Free community edition

Request a demo

4 Core Functions of a Security Orchestration, Automation and Response (SOAR) Solution

Back to all articles

Security Orchestration, Automation and Response (SOAR) Solution

Although the exact features and capabilities of Security Orchestration Automation and Response (SOAR) platforms on the market will vary from vendor to vendor, there are certain core features and capabilities that they should all inherently possess. Depending on the unique set of challenges and pain points that your organization is facing, some functions might prove more important than others in trying to achieve your overall security program objectives. This blog post will briefly explain the four core functions of SOAR technology with the aim of helping you to align them with your organization’s security goals.

1. Flexible Integrations

With the number of security solutions expanding within the IT security stack, whether they these would be in-house, out-sourced or commercial, every SOAR solution should be flexible enough to support a multitude of security products. It is crucially important that the organization’s SOAR solution of choice is flexible enough to allow security operations to easily create bidirectional integrations with security products not supported by default. The methods used to support these types of integrations could vary but might include scripting languages such as Perl or Python, APIs, or proprietary methods. Regardless of the chosen method, it should be easy to implement and the user should not be overwhelmed by the difficulty of use.

Bidirectional integrations are important in providing full automation and orchestration, but in some cases an organization might not require full bidirectional functionality. For some security products it may only be vital to support the ingestion data from the security product to the SOAR platform. These unidirectional integrations are usually much easier to create in cases where full bidirectional integration is not required. Due to this reason, a SOAR platform should support common methods of data ingestion, such as syslog, database connections, APIs, email and online forms, as well as common data standards such as CEF, OpenIOC and STIX/TAXII.

2. Process Workflows

One of the key features of a SOAR solution is the ability to automate and orchestrate process workflows to achieve force multiplication, and reduce the burden of repetitive tasks on security analysts. In order to make this happen, a SOAR solution must be able to support flexible methods for implementing process workflows. There are two basic ways to codify process workflows within a SOAR solution: either classified as linear-style playbooks or flow-controlled workflows or runbooks.

Since both methods have their own pros and cons and each are suitable for different use cases, both should be supported by a SOAR solution. In either case, the implementation of these workflows must be flexible enough to support nearly any process which might need to be codified within the solution. Workflows should support the use of both built-in and custom integrations, as well as the creation of manual tasks to be completed by an analyst.

Flow controlled workflows should be able to support different types of flow control mechanisms, including those which allow for an analyst to make a decision manually before the workflow continues. Allowing control to be passed between the automation engine and an analyst allows for a much greater flexibility and enables the automation to continue beyond the first point at which a human decision is required.

Building workflows should not require a high level of scripting or programming knowledge. Since workflows are the core of the automation and orchestration processes within a SOAR solution, equal attention should be paid to flexibility and ease of use. Workflows which are difficult to build or hard to understand by a wide range of users will cause confusion and sub-optimal performance during an incident.

3. Incident Management

The incident response process is a multi-layered, complex process. In this context, the orchestration and automation of security products provide added value to any security program, but to maximize the time and monetary investment in the SOAR solution, it has to include additional features to operate throughout the entire incident response lifecycle. This includes basic case management functionality, such as tracking cases, recording actions taken during the incident and reporting on critical metrics and KPIs.

However, the incident management capabilities of a SOAR solution should not consist only of case management functionality. To provide a proper management of the entire incident response lifecycle, a SOAR solution should also provide the following incident management features:

  • Phase and objective tracking

  • Detailed task tracking, including assignment, time spent and status

  • Asset management, tracking all physical and virtual assets involved in the incident

  • Evidence and chain of custody management

  • Indicator and sample tracking, correlation and sharing

  • Document and report management

  • Time and monetary effort tracking

4. Threat Intelligence

Actionable threat intelligence is a critical component in effective and efficient incident response. While simple threat intelligence feeds still provide some value and should be supported by a SOAR solution, to be truly effective in today’s threat landscape, threat intelligence must go above and beyond simple feeds. Tracking of indicators and samples, such as IP addresses, URLs, malware samples, and TTPs remains a critical component of incident management.

However, to become actionable threat intelligence, these indicators must be surrounded with further context. Because a SOAR solution has access to not only the indicators, but also the rest of the incident information which can provide the additional context, it is in a unique position to gather actionable threat intelligence.

In order to provide genuine value, a SOAR solution should go a step further beyond gathering threat intelligence. A proactive security program requires threat intelligence to be properly correlated to the end of discovering attack patterns, potential vulnerabilities and other ongoing risks to the organization. This correlation should be performed automatically and it should be immediately clear if an ongoing incident may share common factors with any previous incidents.

Although automated correlation is critical for analysts to make informed decisions during the incident response lifecycle, visual correlation is also an important factor when assessing threat intelligence capabilities. Many proactive security programs today include many different forms of threat hunting, while actively looking for attacks and patterns that may not have been detected through automated methods. To make this process easier, threat intelligence and correlated events should be displayed in an easy to understand visual manner to allow analysts to effectively analyze the information.

Summary

We hope that the above details will provide you with some guidance in deciding on which SOAR platform to employ within your security program to suit your individual organization’s strategy. As stated at the beginning, even though most SOAR platforms on the market are unique in their own ways, there are still some characteristics that are mentioned here which should be included as the norm.

For further information on deciding on which SOAR solution is for you, why not read our new Enterprise SOAR Buyer’s Guide and you are keen to seen a SOAR platform in action, why not schedule a personalized one-to-one demo or contact us and find out why IncMan SOAR provides the most open SOAR framework on the market today.

Get Started with a One-to-One Personalized Demo

Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.

See IncMan SOAR in Action.

Request a demo