Black Hat insights: The retooling of SOAR to fit as the automation core protecting evolving networks

By Byron V. Acohido

In less than a decade, SOAR — security orchestration, automation and response — has rapidly matured into an engrained component of the security technology stack in many enterprises.

Related: Equipping SOCs for the long haul

SOAR has done much since it entered the cybersecurity lexicon to relieve the cybersecurity skills shortage. SOAR leverages automation and machine learning to correlate telemetry flooding in from multiple security systems. This dramatically reduces the manual labor required to do a first-level sifting of the data inundating modern business networks.

However, SOAR has potential to do so much more, observes Cody Cornell, chief strategy officer and co-founder of Swimlane. SOAR, he argues, is in a position to arise as a tool that can help companies make the pivot to high-reliance on cloud-centric IT infrastructure. At the moment, a lot of organizations are in this boat.

“Covid 19 turned out to be the best digital transformation initiative ever,” Cornell says. “It forced us to do things that probably would’ve taken many more years for us to do, in terms of adopting to remote work and transitioning to cloud services.”

Swimlane, which launched in 2014 and is based in Denver, finds itself in the vanguard of cybersecurity vendors hustling to retool not just SOAR, but also security operations centers (SOCs), security information and event management (SIEM) systems, and endpoint detection and response (EDR) tools. A core theme at RSA 2021 earlier this year – and at Black Hat USA 2021, taking place this week in Las Vegas – is that the combining of these and other security systems is inevitable and will end up resulting in something greater than the parts, i.e. not just more efficacious security, but optimized business networks overall.

I had an informative discussion with Cornell about this. For a drill down, please give the accompanying podcast a listen. Here are the key takeaways:

Comprehensive correlations

Quicker incident response remains the core functionality of SOAR. Traditionally, a human analyst would be tasked with staying abreast of threat intelligence feeds and correlating that intel to security alerts coming in from a SIEM.

Before SOAR came on the scene, human security analysts toiling in a company SOC or in the control room of an MSSP were getting overwhelmed by alerts. So they naturally focused on alerts tending to reveal traces of intruders already deep into a breach lifecycle, Cornell noted.

“We’ve moved to a world where we have so much data that we have to work on the most critical task first, like signs of data exfiltration,” Cornell says. “There generally are leading indicators of malicious activity happening in your environment that tend to get overlooked because of limited resources and a shortage of talent.”

SOAR applies automation to vet the ground-level alerts that human analysts simply can’t get to. Automating these mundane tasks allows threat intelligence feeds and security telemetry to be reviewed more comprehensively and correlated at very high scale, thus keeping pace with the rising tide of alerts kicked out by SIEMs and EDRs.

“Now that I have all of this information, I can start building very high throughput use-cases, and tasks that used to be point in time I can do continuously, like threat hunting,” Cornell says. “I can validate my visibility, test hunt hypotheses, and search for IOCs, and because of that you can even detect things that might not get caught by a typical SIEM rule, enabling me to start actioning more things, really quickly, to reduce the likelihood of something negatively impacting my organization.”

Cumulative intelligence

SOAR essentially brings leading-edge data analytics to bear on protecting modern business networks. It lets security teams leverage cloud data lakes and application performance management (APM) data to implement security best practices. Tools and methodologies perfected in the finance and science sectors, and even by the social media and online advertising tech giants, are now available to security teams.

To achieve proactive incident response, SOAR solutions must easily integrate with a wide variety of security and IT tools; flexible interoperability is part and parcel of SOAR solutions. And so is robust case management. Freed from ground-level vetting, security analysts can focus on deciphering and triaging incidents, managing them very quickly in a coordinated manner.

Case management, done well, can translate into useful cumulative intelligence. This is because, as a skilled analyst customizes and then monitors SOAR, all related data and artifacts spinning out of this workflow get preserved in a data lake. This data then remains readily available to contribute not just to real-time threat hunting, but also to IT operations as a whole. Here’s how Cornell describes what this looks like:

“A lot of times I’m enriching the data with additional information to get context, and as I’m doing that, SOAR is keeping track of everything and creating an audit trail. It is identifying what decisions were made; what analysis was used to decide if something was benign or malicious, escalated or not escalated, or unknown, I’m capturing all of those data points automatically.

“So that when you come back 24 months from now, and you don’t remember what decisions you’ve made, or why your system was built a certain way . . . as an analyst, you can come back and review what was done and you can leverage that for audit purposes, or for compliance, or even to train new staff.”
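The two mechanisms described above, automated first-level vetting of alerts against threat intelligence and a per-case audit trail that records what was decided and why, can be sketched in a few dozen lines. The following is an added illustration, not Swimlane's code or anything from the podcast; the intel feed, the internal address ranges and the SIEM alerts are all constructed sample data, and the function names (`enrich`, `triage`, `run_playbook`) are hypothetical.

```python
"""
Minimal SOAR-style triage playbook (added example, not vendor code):
enrich SIEM alerts against a threat-intel feed, auto-disposition the
ground-level ones, and keep an ordered audit trail per case.
"""
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
import ipaddress
import json

# Constructed threat-intel feed keyed by indicator type. A real deployment
# would pull this from intel providers and refresh it continuously.
THREAT_INTEL = {
    "ip": {"203.0.113.45": "known C2 (constructed)", "198.51.100.7": "scanner (constructed)"},
    "domain": {"bad-example.invalid": "phishing kit (constructed)"},
    "sha256": {"deadbeef" * 8: "commodity malware (constructed)"},
}

# Constructed internal ranges: internal-to-internal traffic with no intel hit
# is treated as benign noise and auto-closed.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed SIEM alerts, in the shape a SIEM might emit after rule matching.
SAMPLE_ALERTS = [
    {"id": "A-1", "rule": "outbound_connection", "src_ip": "10.1.2.3", "dst_ip": "203.0.113.45"},
    {"id": "A-2", "rule": "outbound_connection", "src_ip": "10.1.2.4", "dst_ip": "192.168.5.5"},
    {"id": "A-3", "rule": "dns_query", "src_ip": "10.1.2.5", "domain": "bad-example.invalid"},
    {"id": "A-4", "rule": "file_hash", "src_ip": "10.1.2.6", "sha256": "deadbeef" * 8},
    {"id": "A-5", "rule": "outbound_connection", "src_ip": "10.1.2.7", "dst_ip": "8.8.8.8"},
]


@dataclass
class Case:
    alert_id: str
    disposition: str            # "malicious", "benign" or "unknown"
    escalate: bool              # True when a human analyst must look at it
    audit: list = field(default_factory=list)   # every enrichment and decision, in order

    def log(self, step, detail):
        # Timestamped audit entry: this is the "system of record" the article
        # describes, reviewable months later for audit, compliance or training.
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "step": step, "detail": detail})


def enrich(alert):
    """Look up every indicator carried by the alert against the intel feed."""
    hits = []
    for kind, key in (("ip", "dst_ip"), ("domain", "domain"), ("sha256", "sha256")):
        value = alert.get(key)
        if value and value in THREAT_INTEL[kind]:
            hits.append((kind, value, THREAT_INTEL[kind][value]))
    return hits


def is_internal(ip_str):
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def triage(alert):
    """First-level vetting of one alert; every step is recorded on the case."""
    case = Case(alert_id=alert["id"], disposition="unknown", escalate=False)
    case.log("ingest", alert)
    hits = enrich(alert)
    case.log("enrich", {"intel_hits": hits})
    if hits:
        case.disposition, case.escalate = "malicious", True
        case.log("decide", "indicator matched threat intel; escalated to analyst")
    elif alert.get("dst_ip") and is_internal(alert["dst_ip"]):
        case.disposition = "benign"
        case.log("decide", "internal-to-internal traffic with no intel hit; auto-closed")
    else:
        case.log("decide", "no intel hit, external destination; left unknown for the hunt queue")
    return case


def run_playbook(alerts):
    return [triage(a) for a in alerts]


def summarize(cases):
    """Count dispositions so the analyst sees the reduced workload at a glance."""
    counts = {"malicious": 0, "benign": 0, "unknown": 0}
    for c in cases:
        counts[c.disposition] += 1
    return counts


if __name__ == "__main__":
    cases = run_playbook(SAMPLE_ALERTS)
    print(json.dumps(summarize(cases)))
    for c in cases:
        print(json.dumps(asdict(c), indent=2))
```

Only the cases flagged `escalate=True` reach a human; the benign and unknown ones still carry their full audit trail, which is what makes the "come back 24 months from now" review Cornell describes possible.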

Beyond incident response

SOAR solutions were gaining traction just fine, thank you, when Covid 19 hit. Overnight, remote work became the norm – and overnight the complexities enterprises faced transitioning their legacy on-premises systems to cloud infrastructure increased exponentially.

Bad actors, of course, wasted not one second. Phishing scams, supply chain attacks and ransomware extortion – all pivoting, in one way or another, off the shifting operating environment – spiked. In this environment, SOAR solutions stood out as an effective means to better contain these surging threats. Research firm Gartner now predicts that by the end of 2022, some 30 percent of organizations with a security team larger than five people will embrace SOAR solutions, up from less than 5 percent at the start of 2020.

Swimlane is in a lead pack of SOAR solution providers, including the likes of IBM, Rapid7 and ThreatQuotient, who view a future for SOAR beyond incident response. They are rethinking SOAR, and adapting its intrinsic flexibility and scalability to tasks far beyond repelling phishing and ransomware.

Looking ahead, SOAR’s data crunching and case-management capabilities seem particularly well-suited to helping human and non-human components come together more efficiently in the post-Covid 19 world. Cornell points to how Swimlane, for instance, has begun adapting its SOAR platform to support DevOps teams collaborating to deploy new apps in hybrid workplaces.

By centralizing collaboration on a single, highly secure, highly automated platform, historical baselines can be built, nurtured and tapped into; recurring themes and patterns get discovered and innovation results. Company leaders can then make more informed decisions, not just about cyber risk mitigation, but also about how to run their organizations more efficiently overall.

“There’s a parity that is needed between the ability to collect information and the ability to take action on information,” Cornell says. “Having a system of record shows what you did, why you did it, and how you can improve on it in the future.”

It’s encouraging that SOAR solution providers, Swimlane among them, have begun repositioning security-centric automation, not just as a ground-level detection mechanism, but also as a pivotal business tool. Companies are going to need all the help they can get as hybrid networks take center stage. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW supplies consulting services to the v
