Cyber threats are rising in both volume and sophistication. Beyond a certain point, investments in prevention technologies show diminishing returns. Organizations therefore look to add strong orchestration and automation capabilities so they can identify threats quickly and respond before they turn into breaches.
Traditional security monitoring, built around limited log collection and rule-based analysis, is no longer sufficient. It serves compliance use cases and gives visibility into common attacks, but it is ineffective against newer forms of attack. The next generation of security operations needs technologies beyond a traditional SIEM (security information and event management) system and skills beyond eyes-on-glass monitoring.
SOAR (security orchestration, automation and response) is a set of software tools that lets an organization collect data about security threats and respond to security events with little or no human assistance. The goal of using a SOAR platform is to improve the efficiency of physical and digital security operations.
Security orchestration connects and integrates internal and external tools via built-in or custom integrations and application programming interfaces (APIs). Connected systems may include vulnerability scanners, endpoint protection products, end-user behaviour analytics, firewalls, intrusion detection and intrusion prevention systems (IDSes/IPSes) and SIEM platforms, as well as external threat intelligence feeds. With all the data gathered comes a better chance of detecting threats, along with more thorough context and improved collaboration. The trade-off, however, is more alerts and more data to ingest and analyse. Where security orchestration consolidates data to initiate response functions, security automation acts on it.
Security automation, fed by the data and alerts that orchestration collects, ingests and analyses that data and turns manual, repetitive processes into automated ones (often packaged as playbooks). Tasks previously performed by analysts, such as vulnerability scanning, log analysis, ticket checking and audit reporting, can be standardised and executed automatically by the SOAR platform. Using artificial intelligence (AI) and machine learning to learn from analysts' decisions, SOAR automation can make recommendations and automate future responses. Where human judgement is needed, automation instead escalates the threat to an analyst.
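The two halves described above, orchestration (enriching an alert with context pulled from connected tools) and automation (deciding on and executing a response, or escalating when a human should decide), can be seen together in a minimal playbook runner. The following is an added example written for this page, not code from any SOAR product. The alerts, threat-intel entries and asset inventory are constructed in-line, the `Connectors` class stands in for the firewall, EDR and ticketing API integrations a real platform would call, and the policy thresholds and the "critical asset" rule are hypothetical choices made for the illustration. It also shows the alert-volume trade-off mentioned above: an alert whose remedy has already been applied is closed as a duplicate rather than generating more work.

```python
from dataclasses import dataclass, field

# Constructed sample alerts, shaped like what a SIEM forwards over its API.
# None of this is real data; it exists only so the playbook runs offline.
SAMPLE_ALERTS = [
    {"id": "a-001", "rule": "bruteforce-then-success", "src_ip": "203.0.113.45", "host": "ws-finance-07"},
    {"id": "a-002", "rule": "bruteforce-then-success", "src_ip": "203.0.113.45", "host": "db-payroll-01"},
    {"id": "a-003", "rule": "bruteforce-then-success", "src_ip": "192.0.2.77", "host": "ws-finance-07"},
    {"id": "a-004", "rule": "bruteforce-then-success", "src_ip": "203.0.113.45", "host": "ws-finance-07"},
    {"id": "a-005", "rule": "bruteforce-then-success", "src_ip": "198.51.100.8", "host": "ws-finance-07"},
]

# Constructed threat-intel lookup (indicator -> reputation score 0-100 and tags),
# standing in for an external feed queried through an integration.
THREAT_INTEL = {
    "203.0.113.45": {"score": 92, "tags": ["credential-stuffing", "tor-exit"]},
    "198.51.100.8": {"score": 35, "tags": ["scanner"]},
}

# Constructed asset inventory; "critical" assets are never touched automatically.
ASSETS = {
    "ws-finance-07": {"owner": "finance", "tier": "standard"},
    "db-payroll-01": {"owner": "finance", "tier": "critical"},
}


@dataclass
class Connectors:
    """Integration layer (hypothetical). Each method stands in for one API call
    to a connected tool (firewall, EDR, ticketing) and records what it was asked
    to do, so a run can be audited and tested without touching real systems."""
    blocked_ips: set = field(default_factory=set)
    isolated_hosts: set = field(default_factory=set)
    tickets: list = field(default_factory=list)

    def firewall_block(self, ip):
        self.blocked_ips.add(ip)

    def edr_isolate(self, host):
        self.isolated_hosts.add(host)

    def open_ticket(self, alert_id, severity, summary):
        self.tickets.append({"alert": alert_id, "severity": severity, "summary": summary})


def enrich(alert):
    """Orchestration step: pull context from the connected systems and attach it."""
    intel = THREAT_INTEL.get(alert["src_ip"])
    asset = ASSETS.get(alert["host"], {"owner": "unknown", "tier": "unknown"})
    return {
        **alert,
        "intel_score": intel["score"] if intel else None,
        "intel_tags": intel["tags"] if intel else [],
        "asset_tier": asset["tier"],
    }


def run_playbook(alert, conn, auto_threshold=80):
    """Automation step. Returns an audit record of the decision taken.

    Policy (hypothetical, chosen for this example):
      - high-confidence indicator on a critical asset -> escalate, never act alone
      - high-confidence indicator, remedy already applied -> close as duplicate
      - high-confidence indicator on a standard asset -> block IP and isolate host
      - unknown or low-score indicator -> open a ticket for analyst triage
    """
    ctx = enrich(alert)
    ip, host, score = alert["src_ip"], alert["host"], ctx["intel_score"]
    record = {"alert": alert["id"], "actions": []}

    if score is not None and score >= auto_threshold:
        if ctx["asset_tier"] == "critical":
            conn.open_ticket(alert["id"], "high",
                             f"{alert['rule']} on critical asset {host} from {ip} "
                             f"({', '.join(ctx['intel_tags'])})")
            record["decision"] = "escalated_critical_asset"
        elif ip in conn.blocked_ips and host in conn.isolated_hosts:
            record["decision"] = "suppressed_duplicate"
        else:
            conn.firewall_block(ip)
            conn.edr_isolate(host)
            record["actions"] = [f"firewall_block:{ip}", f"edr_isolate:{host}"]
            record["decision"] = "automated"
    else:
        # An unknown indicator ranks above a known-low one: no intel is not evidence of benignity.
        severity = "medium" if score is None else "low"
        conn.open_ticket(alert["id"], severity,
                         f"{alert['rule']} from {ip}, intel score {score}")
        record["decision"] = "escalated_for_triage"
    return record


def run_all(alerts, conn):
    """Run the playbook over a batch of alerts and return the audit trail."""
    return [run_playbook(a, conn) for a in alerts]


if __name__ == "__main__":
    conn = Connectors()
    for rec in run_all(SAMPLE_ALERTS, conn):
        print(rec)
    for t in conn.tickets:
        print("ticket:", t)
```

Two design points carry over to real deployments: every automated action is written to an audit record (what was done, to which indicator, on which alert), and the set of actions the platform may take without a human is bounded by asset criticality rather than by indicator confidence alone, so a noisy feed cannot isolate a production database on its own.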