SOAR vs. Orchestration and Automation: What’s the Difference?

If you’re playing buzzword bingo in 2018, Orchestration and Automation (O&A) are two words you want to see on your card. Unlike some buzzwords, O&A are not just fluff; when implemented properly, Orchestration & Automation are real solutions which can provide tremendous benefits to overworked security teams.

However, as the industry starts to see real benefits emerge in new classes of solutions, more and more products start to incorporate aspects of that solution into their existing products. This tends to muddy the waters in the product space and leaves potential customers confused (talk to a SIEM vendor if you want to hear someone else’s perspective on this problem).

Before we go any further, let me clarify something; this blog is not intended to be a shot at anyone’s marketing or any vendor incorporating Security Orchestration and Automation into their existing product. To the contrary, when implemented properly, Automation and Orchestration can benefit customers at many levels. If you’re in a product space where O&A can provide value to your customers, you should absolutely be looking into it. Instead, this blog is intended to answer the question we are getting asked more and more recently; “I see vendor X is doing orchestration and automation now, are they your competitor? How are you different?”

Orchestration and Automation

In terms of O&A, there are two main categories of solutions (of course, there are always some that fall somewhere in the middle:

  1. Security Orchestration, Automation and Response (SOAR) solutions
  2. Other solutions which have implemented some level of Orchestration and Automation into their existing (non-SOAR) solutions

When you begin to compare these two categories, there are two significant differentiators. Non-SOAR solutions tend to focus on O&A within their own product, or within a similar product space (let’s use vulnerability management as an example). Their focus on one particular product space tends to make them very capable of addressing advanced use cases in that product space, however, they typically do not support use cases outside of that space. A SOAR solution, on the other hand, should be capable of performing O&A across many different product spaces in one cohesive solution.

The other significant differentiator between SOAR and non-SOAR solutions is their ability to perform other Response (the R in SOAR) and incident management functions. Whereas a SOAR solution should be able to perform these other Response functions, a non-SOAR solution is typically limited in this regard.

Which is the right solution?

As always, it depends on the problem you are trying to solve.  If you are trying to increase your efficiency in vulnerability management, threat intelligence, endpoint detection or network management, a non-SOAR solution in one of these spaces with O&A capabilities may be the right solution for you.  If you are trying to solve inefficiencies across all of these spaces, you may want to invest in a SOAR solution. Of course, there is also nothing wrong with layering these technologies either; perhaps a focused solution which includes O&A is required in one space, which can then be orchestrated with other security products through a SOAR solution.

So, getting back to answering the original questions, “I see vendor X is doing orchestration and automation now, are they your competitor? How are you different?” If vendor X is not a SOAR solution provider, there is probably some overlap, however, they are usually focused on solving a different or more specific problem to DFLabs, so they are most likely not a competitor. In fact, in some cases, they may be a technology partner. In these cases, our core differentiators are usually those listed above. If vendor X is a SOAR solution provider, they may very well be a competitor and our core differentiators will depend on the specific vendor.

In either case, DFLabs would be happy to discuss its differentiators from other SOAR solutions in a more personalized way, so if you have any questions or would like a one to one demo of our IncMan SOAR platform, please do get in touch. However, I wanted to take a few minutes out of the day to address this common question you may have as you start your journey down the O&A road.

How Security Orchestration and Automation Helps You Work Smarter and Improve Incident Response

We’ve been witnessing the continual transformation of the cyber security ecosystem in the past few years. With cyber attacks becoming ever-more sophisticated, organizations have been forced to spend huge amounts of their budgets on improving their security programs in an attempt to protect their infrastructure, corporate assets, and their brand reputation from potential hackers.

Recent research, however, still shows that a large number of organizations are experiencing an alarming shortage of the cyber security skills and tools required to adequately detect and prevent the variety of attacks being faced by organizations. Protecting your organization today is a never-ending and complex process. I am sure, like me, you are regularly reading many cyber security articles and statistics detailing these alarming figures, which are becoming more of a daily reality.

Many organizations are now transitioning the majority of their efforts on implementing comprehensive incident response plans, processes and workflows to respond to potential incidents in the quickest and most efficient ways possible. But even with this new approach, many experts and organizations alike express concerns that we will still be faced with a shortage of skilled labor able to deal with these security incidents, with security teams struggling to fight back thousands of potential threats generated from incoming security alerts on a daily basis.

With so many mundane and repetitive tasks to complete, there’s little time for new strategies, planning, training, and knowledge transfer. To make things worse, security teams are spending far too much of their valuable time reacting to the increasing numbers of false positives, to threats that aren’t real. This results in spending hours, even days on analyzing and investigating false positives, which leaves little time for the team to focus on mitigating real, legitimate cyber threats, which could result in a serious and potentially damaging security incident. Essentially, we need to enable security operations teams to work smarter, not harder; but is this easier said than done?

How does security orchestration and automation help security teams?

With this in mind, organizations need to find new ways combat these issues, while at the same time add value to their existing security program and tools and technologies being used, to improve their overall security operations performance. The answer is in the use of Security Orchestration, Automation and Response (SOAR) technology.

Security Orchestration, Automation, and Response SOAR solutions focus on the following core functions of security operations and incident response and help security operations centers (SOCs), computer security incident response teams (CSIRTs) and managed security service providers (MSSPs) work smarter and act faster:

  • Orchestration – Enables security operations to connect and coordinate complex workflows, tools and technologies, with flexible SOAR solutions supporting a vast number of integrations and APIs.
  • Automation – Speeds up the entire workflow by executing actions across infrastructures in seconds, instead of hours if tasks are performed manually.
  • Collaboration – Promotes more efficient communication and knowledge transfer across security teams
  • Incident Management – Activities and information from a single incident are managed within a single, comprehensive platform, allowing tactical and strategic decision makers alike complete oversight of the incident management process.
  • Dashboards and Reporting: Combines of core information to provide a holistic view of the organization’s security infrastructure also providing detailed information for any incident, event or case when it is required by different levels of stakeholders.

