Security Orchestration, Automation, and Response (SOAR) is a key set of tools in any enterprise security infrastructure. SOAR takes the logs and alerts aggregated by an organization’s data aggregation infrastructure and puts them to tactical use to reduce organizational overhead and improve responsiveness. 

Ultimately, the selection of SOAR tools depends on your organization’s specific needs. There is no single correct choice for everyone, but understanding SOAR concepts will help you make the right decision.  

In this article, we’ll outline what SOAR is, why it matters to your organization, and provide the information you need to make an informed choice about SOAR tools. We’ll also highlight some of the major commercially available SOAR options today and their benefits.

Summary of key SOAR tools concepts

The table below summarizes the key SOAR tools  concepts we will review in this article. 

Concept	Description
Incident Response	SOAR tools must address the ability to respond to security incidents.
Orchestration and Automation	Aggregating data and automating responses to events or alerts generated from that data is a key element of SOAR functionality.
Threat Intelligence Platform Management	Identification, collation, and integration of threat intelligence should be integrated directly into the SOAR platform.
Threat Detection	The volume of information collected by a SOAR solution should facilitate the detection of atypical security and operational events.
Threat Hunting	In addition to detecting threats, the platform should also help analysts find the scope and impact of those threats.
Integrations	A SOAR solution should broadly integrate with your organization’s technology infrastructure.
Playbooks and Repeatability	Automation should be actionable and repeatable based on developing detailed playbooks.
Collaboration and Empowerment	The sum of SOAR functionality should drive team collaboration and empower the individuals who need to take action when they do.

What is SOAR?

Gartner coined the term “SOAR” in 2015 to describe Security Operations, Analytics, and Reporting. A few years later, Gartner updated the term to identify tools that combine:

1. Incident Response,
2. Orchestration and Automation, and
3. Threat Intelligence Platform Management.

While SOAR focuses on those core functions, its use and impact are much broader. Let’s dive into the Gartner definition and expand on it to highlight the criticality of SOAR to an organization.

A Venn diagram of SOAR contributing concepts.

Incident response

Incident response is an organization’s ability to identify and respond to potential or actual service disruptions. This definition is purposefully broader than information security incidents and threats. While a SOAR solution’s primary focus is on security incidents, the expanded nature of SOAR today allows for identifying and triaging network and endpoint infrastructure issues that an organization may face. 

Orchestration and automation

Orchestration and automation are two sides of the same coin. They build on incident response data to enable data integration and process automation. 

The orchestration component of a SOAR solution ingests information from disparate and potentially isolated sources within an organization. Those data sources include:

• Firewalls
• Routers and other networking equipment
• Endpoint detection and response (EDR) tools
• Vulnerability and asset data
• Threat intelligence feeds

Orchestration organizes these data sources to enable actionable and identifiable event alerting. 

This might sound like  traditional security event and information management (SIEM). Many SIEM providers layer in-house SOAR capabilities on top of the SIEM or allow customers to provide their own SOAR integrations. In this way, the SIEM also becomes a precorrelation engine and feeder for a SOAR solution. 

What a SOAR solution brings to the table that a traditional SIEM platform cannot is automation. Security automation takes the actionable and identifiable event alerting generated by the SOAR and acts upon it. Those actions can be the implementation of specific rules or the escalation of events for further review. Many of the solutions listed here offer great flexibility in what automation looks like and how to achieve it. 

Threat intelligence platform management

Gartner defines threat intelligence as “evidence-based knowledge…about existing or emerging menaces or hazards to assets.” The platform for the management of that, then, would include the identification of threat intelligence sources and how they’re integrated into orchestration and automation. 

Threat detection

The flip side and precursor to Incident Response–and the product of some of the alerts arising from threat intelligence–is threat detection. Threat detection is the ability to identify and triage threats to an organization. 

In the information security space, this is largely concerned with identifying indicators of compromise (IoCs), signature-based detection, behavioral analytics, and other threat identification metrics. In the IT operational space, this is focused mainly on identifying application and infrastructure issues that may lead to unexpected downtime. 

Threat hunting

Threat hunting bridges the gap between threat detection and incident response and largely leverages orchestration. Threat hunting is the capacity for a system or analysts to use alerts generated from threat detection to identify an active threat in an environment, where it originated, and what it might impact. 

This largely forensic analysis is ideally conducted ahead of an active incident but might occur during or afterward. This threat-hunting function works hand in hand with the technology and operational response to thwart an attack. It may look similar to incident response during or after an attack. 

Integrations

One of the major considerations to bridging threat detection, threat hunting, and orchestration is the integrations available to and facilitated by the SOAR platform. Being able to ingest source data for correlation is critical. 

Taking that a step further and actioning change in a system to halt an incident should be supported. The number of both inbound and outbound integrations should be considered, as should integrations with applications used by the organization implementing a SOAR solution. 

Playbooks and repeatability

Automation relies on the capacity to develop repeatable and actionable processes for the SOAR platform to implement. 

Typically, this is done by developing SOAR playbooks. SOAR playbooks are the steps the SOAR platform takes to act on events and alerts. They can also integrate elements of other security office and IT operational playbooks and, in turn, provide feedback for those broader processes. 

Collaboration and empowerment

A tangential benefit of implementing SOAR is that SOAR implementation requires a great deal of collaboration between information security, IT operations, development staff, and other applications management teams. All those teams need to contribute to assist with identifying material events and automating the response to those events. 

A benefit of that collaboration and involvement is the empowerment of staff to identify threats and act on those threats. SOAR implementation, management, and actionability require identifying individuals required to address and respond to threats–especially those deemed too significant for an automated response. 

How to select SOAR tools

Security engineers and managers make the hard choice of selecting specific SOAR tools to defend their organization. Let’s review the most important factors when selecting SOAR tools.

Find the right integrations

Ideally, you want a SOAR solution that seamlessly integrates with as many other services as possible. In practice, however, choosing  SOAR platform with the right integrations is more complicated than selecting whichever tool boasts the greatest number of integrations.

When it comes to shopping for a tool based on integrations, you want to ask yourself the following questions:

1. Does the tool integrate with the specific services in your company’s tech stack?
2. Are the integrations well-tested and mature?
3. How easy and seamless are the integrations to set up and deploy?

Most SOAR tools will offer a free trial you can set up to make sure the integrations work as advertised. If there is no free trial mentioned on the provider’s site, contact their sales team to see if you can try a hands-on demo before committing to purchasing anything.

Use intelligence and innovation to your advantage

Large organizations face a constant barrage of attempted breaches every day. To defend against this onslaught, you should select SOAR tools that use cutting-edge features. For example, sophisticated cloud security automation means that your cloud deployments can be protected against emerging threats.

Similarly, machine learning is becoming increasingly essential for successful SOAR adoption. For example, Devo’s Cloud SIEM offers advanced machine learning functionality to power next-generation automated threat detection.

Conclusion

There are numerous options for SOAR solutions, and the market is only growing. The definition of the concept continues to evolve, as evidenced by Gartner’s shifting measure of what constitutes a SOAR solution. As we’ve shown, a SOAR solution integrates with other elements of your tech stack to give you early detection and response to sophisticated threats.

Not all SOAR tools are created equal, and depending on the needs of your business, some solutions are preferable to others. Specifically, you want to consider integrations and innovation carefully. A good SOAR tool will integrate with a variety of other services. 

More crucially, it will integrate with the specific tech stack that powers your organization. Finally, you want to pick a solution that employs state-of-the-art, innovative techniques for rooting out threats. This should include playbooks for automating cloud security and modern statistical and machine-learning approaches.