
What is SOAR? Definition and Benefits

SOAR Defined

SOAR stands for Security Orchestration, Automation, and Response. SOAR platforms are a collection of security software solutions and tools for browsing and collecting data from a variety of sources. SOAR solutions then use a combination of human analysis and machine learning to analyze this diverse data in order to understand and prioritize incident response actions.

The term describes three software capabilities: threat and vulnerability management, security incident response, and security operations automation. SOAR allows companies to collect threat-related data from a range of sources and automate the responses to the threat. The term was originally coined by Gartner, which also defined the three capabilities. Threat and vulnerability management (Orchestration) covers technologies that help remediate cyber threats, while security operations automation (Automation) relates to the technologies that enable automation and orchestration within operations.

What security operations teams are looking for: 

  • Automate repeated response workflows
  • Save time for higher-priority triage tasks
  • Easy, standardized response to follow

The benefits of SOAR

Many security operations teams struggle to connect the noise from disparate systems, which leads to too many error-prone manual processes, and they lack the highly skilled talent to solve all of this. The result of this way of working is an increased probability of missing an alert that matters, time and resources wasted on manual processes, and slow response times due to a lack of standardized response capabilities. SOAR addresses these problems, minimizing the impact of security incidents of all types, maximizing the value of existing security investments, and reducing the risk of legal liability and business downtime. To achieve this, SOAR platforms:

  • Consolidate process management, technology and expertise
  • Centralize asset monitoring
  • Enrich alerts with contextual intelligence
  • Automate response and perform inline blocking
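A minimal playbook that walks through those steps in code: normalize alerts from two disparate sources, enrich them with contextual intelligence, rank them so the alert that matters is triaged first, and choose a standardized response, automating the inline block only when the intelligence is high-confidence and otherwise routing to an analyst. This is an added illustration, not FireEye or Helix code; the alert formats, threat-intel entries, scoring and action names are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed threat-intel feed standing in for a SOAR enrichment source (hypothetical values).
THREAT_INTEL = {"198.51.100.23": {"tag": "c2", "confidence": 95},
                "203.0.113.7": {"tag": "scanner", "confidence": 60}}

@dataclass
class Alert:
    source: str
    indicator: str
    severity: int              # 1 (low) .. 5 (critical) as reported by the source tool
    intel: dict = field(default_factory=dict)
    priority: int = 0
    actions: list = field(default_factory=list)

def normalize(raw):
    """Orchestration step: map heterogeneous tool output onto one alert schema."""
    if isinstance(raw, dict):                                  # EDR-style JSON event
        return Alert(raw["tool"], raw["remote_ip"], raw["severity"])
    m = re.search(r"src=(\S+) .*sev=(\d)", raw)                # firewall syslog-style line
    return Alert("firewall", m.group(1), int(m.group(2)))

def enrich(alert):
    """Attach contextual intelligence and derive a priority from severity and intel confidence."""
    alert.intel = THREAT_INTEL.get(alert.indicator, {})
    alert.priority = alert.severity * 10 + alert.intel.get("confidence", 0)
    return alert

def respond(alert):
    """Automation step: pick a standardized response; inline block only on high-confidence intel."""
    if alert.intel.get("confidence", 0) >= 90:
        alert.actions = ["block_indicator", "open_case"]
    elif alert.priority >= 60:
        alert.actions = ["open_case", "request_analyst_approval"]
    else:
        alert.actions = ["log_only"]
    return alert

def run_playbook(raw_alerts):
    """Full pipeline, returning alerts ordered by priority so analysts see the ones that matter first."""
    processed = [respond(enrich(normalize(r))) for r in raw_alerts]
    return sorted(processed, key=lambda a: a.priority, reverse=True)

# Constructed sample alerts from two disparate sources (documentation IP ranges).
SAMPLE = [{"tool": "edr", "remote_ip": "203.0.113.7", "severity": 3},
          "2024-01-01T00:00:00Z fw01 action=allow src=198.51.100.23 dst=10.0.0.5 sev=4",
          "2024-01-01T00:00:01Z fw01 action=allow src=192.0.2.1 dst=10.0.0.5 sev=1"]

if __name__ == "__main__":
    for a in run_playbook(SAMPLE):
        print(a.source, a.indicator, a.priority, a.actions)
```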

FireEye approach with SOAR

FireEye Helix is a security operations platform that allows organizations to take control of any incident from detection to response. FireEye Helix integrates disparate security tools and augments them with advanced SIEM, Orchestration, and threat intelligence capabilities to capture the untapped potential of security investments.

FireEye Security Orchestrator accelerates and simplifies the threat detection and response process, delivering real-time guided responses to improve response times, reduce risk exposure, and maintain process consistency across security operations. Security orchestration is offered with the purchase of the FireEye Helix platform.

Security Orchestrator features:

  • Process automation
    Implement custom incident response workflow automation between your security appliances

  • Incident response playbooks
    Upskill your analysts and accelerate investigations with pre-built courses of action developed by our Mandiant incident responders

  • Open plugin framework
    Integrate more than 150 third-party tools and data sources for seamless, single-pane management of your security stack

  • Case management
    Enable collaboration between analyst and incident response teams by storing correlated alerts and artifacts in an intuitive case management system. Create role-based groups and assign granular permissions for enhanced workflow management

  • Intuitive user interface
    Enable security teams to easily connect to security tools with a simplified abstraction layer to retrieve and push information. Effect changes at the network, host and application levels, and even in physical access control systems, with the click of a button

Read more about Helix and its capabilities.