SOAR to the next level with automation

Implementing a security orchestration automation and response (SOAR) tool is a crucial capability for security operations teams to perform incident response effectively. Security event volume continues to grow exponentially, and the right technology components need to be in place to set an organisation up for success.

A security information and event management (SIEM) is that central building block needed to get the most out of a SOAR tool. These two security tools offer complementary capabilities that are essential to keep pace with ever-increasing and more sophisticated threats.

It is important for organisations that may be deciding when or how to implement either of these tools to understand the differences and benefits of each prior to making strategic decisions.

A SIEM tool is primarily utilised to aggregate and correlate organisation event data in a central location. It allows security engineers to configure rule sets and thresholds by which to generate alerts on only the most meaningful and high-risk events, based on the unique risk profile of each organisation. SIEM tools parse countless volumes of data to reduce noise and filter down to a subset that require further investigation and action. 

A SOAR tool, on the other hand, is used to link disparate tools across an organisation’s IT infrastructure to orchestrate or automate response actions based on predefined workflows or “playbooks.”

SOAR capabilities enable security teams with fixed resources to scale to meet the demands of higher event volume through increased automation capabilities. Traditionally manual processes such as configuration updates, rule changes or other steps can now be executed in a partially automated or fully automated manner in response to specific event types.

SIEM technology is absolutely essential to a security programme. It is that foundational building block that other tools can integrate with and truly elevate incident response capabilities to the next level.

For an organisation to derive the greatest benefits from a SOAR implementation, it should be done after a well-tuned SIEM tool is in place. Existing event aggregation and correlation by the SIEM tool provides a mechanism for the SOAR component to facilitate actions with greater automation based on the full scope of security events from the organisation.

When SOAR functions are implemented without a SIEM, some siloed automation may be performed in conjunction with tool integration, but the additional event context produced from a SIEM is going to be missing. Without SIEM functionality, the full benefits from implementing a SOAR tool will not be realised.

SOAR capability can elevate security programs to that next level of operational efficiency when building on SIEM technology. However, technology alone cannot transform an organisation – it will only serve as a conduit for greater efficiencies and enable teams to do more with less.

To make the most out of a SOAR tool investment, senior leaders should consider the following:

• Overall objectives and expected outcomes;
• Understand licensing models;
• A mature centralised log management and/or SIEM tool;
• Thoroughly understand most common events types suitable for automation;
• Determine response steps for each event type that can then be incorporated into playbooks within the SOAR tool;
• Identify which existing tools will be integrated with the SOAR functions for automation;
• Establish a strong concept of operations (Conops) between Security and IT operations for task handoff between ticketing tools and the SOAR workflows;
• Create a framework in which continuous feedback and root cause analysis further refines existing tools and drives greater automation.

Security tools can provide immense benefits, but without the proper planning and operational structure within an organisation, the full benefits may not be realised. The prospect of greater security insights along with orchestration and automation to keep pace with evolving threats and protect sensitive data may be all the incentive needed to maximise new security tools.