January 23, 2020

Improve the Effectiveness of SOAR Solutions, and Accelerate Threat Detection and Response Times

One way to think of SOAR security solutions is that they’re essentially where man meets machine in the cybersecurity world. Yet as SOARs increase in adoption, it’s important to understand exactly what they are, the value they can provide, and the limitations they can present. We examine all of these topics in this blog, as well as highlight how an innovative new cybersecurity approach can improve their effectiveness.

Improve the Effectiveness of SOAR Security Solutions, and Accelerate Threat Detection and Response Times

Security Orchestration, Automation, and Response (SOAR) is broadly defined as a security solution combining machine and manpower to conduct threat analysis and remediation. Gartner created the concept of SOAR security and as a way of combining critical categories such as security orchestration and automation (SOA), security incident response (SIR), and a threat intelligence platform (TIP) into a single solution.

For example, according to Gartner, SOAR solutions, such as Demisto, can take inputs from many different sources, including SIEMs, firewalls, and IDS tools, and then apply automated workflows and/or  playbooks to the company’s specific processes. When at their best, SOAR security solutions can improve critical cybersecurity operations such as threat detection and incident response by helping human operators, especially security operation center ( SOC) teams, better manage their company’s overall security approach. 


New video: To learn more about our integration with Demisto or how ARIA Cybersecurity solutions can improve other SOAR implementations, watch our ARIA Packet Intelligence-SOAR video now


Machine-led automation, like what is found in a SOAR security offering, is essential in today’s cybersecurity environment, especially mature SOCs teams as IT organizations often struggle with recruiting and training experienced security personnel. Specifically, SOAR solutions can use artificial intelligence and machine learning to automate many critical security operations, helping reduce the need for human involvement and speeding up various cybersecurity processes.

For example, it can take several months to train new security analysts and then enable them to be comfortable with your environment. The SOAR’s automation capabilities help to not only fill the critical awareness and response gaps left by limited personnel, but also improve the efficiency of existing staff and achieve incident resolution speed and accuracy that manual processes typically can’t achieve.


Functional components of SOAR solutions

  • Security orchestration connects security and productivity tools and resources to improve incident response. With SOAR, security teams are empowered to replace slow and manual activities with machine-driven decision-making and remediation processes. That said, automation alone is not sufficient to spot the subtle signs of a hack. For example, an alert system alone cannot determine whether an email is malicious or not, and still requires manual assessment before the appropriate action can be taken.
  • Automation is key as with any incident response there are hundreds of actions that must be taken. Moreover it is impossible for analysts to manually address the number of intrusion  alerts generated by security tools, like SIEMs, received every day. With the automation feature of SOAR the security team can automate a decision-making workflow, define remediation actions and monitor status, supporting reactive and proactive security measures to identify threats and vulnerabilities prior to a real incident.
  • Response helps security analysts manage incidents, collaborate and share data for incident resolution. SOAR collects data from other security tools such as SIEM that security teams can analyze to determine if a threat exists and what to do to prevent further attacks.


SOAR limitations

According to a recent Gartner SOAR report, “Market Guide for Security Orchestration, Automation, and Response Solutions,” SOAR security technologies are currently not advancing as much as they should. This is occurring because early adopters of SOAR technologies may not have done enough to develop their initial use cases for their SOAR solution. 

Additionally, while SOAR solutions offer the power of automation (as described above), they may still be too reactive to scenarios they’ve “seen” in the past since most playbooks are built on previous experiences. Additionally, considering that SOARs take security information from other systems, such as SIEMs, their overall effectiveness depends on data those others systems send. As discussed in past blogs, if a SIEM has limited visibility, the performance of the SOAR security solution will also be impacted.

Additionally, SOAR solutions may not be as easy to implement as compared to point security solutions. Many organizations face an extended implementation timeframe, which if not managed correctly, may threaten the overall effectiveness of the resulting solution.


How ARIA Cybersecurity can help

Our ARIA Software-Defined Security (SDS) platform is specifically designed to work seamlessly with, and improve the network-based visibility of, industry-leading security tools, including SOAR solutions. SOAR tools with ARIA SDS integration provide the automation ensuring consistent and timely threat investigation and response.

With the ability to integrate to leading SOAR security solutions using open RESTful APIs, ARIA SDS delivers the unique capability to surgically stop cyber-attacks without taking devices or applications off-line, including IoT and other devices that can’t run agents or EDRs for protection. Additionally, the ARIA Packet Intelligence application provides access to every packet traveling on the network, which closes a sizable east-west traffic threat surface. When this type of information is ingested by the SOAR, it can be leveraged for automated incident data enrichment, real-time investigation, or post-investigation reporting. 

Simply stated, by integrating ARIA solutions with a SOAR technology such as Demisto, security teams can gain complete insight into their network traffic (with ARIA)  and then use that information to initiate threat verification and containment using existing security playbooks within the SOAR solution. For example, when a playbook is alerted, the SOAR security tool works with the ARIA solutions to take the most effective action, such as shutting down threat conversations between devices.

With more complete insights into your network, you can find threats that are normally missed and automatically stop threats—all while leaving critical devices on-line and  without disrupting valuable business processes and operations.


About ARIA Cybersecurity Solutions 

ARIA Cybersecurity Solutions recognizes that better, stronger, more effective cybersecurity starts with a smarter approach. Our solutions provide new ways to monitor all internal network traffic, while capturing and feeding the right data to existing security tools to improve threat detection and surgically disrupt intrusions. Customers in a range of industries rely on our solutions each and every day to accelerate incident response, automate breach detection, and protect their most critical assets and applications. With a proven track record supporting the Department of Defense and many intelligence agencies in their war on terror, and an award-winning portfolio of security solutions, ARIA Cybersecurity Solutions is committed to leading the way in cybersecurity success. 

Tags: cyber attack, cybersecurity, siem