SOAR stands for Security Orchestration, Automation, and Response. The term covers three software capabilities: threat and vulnerability management, security incident response, and security operations automation. SOAR allows companies to collect threat-related data from a range of sources and to automate the response to low-level threats.
What is SOAR
SOAR connects all your security tools together into defined workflows that can be run automatically. It increases the efficiency of your team members by automating repetitive processes.
Automation is very important in today's security world because security teams are overwhelmed. As new tools are developed to address security challenges, network security experts have to keep switching between those tools to analyse what each of them reports.
One of the common day-to-day tasks is responding to alerts. With more security tools come more alerts. When you have more alerts to respond to, you have less time to spend on each alert, which increases the likelihood of mistakes being made. This situation, where the sheer volume of alerts degrades an analyst's performance, is referred to as alert fatigue.
You should also note that even if you want to hire more security analysts, they are in short supply. When SOAR puts all the alerts in one place, it reduces the number of separate alerts that analysts have to deal with. Analysts can then perform all their analysis from a single console instead of from each device's own interface. The steps they take can then be captured, manually or automatically, as a playbook.
A playbook is like a flowchart of steps that can be repeated on demand. By using a playbook, you can ensure that standard operating procedures are followed and that no step is missed. You can also monitor the activities that are performed: what was done, when it was done, and who carried it out. This is what orchestration and automation mean in network security.
Investigation is another crucial capability of SOAR. When suspicious activity is discovered, teams can perform their investigative tasks from within the platform. During an investigation, they can check threat intelligence sources to find out where the activity is coming from and whether it has been seen before.
They can also query the security information and event management (SIEM) system to learn more about the threat, profile it, and decide on the best way of dealing with it.
The information gathered during the investigation then determines the mitigation steps to follow. Because SOAR is connected to all your security tools, you can take those mitigation steps from within SOAR and apply them across your entire network security infrastructure.
From within SOAR, you can block traffic from a malicious IP address at the firewall, or delete a phishing email from the mail server. You can also use playbooks to automate such repetitive tasks.
Automation allows analysts to devote more time to investigating threats and taking mitigation steps. SOAR does more than centralise the incident response process; it optimises the organisation's entire security operation, which improves the performance of security staff and boosts collaboration.
SOAR also allows you to assign different categories of alerts to the people equipped to handle them. Those working on an alert can attach additional information to it as they go, so that whoever picks it up later has that extra context.
More About Playbooks
A team uses a playbook, also known as a workflow, to define how it responds to a given type of alert. The playbook emulates the steps an analyst would take when responding to a security incident. It handles repetitive tasks such as querying databases or sending emails, and it can also push blocks to the firewall.
It allows teams to improve their response speed and consistency while keeping control over the entire process. Using a playbook reduces the analyst's workload and the chance of error. SOAR can be used to carry out a phishing investigation. Without SOAR, an analyst spends a great deal of time tracing the sender of a phishing email.
Once the analyst determines where the phishing email is coming from, they need to spend more time investigating the sending server.
They then need to determine who received or clicked on the email and delete it from those mailboxes. With a phishing investigation playbook, the initial steps of the investigation are taken automatically. As emails come in, the analyst is only alerted to those that the playbook considers suspicious.
After the analyst confirms that the email really is a phishing email, the playbook continues with the remaining actions. It automatically deletes the email from all users' inboxes and then notifies the analyst of the actions taken. It can also record what to do when similar phishing messages are received in the future. The Fortinet SOAR product is called FortiSOAR, and it offers all the features mentioned so far.
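The phishing playbook described in the last few paragraphs, and the block-IP, delete-email and audit-trail points made earlier, can be seen working end to end in the small example below. This is added code written for this page, not FortiSOAR or any vendor's product. The blocklists, mail store and firewall are in-memory stand-ins for the connectors a real SOAR platform would call (an assumption), the two sample emails are constructed, and the two-indicator threshold is an arbitrary choice for the demo.

```python
"""Toy phishing-investigation playbook in the SOAR style described above. Added example,
not FortiSOAR's code: blocklists, mail store and firewall are in-memory stand-ins."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

KNOWN_BAD_DOMAINS = {"paypa1-secure.example", "login-verify.example"}  # constructed TI
KNOWN_BAD_IPS = {"203.0.113.45"}  # constructed; RFC 5737 documentation range
LURE_WORDS = re.compile(r"urgent|verify your account|suspended", re.I)
URL_HOST = re.compile(r"https?://([\w.-]+)")


@dataclass
class Email:
    msg_id: str
    sender: str
    sender_ip: str
    subject: str
    body: str
    recipients: list


class MailStore:  # stand-in mail-server connector: mailbox -> set of message ids
    def __init__(self, emails):
        self.boxes = {}
        for e in emails:
            for r in e.recipients:
                self.boxes.setdefault(r, set()).add(e.msg_id)

    def purge(self, msg_id):
        """Delete a message from every mailbox holding it; return how many."""
        hits = [ids for ids in self.boxes.values() if msg_id in ids]
        for ids in hits:
            ids.discard(msg_id)
        return len(hits)


class Firewall:  # stand-in firewall connector
    def __init__(self): self.blocked = set()
    def block_ip(self, ip): self.blocked.add(ip)


class PhishingPlaybook:
    def __init__(self, mail, firewall):
        self.mail, self.fw = mail, firewall
        self.bad_domains = set(KNOWN_BAD_DOMAINS)  # grows as phish are confirmed
        self.audit = []  # the audit trail: who did what, to what, and when

    def _log(self, actor, action, target):
        self.audit.append({"when": datetime.now(timezone.utc).isoformat(),
                           "who": actor, "action": action, "target": target})

    def triage(self, e):
        """Automated first steps: enrich and score. Nothing destructive happens here."""
        domain = e.sender.rsplit("@", 1)[-1].lower()
        link_hosts = [h.lower() for h in URL_HOST.findall(e.body)]
        reasons = []
        if domain in self.bad_domains:
            reasons.append("sender domain on blocklist")
        if e.sender_ip in KNOWN_BAD_IPS:
            reasons.append("sender IP on blocklist")
        if any(h in self.bad_domains for h in link_hosts):
            reasons.append("link to blocklisted domain")
        if LURE_WORDS.search(e.subject):
            reasons.append("urgency lure in subject")
        suspicious = len(reasons) >= 2  # threshold is an assumption for the demo
        self._log("playbook", "triage", {"msg_id": e.msg_id, "suspicious": suspicious})
        return {"msg_id": e.msg_id, "suspicious": suspicious, "reasons": reasons,
                "recipients": list(e.recipients)}

    def respond(self, e, analyst, confirmed):
        """Runs only after the analyst's decision; destructive steps are gated on it."""
        self._log(analyst, "decision", {"msg_id": e.msg_id, "confirmed_phish": confirmed})
        if not confirmed:
            return {"deleted": 0, "blocked_ip": None}
        deleted = self.mail.purge(e.msg_id)
        self._log("playbook", "delete_email", {"msg_id": e.msg_id, "mailboxes": deleted})
        self.fw.block_ip(e.sender_ip)
        self._log("playbook", "block_ip", e.sender_ip)
        self.bad_domains.add(e.sender.rsplit("@", 1)[-1].lower())  # remember for next time
        return {"deleted": deleted, "blocked_ip": e.sender_ip}


def run_demo():
    """Constructed inbound mail: one phish and one legitimate newsletter."""
    emails = [
        Email("m1", "it-support@paypa1-secure.example", "203.0.113.45",
              "URGENT: verify your account", "Click http://login-verify.example/reset now",
              ["ada@corp.example", "bob@corp.example"]),
        Email("m2", "newsletter@vendor.example", "198.51.100.7", "October product update",
              "Read more at https://vendor.example/blog", ["ada@corp.example"]),
    ]
    pb = PhishingPlaybook(MailStore(emails), Firewall())
    results = {e.msg_id: pb.triage(e) for e in emails}
    for e in emails:  # only suspicious mail is escalated to the analyst
        if results[e.msg_id]["suspicious"]:
            results[e.msg_id]["response"] = pb.respond(e, analyst="ada", confirmed=True)
    return pb, results


if __name__ == "__main__":
    playbook, outcome = run_demo()
    print(outcome)
    for entry in playbook.audit:
        print(entry)
```

Running it triages both messages, escalates only m1 to the analyst, and after the analyst confirms it purges m1 from both mailboxes, blocks the sender IP and records every step, human and automated, in the audit list. The design point worth copying is the split between `triage` (automatic, read-only) and `respond` (destructive, and only after a human decision): the playbook saves the analyst the enrichment work without letting an automated false positive delete mail or block traffic.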
PS: If you would like an online course on any of the topics covered on this blog, I will be glad to provide it, at both individual and corporate level. I have trained several individuals and groups, and they are doing well in their various fields of endeavour. Some of those I have trained include the staff of Dangote Refinery, FCMB, Zenith Bank, and New Horizons Nigeria, among others. Please come on WhatsApp and let's talk about your training. You can reach me on WhatsApp HERE. Please note that I will be using Microsoft Teams to facilitate the training.
You might agree with some of the points I have raised in this article, and you might not agree with others. Let me know your views on the topic discussed. We would appreciate it if you could drop a comment. Thanks in anticipation.