Security Operations Centers (SOCs) are putting SOAR tools to work in a rich variety of use cases. By automating security incident response workflows, Security Orchestration Automation and Response (SOAR) solutions enable SOC teams to work faster, and, in most cases, more effectively. SOAR machine learning is often part of the story, with algorithms helping SOAR solutions improve response processes over time. SOAR use cases for cybersecurity depend on many organization factors, but some of the most common applications of SOAR include vulnerability management, phishing and malware mitigation and responding to malicious network traffic—among many others.
There have been inquiries about the difference between SOAR and SIEM, but you'll see below that SOAR and SIEM have a unique relationship and can create a great synergy.
Here are the common use cases of SOAR:
-
Handling Alerts Related to Malicious Network Traffic. SOCs get inundated with alerts related to suspicious network traffic. Frequently, the SOAR solutions get their alerts forwarded to them by a SIEM tools. The SOAR solution then typically enriches the alert data by automatically researching the suspected threat through using a threat intelligence source. The analyst reviewing the alert will then have more information to work with as he or she determines if the alert is worthy of further response. In that case, the SOAR solution can orchestrate the process of detecting similar occurrences in the network, which may have been missed, and blocking IP addresses to prevent the threat from doing further damage.
- Protecting Endpoints. Able to ingest high-volume threat feeds from EDR solutions, it may then compare the feeds with SIEM data and cross-reference any relevant hashes. In this way, SOAR can automatically spot potential problems while quickly moving past unimportant “noise” in the feeds. Upon identifying a serious threat, the SOAR tool can automate the EDR tool’s response processes across multiple endpoints. As the SOAR solution spots problems like unmanaged endpoints, it is able to add contextual data and automatically open a ticket on ITSM software like ServiceNow to resolve the issue.
- Managing Vulnerabilities. SOAR solutions can augment the data from vulnerability scanning tools by automatically correlating data from newly discovered vulnerabilities with information from other security tools—enriching the vulnerability data set. As incidents are traced to vulnerabilities, SOAR can add notations about context to the incident response workflow. Security analysts can be informed, automatically, about the severity of the vulnerability and how it might affect the way an incident is handled. This way, analysts can work more quickly, and with greater impact, to mitigate problems before they grow serious. SOAR can also trigger patching processes to remediate vulnerabilities.
- Stopping Phishing Attacks. As phishing attacks proliferate, SOAR tools can mitigate the risks they pose by automating the phishing triage process. This is a significant countermeasure, as phishing attacks are becoming more sophisticated and thus harder to detect. The SOAR solution can analyze suspected phishing messages and extract artifacts like words contained in the header and compare them to known phishing signatures. SOAR is also useful for speeding up the process of reviewing emails flagged by email filters. The SOAR solution can submit the suspected message to threat reputation services and so forth. If the message is determined to be a risk, SOAR can orchestrate the response processes of blocking the sender’s email address and related IP addresses.
- Managing SSL Certificates. A SOAR solution can be configured to query a certificate management tool to check endpoints for expired or about-to-expire SSL certificates. The solution can also extract user details for problematic certificates from directory stores like Microsoft Active Directory. It can then send the endpoint user, along with his or her manager, an automated email letting them know that the certificate has a problem and sharing information on how to fix the problem. The SOAR workflow may also be set up to re-check certificates that received this treatment, potentially escalating the matter if it is not handled.
- Investigating Failed User Logins. A series of failed log in attempts may be a signal that an attack is underway. SOAR responds to this suspicious activity by automatically asking the user to confirm if they have actually been attempting to log into their device. The SOAR solution is able to reset the password automatically and notify the user if that is required by the workflow. The same process can unfold if the system detects log in attempts from unusual locations (e.g., out of the country) or from unrecognized devices. The SOAR solution can automatically query the VPN service to determine the originating IP address and then check the GeoIP lookup for timestamp on those addresses.
- Hunting Compromised Indicators. Compromised indicators include things like URLs, IP addresses and hashes. A SOAR solution ingests a list of such compromised indicators, often in the form of csv file. It is then capable of hunting for threats based on information from threat intelligence tools, updating watch lists as it discovers serious threats.
- Analyze Malware. SOAR solutions can be set up to ingest data from threat intelligence feeds, SIEMs, malware analysis tools and email boxes. In the process, they are able to extract files that need to be “detonated” (opened) in a safe area away from the network and other digital assets. SOAR can also automatically send suspicious files to malware analysis tools and forward the resulting report to relevant stakeholders. The solution can also automatically establish quarantines for endpoints that may have been infected by malware.
- Managing Cases. Some SOCs use their SOAR tools for case management. It’s not an orchestration or automation use case, but it’s still a common use of the technology. SOAR can help streamline case management by providing case stakeholders with enriched information about security incidents and automating case management workflow steps. The solution can also aid users in tracking digital assets affected by security incidents.
