
Top 6 SOAR use cases to implement in enterprise SOCs

Automating basic SOC workflows with SOAR can improve an organization's security posture. Explore six SOAR use cases to streamline SOC processes and augment human analysts.

Given the value of digitized business assets and the widening topology of IT infrastructure and big data, organizations face a pressing question: How should they respond to the increasing volume and variety of threats?

Many companies are starting to automate foundational security operations center (SOC) tasks. Automation helps increase the speed and agility of identifying and remediating threats, while simultaneously reducing the amount of human time and effort required to accomplish these tasks. Security orchestration, automation and response (SOAR) is a class of technologies designed to automate these types of security workflows.

SOAR encompasses the following functions in a SOC context:

  • Security orchestration connects and coordinates with multiple heterogeneous tool sets -- both internal and external to the organization -- in the SOC for more efficient threat ingestion, enrichment, monitoring and incident identification.
  • Automation helps SOCs take a more proactive security stance by automatically triggering workflows, tasks and alert triages based on predefined parameters.
  • Response accelerates general and targeted SOC reactions to lower-risk incidents and supports analyst response by providing a single view from which to access, query and share threat intelligence.

Within these three categories are scores of ways automation accelerates tasks that were once manual. The primary value of SOAR tools lies in helping human analysts scale by automating repetitive and tedious tasks, so SOC staff can focus on higher-level and more complex threats.

Below, examine six SOAR use cases that augment security analysts in enterprise SOCs.

1. Threat intelligence coordination

Each day, SOAR platforms ingest hundreds of thousands of indicators of compromise (IOCs). IOCs are collected from internal and external threat intelligence feeds, malware analysis tools, endpoint detection and response platforms, SIEM systems, network detection and response tools, email inboxes, RSS feeds, regulatory bodies and other databases. SOAR platforms can coordinate, aggregate and surface alerts from those tools, as well as detect suspicious IOCs that emerge across them.

2. Case management

Potential security threats can be detected by multiple tools, so analysts can spend precious time parsing disparate data associated with the same threat. SOAR in the SOC collates all of that data into a single story made up of multiple correlated events. This lets case managers identify the most important threats so they can be handled rapidly, which reduces overall mean time to detect and mean time to respond, whether through automation or through human intervention and analysis.

3. Vulnerability management

In the past, SOC analysts relied on manual management and inventory of security vulnerabilities. With SOAR in place, several of these SOC tasks can be automated to handle volume, monitoring and simple responses. Specifically, SOAR correlates threat data across multiple security tools to calculate risk and prioritize each threat accordingly.

4. Automated enrichment for remediation

SOAR platforms accelerate the IOC enrichment process by tapping multiple enrichment databases or querying different threat intelligence tools for context. This enables SOC analysts to parse, verify, triage and respond more accurately and efficiently. This SOAR use case saves analysts significant time by more rapidly enriching huge volumes of IPs, URLs and hashes to determine whether they are malicious -- without compromising on the depth of inquiry needed.

5. Threat hunting

Beyond ingestion and enrichment, SOAR platforms' detection of IOCs effectively serves as a form of proactive threat hunting. Threat hunting is a crucial task for human analysts -- but a time-consuming one, given the widening scope of threats. SOAR helps with tedium and scale by adding data sets for continual analysis. Additionally, SOAR assists with the threat hunting scope by probing for malware or suspicious domains and incorporating human-in-the-loop decisioning at strategic points.

6. Incident response

Automating incident remediation and response processes is intended to target threats upstream to prevent downstream costs. SOAR in the SOC handles remediation and response for several common security threats, such as phishing, malware, DoS, web defacement and ransomware.

Automated responses take myriad forms depending on the nature of the threat, including the following:

  • Auto-adding indicators to watchlists.
  • Auto-blocking malicious indicators.
  • Auto-quarantining indicators or compromised endpoints.
  • Auto-patching of infrastructure hardware/software.
  • Auto-generating tickets.
  • Auto-blocking a suspicious email or IP address.
  • Auto-deleting suspicious emails from other mailboxes.
  • Auto-terminating user accounts.
  • Auto-triggering an antivirus scan or security compliance check.
  • Auto-alerting specific analysts, employees, vendors, partners or customers.
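A compact illustration of use cases 2, 4 and 6 above, written for this article as an added example and not taken from any SOAR product: it collates alerts that share an indicator into one case, enriches the indicator against constructed intelligence sources, and maps the resulting risk to the response actions listed, with a human-approval gate before endpoint quarantine. All tool names, hosts, scores and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample alerts: two tools saw the same IP on one host, a third saw a URL.
ALERTS = [
    {"tool": "edr", "host": "wks-17", "indicator": "203.0.113.9", "type": "ip"},
    {"tool": "siem", "host": "wks-17", "indicator": "203.0.113.9", "type": "ip"},
    {"tool": "email", "host": "mail-gw", "indicator": "http://example.invalid/inv.pdf", "type": "url"},
]

# Constructed enrichment sources (score 0-100, higher = more malicious).
# A real playbook would query threat intel feeds and sandboxes here.
INTEL_FEED = {"203.0.113.9": 85}
SANDBOX = {"http://example.invalid/inv.pdf": 40}


def build_cases(alerts):
    """Case management: collate alerts sharing an indicator into one correlated case."""
    cases = defaultdict(lambda: {"tools": set(), "hosts": set(), "type": None})
    for a in alerts:
        case = cases[a["indicator"]]
        case["tools"].add(a["tool"])
        case["hosts"].add(a["host"])
        case["type"] = a["type"]
    return dict(cases)


def enrich(indicator):
    """Automated enrichment: take the worst verdict from every source that knows the IOC."""
    scores = [src[indicator] for src in (INTEL_FEED, SANDBOX) if indicator in src]
    return max(scores) if scores else 0


def decide_response(case, score):
    """Map risk to response actions; high-impact actions stay human-approved."""
    actions = ["add_to_watchlist", "create_ticket"]          # always safe to do
    # Corroboration by a second tool or a high score justifies blocking the IOC.
    if score >= 80 or len(case["tools"]) >= 2:
        actions.append("block_indicator")
    # Quarantining endpoints is disruptive, so it is proposed but gated on an analyst.
    if case["type"] == "ip" and score >= 80:
        actions += [f"quarantine:{h}" for h in sorted(case["hosts"])]
        actions.append("require_analyst_approval")
    return actions


def run_playbook(alerts=ALERTS):
    """Return the planned actions per indicator: cases -> enrichment -> response."""
    return {ioc: decide_response(case, enrich(ioc)) for ioc, case in build_cases(alerts).items()}
```

Running `run_playbook()` yields blocking plus a gated quarantine for the corroborated high-score IP, and only watchlist and ticket actions for the low-score URL.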

Among the benefits of SOAR is the coordination of threat information across vast security topologies, which frees human analysts to focus on more complicated threats and supports the entire threat intelligence lifecycle. From ingestion and enrichment to detection, triage, response and containment, SOAR in the SOC is instrumental in gaining greater oversight and context.

Expect SOAR to expand soon to reduce the need for machine-to-human orchestration even further. As it stands today, SOAR systems still require input from SecOps teams to help make complex decisions and to kick off automated tasks. As AI within SOAR systems gets stronger, and as SecOps teams grow comfortable with allowing AI and automation to take on more complex decision-making tasks, SOAR platforms will continue to move toward an autonomous state.

It's worth noting that SOAR is useful not only for automating security playbooks but also for optimizing them. Not only can SOAR improve an analyst's individual experience, but it can also improve the SOC team's ability to communicate across the organization by way of a centralized, highly shareable platform. With proper implementation, and with cultural and industry considerations taken into account, these SOAR use cases can strengthen the foundation of an enterprise's security posture.
