Jessica Groopman at TechTarget's SearchSecurity site has a good short post about SOAR (security orchestration, automation and response): what it stands for, and what the potential benefits and pitfalls are. Here is an extract; the link to the full article is at the bottom.
"As organizations around the world face a constant and dynamic barrage of cybersecurity threats, the development of tools to accelerate security operations, automation and response, or SOAR, has rapidly increased. SOAR tools are designed for the following functions:
- Security Orchestration connects and coordinates heterogeneous tool sets and defines incident analysis parameters and processes.
- Automation automatically triggers specific workflows, tasks and triages based on those parameters, including automated steps for lower-risk incidents.
- Response accelerates general and targeted responses by enabling a single view for analysts to access, query and share threat intelligence.
There are two main business incentives for adopting SOAR tools in security programs.
- SOAR centralizes visibility and insights into threats.
- It simultaneously manages the lower-level incidents to support and scale human analysts.
Though adoption success may vary depending on the organization, security leaders can anticipate the following benefits of SOAR implementation:
- improved productivity;
- less tedious and repetitive work for humans;
- more strategic allocation for human analysts;
- process and operational efficiencies in alerts and triage;
- faster incident response and remediation;
- centralized and coordinated multivendor security tools and analytics; and
- increased resilience against a growing threat landscape."
Read the full article here, where the author also lists the possible pitfalls. PhishER is a good example of a SOAR product.
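As an added illustration of the three functions in the extract (orchestration connecting tools behind one interface, automation triaging against pre-defined parameters and handling the lower-risk cases itself, response handing the rest to an analyst with the enrichment attached), here is a toy phishing-triage playbook in Python. It is example code written for this post, not Groopman's article or the PhishER product; the tool adapters, thresholds, alerts and intel feed are constructed stand-ins, not any vendor's real API.

```python
"""Toy SOAR playbook for user-reported phishing (added example; all tools are constructed)."""
from dataclasses import dataclass, field

# ---- Orchestration layer: one adapter per "vendor" tool -----------------------
# The playbook only ever calls these methods, so swapping a vendor never touches
# the triage logic. Everything below is a constructed stand-in, not a real API.

class ThreatIntelTool:
    """Constructed intel feed: sender domain -> confidence the domain is malicious (0-100)."""
    FEED = {"login-verify.example": 90, "pay-invoice.example": 70}

    def confidence(self, domain: str) -> int:
        return self.FEED.get(domain, 0)


class MailGatewayTool:
    """Constructed mail gateway: records which message IDs were pulled from mailboxes."""
    def __init__(self) -> None:
        self.quarantined: list[str] = []

    def quarantine(self, msg_id: str) -> None:
        self.quarantined.append(msg_id)


class EdrTool:
    """Constructed EDR: knows which hosts opened the reported link and can isolate a host."""
    CLICK_TELEMETRY = {"ws-17": True}   # constructed: only ws-17 clicked anything

    def __init__(self) -> None:
        self.isolated: list[str] = []

    def link_clicked(self, host: str) -> bool:
        return self.CLICK_TELEMETRY.get(host, False)

    def isolate(self, host: str) -> None:
        self.isolated.append(host)


@dataclass
class Alert:
    msg_id: str
    sender_domain: str
    reporter_host: str


@dataclass
class Case:
    """The single record an analyst sees: the alert plus everything the tools said about it."""
    alert: Alert
    intel_confidence: int
    link_clicked: bool
    risk: str = "low"
    actions: list[str] = field(default_factory=list)
    owner: str = "automation"   # who is responsible for closing it
    status: str = "open"


class PhishingPlaybook:
    """Automation layer: enrich, score against fixed parameters, contain, or escalate."""
    # Incident analysis parameters, defined up front rather than decided per alert.
    QUARANTINE_AT = 50   # intel confidence at which the message is pulled automatically
    ESCALATE_AT = 80     # intel confidence at which a human takes over

    def __init__(self, intel: ThreatIntelTool, gateway: MailGatewayTool, edr: EdrTool) -> None:
        self.intel, self.gateway, self.edr = intel, gateway, edr
        self.analyst_queue: list[Case] = []   # the single view analysts work from

    def run(self, alert: Alert) -> Case:
        # 1. Orchestration: enrich the alert from two unrelated tools.
        case = Case(alert,
                    intel_confidence=self.intel.confidence(alert.sender_domain),
                    link_clicked=self.edr.link_clicked(alert.reporter_host))
        # 2. Triage against the parameters; a confirmed click always outranks the intel score.
        if case.link_clicked or case.intel_confidence >= self.ESCALATE_AT:
            case.risk = "high"
        elif case.intel_confidence >= self.QUARANTINE_AT:
            case.risk = "medium"
        # 3. Automated steps: medium and high are contained without waiting for a human.
        if case.risk in ("medium", "high"):
            self.gateway.quarantine(alert.msg_id)
            case.actions.append(f"quarantine:{alert.msg_id}")
        if case.risk == "high":
            self.edr.isolate(alert.reporter_host)
            case.actions.append(f"isolate:{alert.reporter_host}")
            case.owner = "analyst"            # response: hand over with the enrichment attached
            self.analyst_queue.append(case)
        else:
            case.status = "closed"            # low and medium are closed by automation
        return case


def run_demo() -> tuple[list[Case], PhishingPlaybook]:
    """Feed four constructed user-reported phishing alerts through the playbook."""
    playbook = PhishingPlaybook(ThreatIntelTool(), MailGatewayTool(), EdrTool())
    alerts = [
        Alert("msg-1", "newsletter.example",   "ws-03"),  # unknown sender, no click
        Alert("msg-2", "pay-invoice.example",  "ws-05"),  # known-bad sender, no click
        Alert("msg-3", "login-verify.example", "ws-17"),  # known-bad sender and clicked
        Alert("msg-4", "unknown.example",      "ws-17"),  # no intel, but the host clicked
    ]
    return [playbook.run(a) for a in alerts], playbook


if __name__ == "__main__":
    cases, pb = run_demo()
    for c in cases:
        print(c.alert.msg_id, c.risk, c.status, c.owner, c.actions)
    print("analyst queue:", [c.alert.msg_id for c in pb.analyst_queue])
```

The point of the split is the one the extract makes: the first two alerts never reach a person (one is closed as benign, one is quarantined and closed by automation), while the two high-risk cases arrive in the analyst queue already containing the intel score, the click telemetry and the containment actions taken, so the analyst starts from a single consolidated view rather than querying each tool by hand. The thresholds are the piece to tune carefully in a real deployment: set `QUARANTINE_AT` too low and automation starts pulling legitimate mail.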