SOAR vs. Orchestration and Automation: What’s the Difference?

If you’re playing buzzword bingo in 2018, Orchestration and Automation (O&A) are two words you want to see on your card. Unlike some buzzwords, O&A are not just fluff; when implemented properly, Orchestration & Automation are real solutions which can provide tremendous benefits to overworked security teams.

However, as the industry starts to see real benefits emerge in new classes of solutions, more and more products start to incorporate aspects of that solution into their existing products. This tends to muddy the waters in the product space and leaves potential customers confused (talk to a SIEM vendor if you want to hear someone else’s perspective on this problem).

Before we go any further, let me clarify something: this blog is not intended to be a shot at anyone’s marketing or at any vendor incorporating Security Orchestration and Automation into their existing product. On the contrary, when implemented properly, Automation and Orchestration can benefit customers at many levels. If you’re in a product space where O&A can provide value to your customers, you should absolutely be looking into it. Instead, this blog is intended to answer the question we are being asked more and more often: “I see vendor X is doing orchestration and automation now, are they your competitor? How are you different?”

Orchestration and Automation

In terms of O&A, there are two main categories of solutions (of course, there are always some that fall somewhere in the middle):

  1. Security Orchestration, Automation and Response (SOAR) solutions
  2. Other solutions which have implemented some level of Orchestration and Automation into their existing (non-SOAR) solutions

When you begin to compare these two categories, there are two significant differentiators. Non-SOAR solutions tend to focus on O&A within their own product, or within a similar product space (let’s use vulnerability management as an example). Their focus on one particular product space tends to make them very capable of addressing advanced use cases in that space; however, they typically do not support use cases outside of it. A SOAR solution, on the other hand, should be capable of performing O&A across many different product spaces in one cohesive solution.

The other significant differentiator between SOAR and non-SOAR solutions is their ability to perform other Response (the R in SOAR) and incident management functions. Whereas a SOAR solution should be able to perform these other Response functions, a non-SOAR solution is typically limited in this regard.

Which is the right solution?

As always, it depends on the problem you are trying to solve. If you are trying to increase your efficiency in vulnerability management, threat intelligence, endpoint detection or network management, a non-SOAR solution in one of these spaces with O&A capabilities may be the right solution for you. If you are trying to solve inefficiencies across all of these spaces, you may want to invest in a SOAR solution. Of course, there is also nothing wrong with layering these technologies: perhaps a focused solution which includes O&A is required in one space, and that solution can then be orchestrated alongside other security products through a SOAR solution.

So, getting back to answering the original question, “I see vendor X is doing orchestration and automation now, are they your competitor? How are you different?” If vendor X is not a SOAR solution provider, there is probably some overlap; however, they are usually focused on solving a different or more specific problem than DFLabs, so they are most likely not a competitor. In fact, in some cases, they may be a technology partner. In these cases, our core differentiators are usually those listed above. If vendor X is a SOAR solution provider, they may very well be a competitor, and our core differentiators will depend on the specific vendor.

In either case, DFLabs would be happy to discuss its differentiators from other SOAR solutions in a more personalized way, so if you have any questions or would like a one-to-one demo of our IncMan SOAR platform, please do get in touch. However, I wanted to take a few minutes out of the day to address this common question you may have as you start your journey down the O&A road.

How Security Orchestration and Automation Helps You Work Smarter and Improve Incident Response

We’ve been witnessing the continual transformation of the cyber security ecosystem over the past few years. With cyber attacks becoming ever more sophisticated, organizations have been forced to spend huge portions of their budgets on improving their security programs in an attempt to protect their infrastructure, corporate assets, and brand reputation from potential attackers.

Recent research, however, still shows that a large number of organizations are experiencing an alarming shortage of the cyber security skills and tools required to adequately detect and prevent the variety of attacks being faced by organizations. Protecting your organization today is a never-ending and complex process. I am sure, like me, you are regularly reading many cyber security articles and statistics detailing these alarming figures, which are becoming more of a daily reality.

Many organizations are now shifting the majority of their efforts to implementing comprehensive incident response plans, processes and workflows, in order to respond to potential incidents in the quickest and most efficient ways possible. But even with this new approach, many experts and organizations alike express concern that we will still be faced with a shortage of skilled labor able to deal with these security incidents, with security teams struggling to fight back against thousands of potential threats generated from incoming security alerts on a daily basis.

With so many mundane and repetitive tasks to complete, there’s little time for new strategies, planning, training, and knowledge transfer. To make things worse, security teams are spending far too much of their valuable time reacting to increasing numbers of false positives, that is, to threats that aren’t real. This results in hours, even days, spent analyzing and investigating false positives, which leaves little time for the team to focus on mitigating real, legitimate cyber threats that could result in a serious and potentially damaging security incident. Essentially, we need to enable security operations teams to work smarter, not harder; but is this easier said than done?

How does security orchestration and automation help security teams?

With this in mind, organizations need to find new ways to combat these issues while at the same time adding value to their existing security program and to the tools and technologies they already use, in order to improve their overall security operations performance. The answer lies in the use of Security Orchestration, Automation and Response (SOAR) technology.

Security Orchestration, Automation, and Response (SOAR) solutions focus on the following core functions of security operations and incident response, and help security operations centers (SOCs), computer security incident response teams (CSIRTs) and managed security service providers (MSSPs) work smarter and act faster:

  • Orchestration – Enables security operations to connect and coordinate complex workflows, tools and technologies, with flexible SOAR solutions supporting a vast number of integrations and APIs.
  • Automation – Speeds up the entire workflow by executing actions across infrastructures in seconds, instead of the hours required if tasks are performed manually.
  • Collaboration – Promotes more efficient communication and knowledge transfer across security teams.
  • Incident Management – Activities and information from a single incident are managed within a single, comprehensive platform, giving tactical and strategic decision makers alike complete oversight of the incident management process.
  • Dashboards and Reporting – Combines core information to provide a holistic view of the organization’s security infrastructure, while also providing detailed information on any incident, event or case when it is required by different levels of stakeholders.

Now let’s focus on the details of these core functions and see how they improve the overall performance.

Orchestration

Security Orchestration is the capacity to coordinate, formalize, and automate responsive actions based on the measured risk posture and the current state of the environment. More precisely, it is the way in which disparate security systems are connected together to deliver greater visibility and enable automated responses; it also channels large volumes of alert data into structured workflows.

Automation

With automation, multiple tasks covering partial or full elements of the security process can be executed without the need for human intervention. Security operations can create sophisticated processes with automation, which can improve accuracy. While the concepts behind security orchestration and automation are related, their aims are quite different. Automation aims to reduce the time processes take, making them more effective and efficient by automating repeatable processes and tasks. Some SOAR solutions also apply machine learning to recommend actions based on the responses to previous incidents. Automation also aims to reduce the number of mundane actions that must be completed manually by security analysts, allowing them to focus on higher-level, more important actions that require human intervention.

Incident Management and Collaboration

Incident management and collaboration consist of the following activities:

  • Alert processing and triage
  • Journaling and evidentiary support
  • Analytics and incident investigation
  • Threat intelligence management
  • Case and event management, and workflow

Security orchestration and automation tools are designed to facilitate all of these processes, while at the same time making the process of threat identification, investigation and management significantly easier for the entire security operations team.

Dashboards and Reporting

SOAR tools generate reports and dashboards for a range of stakeholders, from day-to-day analysts and SOC managers to other departments in the organization and even C-level executives. These dashboards and reports are not only used to provide security intelligence; they can also be used to develop analyst skills.

Human Factor Still Paramount

Security orchestration and automation solutions create a more focused and streamlined approach and methodology for detection and response to cyber threats by integrating the company’s security capacity and resources with existing experts and processes in order to automate manual tasks, orchestrate processes and workflows, and create an overall faster and more effective incident response.

Whichever security orchestration and automation solution a company chooses, it is important to remember that no single miracle solution guarantees full protection. Human skills remain the core of every future security undertaking, and the use of security orchestration and automation should not be viewed as a total replacement for a security team. Rather, it should be considered a supplement that enables the security team by easing the workload, alleviating repetitive, time-consuming tasks and formalizing processes and workflows, while supporting and empowering the existing security team to become proactive threat hunters as opposed to reactive incident investigators.

Humans and machines combined can work wonders for the overall performance of an organization’s security program and, in the long run, allow the experts in the team to customize and tailor their actions to suit the specific business needs of the company.

Finally, by investing in a SOAR solution for threat detection and incident response, organizations can increase their capacity to detect, respond to and remediate all security incidents and alerts they are faced with in the quickest possible time frames.

Latest Ransomware Attack Highlights the Need for Advanced Security Automation and Orchestration Solutions

The latest ransomware attack that broke out last Friday, affecting more than 200,000 computers across 150 countries by Sunday, once again highlighted the need for improved preparedness to respond to large-scale cyber incidents by implementing advanced security automation and orchestration solutions capable of containing the damage from such events. In this case, the attackers exploited a vulnerability in the Windows Server Message Block (SMB) protocol, which had been discovered and kept quiet for exclusive use by the National Security Agency (NSA).

WannaCry, as the virus is called, is delivered via an email attachment and when executed, paralyzes computers running vulnerable Windows operating systems by encrypting their files. Once it encrypts a computer’s hard disk, WannaCry then spreads to vulnerable computers connected to the same network, and also beyond, via the Internet. This is in many ways a typical ransomware attack, infecting computers with a virus that has the ability to spread quickly to other vulnerable systems; however, the infection in this instance, and the speed at which it spread, was more intense than any other such attack in recent memory. The consensus among cyber security experts around the world is that the damage from this attack could have been reduced to a minimum, and more serious consequences could have been avoided, if organizations had been better prepared and had more effective cyber incident response plans and solutions in place.

Early Detection and Damage Containment via Automation and Orchestration

When affected by an attack such as WannaCry, after an organization’s computer system has been breached, the best thing that the organization can do is try to keep the incident under control by preventing the infection from spreading. There are various security solutions designed to achieve this end, but an automation and orchestration platform is arguably the best suited for the task. When an infected computer is detected, this platform can quickly isolate it in the early stages of an attack, blocking traffic to and from it to contain its spread, and thus reduce the business impact to a minimum.

Recovery and Remediation

Once containment is achieved, the platform provides organizations with the ability to quickly remediate the incident by guiding cybersecurity professionals through the entire process, using pre-defined playbook actions for faster and more effective execution. The playbook actions can suggest the best remediation and recovery methods and how to enforce them in the most effective manner; for instance, how to restore files and update the appropriate firewall rules.
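To make the core functions listed earlier (orchestration across tools, automation, incident management with a journal, dashboards) and the containment-then-remediation flow described in the last two sections concrete, here is an added example of a minimal playbook runner. It is illustrative code written for this page, not code from DFLabs or the IncMan platform, and it does not use any real product API: `MockEDR` and `MockFirewall` are constructed stand-ins for the endpoint and firewall integrations a SOAR platform would orchestrate, the alert fields, the `PROTECTED_HOSTS` list and the sample alerts are all constructed, and the confidence threshold is an assumed value. It goes slightly beyond the text by showing the two outcomes a practitioner wants automation to handle explicitly: a low-confidence alert is closed as a likely false positive rather than acted on, and a protected host is escalated to an analyst instead of being isolated automatically.

```python
"""Minimal SOAR-style playbook runner (constructed example, not a product API)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Alert:
    """One alert from a detection tool. Field names are assumptions for this example."""
    alert_id: str
    host: str          # endpoint that raised the alert
    src_ip: str        # peer address seen in the suspicious traffic
    detection: str     # detection name; selects the playbook
    confidence: int    # 0-100, as reported by the detecting tool


@dataclass
class Case:
    """Incident case: the alert, a status, and an append-only journal (evidentiary record)."""
    alert: Alert
    status: str = "open"
    journal: List[str] = field(default_factory=list)

    def log(self, entry: str) -> None:
        self.journal.append(entry)


class MockEDR:
    """Stand-in for an endpoint tool's isolate-host call (constructed, not a real vendor API)."""
    def __init__(self) -> None:
        self.isolated: set = set()

    def isolate_host(self, host: str) -> bool:
        self.isolated.add(host)
        return True


class MockFirewall:
    """Stand-in for a firewall block-address call (constructed, not a real vendor API)."""
    def __init__(self) -> None:
        self.blocked: set = set()

    def block_ip(self, ip: str) -> bool:
        self.blocked.add(ip)
        return True


PROTECTED_HOSTS = {"dc01", "fileserver01"}   # assumed: isolation needs analyst approval
CONFIDENCE_THRESHOLD = 70                    # assumed triage cut-off

# A playbook step takes the case and the tool integrations; returning False stops the playbook.
Step = Callable[[Case, Dict[str, object]], bool]


def triage(case: Case, tools: Dict[str, object]) -> bool:
    """Automated triage: drop low-confidence alerts so analysts do not chase false positives."""
    a = case.alert
    if a.confidence < CONFIDENCE_THRESHOLD:
        case.log(f"triage: confidence {a.confidence} < {CONFIDENCE_THRESHOLD}; closed as likely false positive")
        case.status = "closed_false_positive"
        return False
    case.log(f"triage: confidence {a.confidence}; proceeding to containment")
    return True


def contain(case: Case, tools: Dict[str, object]) -> bool:
    """Containment: isolate the host and block its peer, unless the host needs human sign-off."""
    a = case.alert
    if a.host in PROTECTED_HOSTS:
        case.log(f"contain: {a.host} is protected; isolation requires analyst approval")
        case.status = "escalated_for_approval"
        return False
    tools["edr"].isolate_host(a.host)
    case.log(f"contain: isolated {a.host} via EDR")
    tools["firewall"].block_ip(a.src_ip)
    case.log(f"contain: blocked {a.src_ip} at firewall")
    return True


def hand_off(case: Case, tools: Dict[str, object]) -> bool:
    """Remediation (file restore, rule review) stays with a human; the case records the hand-off."""
    case.status = "contained_pending_review"
    case.log("hand_off: containment complete; remediation assigned to analyst")
    return True


PLAYBOOKS: Dict[str, List[Step]] = {
    "ransomware_lateral_movement": [triage, contain, hand_off],
}


def run_playbook(alert: Alert, tools: Dict[str, object]) -> Case:
    """Open a case for the alert and run the matching playbook step by step."""
    case = Case(alert)
    steps = PLAYBOOKS.get(alert.detection)
    if steps is None:
        case.status = "needs_manual_review"
        case.log(f"no playbook for detection '{alert.detection}'")
        return case
    for step in steps:
        if not step(case, tools):
            break
    return case


def summarize(cases: List[Case]) -> Dict[str, int]:
    """Dashboard-style roll-up: number of cases per status."""
    counts: Dict[str, int] = {}
    for c in cases:
        counts[c.status] = counts.get(c.status, 0) + 1
    return counts


# Constructed sample alerts: one actionable, one low-confidence, one on a protected host, one unknown.
SAMPLE_ALERTS = [
    Alert("A-1", "ws-042", "10.0.5.17", "ransomware_lateral_movement", 92),
    Alert("A-2", "ws-077", "10.0.5.31", "ransomware_lateral_movement", 40),
    Alert("A-3", "dc01", "10.0.5.17", "ransomware_lateral_movement", 95),
    Alert("A-4", "ws-100", "10.0.9.2", "unknown_detection", 80),
]


def demo():
    tools = {"edr": MockEDR(), "firewall": MockFirewall()}
    cases = [run_playbook(a, tools) for a in SAMPLE_ALERTS]
    return cases, tools


if __name__ == "__main__":
    cases, tools = demo()
    for c in cases:
        print(c.alert.alert_id, c.status, "|", "; ".join(c.journal))
    print(summarize(cases))
```

The journal on each case is the evidentiary record the "Incident Management and Collaboration" section lists; the `summarize` roll-up stands in for a dashboard. The protected-host branch is where the "Human Factor Still Paramount" point lands in practice: automation should contain the common case quickly, but a platform should stop and ask before isolating a domain controller or file server.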

All of the above is only a fraction of the capabilities of a typical automation and orchestration platform, a security tool that has become critical for any organization seeking to avoid the immense cost and long-lasting consequences of cyber-attacks such as WannaCry.

Cyber-attacks such as this one are only expected to become more common and more sophisticated in the future, and for this reason WannaCry should serve as an example of why now is the time for organizations serious about cyber security to focus on improving preparedness and containment capabilities through investment in advanced security automation and orchestration.