Now let’s focus on the details of these core functions and see how they improve the overall performance.

Orchestration

Security Orchestration is the capacity to coordinate, formalize, and automate responsive actions upon measuring risk posture and the state of affairs in the environment; more precisely, it’s the fashion in which disparate security systems are connected together to deliver larger visibility and enable automated responses; it also coordinates volumes of alert data into workflows.

Automation

With automation, multiple tasks on partial or full elements of the security process can be executed without the need for human intervention. Security operations can create sophisticated processes with automation, which can improve accuracy. While the concepts behind both security orchestration and automation are somewhat related, their aims are quite different. Automation aims to reduce the time processes take, making them more effective and efficient by automating repeatable processes and tasks. Some SOAR solutions also applying machine learning to recommend actions based on the responses to previous incidents. Automation also aims to reduce the number of mundane actions that must be completed manually by security analysts, allowing them to focus on a high level and more important actions that require human intervention.

Incident Management and Collaboration

Incident management and collaboration consist of the following activities:

  • Alert processing and triage
  • Journaling and evidentiary support
  • Analytics and incident investigation
  • Threat intelligence management
  • Case and event management, and workflow

Security orchestration and automation tools are designed to facilitate all of these processes, while at the same making the process of threat identification, investigation and management significantly easier for the entire security operations team.

Dashboards and Reporting

SOAR tools generate reports and dashboards for a range of stakeholders from the day to day analysts, SOC managers, other organization departments and even C-level executives. These dashboards and reports are not only used to provide security intelligence, but they can also be used to develop analyst skills.

Human Factor Still Paramount

Security orchestration and automation solutions create a more focused and streamlined approach and methodology for detection and response to cyber threats by integrating the company’s security capacity and resources with existing experts and processes in order to automate manual tasks, orchestrate processes and workflows, and create an overall faster and more effective incident response.

Whichever security orchestration and automation solution a company chooses, it is important to remember that no one single miracle solution guarantees full protection. Human skills remain the core of every future security undertaking and the use of security orchestration and automation should not be viewed as a total replacement of a security team. Rather, it should be considered a supplement that enables the security team by easing the workload, alleviating the repetitive, time-consuming tasks, formalizing processes and workflows, while supporting and empowering the existing security team to turn into proactive threat hunters as opposed to reactive incident investigators.

Humans and machines combined can work wonders for the overall performance of an organization’s security program and in the long run allows the experts in the team to customize and tailor their actions to suit the specific business needs of the company.

Finally, by investing in a SOAR solution for threat detection and incident response, organizations can increase their capacity to detect, respond to and remediate all security incidents and alerts they are faced with in the quickest possible time frames.

Improving the Alignment between Cyber Security and IT Service Management Processes

I frequently marvel at the solutions our customers implement in order to walk the fine line where security operations and IT governance converge. The capability to simultaneously engage the needs of IT service management and cyber security requirements frequently requires a creative approach to effectively align business objectives, priorities and a variety of risk postures. One common denominator I have observed is that the most effective cyber security plans address these 4 points of effective security and IT management policy:

1. Create the right policy
This involves a collaborative approach that leverages the stakeholders from not only the IT and Security Operations groups but Legal, HR and Operations as well to ensure that their needs are also being addressed. Policies are only as good as our ability to monitor and enforce. A policy that detrimentally affects the ability of any one organization to perform their duties will quickly be discarded, opening the door to a domino effect of security issues. Additionally, this collaboration should address organizational dynamics including core services, internal customers and, when applicable, external or business partners that may require access.

2. Perform a risk assessment and analysis
Industry requirements aside, performing a cyber security risk assessment and analysis is critical to building processes that address our most vulnerable systems and processes. We can subsequently formulate a corrective action plan that addresses not only current needs but anticipates future requirements. As part of a greater Business Continuity Planning program, a risk assessment provides the insight to avoid security and governance concerns before they truly become “issues”. An example of this is the development of your Disaster Recovery Plan. Determining the critical systems and the need for warm and cold site requirements as the result of a detailed risk analysis will save your teams hours of work when trying to rebuild critical system data.

3. Define appropriate procedures
If actionable processes and procedures are the lifeblood of effective security operations and governance alignment, then a platform to ensure that these policies are available to the appropriate stakeholders in the form of actions that are vetted, repeatable and defensible should be considered the heart. Security orchestration and automation products, while typically focusing on security operations, can provide this needed heart to IT governance requirements as well. DFLabs IncMan™ provides our customers with over 100 Playbooks that outline the appropriate procedures for a broad range of incidents, delivered in a format that can be easily followed or edited as requirements change and evolve. This gives the user maximum flexibility to ensure the needs of all stakeholders are addressed consistently and with minimum delay during incident response activities when the time is often of the essence.

4. Focus on staffing
Staffing is a common issue on several fronts. Locating and retaining experienced staff is only part of the problem. Facilitating a knowledge transfer between experienced and inexperienced staff is also problematic and frequently results is a small group of individuals that handle the majority of the demanding cases. The good news is that more evolved organizations have recognized the value of utilizing the previously mentioned Playbooks. IncMan Playbooks provide a roadmap designed by the experienced staff members to guide the inexperienced members during the response process. This effectively provides these organizations with a force multiplier by not only reducing incident dwell time but providing the necessary knowledge transfer as well.

If you want more information about how DFLabs IncMan can help align your security and IT service management processes please contact us [email protected] for a no obligation demonstration.