I have spoken about the evolution of Security Automation in the past - however, 2021 certainly 'SIEMS' like the year where SOAR will really start SOARing!
The story is becoming all too familiar: operational teams work with multiple platforms to gather, enrich and correlate data from heterogeneous environments, and end up with an incomplete view of security risk. This of course leads to huge inefficiencies and ‘swivel chair fatigue’.
As the enterprise environment evolves, the risk landscape evolves with it, and the monitoring workload grows accordingly. Existing approaches to data collection, analysis, and correlation fail to provide the scale needed to address today's security and visibility requirements.
This is where SOAR comes in.
While automation in the IT world is not a new concept, security teams are now using SOAR for GRC, threat intelligence, incident management, vulnerability management (and other use cases) to provide the scale needed to address today's security and visibility challenges.
Security orchestration connects your systems, tools and infrastructure so that they work together seamlessly with one another, enabling teams to more effectively respond to threats. Think of how an orchestra's conductor brings all instruments together at the right time to make the perfect piece of music!
Meanwhile, security automation is more than just automating standard security controls. Automation is the automatic handling of security operations-related tasks (think detect/analyse/prevent/respond), often applying machine learning capability and typically without human intervention. It is important to note that while it makes perfect sense to automate some processes, a SOAR solution must allow for human intervention at critical decision points.
Security response helps organisations reduce Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR) by enabling security alerts to be qualified and remediated in minutes, rather than days. Response methods can be automated for faster results, such as quarantining files, blocking suspicious files across the enterprise or disabling access to compromised accounts.
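To make the automation and response points concrete, here is an added example (not code from any SOAR product or from the original post) of a minimal playbook runner: it enriches an alert with constructed threat-intel and asset data, automatically executes low-impact containment, and holds the high-impact step (disabling an account) for analyst approval, which is the critical decision point mentioned above. The hash values, hostnames and action names are hypothetical.

```python
"""Minimal SOAR-style playbook runner (added example, hypothetical data)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed threat-intel feed: file hash -> verdict (hypothetical values).
THREAT_INTEL: Dict[str, str] = {"deadbeef": "malicious", "cafebabe": "benign"}


@dataclass
class Alert:
    source: str            # originating tool, e.g. "edr" or "email-gateway"
    file_hash: str
    user: str
    host: str
    enrichment: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    actions: List[str]            # executed automatically by the playbook
    pending_approval: List[str]   # require a human analyst's sign-off


def enrich(alert: Alert) -> Alert:
    """Correlate the alert with intel and asset context (constructed data)."""
    alert.enrichment["verdict"] = THREAT_INTEL.get(alert.file_hash, "unknown")
    # Hypothetical convention: hosts named "dc-*" are domain controllers.
    alert.enrichment["asset_tier"] = "critical" if alert.host.startswith("dc-") else "standard"
    return alert


def run_playbook(alert: Alert,
                 approve_high_impact: Callable[[str], bool] = lambda action: False) -> Decision:
    """Automate containment for clear-cut cases; gate disruptive actions on a human.

    approve_high_impact stands in for the analyst decision; by default nothing
    high-impact is approved, so those actions are queued rather than executed."""
    enrich(alert)
    auto: List[str] = []
    pending: List[str] = []
    verdict = alert.enrichment["verdict"]
    if verdict == "malicious":
        # Low-impact, reversible containment: safe to run without a human.
        auto.append(f"quarantine_file:{alert.file_hash}@{alert.host}")
        auto.append(f"block_hash_enterprise:{alert.file_hash}")
        # Critical decision point: locking out a user is disruptive, so a human decides.
        high = f"disable_account:{alert.user}"
        (auto if approve_high_impact(high) else pending).append(high)
    elif verdict == "unknown":
        # No intel match: route to an analyst instead of guessing.
        pending.append(f"analyst_triage:{alert.file_hash}")
    return Decision(auto, pending)
```

Swapping the `approve_high_impact` callback for a real ticketing or chat approval step is how the same playbook would keep the analyst in the loop in production.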
While SOAR has numerous benefits, it should not be a substitute for skilled security analysts, nor for security information and event management (SIEM) platforms. Neither should it be seen as a replacement for foundational security practices. Instead, a SOAR solution should be viewed as an enterprise enabler that enhances the technologies and services that organisations have relied on for years.
Having a robust and holistic security strategy across detection, analysis, prevention and response is the best way to develop security resilience and protect the enterprise.