Security Orchestration, Automation and Response (SOAR)

SIEM and SOAR have a lot in common. Both SIEM and SOAR collect log information from various sources, aggregate it and process it automatically, sometimes using artificial intelligence (AI) or intelligent algorithms.

However, a SIEM is limited to evaluating the collected data to detect security threats and alerts the responsible administrator. The administrator must then react manually to the threat and implement countermeasures if necessary. A SOAR goes one step further here and reacts automatically, i.e. without the intervention of an employee, with defensive measures.

The maturity level of a company in relation to SOAR can be divided into four stages:

• Maturity level 1: The company uses various security solutions such as firewalls and virus scanners, but does not evaluate log files systematically, but only randomly or in the event of special incidents.
• Maturity level 2: There is a systematic, regular evaluation of log files. However, the various security solutions work in isolation. Administrators in the SOC (Security Operation Center) have to manually evaluate and analyze the individual log files of the various products.
• Maturity level 3: Log files from various IT security solutions are merged in a SIEM (Security Information and Event Management) and automatically analyzed. By correlating several sources of information, events can be identified and administrators alerted.
• Maturity level 4: The SIEM alerts the SOAR solution, which handles the incident according to a predefined playbook, a script with individual steps and instructions for action. This playbook can describe, for example, that an account used by an attacker is automatically deactivated and the associated VPN access is blocked.

In particular, the central consolidation of important log files is a fundamental prerequisite for the implementation of a SOAR solution. Whether the log files are collected in a SIEM or directly in the SOAR is of secondary importance, as the trend is towards integrated solutions that offer SIEM and SOAR in one integrated system.

A solution for security orchestration and automation must fulfill various requirements. These include, for example

Flexible connection to existing systems: Your SOAR needs access to large amounts of data that are available in a wide variety of formats. Log files can be provided via syslog, database connection, email, standardized formats such as CEF (Common Event Format) or via proprietary interfaces, for example. It should also be possible to integrate existing SIEM and other evaluation systems into the SOAR.

Simple integration into your infrastructure: This includes, in particular, the broad support of systems from a wide range of manufacturers that can be directly addressed and configured. It must be possible to compile the necessary playbooks without programming knowledge. However, this also includes the possibility of expansion with self-developed software in order to be able to connect your own in-house systems. The SOAR platform should therefore be accessible either via an API or through the integration of scripting languages such as Python or Perl.

Support for existing processes: Admittedly, in some cases it makes sense to scrutinize and redefine existing processes or workflows when introducing a SOAR. In most cases, however, the SOAR will gradually take over and automate processes that were previously carried out manually. The SOAR should therefore allow individual tasks to be automated, while at the same time intermediate steps are executed manually or checkpoints are built in at various points where an analyst can check the status and must approve further process execution.

Comprehensive threat intelligence, i.e. knowledge of current threats: A SOAR must bring a detailed library of known threats, e.g. based on the MITRE ATT&CK matrix as well as indicators for detecting attacks and sensible recommendations for combating them. At the same time, however, false positives must be reliably detected in order to prevent damage to your company. For example, if a lateral movement attack is detected by a specific account, this user could be temporarily blocked on all systems. However, a complete permanent block will not be appropriate.

We advise you on the selection and implementation of your SOAR solution. On the one hand, we have extensive experience in the automation and orchestration of security solutions such as firewalls, VPN gateways and virus protection in general. We also know the various providers of SOAR solutions and can find the right one for you.

We are also happy to help you define or adapt your processes and create and implement suitable playbooks.