SOAR or not to SOAR?

Published: 2020-02-16
Last Updated: 2020-02-16 17:22:50 UTC
by Guy Bruneau (Version: 1)
6 comment(s)

Security Orchestration, Automation and Response (SOAR) allows organizations to collect data about security threats from multiple sources to automate an appropriate response to repetitive tasks. As an analyst, you need to juggle and pivot several times a day between multiple tools and devices to evaluate a huge amount of information and deal with a flood of repetitive tasks such as alerts, tickets, email, threat intelligence data, etc. The end goal is to centralize everything in one location to improve analysis using captured institutionalized knowledge.

If you are already using a SOAR tool, what were the main reasons to buy it, and did it improve your ability to standardize response procedures in a digital workflow format and standardize best practices?

If you are not using SOAR but are considering implementing it, what are the main qualities you are looking for in this tool?

Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

6 comment(s)


One quality I love about SOAR is that you have to actively define scenarios, the indicators that confirm the scenario has in fact occurred - and prepare the playbooks that can be used to respond to the scenarios.

This makes everyone, not just the system, better prepared for an incident.

When you work across multiple customers you will be able to deploy common scenarios, detections and playbooks. So there are definitely benefits of scale. But the real gold is probably when you go “personal” - define, detect and respond to scenarios in an appropriate manner for each customer.

I'm here to get the answer

SOAR products are still pretty immature so understand that there will be a great deal of work up front in order to get value out of it. But as a previous poster noted, it's important to build playbooks even if you don't have a SOAR.

One of the valuable components we've seen is that we can automate responses using scripts and do it from inside the ticket. There's no question of what the analyst did and how they did it because it's documented. And if there were errors in the script, we should see that. It greatly simplifies IOC blocks because as long as there are proper integrations for all of your tools (sometimes they haven't been built yet), you can run a script for BlockIP ip= and have that script block in every security appliance in your environment. You can also use their playbooks to lead new analysts along the correct path of analysis/response. For some specific incident types, you may be able to auto-respond, which reduces the amount of analyst work involved. But these scenarios need to be heavily tested out.

Can you script? Then you can build it. The flexibility is nice as long as you understand there will be some amount of maintenance for your custom scripts. In 5 years I bet most of the use cases will be fleshed out, but for now if they don't have it out of the box you can write it yourself and that's truly powerful.

With SOAR being immature there are definitely pain points worth pointing out. I can't tell you how many SOAR vendors I spoke with that tried to sell me on how integrations make everything wonderful. For Threat Intelligence, every vendor has their own purpose-built UI for their data. Your SOAR doesn't have that. The way the SOAR displays the data is lowest common denominator and it's fairly feature-poor for analysis. And in my experience you can't do a lot of UI customization to show the extra data you care about. I would love to have a link to my threat intel provider's platform for that IOC so if I need to dig in it's just one click away, but I haven't seen anyone do that yet and my vendor hasn't taken my advice. Also, as a ticketing system the SOARs we've looked at are pretty immature or painful to use. I have heard of more than one shop using JIRA for ticketing and their SOAR for response.

After using a SOAR for a year and a half, my overall feeling is that at present they take a lot of work and they're still immature. But this is definitely where we're going in the future. You should be asking whether you have the manpower to make it work for you now or if you'd rather wait until the water is warmer in a few years.

> I'm here to get the answer

answer is SOAR )

Thanks Wayne for your comments

Guy, check out Demisto and post what the gaps are. That product is designed for exactly what you mentioned. Disclaimer: I am a Palo Alto Networks employee.
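
The block-an-IP-everywhere script described in the comments above, sketched as an added example (not code from the diary, the commenters or any SOAR product): it fans one block out to every expected appliance and writes each outcome, including script errors and integrations that have not been built yet, into the ticket. The names `Integration`, `block_ip`, `PROTECTED` and the appliance names are hypothetical, and the protected-range check is an assumed safeguard for auto-response.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed protected ranges: addresses a playbook must never auto-block.
PROTECTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

class Integration:
    """Hypothetical stand-in for one security appliance's API client."""
    def __init__(self, name, healthy=True):
        self.name, self.healthy, self.blocked = name, healthy, set()
    def block(self, ip):
        if not self.healthy:
            raise ConnectionError(f"{self.name}: API unreachable")
        self.blocked.add(ip)

def block_ip(ticket, ip_text, integrations, expected):
    """Block ip_text on every expected appliance; log each outcome to the ticket.
    Returns True only if every expected appliance confirmed the block."""
    def log(target, status, detail=""):
        ticket.append({"time": datetime.now(timezone.utc).isoformat(),
                       "action": "BlockIP", "ip": ip_text,
                       "target": target, "status": status, "detail": detail})
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError as exc:
        log("-", "rejected", str(exc))
        return False
    if any(ip in net for net in PROTECTED):
        log("-", "rejected", "address is in a protected range")
        return False
    by_name = {i.name: i for i in integrations}
    ok = True
    for name in expected:
        if name not in by_name:              # integration not built yet
            log(name, "manual", "no integration; block by hand")
            ok = False
            continue
        try:
            by_name[name].block(str(ip))
            log(name, "blocked")
        except Exception as exc:             # script errors stay visible in the ticket
            log(name, "error", str(exc))
            ok = False
    return ok

if __name__ == "__main__":
    ticket = []                              # constructed ticket audit trail
    tools = [Integration("firewall"), Integration("proxy", healthy=False)]
    block_ip(ticket, "203.0.113.7", tools, ["firewall", "proxy", "edr"])
    for entry in ticket:
        print(entry["target"], entry["status"], entry["detail"])
```

A `False` return with `manual` or `error` entries tells the analyst exactly which appliances still need attention before the ticket can be closed.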
