In the never-ending quest to stay ahead of cyberattackers, a growing number of enterprises are turning to a relatively new category of security tools: security automation and orchestration solutions.
Gartner, which refers to the products as Security Orchestration, Automation and Response (SOAR) solutions, reported that less than 1 percent of businesses with more than five IT security professionals were using SOAR tools at the end of 2017. But the firm has forecasted that, by 2020, 15 percent of those organizations will be using the tools.
Enterprise Strategy Group (ESG) found somewhat higher numbers of enterprises using security automation and orchestration tools. According to its research, “19 percent of enterprise organizations have adopted security operations automation and orchestration technologies extensively, 39 percent have done so on a limited basis, and 26 percent are currently engaged in a project to automate/orchestrate security operations.”
Vendors have certainly taken note of enterprise interest in SOAR technology. Many large cybersecurity vendors have recently acquired security automation and orchestration startups. For example, Splunk acquired Phantom earlier this year, Microsoft bought Hexadite in 2017, Rapid7 acquired Komand in 2017, IBM purchased Resilient in 2016 and FireEye bought Invotas in 2016.
And SOAR vendor D3 Security recently announced that it had experienced “record breaking growth” in 2018 and that more than 20 percent of the Fortune 500 now use its products.
Clearly, interest in security automation and orchestration is growing, which might seem somewhat surprising given that enterprises already have so many other cybersecurity tools at their disposal. What do SOAR solutions do that these other categories of products don’t?
What is security automation and orchestration?
Gartner defines SOAR solutions as “technologies that enable organizations to collect security threats data and alerts from different sources, where incident analysis and triage can be performed leveraging a combination of human and machine power to help define, prioritize and drive standardized incident response activities according to a standard workflow.” It adds, “SOAR tools allow an organization to define incident analysis and response procedures (aka plays in a security operations playbook) in a digital workflow format, such that a range of machine-driven activities can be automated.”
In general, SOAR solutions have at least two key capabilities:
- Security Orchestration: SOAR solutions integrate other cybersecurity and IT operations solutions so that they can work together and provide a comprehensive view of the environment. In many cases, the tools can also correlate internal data with information provided by external threat intelligence sources. This integration and correlation allows investigators to drill down through the alerts coming from various cybersecurity tools quickly to find and address the root causes of the problem.
- Security Automation: Automation is just what it sounds like — automatically handling a task without needing any manual intervention. For example, security automation can provision or deprovision users, query logs, score IP addresses against reputation data or handle any number of other tasks without requiring involvement from a staff member. And when a security automation tool is also an orchestration tool, it can also automate tasks that would otherwise require the use of more than one security tool.
Many security automation and orchestration solutions also have dashboard and reporting capabilities (hence, Gartner’s SOAR acronym). In addition, some also incorporate security incident response and threat intelligence capabilities.
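The orchestration and automation capabilities described above come together in a playbook: alerts from several tools are correlated, enriched with threat intelligence and asset context, scored, and then either handled automatically or escalated to a person. The following toy playbook is an added example written for this article, not code from the article itself or from any SOAR vendor; the alert records, the threat-intelligence feed, the asset database and the scoring thresholds are all constructed assumptions chosen to make the flow visible.

```python
"""Toy SOAR-style playbook: correlate, enrich, triage and route alerts.

Added example for illustration; not code from the article or from any SOAR
vendor. Every alert, threat-intel entry and asset record below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed threat-intelligence feed: IP -> reputation score (0 = benign, 100 = known bad).
THREAT_INTEL = {
    "203.0.113.5": 95,   # documentation-range address, marked malicious in this toy feed
    "198.51.100.7": 10,
}

# Constructed asset database: hostname -> business criticality.
ASSET_DB = {
    "db-prod-01": "high",
    "dev-laptop-42": "low",
}


@dataclass
class Alert:
    source: str     # tool that raised it, e.g. "ids" or "siem"
    kind: str       # free-text alert type
    src_ip: str
    host: str
    severity: int   # the source tool's own 1-5 rating


@dataclass
class Decision:
    src_ip: str
    host: str
    score: int
    actions: list = field(default_factory=list)
    sources: list = field(default_factory=list)


def correlate(alerts):
    """Orchestration: merge alerts from different tools about the same (src_ip, host)."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a.src_ip, a.host)].append(a)
    return groups


def enrich(src_ip, host):
    """Pull the context an analyst would otherwise look up in two separate consoles."""
    return {
        "intel": THREAT_INTEL.get(src_ip, 0),
        "criticality": ASSET_DB.get(host, "unknown"),
    }


def triage(src_ip, host, group):
    """Score the correlated group and choose automated vs. human-driven actions."""
    ctx = enrich(src_ip, host)
    score = max(a.severity for a in group) * 10        # 10..50 from the loudest tool
    score += ctx["intel"] // 2                         # up to +50 from threat intel
    score += {"high": 30, "unknown": 10}.get(ctx["criticality"], 0)
    score += 5 * (len({a.source for a in group}) - 1)  # corroboration across tools

    d = Decision(src_ip, host, score, sources=sorted({a.source for a in group}))
    if ctx["intel"] >= 80:
        d.actions.append("block_ip")     # automated containment, no analyst needed
    if score >= 70:
        d.actions.append("escalate")     # hand a human the enriched picture
    elif score < 30:
        d.actions.append("auto_close")   # low-value alert handled without a person
    else:
        d.actions.append("queue")        # worth a look, but not urgent
    return d


def run_playbook(alerts):
    """Run the whole playbook and return one Decision per correlated group."""
    return [triage(ip, host, grp) for (ip, host), grp in correlate(alerts).items()]


# Constructed alerts from two tools; the first two describe the same activity.
SAMPLE_ALERTS = [
    Alert("ids", "outbound C2 beacon", "203.0.113.5", "db-prod-01", 4),
    Alert("siem", "failed logins burst", "203.0.113.5", "db-prod-01", 3),
    Alert("ids", "port scan", "198.51.100.7", "dev-laptop-42", 1),
]

if __name__ == "__main__":
    for d in run_playbook(SAMPLE_ALERTS):
        print(f"{d.src_ip} -> {d.host}: score={d.score} actions={d.actions} from={d.sources}")
```

With the constructed input, the two alerts about the production database host collapse into one decision that both blocks the source address automatically and escalates to an analyst, while the lone low-severity scan against a development laptop is closed without anyone touching it. The scoring weights are arbitrary; what matters is the shape of the workflow, which is what a real playbook encodes.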
SOAR vs SIEM
Note, however, that SOAR solutions are different from SIEM solutions. While SIEM systems aggregate log data from a variety of sources and provide real-time alerts, SOAR integrates a broader range of internal and external applications. In practice, most SOAR solutions are deployed alongside SIEM systems. Also, Gartner noted that many SIEMs are beginning to add SOAR capabilities, so it is possible the two categories of tools may eventually merge into one.
How SOAR tools transform security operations
Enterprises deploy security automation and orchestration solutions primarily in their security operations centers (SOCs). Because so many enterprises are currently focused on cybersecurity, many SOCs are experiencing staff shortages because they either can’t find or can’t afford to hire the experts they need.
At the same time, attackers are becoming more sophisticated — and more successful. Enterprises are experiencing more attacks, and those attacks are becoming more difficult to prevent, detect and mitigate.
To combat the growing threat, most enterprises have invested in multiple security solutions, such as security information and event management (SIEM) systems, user and entity behavior analytics (UEBA), threat intelligence platforms, incident response platforms, intrusion detection and prevention systems (IDPS), and a whole host of others. While deploying multiple solutions can improve an organization’s security posture, it also results in a lot more alerts for staff to investigate. And getting to the root cause of a problem — or determining that a particular alert is a false alarm — may require staff to use many different tools.
In short, understaffed SOC teams simply have more work than they can handle. A security automation and orchestration solution helps remedy the situation by transforming security operations in eight key ways:
- Integrates existing security tools and threat intelligence sources: Most SOCs have a wide variety of security solutions from a wide variety of vendors, and these tools don’t always work together. Even when vendors claim that their solution supports a tool from another vendor, security teams sometimes find that the integration between the two is more theoretical than practical. A core benefit of security automation and orchestration tools is that they perform this integration. In fact, when ESG Research asked IT professionals why they wanted SOAR solutions, 35 percent said they wanted to use security automation and orchestration technology to integrate external threat intelligence with internal security data collection and analysis, and 28 percent wanted the tools to correlate and contextualize data using the output of two or more tools.
- Speeds response to security events: For today’s enterprises, security incidents aren’t a matter of “if” but a matter of “when.” Security teams need to be able to react quickly to identify what is happening, stop the attack and mitigate the damage. SOAR tools speed up this process by integrating all the tools in the SOC’s arsenal. Instead of using a dozen or more different tools, security staff can go to one place for all the information.
- Simplifies the investigation process: This unified repository for security application information not only makes security investigation faster, it also makes it easier. In many cases, SOAR tools can actually investigate low-level alarms on their own, escalating only the most important information so that human staff can intervene. And when the staff does get involved, they have a consolidated place that makes it easier to correlate alarms from different tools and drill down to the root cause of attacks.
- Minimizes the damage from attacks: Because SOAR helps staff respond to and investigate attacks more quickly, it also allows them to begin mitigation sooner. Again, the automation capabilities can take some steps to minimize damage from attacks without human intervention. And when people do need to be involved, they’ll have the most important information about the attack sooner, so that they can respond faster.
- Reduces time spent reacting to false positives: False alarms are a constant plague for SOC staff. These false positives eat into staff time that they could be spending much more productively. Even worse, staff get so used to seeing alert notifications on their various dashboards that they sometimes neglect to respond to true emergencies. SOAR solutions attempt to fix this situation by automating the handling of low-level alerts and focusing attention where it is truly needed.
- Reduces manual processes: It isn’t just false alarms that eat up SOC workers’ time. Many spend a large portion of their day handling cumbersome manual tasks like updating firewall rules, adding new users or deprovisioning users who have left the company. These sorts of repetitive tasks are ideal for automation, and some SOAR vendors claim that up to 80 percent of staffers’ daily work can be automated. In the ESG report, 29 percent of respondents said they wanted to use security automation and orchestration to automate basic remediation tasks.
- Integrates with IT operations tools: Ideally, SOAR tools don’t just integrate security tools; they also give security analysts the ability to look into asset databases, helpdesk systems, configuration management systems and other IT management tools. The ESG study found that 22 percent of organizations were looking for this capability.
- Offers cost savings: While cost isn’t the primary driver for security automation and orchestration, it can be a very welcome side benefit. By helping staff become more efficient and productive, SOAR solutions can help reduce operational costs.
Key security automation and orchestration vendors
A few large technology vendors offer SOAR solutions, primarily because they have acquired startups in the security automation and orchestration market. However, most of the top vendors in the market are young startups.
Leading security automation and orchestration vendors include the following:
- D3 Security
- IBM Resilient
- Resolve Systems
Analysts say it’s likely that some of these smaller vendors will be acquired by larger companies as the security automation and orchestration market matures.