All Research
Executive View
Security Orchestration, Automation and Response (SOAR) platforms are becoming essential components of security architectures in many organizations around the world. SOAR platforms are designed to provide a centralized analyst and management interface for security teams. They consolidate security event information and allow for faster and more efficient investigations and responses. Cortex XSOAR from Palo Alto Networks is a state-of-the-art SOAR platform that integrates with not only Palo Alto Networks tools but hundreds of the most common security applications in the market today.

1 Introduction

As the number and sophistication of cyberattacks have continued to increase over the years, some vendors realized that the traditional approaches and tools of cybersecurity likewise have failed to keep up. Many security-conscious organizations can find themselves administering over 50 different and disjointed security tools. Security Information and Event Management (SIEM) products were once hailed as the ultimate solution for managing security operations. In many organizations, they still form the foundation of modern Security Operations Centers (SOCs).

Parallel to SIEM solutions, a class of incident investigation and response platforms has emerged focusing on creating more streamlined and automated workflows for dealing with security incidents. SOAR products are the latest iteration of this evolution. Driven by the growing demand to implement centralized, automated control over incident analysis and response workflows across disparate security solutions, vendors are expanding their existing security intelligence, security orchestration, or incident response platforms to combine the key capabilities across all three of these market segments. Complementing or directly integrating with SIEMs, SOAR platforms aim to become the foundation of contemporary SOCs.

SOAR systems generally have OOTB connectors (software configurations and code in the form of packaged API calls) to facilitate data layer integration from SIEMs and other upstream sources. These connectors, sometimes called “integrations” by vendors, also allow SOAR console users to operate and/or administer the other security tools in the architecture, to the degree permitted by exposed APIs.

The orchestration aspect of SOAR involves not only the collection of telemetry from these different sources, but also initiating a workflow, opening cases and tickets where appropriate, and correlation and enrichment of event information. Enrichment of event data can be facilitated by SOAR systems by the automatic collection of additional forensic evidence on-site, such as outputs of EPP scans, obtaining non-standard log files, memory dumps, etc. Some vendor solutions can kick off automated threat hunts (looking for IOCs across multiple nodes in an environment) and add the results to a preliminary investigation. SOAR solutions should also be able to generate queries to threat intelligence sources based on suspicious items and patterns observed from upstream telemetry. Some vendors have extensive threat intelligence capabilities that are utilized by their SOAR solutions. Examples of threat intelligence content include IOCs, compromised credential intelligence, device intelligence, and domain/file/IP/URL reputation information. Some SOARs incorporate Machine Learning (ML) detection models as a means to reduce false positives and provide more actionable intelligence to analysts and admins. Ideally, SOAR solutions will accomplish many of these listed actions automatically prior to or while alerting a human analyst.

When an analyst is alerted and assigned a case, all pertinent information related to the event should be constructed and presented by the SOAR platform to the analysts for their investigation. The SOAR platform should package information coherently, with descriptions and recommendations for actions.

Most SOAR vendors adhere to the paradigm of a playbook. Playbooks typically address common security scenarios and can be triggered either by manual analyst action or automatically if allowed by policy and supported by the vendor. Examples of security events that may trigger playbooks are phishing, malware, ransomware, failed login attempts, excessive or abnormal use of privileged credentials, prohibited communication attempts, attempts to access unauthorized resources, file copying or moving, attempts to transfer data using unauthorized webmail providers, attempts to transfer data to blocked IPs or URLs, unusual process launches, unusual application to network port activities, unusual network communication patterns, and so on. SOAR platforms often support dozens to hundreds of playbook scenarios and offer hundreds to thousands of possible incident investigation and response actions.

Full article is available for registered users with free trial access or paid subscription.
Log in
Register and read on!
Create an account and buy Professional package, to access this and 600+ other in-depth and up-to-date insights
Register your account to start 30 days of free trial access
Register
Get premium access
Choose a package

Stay up to date

Subscribe for a newsletter to receive updates on newest events, insights and research.
I have read and agree to the Privacy Policy
I have read and agree to the Terms of Use