One Article Review

Home - The article:
Source: Anomali
Identifier: 2922886
Publication date: 2021-06-14 15:01:00 (viewed: 2021-06-14 15:05:32)
Title: SOAR is an Architecture, Not a Product
Text: Over the past several years, the rising star of security orchestration, automation, and response (SOAR) tools keeps climbing higher. As organizations struggle to handle the crush of alerts surging out of their security controls without enough cybersecurity professionals to manage the work, SOAR products promise to bring some sanity to the process. The promise is that SOAR platforms can help security operations teams sail through the massive volume of alerts they face and better coordinate their security incident response lifecycle with custom playbooks tailored to an organization's response policies. Many organizations are already starting to reap these benefits. But as SOAR use cases evolve to real-world situations and industry analysts adjust their definition of the market, it's becoming increasingly clear that SOAR is less a singular platform and more a comprehensive architecture for tying a lot of threads in the security stack together in a meaningful fashion, including threat intelligence platform (TIP) capabilities.

What is SOAR?

SOAR is part of the cybersecurity industry's long-term push toward improved security automation. As the name suggests, there are three core functions that SOAR products have historically delivered to security teams:

Orchestration: Customized security orchestration helps integrate the dozens of best-of-breed security tools that the typical SOC has accumulated over the years. These tools often do very specialized tasks, but teams struggle because the tools don't play nicely with one another. Orchestration within a SOAR product is usually used to aggregate data from a number of different sources to enrich alerts, consolidate and deduplicate alert data, and initiate remediation actions on third-party systems.

Automation: In the context of SOAR, security automation executes a sequence of tasks related to a security workflow without requiring much human intervention. It's typically implemented via 'playbooks' that script automated processes to replace time-consuming but relatively simple processes, leaving skilled analysts free to carry out more advanced threat mitigation activities.

Response: Incident response consists of alert triage, case management, security incident investigation, threat indicator enrichment, and response actions. For example, a security event or alert should automatically pull in contextual data like IPs, domains, file hashes, user names, and email addresses to give the analyst a rapid understanding of the security scenario. Then the analyst should be able to issue investigative, containment, or response actions against the data. To accomplish these tasks, SOAR uses threat intelligence to prioritize and enrich the incidents it manages.

TIP and Gartner's Latest Definition of SOAR

This vital role of threat intelligence management in SOAR has grown to such prominence that many SOAR tools have started building in limited threat intelligence capabilities that mirror some of what a more fully featured TIP would offer. In fact, Gartner's latest definition of SOAR now names the operationalization of threat intelligence as "table stakes" for SOAR tools. Its 2020 market guide says that SOAR convergence is now roping in not only security incident response platform (SIRP) and security orchestration and automation (SOA) technology, but also TIP technology.

SOAR architectures

SOAR architectures are made up of a combination of proven technologies, with threat intelligence platforms (TIPs) and the integrations they provide serving as a cornerstone. But here's the thing: while SOAR is certainly enriched by TIP and while SOAR tools depend on native threat intelligence functionality, true SOAR benefits f
Sent: Yes
Tags: Tool, Threat


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier source.