Do More with Security Orchestration, Automation, and Response (SOAR)

Achieve Team Productivity and Sanity Without Hiring More Staff

Small Teams Doing Important Work

Security operations teams today are challenged with getting both the right staff and the right amount of staff. Most organizations are only now beginning to shift from a prevention-centric orientation[1] to a detection- and response-centric one. Reallocating capital and budgets into different technology sets and staffing skill sets takes time, and it forces organizations to rethink their security strategy. It can take years for an organization to reallocate its staffing mix.

But that’s just one challenge. Even if companies can reallocate their staffing mix and open positions for more internal security operations analysts and incident responders, they still face the challenge of finding and retaining skilled people in a market with a profound shortage.

According to the most recent Cybersecurity Jobs Report, market expansion in this area will continue to add to the workforce shortage, which is expected to reach 1.5 million cybersecurity job openings by 2019.[2] Market demand has outpaced the number of trained people coming out of universities. It’s a fundamental issue.

Obstacles to Security Operations Teams’ Ability to Detect and Respond to Cyber Threats Quickly

Security operations teams are dealing with serious resource constraints—and at the same time, they are under increasing fire from threat actors. Cyber attackers are becoming more sophisticated. The attack surface is expanding. And the cybercrime supply chain is becoming more organized and better funded. But these elements are just part of the big hairy problem.

Companies have invested in a plethora of security technologies, and those technologies raise a lot of alarms—thousands, if not tens of thousands, daily. Security teams are left to determine which alarms are real and which are false positives. This deluge leaves the team unsure of which alarms to investigate and with what urgency, creating organizational alarm fatigue.

Adding to this fatigue is the fact that analysts must often triage these alarms across five or six products. It’s a lot to ask of any team to learn and master six different products, correlate the information living within each, and arrive at a decision on whether the alarm is real. Getting the complete picture requires the analyst to manually pull together different data silos, grinding their productivity to a halt.

Given these resource constraints and the increasing threat volume, organizations have not invested enough in automation—a missed opportunity to profoundly reduce triage, threat investigation, and incident response times. Automating common triage and investigatory tasks, such as looking up directory information on a user or asset, can provide critical decision context fast. Being able to automate even a basic set of responses (e.g., disabling a user account or quarantining a host) can eliminate the hours or days a threat would otherwise be left active in an environment. Automation is critical in collapsing the time to investigate and respond to a threat.

Realizing Threat Detection and Response ROI with the Resources You Already Have

The best way I have found to meet these challenges while still streamlining your security operations team’s ability to detect and respond to threats quickly is to take a practical approach to what your staff can do from an end-to-end Threat Lifecycle Management (TLM) perspective. Effective TLM begins by determining which data and operational capabilities should be protected first, aligned with the organization’s overall risk management.

Once you’ve determined what you want to protect first, you can determine how best to detect threats against that data and infrastructure through analytics, and how to respond to them with security orchestration, automation, and response (SOAR). Ideally, a holistic approach to threat analytics would allow your team to detect threats across the full Cyber Attack Lifecycle, from Reconnaissance through Exfiltration.

When deploying analytics-driven threat detection, it is advisable to focus on a small handful of analytics use cases and take each of them end-to-end across monitoring, investigation, and response. This way you realize advanced threat-detection capabilities sooner, with the ability to fully investigate and respond, and you avoid ending up with a flood of alarms and a staff that is immediately underwater. The following high-level project approach illustrates what this might look like:

Actions for the Data and Operational Systems / Capabilities You’ve Identified to Protect

  1. Collect security event data from the systems monitoring and protecting the data infrastructure.
  2. Centralize forensic log data across the relevant systems, applications, and databases housing data or delivering the operational capability.
  3. Deploy a handful of analytics use cases to detect threats. For instance, you might start by consuming analytics-qualified events from endpoint and perimeter protection technologies, combined with some behavioral anomaly detection to identify compromised credentials and abnormal internal traffic patterns.
  4. Develop procedures and playbooks for monitoring and qualifying alarms.
  5. For each unique type of threat you are now able to detect, develop procedures and playbooks for:
    • Fully investigating that threat to determine whether a security incident has occurred or is occurring
    • Determining standard response and mitigation procedures
    • Post-incident recovery practices
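As an added example (not code from the original post or from LogRhythm), the block below takes one use case from step 3 end-to-end in miniature: it builds a per-user baseline of source countries from constructed authentication log lines, flags successful logins from a country a user has never been seen in (a compromised-credential indicator), and enriches each alarm with the directory context that the triage playbook in steps 4 and 5 would look up. The log format, the directory table and the severity rules are assumptions made for the example. It also handles the case the text leaves implicit: a user with no baseline at all cannot be judged, so the example raises a low-severity alarm for analyst review instead of silently passing the login.

```python
"""Minimal analytics use case: new-country login detection plus directory enrichment.

Added example; the key=value log format, the directory table and the severity
rules are assumptions made for illustration, not any product's real schema.
"""
import re
from collections import defaultdict

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed baseline window: historical, already-qualified successful logins.
BASELINE_LOG = [
    "2024-05-01T08:00:00Z auth user=alice src_country=US host=laptop-01 outcome=success",
    "2024-05-02T08:05:00Z auth user=alice src_country=US host=laptop-01 outcome=success",
    "2024-05-02T09:10:00Z auth user=bob src_country=DE host=vpn-gw outcome=success",
]

# Constructed events from the monitoring window being analysed.
NEW_LOG = [
    "2024-05-10T08:00:00Z auth user=alice src_country=US host=laptop-01 outcome=success",
    "2024-05-10T08:03:00Z auth user=alice src_country=RO host=vpn-gw outcome=success",
    "2024-05-10T08:30:00Z auth user=bob src_country=DE host=vpn-gw outcome=failure",
    "2024-05-10T08:31:00Z auth user=bob src_country=CN host=vpn-gw outcome=success",
    "2024-05-10T09:00:00Z auth user=carol src_country=BR host=vpn-gw outcome=success",
]

# Constructed stand-in for the directory lookup an automated triage step would perform.
DIRECTORY = {
    "alice": {"dept": "Finance", "privileged": False, "manager": "dave"},
    "bob": {"dept": "IT", "privileged": True, "manager": "erin"},
}


def parse_event(line):
    """Split a constructed 'timestamp source key=value ...' line into a dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def build_baseline(lines):
    """Map each user to the set of countries they have successfully logged in from."""
    baseline = defaultdict(set)
    for ev in map(parse_event, lines):
        if ev.get("outcome") == "success":
            baseline[ev["user"]].add(ev["src_country"])
    return dict(baseline)


def detect_new_country_logins(baseline, lines):
    """Raise an alarm for each successful login from a country outside the user's baseline.

    Failed logins are ignored here (they belong to a separate brute-force use case).
    Users with no baseline get a distinct 'no_baseline' alarm rather than a free pass.
    """
    alarms = []
    for ev in map(parse_event, lines):
        if ev.get("outcome") != "success":
            continue
        user, country = ev["user"], ev["src_country"]
        if user not in baseline:
            alarms.append({"ts": ev["ts"], "user": user, "country": country,
                           "reason": "no_baseline", "seen": []})
        elif country not in baseline[user]:
            alarms.append({"ts": ev["ts"], "user": user, "country": country,
                           "reason": "new_country", "seen": sorted(baseline[user])})
    return alarms


def enrich(alarm, directory):
    """Attach directory context and derive a severity (assumed rules for the example)."""
    entry = directory.get(alarm["user"])
    alarm["directory"] = entry if entry is not None else "not found"
    if alarm["reason"] == "new_country":
        # A privileged account logging in from a never-seen country warrants urgent triage.
        alarm["severity"] = "high" if entry and entry.get("privileged") else "medium"
    else:
        alarm["severity"] = "low"
    return alarm


def run_use_case(baseline_lines, new_lines, directory):
    """End-to-end: baseline -> detection -> enrichment, returning qualified alarms."""
    baseline = build_baseline(baseline_lines)
    return [enrich(a, directory) for a in detect_new_country_logins(baseline, new_lines)]


if __name__ == "__main__":
    for alarm in run_use_case(BASELINE_LOG, NEW_LOG, DIRECTORY):
        print(f"{alarm['severity']:6} {alarm['user']:6} {alarm['reason']:12} "
              f"from {alarm['country']} (seen: {alarm['seen'] or 'none'})")
```

Keeping the baseline, the detection rule and the enrichment as separate functions mirrors the steps in the list: each can be tested on its own, and the enrichment step is where an automated directory lookup replaces the manual cross-product correlation described earlier.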

Once you’ve implemented end-to-end TLM and realized success across a collection of threat detection use cases, you can be confident that your team is better protecting what is most important to the business. You’ll also better understand the capacity of your security team.

If capacity remains, you can move on to protecting additional data and infrastructure, or implement deeper analytics in the area already protected. Either way, you are realizing ROI, and you are in a much better position to go back to the organization with proven results to acquire more budget and support.

Do More Faster with Security Orchestration, Automation, and Response

Security orchestration, automation, and response has become a bit of a buzzword in the security space. And for certain challenges it genuinely is a silver bullet. SOAR helps a security operations team realize a very quick return on investment by providing technology- and automation-enabled workflows that accelerate threat qualification and investigation.

Case management facilities give analysts and incident responders a place to collaborate quickly and efficiently. Integrated playbooks can provide standard procedures and access to automation within the natural workflow of the security operations team. These capabilities can dramatically increase productivity while also ensuring threats don’t slip through the cracks of what was likely a previously disjointed workflow.

The automation piece of SOAR can also realize quick returns, but it requires more upfront investment. Automation requires buy-in, collaboration, and cooperation from the broader IT organization, because SOAR automates responses across the IT infrastructure. A key responsibility of IT teams is to manage change effectively. If the security operations team is going to effect change via automated responses, it has an organizational responsibility to ensure this is done safely and under appropriate governance. Making sure that not only your team but also your IT organization has the comfort and confidence to let your SOAR platform automate these actions responsibly is critical.

Choosing a SOAR Platform

There are a few things you should consider when evaluating a SOAR platform. First, look for a product with a test harness: you want to be able to test automated actions and scripts before they are put into production. Second, look for capabilities such as multi-party approval, where an action can only proceed once multiple people, across departments, have approved it.

Consider that a huge part of IT is change control. In production IT environments, every change should be managed with a change request and change reviews. Because automation effects changes in the IT environment, buy-in from IT stakeholders is critical: the security team is now effecting IT-level changes. Not achieving buy-in from your IT organization will be your biggest SOAR adoption risk. You can’t do it alone; you have to do it in partnership with IT to be effective. But a solution that includes multi-party approvals can give your IT organization a degree of comfort that, even if a change is automatically pre-staged, they can look at it first and approve or deny it.
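To make the two evaluation criteria above concrete, here is an added example (not code from the original post or from any SOAR product) of the governance layer around one automated response, "disable user account". An action is pre-staged in a pending state, approvals are recorded per person with their department, a quorum policy requires both a minimum number of approvers and representation from every named department (security and IT in this example), the requester is barred from approving their own action, and execution refuses anything not yet approved. The same execution path runs in dry-run mode, which is the test-harness behaviour: the connector reports what it would do without doing it. The policy values, the connector and all names are assumptions made for the example.

```python
"""Multi-party approval and dry-run execution for an automated response action.

Added example; policy values, department names and the connector are assumed
for illustration and do not model any specific SOAR product's API.
"""
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    PENDING = "pending"      # pre-staged, awaiting approvals
    APPROVED = "approved"    # quorum met, may be executed
    EXECUTED = "executed"    # real change applied


@dataclass(frozen=True)
class ApprovalPolicy:
    min_approvers: int                # distinct people required
    required_departments: frozenset   # every department here must approve


@dataclass
class ResponseAction:
    name: str                 # connector key, e.g. "disable_user"
    target: str               # object of the change, e.g. an account name
    requested_by: str         # the analyst or playbook that pre-staged it
    approvals: dict = field(default_factory=dict)   # approver -> department
    status: Status = Status.PENDING


def quorum_met(action, policy):
    """Enough distinct approvers, and each required department represented."""
    departments = set(action.approvals.values())
    return (len(action.approvals) >= policy.min_approvers
            and policy.required_departments <= departments)


def approve(action, approver, department, policy):
    """Record one approval, enforcing separation of duties; returns the new status."""
    if action.status is not Status.PENDING:
        raise ValueError(f"action is already {action.status.value}")
    if approver == action.requested_by:
        raise PermissionError("requester cannot approve their own action")
    if approver in action.approvals:
        raise ValueError(f"{approver} has already approved this action")
    action.approvals[approver] = department
    if quorum_met(action, policy):
        action.status = Status.APPROVED
    return action.status


def disable_user_connector(target, dry_run):
    """Hypothetical connector. A real one would call the directory service;
    this stand-in only reports the plan, and marks whether it would have run."""
    return {"plan": f"disable account {target}", "executed": not dry_run}


CONNECTORS = {"disable_user": disable_user_connector}


def execute(action, connectors, dry_run):
    """Run an approved action; dry_run exercises the same path without applying change."""
    if action.status is not Status.APPROVED:
        raise PermissionError(
            f"{action.name} on {action.target} is {action.status.value}, not approved")
    result = connectors[action.name](action.target, dry_run=dry_run)
    if not dry_run:
        action.status = Status.EXECUTED
    return result


if __name__ == "__main__":
    policy = ApprovalPolicy(min_approvers=2, required_departments=frozenset({"security", "it"}))
    action = ResponseAction("disable_user", "alice", requested_by="soc-analyst")
    print(approve(action, "soc-lead", "security", policy))   # Status.PENDING: IT missing
    print(approve(action, "it-oncall", "it", policy))        # Status.APPROVED
    print(execute(action, CONNECTORS, dry_run=True))         # test harness: plan only
    print(execute(action, CONNECTORS, dry_run=False))        # real change
    print(action.status)                                     # Status.EXECUTED
```

Two design points matter for the change-control discussion above. Approvals are keyed by person, so a second approval from the same analyst cannot satisfy a two-person quorum, and the department set is checked separately so that two approvers from security alone never satisfy a policy that names IT. Because dry-run goes through the same `execute` path, the harness also exercises the approval check itself rather than only the connector.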

The cost of integration is another important element to consider when selecting a SOAR platform. Ultimately, the value that SOAR enables and automates will be delivered with data from and through other systems. If you’re looking at a stand-alone SOAR solution, the events are probably going to come from a security information and event management (SIEM) platform.

It’s important to determine what the cost of integration will be, and what the user experience will be when workflows span both a SIEM and a SOAR solution. Will those workflows still be efficient? Will your team be able to build their own automated playbooks? Will your team be able to integrate the SOAR solution with your other systems (e.g., ticketing and enterprise systems) via APIs? How long will it take your team to stand up those integrations? What will it cost to maintain them? These are all important questions to consider during the evaluation phase.

Ultimately, SOAR can help streamline your security operations team’s ability to detect and respond to threats faster, quantify key performance indicators such as mean time to detect (MTTD) and mean time to respond (MTTR), and save your team some sanity in their day-to-day work through streamlined workflows and playbooks for automated response actions. SOAR can be a valuable tool that empowers your team to focus on the more important work without getting bogged down in the manual and menial.

To see the LogRhythm SOAR feature set in action, watch our on-demand video demo now!

[1] Sources: Gartner, Shift Cybersecurity Investment to Detection and Response, January 2016; Gartner, Forecast: Information Security, Worldwide, 2014-2020, 1Q16 Update, April 2016
[2] Source: Cybersecurity Jobs Report,