SOAR (Security Orchestration, Automation and Response)

Contributor(s): Cathy Gagne

SOAR (Security Orchestration, Automation and Response) is a solution stack of compatible software programs that allows an organization to collect data about security threats and respond to low-level security events without human assistance. Data about these threats can be collected from multiple sources. The goal of using a SOAR stack is to improve the efficiency of physical and digital security operations. The term was coined by the research firm Gartner and can be applied to compatible products and services that help define, prioritize, standardize and automate incident response functions.

While both security information and event management (SIEM) and SOAR stacks aggregate relevant data from multiple sources, SOAR services integrate with a wider range of internal and external applications. Many companies use SOAR services to augment in-house SIEM software. In the future, it is expected that as SIEM vendors begin to add SOAR capabilities to their services, the market for these two product lines will merge.

Important SOAR Capabilities

According to Gartner, the three most important capabilities of SOAR technologies are:

Threat and vulnerability management: These technologies support the remediation of vulnerabilities. They provide formalized workflow, reporting and collaboration capabilities.

Security incident response: These technologies support how an organization plans, manages, tracks and coordinates the response to a security incident.

Security operations automation: These technologies support the automation and orchestration of workflows, processes, policy execution and reporting.
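To make the three capabilities above concrete, here is an added illustration (not code from the page, Gartner, or any SOAR vendor) of what a playbook-driven automation layer does: alerts from two constructed sources are normalized into cases, enriched against a threat-intelligence hash set and an allowlist, triaged so that a known-benign pattern is closed as a false positive, and then either auto-remediated (low severity) or escalated to an analyst with containment recorded (high severity or known-bad indicators). Every alert, host name, hash and connector name is a constructed placeholder; the connectors only record the action that a real integration would perform.

```python
"""Minimal SOAR-style playbook runner. Added example; all data below is constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample alerts from two sources (an EDR and a mail gateway).
SAMPLE_ALERTS = [
    {"source": "edr", "host": "ws-0142", "user": "jdoe", "rule": "suspicious_powershell",
     "severity": 7, "sha256": "aaaa"},
    {"source": "mail", "host": "ws-0077", "user": "asmith", "rule": "phish_link_click",
     "severity": 3, "url": "http://example.invalid/login"},
    {"source": "edr", "host": "build-03", "user": "svc_ci", "rule": "suspicious_powershell",
     "severity": 7, "sha256": "bbbb"},
]

# Constructed enrichment sources: hosts known to run scripted PowerShell legitimately,
# and a (hypothetical) threat-intel set of known-bad file hashes.
KNOWN_BENIGN_HOSTS = {"build-03"}
KNOWN_BAD_HASHES = {"aaaa"}

# Threshold above which an event is never handled without a human (an assumption here).
ESCALATE_SEVERITY = 7


@dataclass
class Case:
    """One incident record: the originating alert plus the audit trail the playbook builds."""
    alert: dict
    tags: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)
    disposition: str = "open"


# Orchestration connectors. In a real deployment each would call an EDR, proxy or
# ticketing API; here they only append an audit entry so the example runs offline.
CONNECTORS: Dict[str, Callable[[Case, str], None]] = {
    "isolate_host": lambda c, t: c.actions.append(f"isolate_host:{t}"),
    "block_url": lambda c, t: c.actions.append(f"block_url:{t}"),
    "notify_user": lambda c, t: c.actions.append(f"notify_user:{t}"),
}


def enrich(case: Case) -> Case:
    """Attach context from external sources so later steps can make a decision."""
    if case.alert.get("sha256") in KNOWN_BAD_HASHES:
        case.tags.append("ti:known-bad")
    if case.alert["host"] in KNOWN_BENIGN_HOSTS:
        case.tags.append("allowlisted-host")
    return case


def triage(case: Case) -> Case:
    """False-positive filtration: an allowlisted host with no bad indicator is closed."""
    if "allowlisted-host" in case.tags and "ti:known-bad" not in case.tags:
        case.disposition = "closed:false-positive"
    return case


def respond(case: Case) -> Case:
    """Automate the low-level response; escalate anything high-severity or known-bad."""
    if case.disposition != "open":
        return case
    a = case.alert
    if "ti:known-bad" in case.tags or a["severity"] >= ESCALATE_SEVERITY:
        CONNECTORS["isolate_host"](case, a["host"])   # contain first, then hand to tier 2
        case.disposition = "escalated:tier2"
    else:
        if "url" in a:
            CONNECTORS["block_url"](case, a["url"])
        CONNECTORS["notify_user"](case, a["user"])
        case.disposition = "closed:auto-remediated"
    return case


PLAYBOOK: List[Callable[[Case], Case]] = [enrich, triage, respond]


def run_playbook(alerts: List[dict], steps=PLAYBOOK) -> List[Case]:
    """Run every alert through the ordered playbook steps and return the resulting cases."""
    cases = []
    for alert in alerts:
        case = Case(alert=alert)
        for step in steps:
            case = step(case)
        cases.append(case)
    return cases


if __name__ == "__main__":
    for c in run_playbook(SAMPLE_ALERTS):
        print(c.alert["host"], c.disposition, c.actions)
```

The value of the pattern is that the decision logic lives in small, reviewable steps with an audit trail per case, and the escalation threshold is explicit: the analyst sees only the case that needed a human, with containment already recorded.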

SOAR Vendors

Vendors that currently promote their ability to provide SOAR capabilities include:

  • LogRhythm
  • Rapid7
  • Cybersponse
  • Demisto
  • Cyberbit
  • D3Security

This was last updated in November 2020


Is SOAR real or just some marketing hype for SIEM software on steroids?
It's an interesting space, which started as an independent product offering, and is acquired by many SIEM vendors to complete their portfolio. For example, IBM QRadar has IBM Resilient, Splunk has Phantom. Interestingly, some of the vendors such as Demisto are acquired by Palo Alto, which isn't the typical SIEM story... but maybe there is something better/bigger in the future.

So my definition/perspective of SOAR is -- we always talked about Prevent > Detection > Response as three phases. SOAR products are Response Category software. Some easy, value-add use cases are Triage and False Positive Filtration -- all these can be playbooked and fully automated as well.

In addition to Tier 1 Automation, SOAR products also offer a lot of distinguishing features. For example, CyberSponse (and in full disclosure, I am an employee of CyberSponse) has unique capabilities that allow analysts to free up time from repetitive tasks and use that time for advanced threat hunting.

All the existing SIEMs are unfinished products, including Splunk (with an add-on app; it's not made as a SIEM on its own), and it's worse when you deal with ELK and the rest. The hype came from the fact that they are better than the command line stuff we used to have, but nowhere near the finish line. Big money is involved due to compliance requirements and the fear of being accused of not doing anything about security. That's why you get SOAR, SOAP, SOAPA and many more to come. We are not there yet. People tend to believe that if someone invested so much in it, they must have bought a product so perfect and so fantastic. This is not the case in reality. It's only the beginning and we can already see the shortcomings of doing cyber security mostly as a technical event. The industry can lift its game by attracting talent from other fields. - CSOC365