What is SOAR? Automation and Orchestration in the SOC | nFlo Blog

SOAR platforms: how are automation and orchestration revolutionizing SOC work?


An analyst’s job in a modern Security Operations Center (SOC) is a constant race against time. On the one hand, he is inundated by a torrent of thousands of alerts from dozens of different security systems, most of which are false alarms. On the other hand, each alert must be analyzed because it could be the first sign of an advanced attack, where every minute counts. In this reality, the most valuable resource is not technology, but the time and attention of a skilled professional. Unfortunately, a huge portion of this valuable time is wasted on repetitive, manual tasks: copying IP addresses between different consoles, checking file reputations, manually blocking indicators on the firewall.

SOAR (Security Orchestration, Automation, and Response) platforms were created in response to this operational bottleneck. This is technology designed to give machines back what they do best – fast, repetitive tasks – and free up humans to focus on what they are indispensable at: critical thinking, analysis and strategic decision-making. SOAR is a kind of “nervous system” for the SOC that connects all the tools (“muscles”) together and allows them to work in a coordinated, automated and intelligent way. It’s a force multiplier that allows security teams to work smarter, not harder.

What is the SOAR platform and what three key problems does it solve?

SOAR (Security Orchestration, Automation, and Response) is a technology platform that allows security teams to streamline and standardize their incident response processes. Its name perfectly captures the three pillars on which it is based, which solve the fundamental problems of any SOC.

  1. Orchestration: Solves the problem of tool fragmentation. Modern SOCs use dozens of specialized systems (SIEM, EDR, firewall, sandbox, etc.) that often “don’t talk” to each other. Orchestration involves integrating these tools via APIs, creating a cohesive ecosystem in which data and commands can flow seamlessly between systems.
  2. Automation: Solves the problem of manual work overload. Automation involves replacing the repetitive, rule-based tasks that analysts perform with automated scripts and processes. This frees up valuable specialists’ time and drastically speeds up the initial phases of incident analysis.
  3. Response: Addresses the lack of consistency and visibility in incident management. SOAR provides a central platform for managing the entire incident lifecycle – from discovery to analysis to closure. It ensures standardization of processes, facilitates team collaboration and automates documentation creation.

What is orchestration in the context of security?

Orchestration in SOAR is the process of coordinating and linking multiple independent security systems so that they act as a single, cohesive organism. In a typical SOC, an analyst, investigating an alert, must manually log into several or a dozen different consoles to gather the necessary information. For example, seeing a suspicious IP address in the SIEM system, he must manually copy and paste it into the Threat Intelligence platform to check its reputation, and then log into the firewall console to block it.

The SOAR platform, with its deep integration with these tools through their APIs (Application Programming Interfaces), eliminates this need. An analyst (or automated process) from a single SOAR console can issue a command: “Check the reputation of this IP in all my Threat Intelligence sources, and if it is malicious, block it on all my edge firewalls.” SOAR acts like the conductor of an orchestra, giving the right commands to the various “instruments” (security tools) at the right time, so that together they play a coherent tune in response to the incident.

Orchestration is the foundation on which automation is built. Without the ability to seamlessly communicate and exchange data between tools, large-scale automation would be impossible.


How does automation in SOAR ease the burden on security analysts?

Automation is the most tangible benefit of implementing SOAR. It involves coding repetitive, manual tasks into standardized, automated processes called “playbooks.” This allows L1 analysts to focus on interpreting data instead of spending 80% of their time on tedious data collection.

Here are some examples of tasks that SOAR can fully automate:

  • Enriching alerts: When an alert is received (e.g., from SIEM), SOAR can automatically retrieve additional context: check the reputation of an IP address, domain or file hash in a dozen Threat Intelligence sources, retrieve user and device information from Active Directory or the CMDB system, and detonate a suspicious attachment in the sandbox.
  • Initial classification (Triage): Based on the information gathered, SOAR can automatically close an alert as a false alarm (e.g., if the IP is from a known corporate address pool) or raise its priority if multiple indicators confirm the threat.
  • Simple countermeasures: SOAR can automatically perform basic containment actions, such as blocking the malicious IP address on the firewall, disabling the phishing victim’s user account, or sending a command to the EDR system to isolate the infected workstation from the network.

With automation, the analyst no longer receives a raw alert, but a pre-analyzed, context-rich incident, allowing him to make the right decision much faster.


What are “playbooks” in SOAR and how do they work in practice?

A playbook (scenario or procedure) is the heart of any SOAR platform. It is a defined, automated workflow that describes, step-by-step, what action to take in response to a specific type of alert or incident. Playbooks are essentially the codified knowledge and best practices of the SOC team, turned into a repeatable, machine-executable process.

Let’s analyze a simplified playbook for a phishing alert:

  1. Trigger: The email security system reports that a user has clicked on a potentially malicious link. The alert goes to SOAR.
  2. Automatic enrichment: SOAR automatically:
    • Extracts the URL, IP address of the sender and hash of the attachment from the alert.
    • Sends the URL for analysis in a sandbox (e.g. VirusTotal, Any.Run).
    • Checks the reputation of the sender’s IP address in Threat Intelligence databases.
    • Retrieves from Active Directory information about the user who clicked the link (department, role, supervisor).
  3. Decision: Based on the results of the analysis (e.g., the sandbox confirmed that the site is malicious), the playbook makes a decision.
  4. Automatic response: SOAR orchestrates the following actions:
    • Sends a command to the EDR to scan the user’s computer.
    • Sends a command to the firewall and proxy to block the malicious URL across the company.
    • Searches the mail server logs to find all other employees who received the same message.
  5. Interaction with the analyst: The playbook creates an incident in the SOAR console with all the collected information and asks the analyst for a final decision, such as whether to reset the user’s password and isolate the computer.

With playbooks, this entire process, which would manually take an analyst 30-60 minutes, can be done automatically in less than a minute.
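To make the five steps concrete, here is an added example (not nFlo’s code and not any SOAR vendor’s API) that implements the phishing playbook as plain Python functions, and at the same time shows the enrich-then-act orchestration pattern described in the earlier sections. The threat-intelligence feed, sandbox verdicts, directory and corporate address pool are constructed in-memory dictionaries standing in for the API integrations a real SOAR would provide, and connector labels such as "edr" and "firewall_proxy" are assumed names.

```python
from dataclasses import dataclass, field
# Constructed sample sources standing in for the TI feeds, sandbox and AD a SOAR would query over APIs.
TI_BAD_IPS = {"203.0.113.7"}                                  # constructed TEST-NET-3 address
SANDBOX_VERDICTS = {"http://phish.example.invalid/login": "malicious"}
DIRECTORY = {"jsmith": {"dept": "Finance", "role": "Accountant", "supervisor": "mlee"}}
CORPORATE_POOL = ("10.",)                                     # known internal address pool

@dataclass
class Incident:
    alert: dict
    context: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)      # containment done automatically
    for_analyst: list = field(default_factory=list)  # disruptive steps left to a human
    verdict: str = "open"

def enrich(inc: Incident) -> Incident:
    """Step 2: pull context from sandbox, TI and the directory for every indicator."""
    a = inc.alert
    inc.context["url_verdict"] = SANDBOX_VERDICTS.get(a["url"], "unknown")
    inc.context["ip_malicious"] = a["sender_ip"] in TI_BAD_IPS
    inc.context["ip_internal"] = a["sender_ip"].startswith(CORPORATE_POOL)
    inc.context["user"] = DIRECTORY.get(a["user"], {})
    return inc

def decide(inc: Incident) -> Incident:
    """Step 3: triage. Only an internal sender with no other hit is closed automatically."""
    c = inc.context
    hits = int(c["url_verdict"] == "malicious") + int(c["ip_malicious"])
    if hits >= 1:
        inc.verdict = "confirmed"
    elif c["ip_internal"]:
        inc.verdict = "false_positive"
    else:
        inc.verdict = "needs_review"     # unknown verdict, external sender: a human looks
    return inc

def respond(inc: Incident) -> Incident:
    """Steps 4-5: orchestrate scan/block/search, then hand the rest to the analyst."""
    if inc.verdict == "confirmed":
        a = inc.alert
        inc.actions += [("edr", "scan_host", a["host"]),
                        ("firewall_proxy", "block_url", a["url"]),
                        ("mail", "search_recipients", a["message_id"])]
        inc.for_analyst += [("reset_password", a["user"]), ("isolate_host", a["host"])]
    return inc

def run_playbook(alert: dict) -> Incident:
    """Step 1: the e-mail gateway alert triggers the chain enrich -> decide -> respond."""
    return respond(decide(enrich(Incident(alert))))
```

Note that the two actions the page leaves to the analyst (password reset, host isolation) are queued in `for_analyst` rather than executed, which is the human-in-the-loop boundary the playbook description draws.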


What are the biggest benefits of implementing the SOAR platform in the SOC?

Implementing the SOAR platform brings tangible benefits that translate into increased efficiency, reduced risk and better use of human resources in the security team.

  • Dramatically reduce response time (MTTR): By automating repetitive tasks and orchestrating tools, the average incident response time can be reduced from hours to minutes. Faster response means less damage and less risk of attack escalation.
  • Increase consistency and reduce human error: Playbooks ensure that every alert of the same type is handled in the same best-practice manner. This eliminates the risk that a tired analyst will skip an important step in the analysis.
  • Unburden analysts and fight burnout: SOAR takes on the most tedious and repetitive aspects of the job, allowing analysts to focus on complex investigations, proactive threat hunting and strategic defense improvement. This directly impacts job satisfaction and retention of valuable professionals.
  • Better use of existing tools: SOAR allows you to take full advantage of the potential of your existing security systems. Integration makes tools that previously worked in isolation begin to work together, increasing the return on investment for the entire technology stack.

Transforming the Work of the SOC Analyst with SOAR

| Task | Before SOAR implementation (manual) | After SOAR implementation (automatic) |
| Initial analysis of a phishing alert | The analyst manually copies the indicators (IP, URL) and pastes them into 5-10 different tools. Time: 15-30 min. | SOAR automatically enriches the alert with context from all integrated sources. Time: < 1 min. |
| Checking the reputation of indicators (IoC) | Logging into multiple Threat Intelligence portals, comparing results. | Single API query orchestrated by SOAR, results aggregated into a single view. |
| Isolation of the infected host | The analyst logs into the EDR console, searches for the host and clicks the isolation button. | SOAR, after confirming the threat, automatically sends an isolation command to the EDR. |
| Preparing an incident report | The analyst manually collects data from various systems and creates a report. | SOAR automatically generates a timeline of the incident and a preliminary report of all actions taken. |

Is SOAR a solution for every company?

Despite its tremendous benefits, the SOAR platform is not a magic solution for every organization. Its implementation will bring the most value in companies that have already reached a certain level of maturity in security operations. SOAR is a tool to automate and optimize existing processes – it will not create them for us.

SOAR is ideal for companies that:

  • Have a mature detection program: They already have alert-generating systems such as SIEM, EDR or NDR in place and reasonably well configured. Implementing SOAR without robust input sources misses the point.
  • Have defined processes for responding to incidents: The team knows what steps to take in response to the most common types of alerts. SOAR allows you to codify and automate these procedures. Trying to automate chaos only leads to faster chaos.
  • Struggle with a high number of alerts and team overload: If analysts spend most of their time on repetitive tasks and incident response times are too long, SOAR will bring immediate and noticeable improvements.

For smaller companies that are just building their defense capabilities, implementing a full SOAR platform may be premature. For them, a better solution may be to use MDR services, where the vendor uses SOAR within its own infrastructure.

About the author:
Grzegorz Gnych

Grzegorz is a seasoned professional with over 20 years of experience in the IT and telecommunications industry. He specializes in sales management, building strategic client relationships, and developing innovative sales and marketing strategies. His versatile skills are backed by a range of industry certifications, including IT service management and leading technology solutions from top manufacturers.

In his work, Grzegorz adheres to principles of leadership, continuous knowledge development, and proactive action. His sales approach is based on a deep understanding of clients' needs and delivering solutions that genuinely enhance their market competitiveness. He is renowned for his ability to establish long-term business relationships and position himself as a trusted advisor.

Grzegorz is particularly interested in integrating advanced technologies into sales strategies. He focuses on leveraging artificial intelligence and automation in sales processes, as well as developing comprehensive IT solutions that support clients' digital transformation.

He actively shares his knowledge and expertise through mentoring, speaking at industry conferences, and publishing articles. Grzegorz believes that the key to success in the dynamic IT world lies in combining deep technical knowledge with business acumen and constantly adapting to the evolving needs of the market.