![security orchestration, automation, and response (SOAR) (noun) [Word Notes] — Hacking Humans cover](https://megaphone.imgix.net/podcasts/8797f03a-a50b-11ea-b6c0-87ebb093948d/image/hacking-humans-cover-art-cw.png?ixlib=rails-4.3.1&max-w=3000&max-h=3000&fit=crop&auto=format,compress)
Cyberwire Host
You're listening to the Cyberwire network, powered.
N2K Representative
By N2K.
Cloudflare Representative
And now a word from our sponsor, NordPass. NordPass is an advanced password manager from the team behind NordVPN, designed to help keep your business safe from data leaks and cyber threats. It gives your IT professionals control over who has access to your company's data and makes it easy for everyone else on your team to use strong passwords. Right now you can go to wwpass.com cyberwire for 35% off the NordPass business yearly plan. Don't miss out on that.
Nyla Genoi
The word is SOAR, spelled S for security, O for orchestration, A for automation, and R for response. SOAR platforms, or security orchestration, automation, and response platforms, allow organizations to automatically process telemetry from various IT and security tools.
Example sentence: SOAR ingests and analyzes data, connects and integrates it, automates the low-level stuff, and then offers a single view into all of the terabytes of data that SOC analysts pore over every day.
Origin and context: Around 2010, the IT community started thinking about DevOps, or infrastructure as code. By the 2013 publication of Gene Kim's Cybersecurity Canon Hall of Fame book about DevOps, called The Phoenix Project, most IT groups had some sort of DevOps project on the books. Big Internet giants like Google, Netflix, and LinkedIn, to name three, had completely embraced the model, but the security community lagged behind. In the early days, circa the late 1990s, Security Operations Center analysts, SOC analysts for short, manually managed the monitoring of a small number of security devices like firewalls, intrusion detection systems, and antivirus systems. Fast forward to today, though, when the number of tools SOC analysts have to monitor can range anywhere from 15 to 300, depending on how big the organization is. SOC analysts have become overwhelmed. In order to consume the telemetry of that many devices, the SOC requires automation, and practitioners started talking in terms of DevSecOps. Security pundits like Jon Oltsik, the principal analyst at Enterprise Security Group, started talking about the concept of security orchestration as early as 2015, in other words, automating the processing and handling of security tool telemetry. Tools started to appear on the market designed specifically to automate SOC tasks, and Gartner coined the term SOAR in 2017.
Nerd reference: At the 2015 Dynatrace Perform user conference, the author of The Phoenix Project, Gene Kim, explained why DevOps is so important.
DevOps Advocate
I've had the privilege of studying high-performing technology organizations since 1999. These were the organizations that had the best project due-date performance in development. They had the best operational stability, reliability, and performance in operations. These were the organizations that had the best security and the best posture of compliance. And so our mission was to study these organizations to figure out how did they make their good-to-great transformation, so that the rest of us could replicate their journey. You know, there were many surprises on that journey, and perhaps the biggest one is that it led me straight into the heart of the DevOps movement, which I think is urgent and important because it is a solution to what I believe is the largest business problem of our generation, the likes of which we have not seen in 30 years, when manufacturing was transformed by the Lean principles. So in the next 44 minutes, what I would like to do, as your self-appointed ambassador from the DevOps community, is share with you two things: one, why I think DevOps is so important, and two, more importantly maybe, the how of DevOps. How are organizations doing tens, hundreds, or maybe even thousands of deployments per day while preserving world-class reliability, stability, security, and performance? Something that we didn't even think possible five years ago.
Nyla Genoi
Credits: Word Notes is written by Nyla Genoi, executive produced by Peter Kilpie, and edited by John Petrick and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliot Peltzman. Thanks for listening.
Cloudflare Representative
The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.
Podcast Summary: "Security Orchestration, Automation, and Response (SOAR)" Hacking Humans by N2K Networks | Released November 26, 2024
Introduction to SOAR
In this episode of "Hacking Humans," host Nyla Genoi delves into Security Orchestration, Automation, and Response (SOAR). She begins by spelling out the acronym SOAR letter by letter.
Nyla explains that SOAR platforms are designed to help organizations automatically process and manage telemetry data from a myriad of IT and security tools. She articulates, “SOAR ingests and analyzes data, connects and integrates it, automates the low-level stuff, and then offers a single view into all of the terabytes of data that SOC analysts pore over every day” (00:58).
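To make that definition concrete, the following toy pipeline, added here as an illustration and not code from the podcast, from N2K, or from any SOAR product, walks through the four verbs in the quote: it ingests telemetry from a firewall, an intrusion detection system, and an antivirus agent (the three device types the episode names), normalizes each tool's own format into one schema, connects events by the internal asset they concern, runs an automated triage playbook on the low-level work, and returns a single prioritized view. The log formats, the 10.0.0.0/8 internal range, the severity scale, and the playbook rules are all assumptions made for the example, and the log lines are constructed, not real.

```python
import json
import re
from dataclasses import dataclass, field

# Constructed sample telemetry (not real logs) from the three tool families the
# episode names; each tool speaks its own assumed format, which a SOAR must reconcile.
FIREWALL_LOG = [
    "2024-11-26T09:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=445",
    "2024-11-26T09:00:02Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=3389",
    "2024-11-26T09:00:03Z fw01 ALLOW src=10.0.0.8 dst=198.51.100.20 dport=443",
]
IDS_LOG = [
    '{"ts": "2024-11-26T09:00:05Z", "sensor": "ids02", "sig": "ET SCAN SMB probe",'
    ' "src": "203.0.113.7", "dst": "10.0.0.5", "priority": 2}',
    '{"ts": "2024-11-26T09:00:09Z", "sensor": "ids02", "sig": "ET POLICY DNS query",'
    ' "src": "10.0.0.8", "dst": "10.0.0.53", "priority": 3}',
]
AV_LOG = ["Nov 26 09:00:07 av-agent host=10.0.0.5 action=quarantined threat=Trojan.Generic"]

@dataclass
class Event:  # common schema every tool's telemetry is normalized into
    ts: str
    tool: str
    src: str
    dst: str
    summary: str
    severity: int  # assumed scale: 1 = high, 2 = medium, 3 = low

@dataclass
class Case:  # one consolidated case per internal asset: the single view the analyst sees
    host: str
    events: list = field(default_factory=list)
    severity: int = 3
    tags: list = field(default_factory=list)
    status: str = "open"

FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
AV_RE = re.compile(r"^(\w{3} \d+ \d\d:\d\d:\d\d) (\S+) host=(\S+) action=(\S+) threat=(\S+)$")

def internal(ip):
    return ip.startswith("10.")  # assumed: 10.0.0.0/8 is the internal range

def parse_firewall(line):
    m = FW_RE.match(line)
    if not m:
        return None
    ts, tool, action, src, dst, port = m.groups()
    return Event(ts, tool, src, dst, f"{action} tcp/{port}", 2 if action == "DENY" else 3)

def parse_ids(line):
    d = json.loads(line)
    return Event(d["ts"], d["sensor"], d["src"], d["dst"], d["sig"], int(d["priority"]))

def parse_av(line):
    m = AV_RE.match(line)
    if not m:
        return None
    ts, tool, host, action, threat = m.groups()
    return Event(ts, tool, host, host, f"{action} {threat}", 1)

def ingest():
    """Ingest: run each tool's lines through its own parser into the common schema."""
    parsed = [parse_firewall(l) for l in FIREWALL_LOG]
    parsed += [parse_ids(l) for l in IDS_LOG]
    parsed += [parse_av(l) for l in AV_LOG]
    return [e for e in parsed if e is not None]  # drop lines a parser could not read

def orchestrate(events):
    """Connect and integrate: group events by the internal asset they concern."""
    cases = {}
    for e in events:
        host = e.src if internal(e.src) else e.dst
        cases.setdefault(host, Case(host)).events.append(e)
    return cases

def run_playbook(case):
    """Automate the low-level triage an analyst would otherwise do by hand."""
    tools = {e.tool for e in case.events}
    case.severity = min(e.severity for e in case.events)
    if len(tools) >= 2:
        case.tags.append("multi-tool-corroborated")
    if sum(e.summary.startswith("DENY") for e in case.events) >= 2:
        case.tags.append("repeated-deny")
    if any(e.summary.startswith("quarantined") for e in case.events):
        case.tags.append("av-contained")
    if any(not internal(e.src) for e in case.events):
        case.tags.append("external-source")
    # Only low-severity, internally originated noise is closed without an analyst.
    closable = case.severity >= 3 and "external-source" not in case.tags
    case.status = "auto-closed" if closable else "needs-analyst"
    return case

def single_view():
    """Run the whole pipeline; return cases with the worst first."""
    cases = [run_playbook(c) for c in orchestrate(ingest()).values()]
    return sorted(cases, key=lambda c: (c.severity, c.host))

if __name__ == "__main__":
    for c in single_view():
        print(f"{c.host:<10} sev={c.severity} {c.status:<13} events={len(c.events)} tags={c.tags}")
```

Running it yields two cases: host 10.0.0.5, where the firewall denies, the IDS scan signature, and the antivirus quarantine corroborate one another and the case is escalated to an analyst at severity 1, and host 10.0.0.8, whose two low-priority internally originated events are auto-closed. The point of the design is that each parser owns one tool's format, the case is keyed on the asset rather than the alert, and the playbook, not the analyst, does the counting and tagging that would otherwise be repeated by hand across every tool console.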
Evolution of SOAR in the Context of DevOps and DevSecOps
Nyla provides a historical perspective on the emergence of SOAR, tracing its roots back to the early 2010s with the rise of DevOps. She references Gene Kim's influential work, The Phoenix Project (2013), highlighting how major tech giants like Google, Netflix, and LinkedIn adopted DevOps practices, while the security community was slower to adapt.
She notes, “In the late 1990s, Security Operations Center analysts manually managed the monitoring of a small number of security devices like firewalls, intrusion detection systems, and antivirus systems. Fast forward to today, and the number of tools SOC analysts have to monitor can range anywhere from 15 to 300, depending on the organization’s size” (00:58). This growth in the number of tools left SOC analysts overwhelmed, made automation within Security Operations Centers (SOCs) a necessity, and gave rise to the term DevSecOps.
Challenges Faced by SOC Analysts
Before the advent of SOAR, SOC analysts were burdened with manually monitoring a limited set of security devices. Nyla emphasizes the scalability issues, stating, “SOC analysts have become overwhelmed. In order to consume the telemetry of that many devices, the SOC requires automation” (00:58). This challenge underscored the need for sophisticated platforms like SOAR to streamline security operations and improve efficiency.
Adoption and Terminology of SOAR Platforms
Nyla discusses the timeline of SOAR’s conceptualization and market introduction. She mentions that security experts like Jon Oltsik from Enterprise Security Group began advocating for security orchestration as early as 2015. By 2017, Gartner formally coined the term SOAR, solidifying its place in the cybersecurity lexicon.
She recounts, “Security pundits like Jon Oltsik... started talking about the concept of security orchestration as early as 2015... Gartner coined the term SOAR in 2017” (00:58). This evolution reflects the security community’s recognition of the critical need for automation in managing complex security infrastructures.
Insights from a DevOps Advocate
At 03:44, a DevOps Advocate shares valuable insights into the broader DevOps movement, which intersects significantly with the principles underlying SOAR. The advocate reflects on studying high-performing technology organizations since 1999, emphasizing that these organizations excelled in project delivery, operational stability, security, and compliance.
He states, “Our mission was to study these organizations to figure out how did they make their good to great transformation so that the rest of us could replicate their journey” (03:44). He draws a parallel between the transformational impact of Lean principles in manufacturing and the urgent necessity of DevOps in addressing contemporary business challenges.
The advocate further elaborates on the practical applications of DevOps, noting, “How are organizations doing tens, hundreds or maybe even thousands of deployments per day while preserving world-class reliability, stability, security, and performance” (03:44). This discussion underscores the foundational role of automation and orchestration in both DevOps and SOAR, highlighting their synergistic potential in enhancing organizational resilience against cyber threats.
Conclusion
The episode effectively underscores the pivotal role of SOAR in modern cybersecurity frameworks. By automating the ingestion, analysis, and response to vast amounts of security telemetry, SOAR platforms alleviate the burden on SOC analysts, enabling them to focus on more strategic tasks. The discussion seamlessly integrates the evolution of DevOps into this narrative, illustrating how principles of automation and orchestration are indispensable in tackling the complex security landscapes of today.
Listeners are left with a comprehensive understanding of SOAR’s significance, its historical development, and its intersection with broader technological movements like DevOps and DevSecOps. This episode serves as an essential resource for cybersecurity professionals seeking to enhance their operational efficiency and resilience through advanced orchestration and automation strategies.
Notable Quotes
Nyla Genoi: “SOAR ingests and analyzes data, connects and integrates it, automates the low-level stuff, and then offers a single view into all of the terabytes of data that SOC analysts pore over every day.” (00:58)
DevOps Advocate: “Our mission was to study these organizations to figure out how did they make their good to great transformation so that the rest of us could replicate their journey.” (03:44)
DevOps Advocate: “How are organizations doing tens, hundreds or maybe even thousands of deployments per day while preserving world-class reliability, stability, security, and performance.” (03:44)