Overview of SOAR
ArcSight SOAR delivers an automated case response solution for repetitive security events and imparts a seamless security management experience by performing faster threat detection and remediation.
The main value proposition of SOAR lies in assisting your organization for human and machine-led analysis of the alerts, and leveraging an automated solution for threat response and remediation.
SOAR is fully programmable and integrates easily with your organization's existing technology stack. The application is capable of meeting the unique needs of security teams, and enables multiple forms of automation, analyst augmentation, and collaborative investigation and response through an intuitive interface.
SOAR Features
Some of the key features of SOAR include:
Case Management: SOAR enables you to manage case data and collaborate on it to resolve cases efficiently from a single pane of glass. Case management helps streamline investigations and expedite case resolution.
Consolidation: You can aggregate alerts from different sources based on configured time-span or common conditions. This helps in gathering all the correlated information for the suspected threat and further helps in finding the optimized solution for case handling.
Orchestration: The automated solutions provided by SOAR can seek information from the security operations center (SOC), or pass control to the SOC for decision making and then take control back into automation. Depending on the case scenario, ArcSight SOAR can orchestrate the control flow between automation and the human analyst.
Enrichment: The system uses the enrichment feature to gather additional information about the event context. These additional insights guide the detailed threat investigation.
Automation: The system leverages both fully automatic and semi-automatic solutions for threat remediation and response. You can automate mundane repetitive tasks, prioritize events and streamline security processes to deliver accelerated case response.
Response: SOAR automation can execute protective actions, stored in playbooks, to prevent a threat from impacting your organization. This capability offers a unique way to respond to events quickly and effectively.
Reporting and Analytics: You can generate reports to view detailed information about cases. SOAR offers a pre-defined report template for data presentation or you can create your own template to specify which data you want to include. To analyze the data further, you can view all data statistics in the form of tables and charts in Dashboard.
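As an added illustration of the consolidation feature described above (example code written for this page, not part of ArcSight SOAR or its documentation), the routine below groups constructed sample alerts from several tools into cases when they share a common condition, here the source IP, and fall within a configured time span of the first alert in the case. Field names, the 30-minute window and the alert records are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real data): each carries the tool that raised it,
# a timestamp and the field used as the common condition for consolidation.
SAMPLE_ALERTS = [
    {"id": "A1", "source": "siem",  "time": "2024-05-01T10:00:00", "src_ip": "203.0.113.5",  "rule": "brute-force"},
    {"id": "A2", "source": "edr",   "time": "2024-05-01T10:04:00", "src_ip": "203.0.113.5",  "rule": "suspicious-process"},
    {"id": "A3", "source": "proxy", "time": "2024-05-01T10:20:00", "src_ip": "203.0.113.5",  "rule": "c2-beacon"},
    {"id": "A4", "source": "siem",  "time": "2024-05-01T10:02:00", "src_ip": "198.51.100.9", "rule": "port-scan"},
    {"id": "A5", "source": "siem",  "time": "2024-05-01T11:30:00", "src_ip": "203.0.113.5",  "rule": "brute-force"},
]


def consolidate(alerts, key="src_ip", window=timedelta(minutes=30)):
    """Group alerts that share `key` and arrive within `window` of the first alert
    in the group. Returns a list of cases, each recording the shared value, when the
    case was opened, the consolidated alert IDs and the distinct tools involved."""
    by_key = defaultdict(list)
    for alert in alerts:
        by_key[alert[key]].append(alert)

    cases = []
    for value, group in by_key.items():
        group.sort(key=lambda a: a["time"])  # ISO-8601 strings sort chronologically
        current = None
        for alert in group:
            ts = datetime.fromisoformat(alert["time"])
            # Open a new case when there is none yet, or the time span has elapsed.
            if current is None or ts - current["opened"] > window:
                current = {"key": value, "opened": ts, "alerts": [], "sources": set()}
                cases.append(current)
            current["alerts"].append(alert["id"])
            current["sources"].add(alert["source"])
    return cases


if __name__ == "__main__":
    for case in consolidate(SAMPLE_ALERTS):
        print(f"{case['key']}: alerts={case['alerts']} sources={sorted(case['sources'])}")
```

With the sample above, A1 to A3 collapse into one case spanning three tools, while A5 arrives after the window and opens a separate case for the same IP.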
Challenges Faced by Organizations:
The existing cybersecurity landscape presents many challenges to organizations, including:
- Attack speed: Attacks keep getting faster every day. Modern attacks are almost entirely automated.
- Attack volume: An average organization gets more than 300 cyber alerts per day (IDC). Investigating and responding to an alert takes around 8 full hours.
- Disparate tools: SOC analysts use 15-20 different tools throughout their daily jobs to investigate and respond to attack alerts. Tier-1 analysts are not able to investigate (and use the tools) and are merely expensive human filters.
- No single pane of glass: There is no trail of investigation and response activities, and there is no proper answer to "who is working on which case and doing what" at any point in time on the SOC floor.
- Lack of KPIs and metrics: As most SOCs lack an established investigation and response practice, it is almost impossible to come up with relevant, easy-to-collect KPIs and metrics. Getting a grip on who needs more training, SLA adherence, case backlog trends, etc. is difficult and based on intuition only.
- Cyber Security Skill Shortage: The cybersecurity sector is currently facing a severe expert shortage. There are 350,000 vacant positions in the U.S. alone, and the industry shortfall is expected to rise to 3.5 million cyber expert vacancies.