SOAR is the acronym for Security Orchestration, Automation and Response. A SOAR solution is a tool that adds intelligence capabilities to the SIEM, allowing organisations to respond quickly to security incidents. The SOAR solution collects alerts and security logs about threats from the SIEM and other relevant sources and responds to these events without human intervention.
SOAR solutions are heavily dependent on playbooks to automate and coordinate workflows that are used to automatically respond to security incidents. The incident management playbook, as the name implies, is a workflow that outlines standard procedures for responding to and resolving incidents.
Key Capabilities of SOAR Solutions
The key capabilities of the SOAR solution are:
Security Automation: Incident management processes can be automated so that basic incidents are orchestrated and automatically responded to without human assistance. Automation mostly involves the development of automatic playbooks, workflows and/or processes on the SOAR solution. These playbooks are automatically activated once the corresponding alert is sent to the SOAR solution by the SIEM.
Security Response: Due to the availability of automated playbooks/workflows/processes, common incidents can automatically be responded to and closed by SOAR solutions. These playbooks are built to mirror the incident management process of the organisation.
SOAR Use Cases
Imagine this security incident scenario:
- An enterprise application user logs on from an entirely different country than the one he normally logs on from.
- The organisation's security team has defined a SOAR playbook for logons from unusual geographical locations.
- This playbook is activated and, as designed, sends an email to the user to confirm that he is the one trying to log on to his account.
- If the user does not confirm within a stipulated time, or states that he is not the one attempting to log in, the playbook automatically disables the user's account on the network until a network admin investigates and resolves the alert.
- If the user confirms that he is the one who made the logon request, he is granted access to the application.
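The decision logic of that playbook, written out as an added example (not code from the original article or from any SOAR product). The user baseline, the 15-minute confirmation window and the action names are constructed assumptions; the point is that the playbook fails closed when no confirmation arrives.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Constructed example data: each user's "normal" logon countries, as a SIEM
# or identity provider might supply them. Hypothetical, not real telemetry.
USER_BASELINE = {"alice": {"GB"}, "bob": {"DE", "AT"}}

CONFIRMATION_TIMEOUT_MIN = 15  # assumed "stipulated time" for the user to reply


class Action(Enum):
    ALLOW = "allow"                         # normal logon, playbook not triggered
    SEND_CONFIRMATION = "send_confirmation_email"
    GRANT_ACCESS = "grant_access"
    DISABLE_ACCOUNT = "disable_account_and_open_ticket"


@dataclass
class LogonAlert:
    user: str
    country: str  # ISO country code derived from the source IP by the SIEM


def is_unusual_location(alert: LogonAlert) -> bool:
    """Trigger condition: logon country not in the user's baseline.
    An unknown user has an empty baseline, so the check is fail-safe."""
    return alert.country not in USER_BASELINE.get(alert.user, set())


def run_playbook(alert: LogonAlert, user_reply: Optional[bool], minutes_elapsed: int) -> Action:
    """Evaluate the 'logon from unusual location' playbook for one alert.

    user_reply: True = user confirmed, False = user denied, None = no reply yet.
    minutes_elapsed: time since the confirmation email was sent.
    """
    if not is_unusual_location(alert):
        return Action.ALLOW
    if user_reply is False:
        # User says it was not them: disable until an admin resolves the alert.
        return Action.DISABLE_ACCOUNT
    if minutes_elapsed >= CONFIRMATION_TIMEOUT_MIN:
        # No confirmation inside the window (fail closed). Assumption: a late
        # confirmation does not re-enable the account; the admin ticket does.
        return Action.DISABLE_ACCOUNT
    if user_reply is None:
        return Action.SEND_CONFIRMATION   # email sent, keep waiting for the reply
    return Action.GRANT_ACCESS            # confirmed in time
```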
Industry-Leading SOAR Solutions
Some of the industry-leading SOAR solutions include:
- SOC 3D
- Rapid7
- Splunk
- LogRhythm
Why Do I Need a SOAR Solution?
Organisations should consider investing in SOAR tools for the following reasons:
- Automation of repetitive incident management tasks: Playbooks can be created for the most commonly performed tasks in the incident management process, allowing the SOAR tool to undertake these tasks.
- Accelerated incident detection and response time: The automated response capabilities of the SOAR tool will generally lead to faster incident response times by the security team.
- Improved security posture: The SOAR tool generally contributes to an improved security posture in the organisation, as incidents can be nipped in the bud by the automated response of the tool.
- Less pressure on security analysts: Security incidents can be handled automatically by the system, so analysts can dedicate their time to other important incident management activities.