blog に戻る

2020年04月08日 Dario Forte

Where will SOAR go in the next 5 years?

SOAR emerged in the cybersecurity world from the problems that existing solutions in the past couldn’t overcome. With the ever-growing number of cyber threats posed to countless organizations, it seems as though SOAR was invented just in the nick of time, and in the relatively little time that it exists, SOAR has already proved to be more than capable of vastly enhancing the efficiency of SOCs and SecOps. But what does the future look like for SOAR?

In an internal interview with Sumo Logic’s Senior Director, Michele Zambelli, we discussed the new heights SOAR has climbed to in recent years, the growing importance of this indispensable technology for virtually any SOC and SecOps, and the role that SOAR is expected to take in the future.

What prompted the emergence of SOAR in cybersecurity

Security operations require the merging of intelligence, both from in-house staff and technological solutions. Cyber attacks are becoming more unpredictable than ever, and that exact unpredictability led to the formation of the following challenges that prompted the birth of a whole new cybersecurity technology:

  • An increasing number of alerts

  • False positives and false negatives

  • Overwhelming workload for SecOps and SOCs

  • Sophisticated attacks with no recognizable patterns

Security Operations Centers consist of analysts, engineers, and investigators that work tirelessly to maintain the security of an organization at all times. But without automation installed in the system, analysts have to deal with each and every threat manually, which is time-consuming, tiresome, and just borderline tedious.

Just mere seven or eight years ago, when cyber technology was far from its peak and cyber attacks were less sophisticated, cybersecurity teams confronted cyber threats with technologies that mostly revolved around ticketing systems, which apart from detecting threats, have no way of determining the real danger of cyber threats.

Nowadays, cyber threats are becoming more unpredictable, advanced, and difficult to trace, which leaves analysts with the difficult task of investigating each threat as it arrives in real-time. Keeping in mind that many of those cyber alerts turn out to be false threats or false positives is all the more frustrating for analysts. But what if a cybersecurity solution was to do all that hard and tedious work for you? Wouldn’t that be a relief? Well, that’s exactly what SOAR does.

Why is SOAR considered a top solution in the cyber world?

SOAR is a term coined by Gartner, which stands for Security, Orchestration, Automation and Response. Many of the characteristics that describe SOAR are unique to this technology, and that’s why SOAR is growing in demand in the modern cybersecurity industry. SOAR helps SecOps and CSIRT teams in many ways, most notably with:

  • Improving the efficiency of the security operations by automating workflow processes

  • Improving the detection of false positives

  • Centralizing the operations from a single panel

  • Seamlessly integrating different cybersecurity tools to simplify workflow processes

  • Automating low-risk tasks without the need for human intervention

It is crucial to place emphasis on automation. SOCs have to deal with a lot of different types of threats, including phishing attacks, frauds, malware attacks, etc. The problem is that these attacks are becoming more and more sophisticated, as hackers and fraudsters use advanced technologies to implement those attacks. This is exactly where SOAR comes into play.

Furthermore, investigating and triaging a single cyber threat requires analysts to have access to different types of security tools, manually perform different sets of tasks, and correlate information by hand before an informed decision can be made. But with SOAR, teams can orchestrate technology and processes from a single dashboard and work as a unified entity.

SOAR relieves the burden of analysts and improves the efficiency of SOCs by allowing certain tasks to be fully automated and orchestrated from a single, centralized panel. SOAR as technology is perfectly customizable to the nature of the organization and uses machine learning to detect repetitive patterns and use the knowledge gained from its experience to anticipate similar threats in the future. Which makes SOAR the perfect solution to have by your side against sophisticated, modern cyber threats.

What are the main advantages of using SOAR?

The main goal of SOAR is to replace the manual labor that analysts and SecOps are required to do in the absence of SOAR.

What this means is that SOAR leverages that machine learning to automate the process of detecting, tracking, resolving, and documenting a single threat in real-time, and doing all this with absolute precision. In this regard, SOAR helps SOCs and CSIRT teams:

  • Improve the reaction time to threats

  • Reduce the number of false positives

  • Calculate risk assessment

  • Perform evidence management

  • Free analysts from handling low-risk, mundane tasks

  • Fully document threats

  • Measure success by following important KPIs

  • Leverage the open-integration framework to align with various tools and technologies

So, it is very clear that the benefits of SOAR are particularly focused on improving the weaknesses of SOCs and CSIRT teams that hackers and fraudsters gladly exploit.

The unique thing about SOAR is that the technology is crafted in such a way that it thoroughly follows a potential threat from detection to remediation. And the process of triaging leans on automation and machine learning to resolve the problem, document the characteristics of the attack and learn from the information from that attack to more efficiently tackle future threats with similar patterns.

Can analysts completely rely on automation for security operations?

Analysts can and do rely on automation for security operations, but they do it with caution:

  • Customizable degree of automation: The great thing about automation in SOAR is that it is completely adjustable. Depending on the type of organization and its preferences, SOAR allows analysts and engineers to adjust the degree of automation. This means that analysts still have complete control over which tasks they want to automate and which tasks they want to handle manually.

  • Depending on the automation needed: If the user only needs to collect information regarding a certain alert through enrichment, analysts can fully rely on the automation. However, in scenarios where the use cases also require containment action, which means changing the status of a system, in this case, the automation needs to be used very meticulously.

