SOAR (Security Orchestration, Automation, and Response) is a class of software designed for orchestration, in other words, the coordination and management of security systems. Specifically, SOAR solutions enable a security team to gather data on information security events from multiple sources, process it, and automate standard response scenarios.
SOAR solutions integrate multiple security solutions into a single system, relieving security professionals of the need to administer each of them individually and enabling them to focus on the analysis of complex incidents.
SOAR solution functionality
Collecting data on potential incidents. SOAR systems are capable of aggregating and processing information security (IS) signals from multiple sources, including:
- SIEM solutions;
- Antivirus solutions and other endpoint security software;
- DLP products;
- Threat Intelligence platforms;
- UEBA (user and entity behavior analytics) solutions;
- Network firewalls;
- OS directory services.
Incident analysis. Either automatically, following predefined scenarios (playbooks), or in manual mode, SOAR solutions supplement the available information on a cyberincident with data from external databases, records of similar past events, and other sources. This stage also includes compiling a list of affected objects and devices.
Threat identification and classification. Based on a comprehensive analysis of the data obtained, a SOAR solution assesses the state of the infrastructure, identifies potentially unsafe events, ranks them by degree of risk, and notifies the security team. If necessary, the system quarantines infected devices to keep the attack from spreading further, or takes other measures in line with the organization’s policy.
Incident response. Based on the incident data, the SOAR solution takes the sequence of steps needed to eliminate the threat or minimize its impact. Possible measures include issuing commands to other information security products, remotely removing malicious objects, restoring registry keys, and more.
Data visualization and reporting. Most SOAR solutions offer an overview of cyberincident data across an organization’s departments, endpoints, software products, or individual employees. The organization’s current security level is reported as charts or dashboard widgets, updated in real time.
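The five stages above, as an added example that is not part of the original article: a minimal Python pipeline that collects constructed alerts from three sources (a SIEM, an endpoint agent and a DLP product), enriches them against a constructed threat-intelligence feed, scores and ranks risk, records playbook actions per risk tier, and returns the report rows. Every host, user, indicator, severity value and threshold is invented for illustration, and the `executor` hook only marks where an organization's own EDR, identity or ticketing integrations would be called.

```python
"""Minimal SOAR-style pipeline: collect -> enrich -> classify -> respond -> report.

Added example (not part of the original article); every alert, indicator,
feed entry and threshold below is constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed alerts as they might arrive from a SIEM, an endpoint agent (EDR)
# and a DLP product. The SIEM is just one more event source here.
SAMPLE_ALERTS = [
    {"source": "siem", "host": "ws-042", "user": "jdoe",
     "indicator": "203.0.113.7", "type": "c2_beacon"},
    {"source": "edr", "host": "ws-042", "user": "jdoe",
     "indicator": "0123456789abcdef0123456789abcdef", "type": "malware_detected"},
    {"source": "dlp", "host": "ws-017", "user": "asmith",
     "indicator": None, "type": "policy_violation"},
]

# Constructed threat-intelligence feed: indicator -> (verdict, confidence 0-100).
THREAT_INTEL = {
    "203.0.113.7": ("malicious", 90),
    "0123456789abcdef0123456789abcdef": ("malicious", 95),
}

# Base severity per alert type (0-100); in practice set by the organization's policy.
BASE_SEVERITY = {"c2_beacon": 60, "malware_detected": 70, "policy_violation": 30}


@dataclass
class Incident:
    host: str
    user: str
    alerts: list = field(default_factory=list)
    indicators: dict = field(default_factory=dict)  # indicator -> (verdict, confidence)
    risk: int = 0
    actions: list = field(default_factory=list)     # (action, target) pairs


def collect(alerts):
    """Stage 1: aggregate raw alerts from all sources into one incident per host."""
    incidents = {}
    for alert in alerts:
        inc = incidents.setdefault(alert["host"], Incident(alert["host"], alert["user"]))
        inc.alerts.append(alert)
    return incidents


def enrich(inc, feed=THREAT_INTEL):
    """Stage 2: supplement the incident with threat-intel verdicts on its indicators."""
    for alert in inc.alerts:
        ioc = alert.get("indicator")
        if ioc:
            inc.indicators[ioc] = feed.get(ioc, ("unknown", 0))
    return inc


def classify(inc):
    """Stage 3: score risk 0-100 from alert types, corroborating sources and TI hits."""
    score = max(BASE_SEVERITY.get(a["type"], 10) for a in inc.alerts)
    score += 10 * (len({a["source"] for a in inc.alerts}) - 1)      # independent sources agree
    score += sum(conf // 5 for verdict, conf in inc.indicators.values()
                 if verdict == "malicious")                          # up to +20 per malicious IoC
    inc.risk = min(score, 100)
    return inc


def respond(inc, executor=None, high=80, medium=50):
    """Stage 4: pick playbook actions by risk tier.

    Actions are always recorded on the incident; they are executed only if an
    executor callable (a wrapper around EDR/IdP/ticketing APIs) is passed.
    """
    if inc.risk >= high:
        inc.actions += [("isolate_host", inc.host), ("disable_user", inc.user)]
    elif inc.risk >= medium:
        inc.actions.append(("open_ticket", inc.host))
    else:
        inc.actions.append(("notify_analyst", inc.host))
    if executor is not None:
        for action in inc.actions:
            executor(*action)
    return inc


def run_pipeline(alerts=SAMPLE_ALERTS, executor=None):
    """Stage 5: run all stages and return report rows, highest risk first."""
    incidents = collect(alerts)
    rows = []
    for inc in incidents.values():
        respond(classify(enrich(inc)), executor)
        rows.append({"host": inc.host, "user": inc.user, "risk": inc.risk, "actions": inc.actions})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


if __name__ == "__main__":
    for row in run_pipeline():
        print(row)
```

With the constructed input, `ws-042` reaches the top tier because two independent sources report it and both of its indicators are known-malicious, so the playbook records host isolation and a user disable; `ws-017` stays at the lowest tier and only gets an analyst notification. Without an `executor` the pipeline is a dry run, which is how a playbook should first be exercised before any automated action is wired to production systems.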
The difference between SOAR and SIEM
SIEM (Security Information and Event Management) solutions have a lot in common with SOAR systems, which is why the two terms are sometimes used interchangeably. However, there are substantial differences: whereas SIEM solutions are designed for collecting information and managing incidents manually, SOAR systems focus on automating and orchestrating multiple information security systems, and specifically on the response stage. That means SIEM solutions complement SOAR systems, serving as a source of information about events.