What is SOAR

SOAR stands for Security Orchestration, Automation, and Response.

SOAR Defined

SOAR is a class of security platform, delivered on premises or as a cloud service, that automates manual security-operations work such as alert monitoring, triage, investigation, remediation, reporting, and compliance evidence gathering. It does not see the network on its own: it integrates with the tools that already do (SIEM, endpoint detection, network sensors, ticketing) and drives them from a single workflow.

A SOAR platform is a bundle of capabilities rather than a single tool: connectors that pull data from and push actions to many sources, a case-management layer for tracking incidents, and a workflow engine that runs playbooks.

The term was coined by Gartner, which defined three capabilities of a SOAR platform: threat and vulnerability management, security incident response, and security operations automation. A SOAR platform lets a company collect threat-related data from a range of sources and automate its responses to that threat.

The three letters map to these capabilities roughly as follows. Orchestration means connecting the security tools so they can be driven together from one place. Automation means executing routine tasks by machine instead of by hand. Response means managing the incident itself: case management, standardized response actions, and remediation of the threat. Alert data is analyzed by a combination of human analysts and machine-driven logic (rules, scoring, and in some products machine learning) to understand each incident and prioritize the response actions.

“SOAR refers to technologies that enable organizations to collect inputs monitored by the security operations team. For example, alerts from the SIEM system and other security technologies, where incident analysis and triage can be performed by leveraging a combination of human and machine power, help define, prioritize and drive standardized incident response activities. SOAR tools allow an organization to define incident analysis and response procedures in a digital workflow format.”
Gartner definition of SOAR
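To make the definition concrete, here is an added example of the "digital workflow" idea, written for this page rather than taken from Gartner or from any SOAR product. It is a small Python playbook runner that takes constructed SIEM-style alerts (the field names, the internal address ranges, and the threat-intelligence list are all assumptions), orchestrates an enrichment lookup, deduplicates and scores the alerts with a fixed triage rule, and records standardized response actions in a case, executing the easily reversible ones automatically and holding the disruptive ones for human approval.

```python
"""Minimal SOAR-style playbook runner (illustrative example, not any vendor's code)."""
from dataclasses import dataclass, field
import ipaddress

# Constructed sample alerts in the shape a SIEM might forward. Field names are assumptions.
SAMPLE_ALERTS = [
    {"id": "a-1", "rule": "brute_force_ssh", "src_ip": "203.0.113.7", "user": "deploy", "count": 150},
    {"id": "a-2", "rule": "brute_force_ssh", "src_ip": "203.0.113.7", "user": "deploy", "count": 160},
    {"id": "a-3", "rule": "malware_beacon", "src_ip": "10.0.5.12", "dst_ip": "198.51.100.9", "host": "ws-042"},
    {"id": "a-4", "rule": "brute_force_ssh", "src_ip": "10.0.0.4", "user": "svc-backup", "count": 12},
]

# Constructed stand-ins for two enrichment sources: the organisation's own address
# ranges and a threat-intelligence list. A real playbook would query connectors.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_BAD_IPS = {"198.51.100.9": "c2-server"}

# Actions allowed to run with no analyst in the loop. Blocking one external IP is
# cheap to reverse; isolating a host is not, so it stays behind an approval gate.
AUTO_APPROVED = {"block_ip", "notify_analyst"}


@dataclass
class Case:
    key: tuple
    severity: str
    facts: dict
    alert_ids: list = field(default_factory=list)
    actions: list = field(default_factory=list)   # (action, target, status)


def dedup_key(alert):
    """Alerts about the same rule, source and principal collapse into one case."""
    return (alert["rule"], alert["src_ip"], alert.get("user") or alert.get("host"))


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def enrich(alert):
    """Orchestration: gather context from other sources before anyone looks at the alert."""
    facts = {"src_internal": is_internal(alert["src_ip"])}
    dst = alert.get("dst_ip")
    if dst in KNOWN_BAD_IPS:
        facts["dst_intel"] = KNOWN_BAD_IPS[dst]
    return facts


def prioritize(alert, facts):
    """Machine triage: a fixed, reviewable scoring rule rather than a black box."""
    score = 0
    if alert["rule"] == "malware_beacon":
        score += 2
    if facts.get("dst_intel"):
        score += 2
    if alert["rule"] == "brute_force_ssh":
        if alert["count"] >= 100:
            score += 1
        if not facts["src_internal"]:
            score += 1
    return "high" if score >= 3 else "medium" if score == 2 else "low"


def decide_actions(alert, facts, severity):
    """Standardized response: the same alert type always gets the same action list."""
    actions = []
    if alert["rule"] == "brute_force_ssh" and not facts["src_internal"] and severity != "low":
        actions.append(("block_ip", alert["src_ip"]))
    if alert["rule"] == "malware_beacon" and severity == "high":
        actions.append(("isolate_host", alert["host"]))
    if not actions:
        actions.append(("notify_analyst", alert["id"]))
    return actions


def run_playbook(alerts):
    """Run the workflow over a batch of alerts and return the resulting cases."""
    cases = {}
    for alert in alerts:
        key = dedup_key(alert)
        case = cases.get(key)
        if case is None:
            facts = enrich(alert)
            severity = prioritize(alert, facts)
            case = cases[key] = Case(key=key, severity=severity, facts=facts)
            for action, target in decide_actions(alert, facts, severity):
                status = "executed" if action in AUTO_APPROVED else "pending_approval"
                case.actions.append((action, target, status))
        case.alert_ids.append(alert["id"])
    return list(cases.values())


if __name__ == "__main__":
    for case in run_playbook(SAMPLE_ALERTS):
        print(case.severity, case.key, case.alert_ids, case.actions)
```

A real platform replaces the local lookups and the hard-coded action list with connectors to a SIEM, a threat-intelligence feed, an EDR, and a firewall, but the shape is the same: enrich, prioritize, decide, and keep an auditable case record. The approval gate on `isolate_host` is the "human and machine power" part of the definition: a playbook that can take an endpoint offline with no analyst in the loop is one that anybody able to trigger the alert can turn into a denial of service.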


SOAR vs. SIEM vs. XDR: what's the difference?

Gartner defines the security information and event management (SIEM) market by the customer's need to analyze event data in real time for early detection of targeted attacks and data breaches, and to collect, store, investigate, and report on log data for incident response, forensics, and regulatory compliance.

SIEM products first emerged in 2005, initially driven by compliance reporting and aggregating log data generated by applications, endpoints, and network devices.

A SIEM combines security information management (SIM: log collection, storage, and search) with security event management (SEM: real-time correlation and alerting), but most offer only limited incident response and visualization capabilities. A SIEM analyzes event data from the controls already in place, such as anti-virus software, intrusion detection systems, and firewalls, so an attack whose evidence is spread across sources the SIEM is not correlating is easy to miss. Threat analysis was also slow and labor-intensive, driven by manual processes and analyst time.

Next-generation SIEMs added big-data analytics and real-time event detection, along with machine learning and behavioral-analysis modules that baseline normal user and device behavior and flag deviations from it. This made security issues easier to spot sooner and shortened the window in which an organization stays exposed to an attack.

Despite these advances, the sheer volume of alerts a SIEM produces still overloads security teams today, and many teams adopt additional tooling, SOAR among it, to suppress false positives and automate responses.
