
SOAR solutions are tools that offer three key features. First, case management and workflow capabilities:
just as IT support teams and help desks use IT service management tools to track and control their work, security operations centres (SOCs) need tools to manage and control the work of triaging alerts and collecting, investigating and resolving incidents. Second, automation of the tasks arising from these activities through the orchestration of multiple tools, such as endpoint detection and response (EDR), security information and event management (SIEM) and network detection and response (NDR). Third, a centralised means of accessing, querying and sharing threat intelligence, a vital resource for threat detection and response activities.
When a security incident is identified, organisations must contain the damage, preserve evidence and restore business functions. As many previous incidents have shown, the first few hours of response to an ongoing attack are decisive, whether the task is judging the significance of a threat or weighing the trade-offs between containment and business disruption. The idea behind SOAR is to make security incident response more efficient through automation.
When do SOAR tools make sense?
It is important to consider where your organisation stands in terms of security maturity. While automation brings a set of well-established benefits, such as mitigating human error, reducing work time and increasing the ability to manage a large-scale, multi-vendor infrastructure, a self-assessment exercise is necessary when introducing this family of technologies into security operations. Each organisation should assess its level of maturity to avoid implementing advanced tools too early.
Global Solutions Services offers a complete portfolio from market leaders through its partnerships with IBM and D3.