Incident response

Security Orchestration, Automation and Response (SOAR)

Fakhar Imam
March 12, 2019 by
Fakhar Imam

Gartner describes SOAR as the collection of disparate technologies that enable businesses to gather data and security alerts from different sources. The business can then conduct threat analysis and remediation processes by utilizing both machines and manpower together to assist in defining, prioritizing and driving standardized Incident Response (IR) activities according to a standard workflow. Using SOAR tools, businesses define response procedures and threat analysis, also known as Plays in the Security Operation Playbook, in a digital workflow format so that a variety of machine-driven activities can be automated.

SOAR combines three previously different technology sectors — security orchestration and automation, threat intelligence and incident response.

Learn Incident Response

Learn Incident Response

Get hands-on experience with incident response tools and techniques as you progress through nine courses.

In the world of cyberwarfare, cybersecurity threats are growing by leaps and bounds and organizations are unable to protect their IT infrastructure from these threats. To help businesses grow, technical innovations in IT infrastructure are being introduced. However, securing this infrastructure is a daunting task.

To deal with this problem, organizations look for security personnel and security tools as a last resort. Training and retaining these IT practitioners is also a challenging task. According to The Demisto State of SOAR Report, 2018: “it [takes] an average of 8 months to train new security analysts; despite this, a quarter of employees were likely to end up leaving within 2 years.

The problem of hiring and training new employees can be resolved with the help of SOAR tools, as they can help to fill the personnel gap and make the existing workforce more productive. In addition, SOAR has become a vital part of Security Operation Center (SOC) and enable incident resolution with the most robust documentation, highest fidelity and least dead time.

The Demisto State of SOAR Report also reveals that the research respondents accept that their SOAR solution helps them with both the reactive and proactive spheres of day-to-day operations. More than 62 percent of respondents agreed with the fact that threat-hunting was an expected benefit of the SOAR. The functional components of SOAR will be discussed in the following sections.

What are the functional components of SOAR?

The functional components of SOAR are security orchestration, automation, incident management and collaboration, dashboard and reporting. These components perform different activities and functions within a SOC. In the following sections, you will gain insight into each functional component of SOAR in greater details.


Security orchestration is the act of integrating disparate technologies and connecting security tools, both security-specific and non-security specific, in order to make them capable of working together and improving incident response.

Nowadays, cyber-incidents are complex and more common than before. However, the ability of organizations to respond to these incidents is poor and inefficient. To prevent a nightmare, security orchestration helps businesses to improve response actions in the face of cyberthreats based on the measurement of their defensive measures and risk posture. Security professionals like a CSIRT team are empowered to replace slow and manual activities with machine-driven decision-making and remediation processes. Doing so helps organizations to thrive and survive in the marketplace and avoid penalties and reputational damage.

Involving manpower is also indispensable in security orchestration. Automated systems alone are not sufficient to spot the subtle signs of a hack. For instance, the alert system of your SOAR cannot determine whether an email is malicious or not. Instead, the analysts have to put on their detective hats and look for many other clues, including:

  • What does threat intelligence tell us?
  • Was such an email received by any other system?
  • What IP address did it come from?

And innumerable other potential questions.

How does security orchestration work? We will answer this question by discussing the example of a malicious email. Assume that one of your employees reports an email to the SOC. The analysts at SOC will check the validity of the sender through threat intelligence and the origin of the email through a DNS tool. After that, hyperlinks are extracted from the email to check their validity via URL reputation. The analysts either run all email attachments on a sandbox or destroy a link in a secure environment. This process is done for every reported email.

Organizations may receive hundreds of malicious emails every day. Is it possible to analyze each reported email manually? This is a case when security orchestration comes into place. It automates data collection for each malicious email in a single place.

Based on the data, analysts can decide whether the email is malicious or not. In the event of detection, the security orchestration playbook will respond to the incident and performs remediation.

Below is the list of some other use cases of security orchestration:

  • Automating threat-hunting
  • Automating malware analysis
  • Automating VPN checks
  • Automating IOC enrichment
  • Automating vulnerability management
  • Responding to phishing attacks
  • Automate incident severity assignment


Detecting and responding to cyber-incidents manually is a time-consuming and daunting task. During the incident response phase, there are hundreds of repetitive actions that need to be automated. For example, it is impossible for analysts to manually deal with the sheer number of security alerts received every day. If all these alerts are not addressed properly, the chance of a new incident will be greater.

Automation is machine-driven execution of actions on IT systems and security tools as a part of incident response. These tasks were previously performed by humans. With the automation feature of SOAR tools, a CSIRT team can describe standardized automation steps, decision-making workflow, enforcement actions, status checking and auditing capabilities.

For effective automation, the response tasks that the automated systems perform must be defined properly, preferably in a sequence.

Automation supports both reactive and proactive security measure. Reactively, the automation playbook can perform incident response, track incident response metrics and perform case management. Proactively, the automation playbook can carry out threat-hunting and security operations that help analysts to identify threats and vulnerabilities prior to the occurrence of a real incident.


As the name implies, response helps analysts to manage security incidents, collaborate and share data for incident resolution.

  • Alert Triage and Processing: The SOAR collects data from other security tools such as SIEM. After that, security teams perform analysis on such data to verify whether any threat exists or not. If a threat is found, security teams extend their investigation parameter across other potential vulnerabilities to prevent further attack. Finally, the remediation process is initiated to resolve the incident
  • Case Management Modules: This feature supports collaboration, communication and task management with the SOC and possibly beyond
  • The Management of Threat Intelligence: Using this property, SOAR tools gather all necessary information regarding a threat. Afterwards, the security teams process it and turn that information into intelligence in order to take proactive actions

Dashboard and Reporting

The dashboard and reporting capabilities of SOAR generate reports for various stakeholders such as analysts, the Chief Information Security Officer (CISO), SOC managers and other security experts associated with the SOAR. The purpose is to gain better security intelligence and learn lessons from the previous reports to improve further. The dashboard and reports include SOC manager reports, analyst-level reporting and CISO-level reports.

How SOAR can be helpful in 2019

Since cybersecurity threats are constantly growing in number and sophistication, curtailing them with effective security solutions is the need of the hour. In addition, accuracy and speed are two important requirements in every security expert’s mind in 2019. How can you provide maximum results with minimum resources? It seems impossible. However, it is possible with a SOAR.

According to the Swimlane, a SOAR vendor, one of their customers received 200 phishing alerts in just a one week. Analysts need four hours to remediate each alert without a SOAR. However, using a SOAR can decrease this time to 15 minutes for each alert.

Reportedly, 2019 will witness a paucity of security professionals. A recent report published by Frost & Sullivan discovered that there will be a shortage of 1.8 million security personnel by 2022. Since SOAR fills the personnel gap, organizations are likely to look to this solution in 2019.

According to Andrea Fumagalli, a Vice President of Engineering at DFLabs, the SOAR solution in 2019 will be utilized not only for security events but also for alerts where automation could help in dealing with fraud and IT incidents.


As a result, it has been realized that the SOAR solution is helpful for every type of organization — especially for those having fewer security personnel and a shrinking budget for IT security. SOAR technology can help analysts within a SOC to save time, money and resources.

Cybersecurity is an evolving field. Therefore, the need for a security solution such as SOAR is always present.

Learn Incident Response

Learn Incident Response

Get hands-on experience with incident response tools and techniques as you progress through nine courses.


Fakhar Imam
Fakhar Imam

Fakhar Imam is a professional writer with a master’s program in Masters of Sciences in Information Technology (MIT). To date, he has produced articles on a variety of topics including on Computer Forensics, CISSP, and on various other IT related tasks.