Security Experts:

Connect with us

Hi, what are you looking for?


Incident Response

There’s More to SOAR

Orchestrating and Automating Interactions of Security Analysts Across Disparate Security Products Can Deliver a Significant Return on Investment

Orchestrating and Automating Interactions of Security Analysts Across Disparate Security Products Can Deliver a Significant Return on Investment

Ever since the industrial revolution, which began more than 200 years ago, automation has played a role in our world. Today automation is woven into the fabric of our daily lives – from paying bills to making coffee to controlling the temperature in our homes. The emphasis of automation has been to reduce the time humans spend on mundane tasks so that they can focus more time on higher-value activities. 

There’s a place for automation in every industry, security included. As security professionals, we’ve talked about automation for decades yet, as I’ve discussed before, haven’t fully embraced it for a variety of reasons. However, over the last couple of the years we’ve started to see a shift. With the advent and expansion of Security Orchestration, Automation and Response (SOAR), automation now is starting to take hold. 

Gartner is credited with having coined the term SOAR and has written extensively on the topic. Many security vendors are entering the SOAR market, and many are focused on automating playbooks for incident response (IR). There’s no arguing this is important – accelerating mean time to response (MTTR) is a top imperative for security teams in every organization. But SOAR it is a term that can cover so much more. Defenders shouldn’t limit themselves to only automating playbooks. There are many additional activities as part of security operations that can benefit from automation and orchestration. Here are just three examples.

1. Detect threats faster. One important measurement of security effectiveness is the speed with which security operations can detect threats. I don’t mean shaving off an hour or even 10 minutes in mean-time-to-detection (MTTD), although there’s value in that. Many companies cannot detect a threat on their network for weeks or even months. The 2018 Ponemon Cost of a Data Breach Study puts MTTD at 197 days. Even a 5-10 percent reduction could mean finding a breach a week or more sooner – reducing the time hackers have to do damage and the associated costs of the breach. In fact, the study reports that companies that identified a breach in less than 100 days saved more than $1 million dollars, in contrast to those that took more than 100 days. 

To find threats faster, organizations use a range of threat intelligence products. But sometimes these solutions don’t proactively push data and need to be polled. They also produce data in different formats. You can reduce MTTD by bringing all that threat intelligence together in a format that is usable, quickly. Automating that aspect of your security operations allows you to accelerate detection and investigation so you can understand what’s at risk and, if high priority, determine the nature of the risk and the best approach to remediate the problem.   

2. Optimize scarce resources. Given the cybersecurity talent shortage, reducing the time highly-skilled resources spend on mundane tasks through automation is critical. Security professionals are hard to find, expensive to hire and difficult to retain. You need to be efficient in how you leverage them – why spend an hour when they can perform the same task in 10 minutes? You also reduce the risk of burnout and turnover by automating tedious tasks. 

For instance, security analysts spend a lot of time manually going into and out of different administration consoles, clicking around until they find what they need, setting up filters, correlating data, and copying and pasting back and forth between systems. If they haven’t saved the data they just looked up, they must repeat the entire process. Instead, something as straightforward as applying automation to pull data from these different security products and aggregating them into a single, easy to read pane can save a tremendous amount of time and frustration. Orchestrating and automating the interactions of security analysts across disparate security products can deliver a significant return on investment.

3. Achieve the impossible. This sounds lofty, but there are some things humans simply can’t do manually, either because the data is in a format that humans can’t process and consume on their own, or there is simply too much data. Consider cases where two or more products don’t talk to each other out-of-the-box and need an intermediary. A great example is dealing with corporate visitors who need wireless connectivity when they’re onsite for a meeting. Often what happens is that individuals share guest wireless accounts, but this creates accountability issues. If you discover some sort of activity – whether inadvertent or malicious – that has exposed the company to risk, it’s difficult to impossible to identify the source. By integrating the badging system used for physical security with the guest wireless system managed through IT, and then orchestrating and automating the onboarding process you can remove the accountability problem. 

Now let’s look at an example of making effective use of massive volumes of data. Through orchestration and automation, you can gather threat intelligence from the cloud, translate it into a useable format and create new blacklists. You can then reconfigure a firewall based on that latest threat intelligence to proactively strengthen security – all without human intervention. 

In each of these examples you’re using SOAR to improve security operations – be it detecting threats faster, making better use of security talent, or making the impossible, possible. Accelerating IR is important. But there’s a lot more to SOAR.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Incident Response

Implementation of security automation can be overwhelming, and has remained a barrier to adoption