Automation creates efficiency. Reducing the need for humans to complete repetitive tasks has been fundamental to the evolution of technology since the very beginning and remains a key part of current thinking around optimal cybersecurity operations.
The same is true of orchestration, another fundamental tenet of using software to drive business value. Orchestration integrates and simplifies many separate components into a single workflow – using preset procedures to dictate the resulting action.
Orchestration and automation are the ‘O’ and ‘A’ in ‘SOAR’, quite literally at the center of the fast-growing segment of cybersecurity solutions that promises to streamline and accelerate how organizations successfully manage security incidents.
As SOAR takes off, this post examines what relationship it has with threat intelligence and how the dynamics need to work between them in order to maximize business value.
What is SOAR?
At the heart of every SOAR (Security Orchestration, Automation and Response) solution is typically an orchestration module and an automation engine. Combined, these serve to establish the SOAR platform as a single point of visibility and management for collecting data from all relevant sources and equipping security teams to respond appropriately.
SOAR platforms have grown in relevance to large enterprises on the back of numerous factors:
- More cyber attacks
- More high profile breaches
- Worsening cyber skills crisis and lack of internal resources
- Stiffer regulations and compliance requirements
- Inability to manage increased volume of alerts and information sources
- Lack of a single point of visibility and control of threat data
- Unmanageable levels of false positives
These and other factors are contributing to significant growth in the market for SOAR solutions, which Markets and Markets puts at 16% CAGR between now and 2024.
How does threat intelligence relate to SOAR?
SOAR platforms run on data like airplanes run on fuel. As well as consolidating feeds and logs from various security infrastructure components (firewalls, EDR, SIEM, email gateways, ticketing apps, identity management, etc.), SOARs will also ingest threat intelligence data from external and community sources.
What’s great about SOAR platforms is their ability to present all this information to security teams in an automated and logical way that would be impossible through manual processes. SOAR platforms can support a range of use cases that apply this consolidated view, typically via the use of standardized, automatable playbooks.
Through this approach, SOAR platforms accelerate incident response in two ways: first by making the collation and sorting of threat data much faster than through manual means, and second by accelerating the execution of incident response measures. The net result is to reduce MTTD (mean time to detect) and MTTR (mean time to resolution) from hours and days to seconds and minutes, thereby mitigating the impact of incidents. And – crucially – they do this without having to increase the workload of already overstretched security teams. This reduces cost and risk, and dramatically improves reporting capabilities to satisfy boardroom oversight and compliance requirements alike. SOAR can also be a valuable tool in threat hunting.
Why fresh, contextualized threat intelligence makes all the difference to SOAR
Airplanes need high-octane jet fuel, not the kind of gasoline you put in your car. This is a perfect metaphor for the ROI of SOAR platforms; without the right threat intelligence data you cannot expect the optimum results and performance.
Implementing SOAR equips security teams to maximize the exploitable value of threat data, so it makes perfect sense to focus on how valuable that threat intelligence is in the first place. When considering the kind of value available only from a provider like Blueliv, there are five major tests for threat intelligence:
- Is it complete?
  - Does it encompass the widest possible range of data sources, or are there blind spots in coverage?
- Is it relevant to the organization?
  - Can it major on the kinds of threats that are most likely to affect this specific organization, given its location, size, sector, special circumstances and history? Or are all threat vectors, IOCs, etc. weighted equally?
- Is it fresh?
  - Does it measure up to being ‘real-time’, or is it merely ‘up to date’ or ‘recent’? Can the validity of the threat intelligence be trusted without needing to recheck?
- Is it contextualized?
  - Can the threat intelligence be immediately applied to enrich internal alert data with a 360-degree view of external context? Is the external threat intelligence produced solely by automated sources, or is it validated and enhanced by experienced threat intelligence analysts who add context where applicable?
- Is it easy to apply?
  - Does it readily integrate with SOAR platforms using standards-based APIs? Does it conform to machine-readable standards?
Alas, some organizations report challenges achieving the compelling benefits that SOAR platforms promise, and this is chiefly because of deficiencies in threat intelligence. For some it’s the incomplete picture of the threat landscape, particularly around external sources such as those penetrating underground forums on the dark web. For others it’s the need to validate data entering the SOAR platform (very challenging at high volumes) because it lacks context or represents a false positive.
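As an added example (not code from the post or from Blueliv), the following Python applies the five tests above as a validation gate on a constructed indicator feed, holding back incomplete, stale, irrelevant or uncontextualized records before a playbook uses them for enrichment. The organization profile, field names, confidence threshold and seven-day freshness window are assumptions.

```python
# Added example (not the post's or Blueliv's code); org profile, fields and thresholds are assumed.
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)  # fixed clock, reproducible results
FRESHNESS_WINDOW = timedelta(days=7)               # assumed cut-off for "fresh"
MIN_CONFIDENCE = 70                                # assumed threshold
REQUIRED_FIELDS = ("value", "type", "last_seen", "confidence", "sectors")
ORG_PROFILE = {"sectors": {"finance", "retail"}}   # constructed receiving organization

def assess_indicator(ind, org=ORG_PROFILE, now=NOW):
    """Return (accept, reasons): accept only complete, fresh, sector-relevant, analyst-validated records."""
    missing = [f for f in REQUIRED_FIELDS if f not in ind]
    if missing:
        return False, ["incomplete: missing " + ",".join(missing)]
    reasons = []
    age = now - datetime.fromisoformat(ind["last_seen"])  # tz-aware ISO 8601 timestamp
    if age > FRESHNESS_WINDOW:
        reasons.append(f"stale: last seen {age.days}d ago")
    if not set(ind["sectors"]) & org["sectors"]:
        reasons.append("irrelevant: no sector overlap")
    if not ind.get("analyst_validated"):
        reasons.append("no analyst context")
    if ind["confidence"] < MIN_CONFIDENCE:
        reasons.append(f"low confidence {ind['confidence']}")
    return not reasons, reasons

def triage_feed(feed, org=ORG_PROFILE, now=NOW):
    """Split a feed into values safe to enrich alerts with, and held values
    mapped to their failure reasons for analyst review."""
    accepted, held = [], {}
    for ind in feed:
        ok, reasons = assess_indicator(ind, org, now)
        if ok:
            accepted.append(ind["value"])
        else:
            held[ind.get("value", "<no value>")] = reasons
    return accepted, held

# Constructed sample feed: TEST-NET addresses, reserved example domain, placeholder hash.
SAMPLE_FEED = [
    {"value": "198.51.100.23", "type": "ipv4", "last_seen": "2024-01-09T08:00:00+00:00",
     "confidence": 90, "sectors": ["finance"], "analyst_validated": True},
    {"value": "203.0.113.7", "type": "ipv4", "last_seen": "2023-11-01T00:00:00+00:00",
     "confidence": 95, "sectors": ["finance"], "analyst_validated": True},
    {"value": "malicious.example", "type": "domain", "last_seen": "2024-01-09T00:00:00+00:00",
     "confidence": 80, "sectors": ["energy"], "analyst_validated": False},
    {"value": "FILE-HASH-PLACEHOLDER", "type": "sha256", "confidence": 60, "sectors": ["retail"]},
]
```

Only the first record survives the gate; the held dictionary gives the analyst the specific test each rejected record failed, which is the context a high-volume SOAR pipeline otherwise lacks.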
Lastly, a note on standardized playbooks – which SOAR platforms generate and facilitate so that incident response teams can execute a series of triggers and scenarios. Ultimately, while these undoubtedly contribute to more streamlined operations and – in many cases – faster and more effective IR, playbooks are no magic formula. There will always be exceptions where the presence of solid, actionable threat intelligence offers a dynamic route to incident response that is more effective than the playbook approach. Even playbooks that are constantly under review are one step behind genuinely fresh, contextualized threat intelligence that IR teams can directly act upon.
Unlike many cyber technologies, SOAR is not overhyped. The benefits are clear, and the adoption of SOAR platforms is destined to soar in the coming years. However, SOAR is subject to the same familiar GIGO (garbage in, garbage out) effect that governs all data processing. Unless organizations recognize this when investing in their SOAR solutions, particularly with respect to utilizing the best threat intelligence available, they will struggle to realize their full potential value.