SOAR (Security Orchestration, Automation and Response) is a solution stack of compatible software programs that allow an organization to collect data about security threats, and respond to low-level security events without human assistance. Data about these threats can be collected from multiple sources. The goal of using a SOAR stack is to improve the efficiency of physical and digital security operations. The term was coined by the research firm Gartner and can be applied to compatible products and services that help define, prioritize, standardize and automate incident response functions.
While both security information and event management (SIEM) and SOAR stacks aggregate relevant data from multiple sources, SOAR services integrate with a wider range of internal and external applications. Many companies use SOAR services to augment in-house SIEM software. In the future, it is expected that as SIEM vendors begin to add SOAR capabilities to their services, the market for these two product lines will merge.
Important SOAR Capabilities
According to Gartner, the three most important capabilities of SOAR technologies are:
Threat and vulnerability management: These technologies support the remediation of vulnerabilities. They provide formalized workflow, reporting and collaboration capabilities.
Security incident response: These technologies support how an organization plans, manages, tracks and coordinates the response to a security incident.
Security operations automation: These technologies support the automation and orchestration of workflows, processes, policy execution and reporting.
Vendors that currently promote their ability to provide SOAR capabilities include:
- IBM SOAR