SOAR stands for Security Orchestration, Automation and Response.
Now SOAR is not that much of a buzzword in the security world, a lot of companies don’t even have SOAR Engineers in their security teams, but is it worth making a buzz about?
Let’s start with the basics. If you’re not sure what a SOAR Engineer does in a Security Team, let me try and explain this to you from what I like to call “The 5 Year Old Perspective”.
As a SOAR engineer, your main duty is to build special tools that help the people who protect computer systems from bad things happening. You create these tools to make it easier for the people to respond quickly and effectively when something goes wrong with the computer systems.
Imagine you have a magical box that can talk to different tools and systems that monitor the computers. Your job is to teach the magical box how to understand and talk to all these different tools. This way, when something bad happens, the magical box can gather all the important information from these tools and tell the people what’s going on.
But that’s not all! You also help the magical box do things automatically. For example, if the magical box sees something bad happening, it can automatically do certain actions to stop or fix it. You teach the magical box these actions, almost like giving it superpowers, so it can protect the computers better and faster.
In simpler terms, you’re like a teacher for a magical box that helps people protect computers. You teach the box to understand and talk to different tools, and you give it special powers to take action and keep the computers safe.
Now, there are two main parts of that box: cases and playbooks. Of course it is much complex than that, but what you would like to do when you meet a SOAR is to introduce yourself to these two components first. Get to know them better.
Cases in SOAR are containers used by the security analytics platform to group and handle relevant security incidents or alerts. A case is a collection of events, alarms, logs, and related data that is organized according to how well they relate to a particular security incident or inquiry.
On the other hand, the incident response process within cases is guided and automated by playbooks, which are planned sequences of events or tasks. Playbooks give analysts a well-organized framework to work within while looking into and handling security events. In order to ensure uniform and effective management of occurrences, they aid in streamlining and standardizing incident response processes.
Let’s stop here for now and continue with more details about SOAR systems the next time.
This is gonna be a longer series and we’ll explore different SOAR vendors, so stay tuned bugs!