Security Orchestration Automation and Response (SOAR) Basics: Definition, Components, and Best Practices

Security Orchestration, Automation and Response (SOAR) is an approach to incident response (IR) and post-incident recovery that automates security processes and procedures. The term was coined by Gartner, which described a class of tooling aimed at reducing the workload of IR and SOC teams, shortening MTTD (Mean Time to Detect) and MTTR (Mean Time to Respond), and giving organizations comparatively low-cost, automated incident response and mitigation. In this article we cover what makes SOAR tick, the pros and cons of adopting a SOAR approach to both preventive and reactive security, best practices, and, of course, a couple of real-life examples. Enjoy!

What is Security Orchestration Automation and Response?

To begin with, let’s quote Gartner on this one. According to the Peer Insights section on Security Orchestration, Automation and Response Solutions, SOAR is a technology

(…) that enables organizations to take inputs from a variety of sources (mostly from security information and event management [SIEM] systems) and apply workflows aligned to processes and procedures. These can be orchestrated via integrations with other technologies and automated to achieve the desired outcome and greater visibility. Additional capabilities include case and incident management features; the
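To make that definition concrete, here is an added example (not from the article and not from Gartner) of a minimal playbook runner in Python: a constructed SIEM alert comes in, a workflow enriches and triages it, connector stand-ins carry out the automated actions, and a case record captures what was done and how long it took. The alert schema, the reputation table and the connector functions are all assumptions made for illustration; a real deployment would swap them for the SIEM, threat-intel, firewall, EDR and identity-provider integrations the page alludes to.

```python
"""Minimal SOAR-style playbook runner (added illustration): SIEM alert in,
enrichment, triage, automated actions, case record out. Every integration
here is an in-memory stand-in, not a real product API."""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample alerts in a hypothetical SIEM export schema.
SIEM_ALERT_JSON = json.dumps({
    "id": "alert-1001", "rule": "Brute force followed by successful login",
    "src_ip": "203.0.113.45", "user": "jdoe", "host": "ws-0421",
    "detected_at": "2024-05-01T10:00:00+00:00"})
BENIGN_ALERT_JSON = json.dumps({
    "id": "alert-1002", "rule": "Port scan", "src_ip": "198.51.100.7",
    "user": "-", "host": "ws-0099", "detected_at": "2024-05-01T11:00:00+00:00"})

# Constructed reputation feed standing in for a threat-intel integration.
THREAT_INTEL: Dict[str, dict] = {
    "203.0.113.45": {"reputation": "malicious", "tags": ["bruteforce"]}}

# Actions that change user or production state wait for an analyst; the rest
# run unattended. This approval gate is the guardrail most SOC teams insist on.
REQUIRES_APPROVAL = {"disable_user"}


@dataclass
class Case:
    alert_id: str
    severity: str = "unknown"
    enrichment: dict = field(default_factory=dict)
    executed: List[str] = field(default_factory=list)
    pending_approval: List[Tuple[str, str]] = field(default_factory=list)
    detected_at: Optional[datetime] = None
    responded_at: Optional[datetime] = None

    def time_to_respond_seconds(self) -> float:
        """Per-case MTTR input: detection time to end of automated response."""
        return (self.responded_at - self.detected_at).total_seconds()


# Connector stand-ins; a deployment would call firewall, EDR and IdP APIs.
def block_ip(ip: str) -> str:
    return f"firewall: denied {ip}"

def isolate_host(host: str) -> str:
    return f"edr: isolated {host}"

def disable_user(user: str) -> str:
    return f"idp: disabled {user}"

CONNECTORS = {"block_ip": block_ip, "isolate_host": isolate_host,
              "disable_user": disable_user}


def enrich(alert: dict) -> dict:
    """Step 1: look up the source IP in the reputation feed."""
    return THREAT_INTEL.get(alert["src_ip"], {"reputation": "unknown", "tags": []})


def triage(alert: dict, intel: dict) -> str:
    """Step 2: derive a severity from the rule name plus the enrichment."""
    malicious = intel["reputation"] == "malicious"
    if malicious and "successful login" in alert["rule"].lower():
        return "high"
    return "medium" if malicious else "low"


def plan_actions(alert: dict, severity: str) -> List[Tuple[str, str]]:
    """Step 3: map severity to (connector, argument) pairs."""
    if severity == "high":
        return [("block_ip", alert["src_ip"]), ("isolate_host", alert["host"]),
                ("disable_user", alert["user"])]
    if severity == "medium":
        return [("block_ip", alert["src_ip"])]
    return []


def run_playbook(alert_json: str, responded_at: Optional[str] = None) -> Case:
    """Orchestrate the steps and record everything in a case.
    responded_at (ISO 8601) can be pinned for reproducible runs."""
    alert = json.loads(alert_json)
    case = Case(alert_id=alert["id"],
                detected_at=datetime.fromisoformat(alert["detected_at"]))
    case.enrichment = enrich(alert)
    case.severity = triage(alert, case.enrichment)
    for action, arg in plan_actions(alert, case.severity):
        if action in REQUIRES_APPROVAL:
            case.pending_approval.append((action, arg))  # queued for a human
        else:
            case.executed.append(CONNECTORS[action](arg))
    case.responded_at = (datetime.fromisoformat(responded_at) if responded_at
                         else datetime.now(timezone.utc))
    return case


if __name__ == "__main__":
    c = run_playbook(SIEM_ALERT_JSON)
    print(c.alert_id, c.severity, c.executed, c.pending_approval)
```

Two design points matter more than the toy logic. First, the case object is the audit trail: every enrichment result, executed action and queued action is recorded against the alert, which is what the "case and incident management" part of the definition refers to, and the detected/responded timestamps are what feed MTTR reporting. Second, not everything is automated: the account-disable step is held for approval because a false positive there locks out a real user, whereas blocking an IP already flagged as malicious is cheap to reverse. Deciding which actions sit on which side of that line is most of the work of writing a safe playbook.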

