Incident Response Automation and Security Orchestration with SOAR

01

Orchestration

Orchestration is the ability to coordinate decision making, and automate responsive actions based on an assessment of risks and environment states.

SOAR tools can do this by integrating with other security solutions in a way that lets them “pull” data and also “push” proactive actions. SOAR provides a generic interface, allowing analysts to define actions on security tools and IT systems without being experts in those systems or their APIs.

03

Incident Management and Collaboration

This SOAR capability helps security teams manage security incidents, collaborate and share data to resolve the incident efficiently.

Alert Processing and Triage

A SOAR tool gathers and analyzes security data, typically taken from the SIEM, correlates data to identify priority and criticality, and automatically generates incidents for investigation. The incident already includes relevant context information, allowing analysts to investigate further. This removes the need for a human to notice the relevant security data, identify it as a security incident and manually set up an incident in the system.

Journaling and Evidentiary Support

A SOAR tool provides an investigation timeline to collect and store artifacts of the security incident, for current and future analysis. Artifacts may relate to known attacker’s activities, which may be carried out over an extended period. Additional artifacts can be pulled in to investigate if they are related to the ongoing incident.

Case Management

The tool can record actions and decisions made by the security team, making them visible to the entire organization, as well as external auditors. Over time, the SOAR tool creates an organizational knowledge base of tribal knowledge—threats, incidents, historical responses and decisions and their outcomes.

Management of Threat Intelligence

A SOAR tools brings in threat data from open-source databases, industry leaders, coordinated response organizations, and commercial threat intelligence providers. The SOAR tool attaches the relevant threat information to specific incidents, and makes threat intelligence easily accessible to analysts as they are investigating an incident.

SOAR tools work closely with SIEM, the SOC’s central information system. SOAR tools leverage the integration with SIEM to:

• Receive alerts and additional security data to identify security incidents
• Draw in data required for analysts to further investigate an incident
• Assist analysts in proactive incident response and threat hunting, which relies on querying and exploring cross-organization data

SOAR as Part of Next-Gen SIEM Solutions

According to Gartner’s Critical Capabilities for SIEM 2017 report, next-generation SIEM solution must include a native component that enables handling and responding to detected incidents via automated and manual case management, workflow and orchestration, as well as capabilities for advanced threat defense.

So while SOAR tools are evolving as a separate category, in Gartner’s vision, SOAR should be an integrated part of the SIEM.

Exbeam’s Security Intelligence Platform is an example of this new hybrid. Exabeam is a SIEM solution based on modern data lake technology, which enables advanced analytics and User Entity Behavioral Analytics. In addition, Exabeam comes with two components that provide full SOAR functionality:

• Exabeam Incident Responder—provides security case management, integration with third-party tools, centralized security orchestration, and automated incident response via security response playbooks.
• Exabeam Threat Hunter—a point-and-click interface that lets SOC analysts quickly perform searches to identify patterns in vast amounts of historic security data. It also provides access to complete incident timelines for past and present security incidents.