Workflows that are difficult to build or hard to understand by a wide range of users will cause confusion and sub-optimal performance during an incident.

3. Incident management

The incident response process is a multi-layered, complex process. In this context, the orchestration and automation of security products provide added value to any security program, but to maximize the time and monetary investment in the SOAR solution, it has to include additional features to operate throughout the entire incident response lifecycle. This includes basic case management functionality, such as tracking cases, recording actions taken during the incident, and reporting on critical metrics and KPIs.

However, the incident management capabilities of a SOAR solution should not consist only of case management functionality. To provide proper management of the entire incident response lifecycle, a SOAR solution should also provide the following incident management features:

• Phase and objective tracking

• Detailed task tracking, including assignment, time spent, and status

• Asset management, tracking all physical and virtual assets involved in the incident

• Evidence and chain of custody management

• Indicator and sample tracking, correlation, and sharing

• Document and report management

• Time and monetary effort tracking

4. Threat intelligence

Actionable threat intelligence is a critical component in effective and efficient incident response. While simple threat intelligence feeds still provide some value and should be supported by a SOAR solution, to be truly effective in today’s threat landscape, threat intelligence must go above and beyond simple feeds. Tracking of indicators and samples, such as IP addresses, URLs, malware samples, and TTPs remains a critical component of incident management.

However, to become actionable threat intelligence, these indicators must be surrounded with further context. Because a SOAR solution has access to not only the indicators but also the rest of the incident information which can provide additional context, it is in a unique position to gather actionable threat intelligence.

In order to provide genuine value, a SOAR solution should go a step further beyond gathering threat intelligence. A proactive security program requires threat intelligence to be properly correlated to the end of discovering attack patterns, potential vulnerabilities, and other ongoing risks to the organization. This correlation should be performed automatically and it should be immediately clear if an ongoing incident may share common factors with any previous incidents.

Although automated correlation is critical for analysts to make informed decisions during the incident response lifecycle, visual correlation is also an important factor when assessing threat intelligence capabilities. Many proactive security programs today include many different forms of threat hunting, while actively looking for attacks and patterns that may not have been detected through automated methods. To make this process easier, threat intelligence and correlated events should be displayed in an easy-to-understand visual manner to allow analysts to effectively analyze the information.

Summary

We hope that the above details will provide you with some guidance in deciding on which SOAR platform to employ within your security program to suit your individual organization’s strategy. As stated in the beginning, even though most SOAR platforms on the market are unique in their own ways, there are still some characteristics that are mentioned here which should be included as the norm.