SOAR Platform Vendors, open-source threat intelligence, threat intelligence platform open source, Security Automation Platform, vulnerability management asset prioritization, top threat intelligence tools, soc automation open-source soar, security orchestration tools, vulnerability remediation prioritization, security orchestration, asset vulnerability management tool, soar solutions, Gartner, top threat intelligence platformsSecuraa is a next-generation Security Orchestration and Response system.
For readers who are still new to this domain, here is a summary of what a Security Orchestration and Response (SOAR) Platform does:
- Aggregation: A SOAR system collects/aggregates alert data from various sources like SIEMs, Mailboxes, Syslog servers, etc.
- Enrichment: Once an alert is collected, the SOAR platform enriches alerts based on entities contained in the alert like usernames, IP addresses, domains, etc.
- Orchestration: A soar platform also integrates disparate tools and platforms so they can work together based on the approved direction of the SOC team. Some of the activities could be manual or automated in nature depending on the platform or process.
- Automation: A Security orchestration and automation platform also execute functions on its own to affect other integrated systems. This is be done using automatic playbooks that trigger when certain conditions are met or manually based on the analyst’s requirements.
- Response: Providing canned resolution for known response activities. This involves executing responses based on organization-approved workflows or Standard Operating Procedures.
Let’s understand those capabilities in detail:
1. Aggregation:
This is the simplest capability that allows SOAR to become the single pane of glass for SOC. They consume alerts from various sources like SIEM, emails (in case you have CIRT/CIRC mailbox), or directly from systems that might not be integrated with SIEM. Other sources of alerts could be cloud-based systems that use REST API to collect alerts instead of Syslog or a simple format of alerts that are supported by SIEM. SOAR replaces your current case management capability as it provides a superior and modern case management system that’s more flexible and aligned to today’s dynamic environment
2. Enrichment:
This implies that the SOAR system pulls additional data for all the entities involved in an alert. Ex- if there is a user ID, soar system will fetch context from directory system like username, manager, locations, etc. for an external IP address this could be a reputation lookup from a native or external threat intelligence system
You might be wondering why enrichment is needed as most SIEMS are doing the enrichment on their own. Well, you are correct, however, most SIEMs still do not support enrichment as part of the case management process. Even if they do, the alert raised in the SIEM system often focus on lookups that are easy to perform like threat intelligence. Also, most lookup activity is not dynamic in nature Ex- You can’t configure most SIEM’s to only do a second lookup with a commercial threat intelligence when a HIGH severity alert is created. Most SIEM’s will always do the look for not making it static. Some of them might permit additional lookups that are manual only when the alert is created in the system. With a SOAR platform, you can write a simple playbook that will execute only when an Alert of certain Severity is fired for an asset with a known business criticality. this makes the enrichment dynamic in the SOAR platform compared to SIEM systems. This saves you dollars on TI systems that often charge based on a number of API calls.
3. Orchestration
This is one of the differentiators of the soar platform where it integrates with third-party systems to execute changes based on the response that the analyst needs to provide. These integrations are API-driven. Ex- in an organization, blocking an IP address in a firewall might require approval whereas in others it can be done without approval. Another example could be to get approval from a user’s manager to reset his reporter’s password when the account is blocked after multiple failed login attempts. Once the systems in an organization are integrated, the SOC team can create workflows/playbooks to carry out desired actions manually or automatically. this is the most time-consuming phase for organizations that don’t have predefined Response workflows for most common threat categories. Ex- what to do when a DDoS is detected.
4. Automation and Response:
Automation is all about putting the system in the AutoPilot mode where the system keeps reading alerts from various sources and providing a response to those alerts on its own. It then matches rules/policies and executes workflows/playbooks based on conditions. Ex- automatically scan historical successful connection logs in the SIEM DB when a new external IP address is reported to be in use for a known threat actor. This is a typical use for automation of threat hunting. A variant of this could be sending the same IP address to a firewall system that sends an alert if more than 10 systems are found connecting to this known bad IP address.
Securaa provides all these functionalities along with unique differentiators with a native TIP (Threat Intelligence Platform) and a vulnerability and asset management platform. Please contact us at rajesh@securaa.io.
FAQ
Question: What is the SOAR market guide?
Answer: Gartner published a market guide on SOAR which provides insight on the current state of the SOAR market and the forward outlook for the SOAR market.
Question: What are the four areas of the SOAR market as defined by Gartner?
Answer: Gartner defines SOAR to consist of four engines which are ticket and case management, workflow and collaboration, orchestration and automation, and lastly threat intelligent management.
Question: Why is automation important in security?
Answer: Without requiring the analysts to check whether a threat is significant, automation quickly handles alerts allowing the analysts to focus only on serious threats hence keeping the organization safe. Also, automation allows you to improve and regulate your incident response processes and workflows.