What is Security Orchestration, Automation and Response (SOAR)?

A couple of years ago, industry research firm Gartner introduced a new acronym—SOAR—into the cybersecurity nomenclature. SOAR stands for “security orchestration, automation, and response.” It’s not an individual tool, or even set of tools. Like ISO 27001, GDPR, FISMA, and others, SOAR is a cybersecurity framework organizations can use to create an effective cyber risk mitigation strategy.

While SOAR in itself is not a specific technology, technology is certainly key to creating a good security orchestration blueprint. Indeed, the security orchestration component of SOAR is all about using technology to automate cybersecurity and make it easier for organizations to monitor and assess risk from a centralized location. SOAR’s primary intent is to make cybersecurity management more efficient, from the initial capturing of risk data to sharing that information with senior leadership. Technologies such security performance management (SPM) tools and security ratings assist in this effort.

How do SPM tools support security orchestration?

SPM tools are an excellent complement to the SOAR framework because they provide CISOs with more efficient ways to manage and monitor risk while providing deep and accurate cybersecurity insights.

A core element of SOAR is being able to orchestrate the many sources of data organizations rely on to provide a complete and accurate picture of their risk potential, which has become increasingly challenging given the current remote work environment. That environment has significantly broadened the attack surface for most organizations as more employees connect to company networks from endpoints at home. As Gartner puts it, “remote working is now just work” and it “requires a total reboot of policies and tools to better mitigate the risks.” 

An SPM tool like Attack Surface Analytics is critical in managing risk in this climate. It allows organizations to gain visibility into all of their digital assets (including ones they may not realize are being used), exposing potential shadow IT, identifying areas of risk, and providing a clear view of a company’s entire digital ecosystem.

All of this can be automated and orchestrated from a centralized dashboard. This makes it easier for CISOs to manage all of the different points that comprise their attack surfaces. Gaining complete visibility also helps them prioritize their threat responses. All of these factors make security performance management solutions like Attack Surface Analytics ideal for checking off all of the SOAR boxes.  

How do security ratings help with security orchestration?

Security ratings are an essential component of a good SPM toolkit––and, therefore, also play a key role in supporting the SOAR framework. Security ratings provide daily, metric-driven, easy to understand measurements of a company’s overall cybersecurity posture. A higher rating indicates a better security program with a lower likelihood of experiencing a data breach, while a lower rating signifies a need for improvement. In either case, an organization can know where they stand quickly and at any given point in time, benefits that reflect SOAR’s call for expediency and a targeted response.

Security ratings can also be used to address one of the primary reasons companies consider implementing SOAR: the desire to minimize the overwhelming number of alerts CISOs are subjected to on a regular basis. SOAR aims to funnel incoming data from multiple sources into a more manageable process that allows teams to cut through the noise, prioritizing important information while disregarding false positives.

While security ratings still provide CISOs with alerts, those alerts can be highly customized to only provide intelligence on risks that are vitally important to the business. For example, a CISO can set parameters for alerts to be sent when their organization’s security rating falls below a certain acceptable level or if a particular area of risk pops up. Or, they can do the same for any third or fourth parties they may be monitoring. They can monitor multiple sources and be notified only when they absolutely need to take action.

In fact, security ratings can be instrumental in fostering more efficient third-party risk management because they provide data-driven insights in a way that is easily understandable. It’s much easier to have a conversation with a vendor about cyber risk mitigation when that vendor is presented with a simple “score” that shows how well (or not) their organization is performing. CISOs can use the rating as a baseline and work with the vendor to address concerns and discuss ways they can improve their cybersecurity standards.

SOAR and SPM: An ideal combination

SOAR is a great framework for CISOs who want to make their security monitoring processes more streamlined while strengthening their overall risk profiles. That’s going to become more important as people continue to work remotely and use more applications, and adversaries continually seek to exploit this landscape. SPM and security ratings are ideal supporting tools for supporting SOAR and fortifying against these would-be attackers.