Benefits of Using a SOAR Solution

Author: Farhan Imitaz, CISM, CISA, CISSP
Date Published: 3 March 2021

Security orchestration, automation and response (SOAR) is widely discussed among academics, technologists and executives working in the cyber and digital spaces. It is perceived as a solution to many cybersecurity problems, and technology enterprises see great potential in the concept. Large vendors such as IBM, Splunk, Palo Alto Networks and Fortinet are investing heavily in SOAR. In 2019, Palo Alto Networks paid approximately US$560 million in cash and stock, excluding purchase price adjustments, to acquire Demisto.1 That same year, Fortinet announced the acquisition of CyberSponse, a leading SOAR provider.2

SOAR can assist enterprises struggling to keep up with the surge in cyberattacks, the long list of regulators’ compliance demands, the cybersecurity operations workload, and the cost of maintaining a healthy and hygienic digital environment. SOAR promises to reshape cumbersome cybersecurity operations, time-consuming incident handling and substantial cybersecurity spending.

What Is SOAR?

SOAR is a set of integrated tools that enables organizations to automate, orchestrate and respond to cybersecurity incidents with minimal human intervention. It integrates across the technology stack, automates routine tasks and streamlines security operations center (SOC) workflows, with the aim of making threat detection and resolution cheaper, more effective and more agile. The SOAR market is currently valued at approximately US$1 billion and is expected to reach US$2.3 billion by 2025, a 16.3 percent compound annual growth rate over the forecast period.3

As illustrated in figure 1, SOAR can automate and enhance much of cyberincident detection, triage and response. Because not all incidents are equal, and some have a far greater impact than others, SOAR can assign each incident a priority derived from the enterprise's own incident classification scheme. Workflows (playbooks) can be designed that trigger and carry through the incident response cycle, and the service is further improved by integrating internal and external threat intelligence sources for enrichment. Automation should stop short of fully unattended execution for high-impact actions such as isolating a production host or disabling an account; an analyst approval step is the usual control at those points.

Reduces Financial and Operational Burden
SOAR can significantly reduce the financial and operational load. Organizations often maintain several security teams, a plethora of technology solutions and complex manual processes to address security threats, which can lead to responses that are slow, weak and costly. Structures vary from organization to organization, but a typical mid-size to large enterprise has at least three groups under the leadership of a chief information officer (CIO) or chief information security officer (CISO): a governance, risk and compliance (GRC) unit; a security engineering and operations unit; and a threat management unit (SOC/defense). Each team understands the subject differently and views cybersecurity through its own lens, shaped by the background and experience of its members.

The GRC team is better versed in strategy, risk, policies, processes, regulation, compliance and standards. The security engineering and operations team has technical and product-centric knowledge and skills. The threat management (SOC/defense) team focuses on detection, modeling, endpoints, attack types, exploits and vulnerabilities. SOAR can integrate the functions of all three units. Correctly applied, a SOAR solution can substantially reduce the operational load and increase the return on investment (ROI) of present and future cybersecurity investments (figure 2).

Faster Detection and Efficient Response
Early detection of threat actors is another challenge faced by organizations. FireEye's M-Trends 2020 report states that the global median dwell time (the time between the start of an intrusion and its detection) is 56 days. The median for organizations that learned of the incident from an external party is 141 days, and the median for organizations that detected the incident themselves is 30 days. Any of these windows gives an attacker enough time to achieve malicious goals and cover their tracks.4

A further challenge is the emerging cyberlaws and regulations that make organizations liable, such as the EU General Data Protection Regulation (GDPR). An organization operating in the European Union that fails to comply with the GDPR can face liability suits and large financial penalties. The GDPR imposes stringent requirements around data privacy and cyberincident response. Article 33 states that “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”5 For infringements of this kind, the GDPR sets fines of up to €10 million or, in the case of an undertaking, up to 2 percent of total worldwide annual turnover of the preceding financial year, whichever is higher; the most serious infringements carry fines of up to €20 million or 4 percent.6 Note that the 72-hour clock runs from the moment the controller becomes aware of the breach, so the shorter the dwell time and the faster and better documented the response, the smaller the regulatory exposure. An organization subject to the GDPR that deploys a SOAR solution can improve its posture by using orchestration and automation to cut detection and response time and to produce the timeline evidence a notification requires.

SOAR allows organizations to make better use of time by reducing the manual efforts needed for repetitive operational tasks, such as validating phishing emails, filing hashes and identifying false positives. The saved hours can be used for tasks requiring more critical thinking.
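The triage flow described earlier (classification-driven prioritization, threat intelligence enrichment and playbook actions) and the repetitive tasks just listed (validating a phishing e-mail, hashing its attachments, weeding out false positives) can be shown together in one small playbook. The Python below is an added example written for this article, not code from the original page or from any SOAR product; the threat intelligence sets, the classification-to-priority mapping, the sample alerts, the action names and the treatment of detection time as the moment of GDPR "awareness" are all constructed assumptions.

```python
"""Minimal SOAR-style phishing playbook: enrich, classify, prioritize, act.
Added example; not code from the article or any SOAR vendor. Threat intel sets,
classification taxonomy and sample alerts are constructed for illustration."""
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed stand-ins for internal/external threat intelligence feeds.
KNOWN_BAD_HASHES = {hashlib.sha256(b"MZ\x90\x00fake-dropper").hexdigest()}
KNOWN_BAD_DOMAINS = {"login-verify.example", "mail-secure.example"}

# Assumed enterprise incident classification -> priority mapping.
CLASSIFICATION_PRIORITY = {
    "malware_confirmed": "P1",
    "credential_phishing": "P2",
    "suspicious_no_ioc": "P3",
    "false_positive": "P4",
}

# GDPR Art. 33: 72 hours from awareness. Assumption: detection time == awareness.
NOTIFICATION_WINDOW = timedelta(hours=72)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


@dataclass
class PhishingAlert:
    alert_id: str
    detected_at: datetime
    body: str
    attachments: Dict[str, bytes]        # filename -> raw content
    involves_personal_data: bool = False


@dataclass
class TriageResult:
    alert_id: str
    classification: str
    priority: str
    matched_hashes: List[str]
    matched_domains: List[str]
    actions: List[str]
    notification_deadline: Optional[datetime] = None


def enrich(alert):
    """Extract indicators from the alert and match them against threat intel."""
    domains = set(URL_RE.findall(alert.body))
    hashes = {hashlib.sha256(d).hexdigest() for d in alert.attachments.values()}
    return sorted(hashes & KNOWN_BAD_HASHES), sorted(domains & KNOWN_BAD_DOMAINS), domains


def classify(matched_hashes, matched_domains, all_domains):
    """Map enrichment results onto the assumed classification scheme."""
    if matched_hashes:
        return "malware_confirmed"
    if matched_domains:
        return "credential_phishing"
    if all_domains:
        return "suspicious_no_ioc"      # links present but nothing known-bad
    return "false_positive"


def triage(alert):
    """Run the playbook: enrich -> classify -> prioritize -> choose actions."""
    matched_hashes, matched_domains, all_domains = enrich(alert)
    classification = classify(matched_hashes, matched_domains, all_domains)
    actions = []
    if classification == "malware_confirmed":
        # High-impact containment: in production, gate behind analyst approval.
        actions += ["isolate_host", "block_hashes", "open_incident"]
    if classification in ("malware_confirmed", "credential_phishing"):
        actions += ["block_domains", "purge_mailboxes"]
    elif classification == "suspicious_no_ioc":
        actions += ["detonate_attachments", "queue_for_analyst"]
    else:
        actions.append("close_alert")   # nothing for an analyst to look at
    deadline = None
    if alert.involves_personal_data and classification != "false_positive":
        deadline = alert.detected_at + NOTIFICATION_WINDOW
        actions.append("notify_dpo")    # start the breach-notification clock
    return TriageResult(alert.alert_id, classification,
                        CLASSIFICATION_PRIORITY[classification],
                        matched_hashes, matched_domains, actions, deadline)


def sample_alerts():
    """Constructed alerts covering each outcome the playbook must distinguish."""
    t0 = datetime(2021, 3, 1, 9, 0, tzinfo=timezone.utc)
    return {
        "malware": PhishingAlert("A-1001", t0, "Payroll: https://mail-secure.example/p",
                                 {"payroll.exe": b"MZ\x90\x00fake-dropper"}, True),
        "credential": PhishingAlert("A-1002", t0, "Reset: https://login-verify.example/r", {}),
        "unknown_link": PhishingAlert("A-1003", t0, "Report: https://partner.example.com/q1", {}),
        "benign": PhishingAlert("A-1004", t0, "Monthly newsletter, no links", {}),
    }


if __name__ == "__main__":
    for name, alert in sample_alerts().items():
        r = triage(alert)
        print(f"{name:12} {r.priority} {r.classification:20} {r.actions}")
```

Running the file prints one line per constructed alert. Two design points carry over to real deployments: enrichment and classification are pure functions that can be unit tested against a frozen intelligence snapshot, and the one genuinely disruptive step (isolating a host) is the action a production playbook should pause on for analyst approval rather than execute unattended.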

Who Are the SOAR Market Leaders?

There are numerous technology vendors offering SOAR and various vendors rebranding their existing products as SOAR solutions to capitalize on the current market trend and the opportunity. SOAR market-leading solutions include the following:

  • IBM Resilient
  • Splunk Phantom
  • Cortex XSOAR (formerly Demisto) from Palo Alto Networks
  • FireEye
  • LogRhythm
  • FortiSOAR (CyberSponse)

Conclusion

Enterprises need to consider the SOAR option and explore an architecture suited to their target environment. Smartly planned and correctly implemented, SOAR can significantly improve the efficiency, performance and response capability of an organization. The best strategy is a risk-based approach that identifies and assesses the current risk factors and manages them using SOAR.

Endnotes

1 Palo Alto Networks, “Palo Alto Networks Completes Acquisition of Demisto,” 28 March 2019, https://www.paloaltonetworks.com/company/press/2019/palo-alto-networks-completes-acquisition-of-demisto
2 Fortinet, “Fortinet Acquires CyberSponse,” https://www.fortinet.com/products/fortinet-acquires-cybersponse
3 Markets Insider, “The Global Security Orchestration Automation and Response (SOAR) Market Size Is Expected to Reach $2.3 Billion by 2025, Rising at a Market Growth of 16.3% CAGR During the Forecast Period,” 21 October 2019, https://markets.businessinsider.com/news/stocks/the-global-security-orchestration-automation-and-response-soar-market-size-is-expected-to-reach-2-3-billion-by-2025-rising-at-a-market-growth-of-16-3-cagr-during-the-forecast-period-1028615428
4 FireEye, “FireEye Mandiant M-Trends 2020 Report Reveals Cyber Criminals Are Increasingly Turning to Ransomware as a Secondary Source of Income,” 20 February 2020
5 Intersoft Consulting, “Art. 33 GDPR—Notification of a Personal Data Breach to the Supervisory Authority,” https://gdpr-info.eu/art-33-gdpr/
6 Intersoft Consulting, “GDPR—Fines/Penalties,” https://gdpr-info.eu/issues/fines-penalties/

Farhan Imitaz, CISM, CISA, CISSP

Works for Dimension Data/Nippon Telegraph and Telephone (NTT) as a cybersecurity manager and looks after the consulting and technical services division of the Middle East region. He has more than 15 years of experience in cybersecurity and technology consulting, solutions, services, security operation centers, support and managed services.