Let’s talk about SOAR.
SOAR is not “I hurt my back and now I’m SOAR”. SOAR is not something eagles do either. SOAR stands for Security Orchestration Automation and Response. I think the two most important words within that acronym are Automation and Response. Why? Because the standard implementation of most security services lacks Automation and Response. To define that a bit more concisely, if your business isn’t utilizing SOAR, then its cybersecurity tools are passive.
Your next question might be: “How so?” Let’s look at one of the most common breaches a business experiences today, compromised credentials. If your response is: “We have MFA”. I’ll take your “MFA” and raise you “Token Theft”. I know we’re not at the poker table but if your bet is on MFA, you are gambling your company’s cybersecurity position.
If you know anything about information technology then you are surely familiar with terms like firewalls, spam filtering, security awareness training, intrusion detection/prevention, antivirus, and antimalware. While they may help in thwarting compromised credentials, they share a commonality amongst each other. They are powerless at protecting your business in the event of compromised credentials.
While they can be used in hindsight for the purposes of discovery during a postmortem, they won’t do anything to prohibit the impact caused once the credentials are stolen again, and they will be.
Enter SOAR.
With SOAR, cybersecurity experts can build workflows based on various indicators. For example, a user logs in from a different geographical location spanning a broad distance. That’s a single indicator. However, you can combine multiple indicators together and broaden the scope of indicators that must be met thereby eliminating false positives. Here, we see the ORCHESTRATION. At this point SOAR knows something is happening.
Next, we need SOAR to act on our behalf and correlate the indicators as we would ourselves. AI plays a significant role at this junction, and it is where we begin to see AUTOMATION in action.
The final piece is RESPONSE. With SOAR we will block sign-in, disable accounts, force a password change, and notify support. All this happens immediately upon the conditions of our properly configured workflow being met. If the intent of the attacker was to move laterally, they cannot. If the intent of the attacker was to monitor as a man-in-middle, they cannot. If the intent was to create rules, spam, and steal data they cannot.
Having the tools are one thing. Having experts credentialed in this field is something else entirely. Although no tool is guaranteed to be 100% effective, Auxzillium has extensive experience and credentialed staff that work with tools like SOAR every day. SOAR is offered by a variety of different companies. At Auxzillium, we use the best tools, implemented by professionals, by the book securing your business.