How Security Orchestration, Automation and Response (SOAR) Evolves IT Security
Organizations are struggling to keep pace with the growing number of security alerts that require manual analysis within modern SIEMs. SOAR tools alleviate the issue by giving security professionals a digital framework for building workflows that automate the analysis of, and response to, security threats at scale.
Automation as an IT enabler
The aim of security automation and orchestration is to achieve a balance between technology-driven threat response and our ability as humans to make accurate security decisions. Organizations that integrate Security Orchestration, Automation and Response (SOAR) solutions into their environment gain the ability to evolve IT security policies and procedures over time, enabling them to keep pace with the exponentially increasing demands of the modern threat landscape.
Because the terms “security automation” and “security orchestration” are easily used interchangeably, let’s define them:
- Security orchestration can be thought of as the “control plane” of event response that bridges both security and non-security products to map out tasks and responses through documented workflows.
- Security automation is the “data plane” of security response that executes those workflows based on triggers or predetermined KPIs.
A continually improving security posture
For a strong cloud security posture, raw technology must be combined with fully orchestrated and automated vulnerability management processes, continuous compliance testing and change management. These ensure company security policies are constantly and accurately enforced in the cloud through continuously validated configurations.
There’s more to orchestration and automation than just Incident Response (IR). During the initial adoption of a SOAR solution, most organizations focus on IR as the prime use case. But SOAR methodologies can be applied to countless security functions, including event simulation, vulnerability sandbox testing, continuous compliance checks, patching dry runs and many others.
SOAR packages security functions so that they can be automated, repeated consistently and made less prone to human configuration and analysis errors.
Should we automate all security functions?
While “automate everything” is a concise, market-friendly approach that communicates the urgency and need for automation, it incorrectly portrays the situation as black and white. Not every security process and action can or should be automated. The decision to automate should be based on the goals of the security organization and on industry requirements.
Tasks deemed too delicate or complex for full automation will still require manual approval and build processes to ensure success. In such instances, automation and orchestration can be integrated and applied to smaller chunks of the overall workflow as identified by the security team.
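The following is an added illustration of the control-plane/data-plane split described above and of the approval gate for tasks the team considers too delicate to fully automate; it is not code from WWT or from any SOAR product. The playbook is the orchestration layer (a documented, ordered workflow), `run_playbook` is the automation layer (it executes only when the alert meets the trigger threshold), and the connector actions, the alert shape and the severity scale are all assumptions constructed for the example.

```python
"""Minimal SOAR-style playbook runner (added example, not vendor code).

Orchestration  = the Playbook: a documented, ordered list of steps.
Automation     = run_playbook: executes the workflow when a trigger fires.
Delicate steps = flagged requires_approval; they wait for a human instead of
                 running automatically, so only part of the workflow is automated.
"""
from dataclasses import dataclass, field
from typing import Callable, Collection, List

# Constructed sample alert in the shape a SIEM might forward (assumption).
SAMPLE_ALERT = {
    "id": "alert-0001",
    "severity": 8,               # hypothetical 0-10 scale
    "host": "ws-042",
    "indicator": "203.0.113.77",  # TEST-NET-3 documentation address
}


@dataclass
class Step:
    name: str
    action: Callable[[dict], dict]
    requires_approval: bool = False  # manual gate for "too delicate" tasks


@dataclass
class Playbook:
    """Orchestration: the documented workflow and the trigger that starts it."""
    name: str
    trigger_min_severity: int
    steps: List[Step]


@dataclass
class RunResult:
    executed: List[str] = field(default_factory=list)
    pending_approval: List[str] = field(default_factory=list)
    context: dict = field(default_factory=dict)


def run_playbook(pb: Playbook, alert: dict,
                 approvals: Collection[str] = ()) -> RunResult:
    """Automation: run the workflow if the trigger is met.

    A step flagged requires_approval runs only when its name is in
    `approvals`; otherwise the run pauses at that gate and reports what is
    waiting for a human decision.
    """
    result = RunResult(context=dict(alert))
    if alert["severity"] < pb.trigger_min_severity:
        return result  # trigger not met: nothing executes
    for step in pb.steps:
        if step.requires_approval and step.name not in approvals:
            result.pending_approval.append(step.name)
            break  # stop at the gate; later steps wait for approval
        result.context = step.action(result.context)
        result.executed.append(step.name)
    return result


# Connector actions stand in for real product integrations (assumption).
def enrich_indicator(ctx: dict) -> dict:
    known_bad = {"203.0.113.77": "reported-scanner"}  # constructed lookup table
    return {**ctx, "reputation": known_bad.get(ctx["indicator"], "unknown")}


def open_ticket(ctx: dict) -> dict:
    return {**ctx, "ticket": f"TICKET-{ctx['id']}"}


def isolate_host(ctx: dict) -> dict:
    return {**ctx, "isolated": ctx["host"]}


TRIAGE = Playbook(
    name="suspicious-outbound-triage",
    trigger_min_severity=7,
    steps=[
        Step("enrich", enrich_indicator),
        Step("ticket", open_ticket),
        Step("isolate", isolate_host, requires_approval=True),
    ],
)

if __name__ == "__main__":
    first = run_playbook(TRIAGE, SAMPLE_ALERT)
    print(first.executed, first.pending_approval)   # ['enrich', 'ticket'] ['isolate']
    second = run_playbook(TRIAGE, SAMPLE_ALERT, approvals={"isolate"})
    print(second.executed, second.context["isolated"])  # [..., 'isolate'] ws-042
```

The design point is that enrichment and ticketing are safe to run unattended, while host isolation is the kind of action the text says should keep a manual approval, so the automated run stops at that step and records it as pending rather than skipping it silently.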
Security orchestration is not an end state and shouldn't be approached in that vein. SOAR methodologies represent a cultural and technical shift within an organization to continually build and update a well-documented and structured set of workflows for a stronger security posture.
Using automation and orchestration tools enables security teams to form and promote the habits of using version control, following strict documentation requirements and continually reviewing security processes.
Does my team need to learn scripting for SOAR?
Although not a necessity, scripting is a key skillset in today’s IT market. The three largest organizational benefits gained by an ability to script are improved speed-to-configure, version control and documentation.
Speed to configure
Out-of-the-box security orchestration tools are meant to offer layers of abstraction, such as graphical user interfaces (GUIs), with plenty of workflows built in to help level the playing field for those less experienced in scripting. In general, GUIs are great for policy visibility and dashboards. But they still might require hundreds of clicks to build and configure the right process and policy. Once a policy is built and a similar one is requested, cloning methods within SOAR tools can be used to speed up policy creation. At organizational scale, though, with potentially hundreds or thousands of unique policies to configure, the extra time spent navigating the GUI adds up to a real loss of productivity.
The good news is most out-of-the-box tools show users the backend scripts that run when items are configured on the GUI, easing users into the process of custom scripting. WWT recommends building initial policies in the GUI, then focusing on scripting for similar policies to speed configuration and execution times.
Version control
Version control and repeatability are key benefits in the world of scripting and automation. Organizations can create golden policy templates that are uploaded to a central repository for all team members to use for script consistency. As use-case-specific policy scripts are built and shared, productivity and speed-to-configure increase while scripting skills within the team improve.
Another benefit of version control is that it allows for easy review of additions to and removals from the script over time. If an issue comes up and the policy needs to be reverted, the version control system has all historical script contents ready to pull without having to track down the owner.
Finally, change control processes are improved with version control as approvers know exactly what's being changed, who has changed it and for what purpose.
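As an added example covering both the “script similar policies from a golden template” advice in the speed-to-configure section and the version-control review just described, the block below renders use-case-specific policies from one template and summarizes what was added, removed or changed between two revisions so an approver can see exactly what is being changed. This is illustration code, not WWT's or any SOAR vendor's; the policy schema (name, scope, thresholds, actions, approval_required, owner) is an assumption.

```python
"""Policy-as-code helpers (added example, not vendor code).

render_policy   clones a golden template and fills in use-case specifics,
                refusing to emit a policy with unfilled fields.
diff_policies   reports added / removed / changed leaves between revisions.
change_summary  renders that diff as review lines for change control.
"""
import copy
from typing import Any, Dict, List, Optional, Tuple

# Constructed golden template; in practice this lives in the team repository.
GOLDEN_TEMPLATE: Dict[str, Any] = {
    "name": None,
    "scope": {"environment": None, "asset_tag": None},
    "thresholds": {"severity_min": 7, "max_auto_actions": 2},
    "actions": ["enrich", "ticket"],
    "approval_required": ["isolate"],
    "owner": None,
}


def render_policy(name: str, environment: str, asset_tag: str, owner: str,
                  overrides: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Clone the golden template and fill in the use-case specific fields."""
    policy = copy.deepcopy(GOLDEN_TEMPLATE)
    policy["name"] = name
    policy["scope"] = {"environment": environment, "asset_tag": asset_tag}
    policy["owner"] = owner
    for key, value in (overrides or {}).items():
        policy[key] = value
    missing = [k for k, v in policy.items() if v is None]
    if missing:  # a template field nobody filled in is a configuration error
        raise ValueError(f"template fields not filled: {missing}")
    return policy


def _flatten(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Map nested dicts to dotted paths; lists and scalars are leaves."""
    if isinstance(obj, dict):
        out: Dict[str, Any] = {}
        for key, value in obj.items():
            out.update(_flatten(value, f"{prefix}{key}."))
        return out
    return {prefix.rstrip("."): obj}


def diff_policies(old: Dict[str, Any], new: Dict[str, Any]) -> Dict[str, Any]:
    """Return {'added', 'removed', 'changed'} keyed by dotted path."""
    a, b = _flatten(old), _flatten(new)
    return {
        "added": {k: b[k] for k in b.keys() - a.keys()},
        "removed": {k: a[k] for k in a.keys() - b.keys()},
        "changed": {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]},
    }


def change_summary(old: Dict[str, Any], new: Dict[str, Any],
                   author: str, reason: str) -> List[str]:
    """Review lines: who changed what, and why (the change-control questions)."""
    d = diff_policies(old, new)
    lines = [f"{new['name']}: changed by {author} ({reason})"]
    for path, value in sorted(d["added"].items()):
        lines.append(f"  + {path} = {value!r}")
    for path, value in sorted(d["removed"].items()):
        lines.append(f"  - {path} (was {value!r})")
    for path, (before, after) in sorted(d["changed"].items()):
        lines.append(f"  ~ {path}: {before!r} -> {after!r}")
    return lines


if __name__ == "__main__":
    v1 = render_policy("prod-web-triage", "prod", "web", "secops")
    v2 = render_policy("prod-web-triage", "prod", "web", "secops", overrides={
        "thresholds": {"severity_min": 5, "max_auto_actions": 2},
        "actions": ["enrich", "ticket", "block_indicator"],
    })
    for line in change_summary(v1, v2, "alice", "lower threshold for web tier"):
        print(line)
```

Keeping rendered policies and the template itself in version control means the output of `change_summary` is what a reviewer reads alongside the commit, and reverting is a matter of rendering the previous revision again rather than tracking down whoever last touched the GUI.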
Documentation
Documentation is an absolute must with SOAR methodologies. By scripting out a policy and documenting all relevant pieces, other individuals can learn from the script and understand the workflow, possibly for years to come. As we’ve all likely seen in our IT careers, institutional knowledge is typically concentrated in a few key individuals. The more those individuals can document and teach, the better off the rest of the organization will be.
To achieve a strong cloud security posture and evolve your IT security capabilities, it’s critical to adopt SOAR tools and methodologies that unite multiple teams, pull together disparate information sources, identify risk and security events, and accelerate the subsequent implementation of applicable changes.
The bottom line is the value of security orchestration fully depends on your organizational needs, a solid roadmap to follow, and internal acceptance and usage of the SOAR toolset.
We recommend focusing on how SOAR can benefit existing security tools and workflows to improve your overall threat response posture while identifying gaps in people, process and technology.
WWT offers workshops for SOAR planning and optimization in our Advanced Technology Center, plus a Security Tools Rationalization Workshop to help you discover and plan for the integration of SOAR tooling. Reach out to your local WWT representative or connect with us to learn more.