
Security automation: Are you ready to SOAR in 2021?

Lloyd Cartwright |

March 12, 2021

I have spoken about the evolution of Security Automation in the past - however, 2021 certainly 'SIEMS' like the year where SOAR will really start SOARing!


The story is becoming all too familiar: operational teams work across multiple platforms to gather, enrich and correlate data from heterogeneous environments, and end up with an incomplete view of security risk. This of course leads to huge inefficiencies and 'swivel chair fatigue'.


As the enterprise environment evolves, the risk landscape evolves with it, and the monitoring workload grows accordingly. Existing approaches to data collection, analysis and correlation fail to provide the scale needed to address today's security and visibility requirements.


This is where SOAR comes in.


SOAR = Security Orchestration, Automation & Response

While Automation in the IT world is not a new concept, security teams are using SOAR for GRC, Threat Intelligence, Incident Management, Vulnerability Management (and other use cases) to provide the scale needed to address today's security and visibility challenges.


Bringing Orchestration, Automation & Response Together

Security orchestration connects your systems, tools and infrastructure so that they work together seamlessly with one another, enabling teams to more effectively respond to threats. Think of how an orchestra's conductor brings all instruments together at the right time to make the perfect piece of music!


Meanwhile, security automation is more than just automating standard security controls. Automation is the automatic handling of security operations-related tasks (think detect/analyse/prevent/respond), often applying machine learning capability and typically without human intervention. It is important to note that while it makes perfect sense to automate some processes, a SOAR solution must allow for human intervention at critical decision points.


Security response helps organisations reduce Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR) by enabling security alerts to be qualified and remediated in minutes, rather than days. Response methods can be automated for faster results, such as quarantining files, blocking suspicious files across the enterprise or disabling access to compromised accounts.
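To make the "automate, but gate the critical decisions" point concrete, here is a small playbook runner written for this post (it is an added example, not 6clicks code or any particular SOAR product's API). The alerts, the in-memory `EnforcementState` standing in for endpoint and identity tooling, and the choice to gate only `disable_account` behind analyst approval are all constructed assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class EnforcementState:
    """Constructed stand-in for the EDR/IAM systems an orchestrator would call."""
    quarantined: set = field(default_factory=set)
    blocked_hashes: set = field(default_factory=set)
    disabled_accounts: set = field(default_factory=set)
    audit: list = field(default_factory=list)  # every decision is recorded for review

# Response actions the post lists as automatable (simulated against the state above).
def quarantine_file(state, alert):
    state.quarantined.add((alert["host"], alert["sha256"]))

def block_hash(state, alert):
    state.blocked_hashes.add(alert["sha256"])  # enterprise-wide block

def disable_account(state, alert):
    state.disabled_accounts.add(alert["user"])

# Playbooks keyed by alert kind: (action, gated). Gating choices are this example's
# assumption: locking a user out is treated as a critical decision point.
PLAYBOOKS = {
    "malicious_file": [(quarantine_file, False), (block_hash, False)],
    "credential_compromise": [(disable_account, True)],
}

# Constructed sample alerts; the hash is a placeholder, not a real indicator.
SAMPLE_ALERTS = [
    {"id": "A-1", "kind": "malicious_file", "host": "ws-042", "sha256": "<constructed-sha256>"},
    {"id": "A-2", "kind": "credential_compromise", "user": "jdoe"},
]

def run_playbook(alert: dict, state: EnforcementState,
                 approve: Callable[[str, dict], bool]) -> list:
    """Run the playbook for one alert; gated actions execute only if approve() says so."""
    outcome = []
    for action, gated in PLAYBOOKS.get(alert["kind"], []):
        status = "executed"
        if gated and not approve(action.__name__, alert):
            status = "held_for_analyst"  # human decision point: nothing is changed
        else:
            action(state, alert)
        state.audit.append((alert["id"], action.__name__, status))
        outcome.append((action.__name__, status))
    return outcome

if __name__ == "__main__":
    st = EnforcementState()
    for a in SAMPLE_ALERTS:  # approve() returning False models "no analyst yet"
        print(a["id"], run_playbook(a, st, lambda name, al: False))
```

Low-risk containment runs immediately, while the account lockout sits in the audit trail as held until an analyst approves it; swapping the `approve` callback for a ticketing or chat prompt is where a real orchestrator would plug in.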


You can't beat good people, good strategy & good software

While SOAR has numerous benefits, it should not be a substitution for human involvement - such as skilled security analysts or security information and event management (SIEM) platforms. Neither should it be seen as a replacement for foundational security practices. Instead, a SOAR solution should be viewed as an enterprise-enabler that enhances the technologies and the services that organisations have relied on for years.

Having a robust and holistic security strategy across detection, analysis, prevention and response is the best way to develop security resilience and protect the enterprise.

Written by Lloyd Cartwright

Lloyd Cartwright has a diverse background in the field of cybersecurity and risk management. He began his career as a Cyber Security Analyst and Cyber Security Technologist at Barclays in 2018. Later, in 2021, he transitioned to Finning, where he worked as a Security Risk and Compliance Analyst. Currently, Lloyd holds the position of Senior Solutions Architect at 6clicks. At 6clicks, Lloyd contributes to building resilient cyber, risk, and compliance programs powered by AI. His expertise helps organizations streamline compliance, manage risk profiles, and confidently engage with vendors. With a passion for sport, reading, and music, Lloyd brings a holistic perspective to his work, emphasizing the importance of open forums and agile responses in today's fast-changing world.