Podcast Summary: "Security Orchestration, Automation, and Response (SOAR)" Hacking Humans by N2K Networks | Released November 26, 2024
Introduction to SOAR
In this episode of "Hacking Humans," host Nyla Genoi delves into the intricacies of Security Orchestration, Automation, and Response (SOAR). She begins by breaking down the acronym SOAR:
- Security
- Orchestration
- Automation
- Response
Nyla explains that SOAR platforms are designed to help organizations automatically process and manage telemetry data from a myriad of IT and security tools. She articulates, “SOAR ingests and analyzes data, connects and integrates it, automates the low-level stuff, and then offers a single view into all of the terabytes of data that SOC analysts pore over every day” (00:58).
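The four functions Nyla lists (ingest and analyze, connect and integrate, automate the low-level work, present a single view) are easier to see in code. The following is an added illustration, not code from the episode or from any SOAR product: it takes constructed events from two hypothetical tools with different schemas, normalizes them into one record type, automates the routine triage (dropping known scanner noise, correlating by host and indicator, escalating when two tools agree), and returns one consolidated view.

```python
# Added illustration, not from the episode: a minimal SOAR-style pipeline that
# ingests two tool formats, normalizes, auto-triages, and renders one view.
from collections import defaultdict

# Constructed sample telemetry in two vendor-specific shapes (hypothetical tools).
FIREWALL_EVENTS = [
    {"src": "203.0.113.7", "dst_host": "web01", "action": "deny", "sev": 3},
    {"src": "203.0.113.7", "dst_host": "web01", "action": "deny", "sev": 3},
    {"src": "198.51.100.9", "dst_host": "db01", "action": "deny", "sev": 5},
]
EDR_EVENTS = [
    {"hostname": "web01", "remote_ip": "203.0.113.7", "alert": "suspicious_conn", "severity": "high"},
    {"hostname": "lab01", "remote_ip": "192.0.2.4", "alert": "portscan", "severity": "low"},
]
KNOWN_SCANNERS = {"192.0.2.4"}  # constructed allowlist of authorized vulnerability scanners
EDR_SEVERITY = {"low": 2, "medium": 5, "high": 8, "critical": 10}

def normalize(source, event):
    """Map each tool's own schema onto one common alert record (the 'ingest' step)."""
    if source == "firewall":
        return {"source": source, "host": event["dst_host"], "indicator": event["src"],
                "severity": event["sev"], "summary": f"firewall {event['action']}"}
    if source == "edr":
        return {"source": source, "host": event["hostname"], "indicator": event["remote_ip"],
                "severity": EDR_SEVERITY[event["severity"]], "summary": event["alert"]}
    raise ValueError(f"unknown source {source}")

def triage(alerts):
    """Automate the low-level work: drop scanner noise, correlate by (host, indicator), escalate on agreement."""
    cases = defaultdict(lambda: {"sources": set(), "severity": 0, "events": 0})
    for a in alerts:
        if a["indicator"] in KNOWN_SCANNERS:
            continue  # auto-closed: authorized scanner, nothing for an analyst to do
        case = cases[(a["host"], a["indicator"])]
        case["sources"].add(a["source"])
        case["severity"] = max(case["severity"], a["severity"])
        case["events"] += 1
    for case in cases.values():
        case["priority"] = "escalate" if len(case["sources"]) > 1 else "review"
    return dict(cases)

def run_pipeline():
    # Ingest both feeds, triage, and return the single view ordered by severity.
    alerts = [normalize("firewall", e) for e in FIREWALL_EVENTS]
    alerts += [normalize("edr", e) for e in EDR_EVENTS]
    cases = triage(alerts)
    return sorted(cases.items(), key=lambda kv: -kv[1]["severity"])

if __name__ == "__main__":
    for (host, indicator), case in run_pipeline():
        print(case["priority"], host, indicator, sorted(case["sources"]), case["severity"], case["events"])
```

With the constructed input, the two firewall denies and the EDR alert for web01 collapse into one escalated case, the db01 deny stays a single review item, and the authorized scanner's portscan never reaches an analyst.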
Evolution of SOAR in the Context of DevOps and DevSecOps
Nyla provides a historical perspective on the emergence of SOAR, tracing its roots back to the early 2010s with the rise of DevOps. She references Gene Kim's influential work, The Phoenix Project (2013), highlighting how major tech giants like Google, Netflix, and LinkedIn adopted DevOps practices, while the security community was slower to adapt.
She notes, “In the late 1990s, Security Operations Center analysts manually managed the monitoring of a small number of security devices like firewalls, intrusion detection systems, and antivirus systems. Fast forward to today, and the number of tools SOC analysts have to monitor can range anywhere from 15 to 300, depending on the organization’s size” (00:58). This growth in the number of tools left SOC analysts overwhelmed and made automation within Security Operations Centers (SOCs) a necessity, giving rise to the term DevSecOps.
Challenges Faced by SOC Analysts
Before the advent of SOAR, SOC analysts were burdened with manually monitoring a limited set of security devices. Nyla emphasizes the scalability issues, stating, “SOC analysts have become overwhelmed. In order to consume the telemetry of that many devices, the SOC requires automation” (00:58). This challenge underscored the need for sophisticated platforms like SOAR to streamline security operations and improve efficiency.
Adoption and Terminology of SOAR Platforms
Nyla discusses the timeline of SOAR’s conceptualization and market introduction. She mentions that security experts like Jon Oltsik from Enterprise Security Group began advocating for security orchestration as early as 2015. By 2017, Gartner formally coined the term SOAR, solidifying its place in the cybersecurity lexicon.
She recounts, “Security pundits like Jon Oltsik... started talking about the concept of security orchestration as early as 2015... Gartner coined the term SOAR in 2017” (00:58). This evolution reflects the security community’s recognition of the critical need for automation in managing complex security infrastructures.
Insights from a DevOps Advocate
At 03:44, a DevOps Advocate shares valuable insights into the broader DevOps movement, which intersects significantly with the principles underlying SOAR. The advocate reflects on studying high-performing technology organizations since 1999, emphasizing that these organizations excelled in project delivery, operational stability, security, and compliance.
He states, “Our mission was to study these organizations to figure out how did they make their good to great transformation so that the rest of us could replicate their journey” (03:44). He draws a parallel between the transformational impact of Lean principles in manufacturing and the urgent necessity of DevOps in addressing contemporary business challenges.
The advocate further elaborates on the practical applications of DevOps, noting, “How are organizations doing tens, hundreds or maybe even thousands of deployments per day while preserving world-class reliability, stability, security, and performance” (03:44). The same reliance on automation and orchestration that makes this deployment cadence possible in DevOps is what SOAR brings to the SOC, which is why the two movements reinforce each other in improving an organization’s resilience against cyber threats.
Conclusion
The episode effectively underscores the pivotal role of SOAR in modern cybersecurity frameworks. By automating the ingestion, analysis, and response to vast amounts of security telemetry, SOAR platforms alleviate the burden on SOC analysts, enabling them to focus on more strategic tasks. The discussion seamlessly integrates the evolution of DevOps into this narrative, illustrating how principles of automation and orchestration are indispensable in tackling the complex security landscapes of today.
Listeners are left with a comprehensive understanding of SOAR’s significance, its historical development, and its intersection with broader technological movements like DevOps and DevSecOps. This episode serves as an essential resource for cybersecurity professionals seeking to enhance their operational efficiency and resilience through advanced orchestration and automation strategies.
Notable Quotes
- Nyla Genoi: “SOAR ingests and analyzes data, connects and integrates it, automates the low-level stuff, and then offers a single view into all of the terabytes of data that SOC analysts pore over every day.” (00:58)
- DevOps Advocate: “Our mission was to study these organizations to figure out how did they make their good to great transformation so that the rest of us could replicate their journey.” (03:44)
- DevOps Advocate: “How are organizations doing tens, hundreds or maybe even thousands of deployments per day while preserving world-class reliability, stability, security, and performance.” (03:44)
[Cover image: security orchestration, automation, and response (SOAR) (noun) [Word Notes] - Hacking Humans]