For instance, in our Cloud SOAR solution, we provide functionality that we call “User Choice” in our automated workflow processes, where the playbook is instructed to stop after some safe actions have been completed so that the user can review the progress and confirm the progress. These so-called “Break-Points” allow the user to choose the path of the automation in cases where decisions that can affect the status of the system need to be taken.

So, in reality, analysts rely completely on automation in some situations that involve enrichment and data collection that do not pose a threat to the integrity of the system, while in use cases where containment actions are required, analysts are given the choice to make a decision on the course of action they want to implement.

Can SOAR be used simultaneously with other cybersecurity technologies?

Without other cybersecurity technologies implemented in the system, SOAR is merely an advanced ticketing system for incident tracking. SOAR, at its core, is an orchestrator. The technology is best used when combined with other cybersecurity tools, as it complements and builds upon their capabilities rather than contradicting them. This means that SOAR can work with other solutions like SIEM without disrupting the workflow of the organization. And, combining the machine-learning traits of SOAR with the precise and thorough threat-tracking of SIEM is a winning combination.

In order to be able to seamlessly interact with other security tools, SOAR must integrate easily with third-party security tools. Note that not every SOAR vendor can provide similar levels of integration. In fact, Cloud SOAR is one of the rare SOAR solutions that characterize by an advanced open integration framework:

  • With Cloud SOAR, a new integration can be built very quickly, in the scope of a few hours

  • Customers can easily integrate tools with little coding experience required

  • Seamless integration with over 200 security tools

Sumo Logic’s Cloud SOAR is particularly focused on providing and enhancing its open integration framework so that clients can easily align SOAR with their security operations without disrupting the flow of their regular workflow processes.

Can SOAR be used for non-cybersecurity incidents?

SOAR is built with the goal of improving the functionality of SOCs and SecOps, but that doesn’t mean that SOAR is not a suitable solution for non-security tasks. On the contrary, SOAR’s unique automation comes in handy in cases not related to cybersecurity. For instance, Cloud SOAR is used by banks with the goal of better monitoring bank transactions, gaining more information regarding those bank transactions, and efficiently detecting false positives.

Such major infrastructures can leverage automation and orchestration to improve the functionality of their operations that are considered outside the scope of cybersecurity incidents. Given that Cloud SOAR is highly customizable, the possibilities of using automation are very broad. Automation can be used in physical security, network security, IT procedures, etc.

Organizations can use the alerts generated by the triage process without the need to open a security incident, such as detailed reporting of a certain issue, following the functionality of a system, reporting different IT problems, etc. Basically, the automation engine is able to automate different types of tasks that are not directly related to cybersecurity incidents, depending on the integrations installed in the particular system.

What is the future of SOAR?

In the near future, SOAR is expected to make an even more dramatic impact. In fact, Gartner predicts that by 2021 70% of all organizations will integrate automation to help employees with routine tasks.

Furthermore, SOAR is expected to be more adapted to MSSPs (Managed Security Service Providers), which are companies that provide SOC services combined with specific technologies, like SOAR. With MSSPs, clients can choose to allow the provider to have full or partial control over their security architecture with a specific tool, like Cloud SOAR. And in these cases, the clients completely rely on MSSPs to protect their organization, and they only want to be able to see how the provider is securing their system while the MSSP does the job for them.

So, in short, MSSPs provide cybersecurity services for clients that choose to have security operations taken care of them, and not only do the MSSPs offer products and technologies, but they also provide SOC services enhanced with cybersecurity solutions, like SOAR. That is why, in the future, SOAR is considered to be more compatible with MSSPs.

What is next for Cloud SOAR?

When it comes to Cloud SOAR, our solution is always under construction. We at Sumo Logic continuously strive to improve our SOAR solution and take perfection. While we don’t know what the long-term future holds, we’re certain of what our goals are for the foreseeable future, which includes:

  • Enhance the already extremely friendly user interface

  • Build upon the existing core pillars that include automation and orchestration

  • Adapting the solution to be more suitable for MSSPs

  • Introduce more advanced features that take automation to a new level

  • Refine threat-hunting and false-positive recognition features

Automation is the future, and we at Sumo Logic are dedicated to taking our Cloud SOAR solution to the next level in order to help our customers optimize their security operations. We are eager to see what the future holds for this very exciting new chapter for SOAR, and we have no doubts that more and more organizations will realize the true potential that lies in this marvelous piece of technology, and that, in fact, SOAR will be the future of cybersecurity.

Complete visibility for DevSecOps

Reduce downtime and move from reactive to proactive monitoring.

Sumo Logic cloud-native SaaS analytics

Build, run, and secure modern applications and cloud infrastructures.

Start free trial
Dario Forte

Dario Forte

VP & GM, Orchestration & Automation

Dario Forte started his career in IR as a member of the Italian police, and in that role he worked in the US with well-known government agencies such as NASA. He is one of the co-editors of the most relevant ISO Standard (SC 27) . Dario Holds 5 patents, he has an MBA from the University of Liverpool, plus executive education at Harvard Business School.

More posts by Dario Forte.

これを読んだ人も楽しんでいます