What is SOAR?

SOAR, also known as Security Orchestration, Automation, and Response, is a function or solution that automates cyber-attack incident response and security operations. It reduces the workload of operators by automatically processing workflows when certain conditions are met, based on rules predefined by the vendor or playbooks defined by the user.

SOAR Overview

SOAR performs processing based on vendor-defined rules or user-defined playbooks (a list of flows that perform a series of actions specified in a script when certain conditions are met). It supports security operators by automatically performing actions in response to pre-assumed situations. For example, communication is blocked when an unspecified number of communications occur within a certain period of time to a server where important information is stored. It also automatically takes actions such as blocking terminals that are infected with malware or accessing command and control (C&C) servers to a quarantine network.

Background of SOAR 

SOAR is needed because of the need to respond immediately when signs of cyber-attacks are detected and the increasing workload on security operators.  

By minimizing the level of "background noise", operators can focus on cases that require manual intervention, and inexperienced operators can easily execute pre-defined actions in playbooks. This is especially crucial due to the current shortage of skilled operators. 

Cyber-attacks occur 24 hours a day, and there is no telling when they may occur

Cyber-attacks occur 24 hours a day, 365 days a year, and there is no telling when they may occur. While some corporate organizations have SOCs that monitor for signs of cyber-attacks, it is preferable from both a security and operational standpoint to automatically respond when signs are detected. For example, a basic policy of shutting down terminals with known malware infections or access to command and control (C&C) servers to a quarantine network would reduce the risk of threats subsequently spreading throughout the organization. In addition, by creating and automating a playbook based on signs of previous cyber-attacks against the company, cyber-attacks can be prevented more quickly.  

The workload of security operators is increasing according to Trend Micro's research

1.25 billion logs are collected from 1,000 devices in just seven days*, but some of these logs are similar to cyber-attacks perpetrated against other companies or in the same industry, or similar to cyber-attacks perpetrated against your company in the past. For example, if you find about 10 endpoints infected with malware in about a month, it will take a lot of time and effort for security operators to decide on a response policy and take action each time. By automating the response to subsequent incidents based on the first few, the workload of security operators can be reduced.  

* Calculated from sample data of 1,000 devices/7 days verified by Trend Micro.  

With this background, how can we help improve the efficiency of security operations with existing resources? SOAR is a technology that has emerged with a focus on how to help improve the efficiency of security operations with existing resources.

Relationship between SOAR and XDR

SIEM is a product that aggregates logs and events from PCs, servers, proxies, firewalls, security products, etc., and visualizes them in a meaningful way; SOAR is a product that automatically acts when certain actions (such as many accesses to a specific server within a certain time) occur based on predefined rules, using information gathered by SIEM. XDR is a product that detects and visualizes traces of attacks to investigate, identify the cause, and respond to incidents as a post-response to cyber-attacks, if a threat enters a user's environment. SOAR has been attracting attention in recent years for its ability to mechanically process massive amounts of log information to remove noise and extract only those alerts that truly require action.  

SOAR can be effective in cases where there are a wide range of products and services that can be used in conjunction with APIs and detailed conditions for script settings, and where experienced security operators can continuously maintain settings. Some XDRs can also be integrated with SOAR, so that XDRs can be used to supplement expertise in cyber-attack detection, while SOAR can be used to integrate with a wide range of products and automate responses. 


Related articles