Back to blog results

7월 24, 2020 By Dario Forte

3 core pillars of a SOAR Solution

In our first blog in this series, we looked at some of the key drivers for Security Orchestration, Automation and Response (SOAR) adoption and what problems SOAR technology can help solve. Now, let’s look at the 3 core pillars which define what a SOAR solution is: Orchestration, Automation and Measurement.

The Core Pillars of a SOAR Solution: Orchestration, Automation, and Measurement

  • Security orchestration

The number of technologies involved in today’s advanced security and incident response programs is exponentially more than it was even five years ago. While this has become necessary to effectively detect and respond to the current range and complexity of today’s threats, it has created its own problem; coordinating these into one seamless process. Switching between these multiple technologies, what Gartner refers to as “context switching”, can create enormous inefficiencies in an organization’s security program.

Technology integrations are the most common method used to support technology orchestration. There are numerous methods which can be used to integrate technologies through a SOAR solution, including common communication mechanisms such as syslog and email, as well as more complex, bidirectional integration methods such as API calls. Although technology is typically the primary focus of orchestration, it is equally important to consider the orchestration of people and processes in a holistic security program. Technology should be supported by effective processes, which should enable people to respond appropriately to security events. A strictly technology-centric security program is no longer adequate; people and processes must also be orchestrated properly to ensure that a security program is operating at its maximum efficiency.

  • Security automation

Although the concepts of orchestration and automation are closely related, the goals they seek to achieve are fundamentally different. While orchestration is intended to increase efficiency through increased coordination and decreased context switching to support faster, more informed decision making, automation is intended to reduce the time these processes take by automating repeatable processes and applying machine learning to appropriate tasks.

The key to successful automation is the identification of predictable, repeatable processes which require minimal human intervention to perform. Automation should act as a force multiplier for security teams, reducing the mundane actions that must be manually performed and allowing analysts to focus on those actions which require human intervention. Although some processes may be fully automated, a SOAR solution must also support automation which allows for human intervention at critical decision points.

  • Measurement

Because a SOAR solution sits at the crossroads of the incident response process, it is in an ideal location to collect a trove of information. Measurement of security information is key for making informed tactical and strategic security decisions. Proper measurement is what turns raw incident information in to critical intelligence. Measurement of both tactical and strategic information is useless without proper display and visualization. A SOAR solution must support multiple methods for displaying and visualizing all information in an effective and easy to digest manner. Stay tuned for our final blog in this series, where we will discuss the some of the critical components and functionality that a SOAR solution should contain.

Complete visibility for DevSecOps

Reduce downtime and move from reactive to proactive monitoring.

Sumo Logic cloud-native SaaS analytics

Build, run, and secure modern applications and cloud infrastructures.

Start free trial
Dario Forte

Dario Forte

VP & GM, Orchestration & Automation

Dario Forte started his career in IR as a member of the Italian police, and in that role he worked in the US with well-known government agencies such as NASA. He is one of the co-editors of the most relevant ISO Standard (SC 27) . Dario Holds 5 patents, he has an MBA from the University of Liverpool, plus executive education at Harvard Business School.

More posts by Dario Forte.

People who read this also enjoyed