Putting the Automation into SOAR

Mike Reynolds
category SOAR
tags security orchestration and automation response, SOAR

According to a recent survey, “more than 62% of respondents agree with the fact that threat-hunting was an exceptional benefit of the SOAR.” [1]

If those numbers are true, it seems a no-brainer that many organizations have deployed or are thinking about deploying a SOAR software solution in the near future. However, in working with our security analysis software customers, we are finding that the typical use case for SOAR is much different from what it was meant to be.

If you are using, are in the process of rolling out, or are just thinking about it, read further to find out how Respond Software helps you put automation into your SOAR.

The Promise of SOAR

SOAR is derived from various technologies that enable the aggregation of security alerts from multiple sources addressing specific problems in the cybersecurity realm. These problems include the growing number and sophistication of security threats, the shortage of experts to manage them, and the lack of automation needed to remedy them in a reasonable period of time.

The promise of SOAR is to use these security alerts to automate the execution of threat analysis and incident remediation, while providing capabilities for security orchestration, incident management, collaboration, dashboards and reporting.  However, when a security issue arises, analysts will need to interface with multiple consoles to investigate and eventually remediate a single security issue, requiring a substantial amount of time and effort. This limits the effectiveness of the automation and orchestration for remediation that SOAR is meant to provide.

The Reality of SOAR

The adoption of SOAR is still in the relatively early stages, and many organizations that have deployed it are not reaping the full automation, orchestration and incident remediation benefits of the promise. This is partly because SOARs are being used for the heavy lifting around investigation of events, an activity that they were not designed to do.

Based on experience with our RDA software customers, 80% of SOAR use cases consist of upstream gathering of additional information, alert investigation, context gathering, interpretation and triage, instead of orchestration, automation and remediation of incidents.

Automating SOAR with the Respond Analyst

While SOAR has not reached its full potential, there is good news.  Respond Software has announced the integration of the Respond Analyst with the leading SOAR vendors including Palo Alto Networks, Demisto, Splunk, Phantom, and ServiceNow Security Operations.

The Respond Analyst from Respond Software enables organizations to unlock the true automation capabilities of their SOAR deployments by managing the up-front analysis of events before they are passed to the SOAR system. The Respond Analyst is scalable to handle millions of events, only escalating real incidents into SOAR for remediation. However, unlike SOAR, the Respond Analyst does not require coding, customization or maintenance over time; the rollout of the RDA software is therefore fast, and time to value can be recognized in hours. Leveraging the Respond Analyst with SOAR reduces attack dwell time, remediates security issues faster through additional automation and elevates analyst collaboration.

Without security analysis software like the Respond Analyst in the security stack, the SOAR will become flooded or even choked with event data that it will never be able to process or remediate, thereby reducing or negating its automation capabilities completely. Conversely, the combination of the Respond Analyst with SOAR enables a streamlined process for detection, automation and fast remediation of all security-related issues, helping organizations to realize the promise of SOAR.

Let the Respond Analyst do the investigation, scoping, triage and correlation of events, removing this burden from SOAR, so it can be re-focused on the job it was designed to do in the first place – automated remediation of security incidents. The Respond Analyst enables security analysts to stop looking at consoles all day and start investigating incidents that truly require a human being.

If you are interested in adding more automation into your SOAR, read more about how the Respond Analyst integrates with the leading SOAR vendors.

Learn More:

Press Release: Respond Software’s Integrations with Major SOAR Vendors Help Companies Achieve Additional Automation in Security Operations

Webinar: Taking the Soreness out of SOAR

[1] InfoSec, Introduction: What is SOAR?, March 12, 2019