Research conducted by ESG found that 58% of organizations have a threat intelligence program. However, with a reliance on manual processes and incompatible tools, organizations struggle to realize the value of threat intelligence. To meet these challenges, some security teams are aiming to operationalize threat intelligence through the fundamentals of people, processes, and technology. Aligning people, processes, and technology gives you the ideal cross section for SOAR (Security Orchestration, Automation, and Response) platforms.
What is Security Orchestration, Automation, and Response (SOAR)?
Before diving into SOAR, it is important to understand the precursor to implementing a SOAR solution: proper logging. SIEM (Security Information and Event Management) solutions combine SIM (Security Information Management) and SEM (Security Event Management) functions into one security management system. SIEM solutions collect and aggregate the log data generated within a technology infrastructure, including applications, network traffic, and endpoint events. From the aggregated data, SOCs (Security Operations Centers) and CSIRTs (Cyber Security Incident Response Teams) can then detect events and incidents for further analysis.
Orchestration
Orchestration refers to the machine-based coordination of distinct yet interdependent security solutions. Because event data is collected and centralized, all the information necessary to assess and respond to incidents is available and easily accessible in one location. Furthermore, in the case of a security incident, information is presented in context, and actions can be invoked even in third-party systems.
Automation
Automation is the machine-based execution of security processes with minimal human interaction. Monitoring the entire attack surface can often require a large IT security function, a commodity that not many organizations can afford.
Response
Response is the combination of human and machine security processes, procedures, and actions that need to be performed when a security event occurs.
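The three definitions above, shown as a playbook in code. This is an added example, not code from the original article or from any SOAR product; the event fields, host names, asset inventory, and severity threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events, as a SIEM might forward them from three separate tools.
EVENTS = [
    {"source": "edr", "host": "ws-014", "signal": "suspicious_process", "severity": 7},
    {"source": "proxy", "host": "ws-014", "signal": "blocklisted_domain", "severity": 5},
    {"source": "mail", "host": "ws-022", "signal": "phishing_reported", "severity": 3},
    {"source": "edr", "host": "srv-db1", "signal": "credential_dump", "severity": 9},
]
# Hypothetical asset inventory that supplies context for each incident.
ASSETS = {"ws-014": "workstation", "ws-022": "workstation", "srv-db1": "production-server"}

def orchestrate(events):
    """Orchestration: centralize events from distinct tools into one incident per host."""
    incidents = defaultdict(lambda: {"sources": set(), "signals": [], "severity": 0})
    for e in events:
        inc = incidents[e["host"]]
        inc["sources"].add(e["source"])
        inc["signals"].append(e["signal"])
        inc["severity"] = max(inc["severity"], e["severity"])
    for host, inc in incidents.items():
        inc["asset_type"] = ASSETS.get(host, "unknown")
    return dict(incidents)

def plan_response(host, inc):
    """Automation and response: pick the steps that run unattended and those an analyst approves."""
    steps = [("auto", f"open ticket for {host}")]
    corroborated = len(inc["sources"]) >= 2  # seen by two or more independent tools
    if inc["severity"] >= 7 and inc["asset_type"] == "workstation" and corroborated:
        # A real platform would call the third-party tool's API at this point.
        steps.append(("auto", f"isolate {host} via EDR"))
    elif inc["severity"] >= 7:
        # High impact or uncorroborated: keep a human in the loop.
        steps.append(("analyst", f"approve containment of {host}"))
    return steps

def run_playbook(events):
    return {h: plan_response(h, inc) for h, inc in orchestrate(events).items()}

if __name__ == "__main__":
    for host, steps in run_playbook(EVENTS).items():
        for mode, action in steps:
            print(f"{host:8} [{mode:7}] {action}")
```

The production server is never isolated automatically: a high-severity signal on a critical asset is routed to an analyst, which is the human half of the response definition.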