Security orchestration

Security orchestration, automation and response (SOAR) is a group of cybersecurity technologies that allow organizations to respond to some incidents automatically. It collects inputs monitored by the security operations team such as alerts from the SIEM system, TIP, and other security technologies and helps define, prioritize, and drive standardized incident response activities.^[1]^[2]^[3]

Organizations use SOAR platforms to improve the efficiency of physical and digital security operations.^[4] SOAR enables administrators to handle security alerts without the need for manual intervention. When a network tool detects a security event, SOAR can either alert the administrator or take another predefined action, depending on the event’s nature.^[2]

Components

"Orchestration" connects the different security tools and systems of the Information system. It integrates custom-built applications with built-in security tools, so they all work with each other. It also connects diverse endpoints, firewalls and behavior analysis tools.^[5]

"Automation" takes the huge amount of information generated through orchestration and analyzes it through machine learning processes. SOAR handles many manual tasks such as log analysis and can also handle ticket requests, vulnerability checks and auditing processes.^[5]

"Incident response" allows security teams to react when a potential threat is indicated. This component also handles post-incident activities such as threat intelligence sharing in an automated way.^[5]

Playbooks and runbooks

SOAR allows security administrators to define the potential incidents and the response, thanks to playbooks and runbooks.^[2]

A playbook is a document that describes how to verify a cybersecurity incident and how the incident should be responded. The purpose of the playbook is to document what the runbook should do. A playbook can also serve as a manual backup if the SOAR system fails.^[2]

A runbook implements the playbook data into an automated tool so that it performs predefined actions to mitigate the threat.^[2]

References

^ "Definition of Security Orchestration, Automation and Response (SOAR) - Gartner Information Technology Glossary". Gartner. Retrieved 2023-04-28.
^ ^a ^b ^c ^d ^e Mike Chapple, James Michael Stewart, Darril Gibson (2021). (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (Sybex ed.). pp. 845–846. ISBN 978-1-119-78623-8.{{cite book}}: CS1 maint: multiple names: authors list (link)
^ "Security Orchestration, Automation and Response (SOAR) Platforms, Solutions and Use Cases". D3 Security. Retrieved 2023-06-21.
^ "What is SOAR (Security Orchestration, Automation and Response)? | Definition from TechTarget". Security. Retrieved 2023-04-28.
^ ^a ^b ^c "The Important Role of SOAR in Cybersecurity". Security Intelligence. Retrieved 2023-04-28.

[1] "Definition of Security Orchestration, Automation and Response (SOAR) - Gartner Information Technology Glossary". Gartner. Retrieved 2023-04-28.

[:0-2] Mike Chapple, James Michael Stewart, Darril Gibson (2021). (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (Sybex ed.). pp. 845–846. ISBN 978-1-119-78623-8.{{cite book}}: CS1 maint: multiple names: authors list (link)

[3] "Security Orchestration, Automation and Response (SOAR) Platforms, Solutions and Use Cases". D3 Security. Retrieved 2023-06-21.

[4] "What is SOAR (Security Orchestration, Automation and Response)? | Definition from TechTarget". Security. Retrieved 2023-04-28.

[:1-5] "The Important Role of SOAR in Cybersecurity". Security Intelligence. Retrieved 2023-04-28.

[1]

[2]

[3]

[4]

[5]