I recently spoke with a CISO friend of mine who was new to SOAR (security automation, orchestration, and response) but curious to learn more. We had the following Q & A, which I’m sharing in case it helps anyone else:
Lacking familiarity with SOAR, I have the following questions after reviewing the information available on the web:
1) Does a SOAR tool replace or supplement my SIEM?
No, a SOAR tool complements your existing SIEM and acts as middleware that integrates with all of your existing security tools, including your SIEM. For example, a SOAR tool can ingest alerts from your SIEM and automate the responses to repetitive alerts, freeing you up to handle the more challenging alerts that actually require human intervention. A SOAR tool can present not only the alert, but also valuable contextual information (e.g. asset information & threat intel enrichment), thus increasing security analysts’ ability to make an informed decision & to respond rapidly.
2) Will this tool help me effectively tune my SIEM to minimize alerts?
Yes, a SOAR tool’s reporting capabilities allow you to determine which alarms are causing false positives, enabling you to know exactly which alert rules need tuning. Assuming that your SIEM has an API hook into the alerting mechanism, a SOAR tool also can be configured for specific use cases to automatically or semi-automatically (with the click of a button) modify alerting rules or add exclusion rules to your third-party security tools (e.g. SIEM) to decrease false-positive alerts.
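To make the enrich-then-triage flow from answers 1 and 2 concrete, here is a small Python playbook written as an added example for this post; it is not code from any SOAR product. The SIEM alerts, the asset lookup (standing in for a CMDB or AD query), the threat-intel indicator list and the authorised-scanner list are all constructed sample data. The playbook auto-closes repetitive alerts that match a known-benign pattern, escalates the rest with context attached, and then computes a per-rule false-positive rate and the exclusions a SOAR tool would push back to the SIEM's rule API.

```python
"""Added illustrative SOAR-style playbook (not from the original post).

Ingests constructed SIEM alerts, enriches them with asset and threat-intel
context, auto-closes repetitive low-risk alerts, escalates the rest, and
reports per-rule false-positive rates to guide SIEM tuning.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample alerts standing in for what a SIEM would hand over via API.
SIEM_ALERTS = [
    {"id": 1, "rule": "brute_force_login", "src_ip": "203.0.113.7",   "host": "web-01"},
    {"id": 2, "rule": "port_scan",         "src_ip": "198.51.100.22", "host": "db-02"},
    {"id": 3, "rule": "port_scan",         "src_ip": "10.0.0.5",      "host": "web-01"},
    {"id": 4, "rule": "port_scan",         "src_ip": "10.0.0.9",      "host": "dev-03"},
    {"id": 5, "rule": "malware_beacon",    "src_ip": "10.0.0.44",     "host": "hr-07"},
]

# Hypothetical asset inventory (a real playbook would query AD / a CMDB here).
ASSET_DB = {
    "web-01": {"owner": "platform", "criticality": "high"},
    "db-02":  {"owner": "data",     "criticality": "high"},
    "dev-03": {"owner": "dev",      "criticality": "low"},
    "hr-07":  {"owner": "hr",       "criticality": "medium"},
}
THREAT_INTEL = {"203.0.113.7", "198.51.100.22"}   # constructed indicator list
INTERNAL_SCANNERS = {"10.0.0.5", "10.0.0.9"}      # constructed authorised-scanner list


@dataclass
class Case:
    """One alert plus the context a SOAR tool would present to the analyst."""
    alert: dict
    asset: dict
    ip_on_intel: bool
    disposition: str = ""
    reason: str = ""


def enrich(alert):
    """Attach asset ownership/criticality and a threat-intel hit to the alert."""
    asset = ASSET_DB.get(alert["host"], {"owner": "unknown", "criticality": "unknown"})
    return Case(alert=alert, asset=asset, ip_on_intel=alert["src_ip"] in THREAT_INTEL)


def triage(case):
    """Decide whether the enriched alert can be closed automatically or needs a human."""
    a = case.alert
    if a["rule"] == "port_scan" and a["src_ip"] in INTERNAL_SCANNERS:
        case.disposition, case.reason = "auto_closed", "authorised internal scanner"
    elif case.ip_on_intel or case.asset["criticality"] == "high":
        case.disposition, case.reason = "escalated", "known-bad source or high-value asset"
    else:
        case.disposition, case.reason = "escalated", "needs analyst review"
    return case


def run_playbook(alerts=SIEM_ALERTS):
    """Enrich and triage every alert, returning the resulting cases in order."""
    return [triage(enrich(a)) for a in alerts]


def false_positive_report(cases):
    """Per-rule share of alerts that were auto-closed, i.e. the tuning candidates."""
    total, fp = Counter(), Counter()
    for c in cases:
        total[c.alert["rule"]] += 1
        if c.disposition == "auto_closed":
            fp[c.alert["rule"]] += 1
    return {rule: fp[rule] / total[rule] for rule in total}


def suggest_exclusions(cases, threshold=0.5):
    """Rules whose false-positive rate exceeds the threshold, with the source IPs
    to exclude. A real SOAR integration would push these to the SIEM's rule API;
    here they are simply returned for review."""
    rates = false_positive_report(cases)
    exclusions = defaultdict(set)
    for c in cases:
        if c.disposition == "auto_closed" and rates[c.alert["rule"]] > threshold:
            exclusions[c.alert["rule"]].add(c.alert["src_ip"])
    return {rule: sorted(ips) for rule, ips in exclusions.items()}


if __name__ == "__main__":
    cases = run_playbook()
    for c in cases:
        print(c.alert["id"], c.alert["rule"], c.disposition, "-", c.reason,
              "| asset:", c.asset, "| intel hit:", c.ip_on_intel)
    print("false-positive rate by rule:", false_positive_report(cases))
    print("suggested SIEM exclusions:", suggest_exclusions(cases))
```

The split between `enrich` and `triage` mirrors the two things the answers above describe: context gathering from other tools, then a decision that is either automated or handed to an analyst with that context attached. The false-positive report is deliberately derived from dispositions rather than from the raw alert count, since it is the auto-closed share of a rule's alerts that tells you which rule needs tuning.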
3) Where does a SOAR tool fit within my security architecture?
SOAR acts as middleware, assisting your existing security tools in working together more effectively, allowing you to respond to existing security alerts more efficiently and rapidly.
4) What integration points and data flows are necessary to derive value from the solution?
SOAR can be deployed wherever you’d like in your environment & needs to be able to communicate with whatever existing security tools you’d like to integrate with, usually via RESTful API over HTTPS. Also, if for example you’d like to pull asset information from AD as part of your automation workflow, then the SOAR server would need access to AD. Many organizations also choose to have the SOAR tool communicate with a mail relay server in order to send reports, automated incident response messages, etc.
5) Does a SOAR solution require API integrations and, therefore, existing security solutions that support API integrations?
Most SOAR tools provide many pre-built integrations and allow some ability to create custom integrations. Typically integrations communicate through an API, but there are also many other ways to integrate with existing security solutions.
6) Can you show me a reference diagram of some sort?