SOAR systems are solutions that combine incident response, orchestration, automation and threat intelligence (TI) management capabilities in a single platform (Gartner).
These enterprise-grade security operations platforms help organizations utilize their resources more efficiently and effectively to shut down threats before they cause serious damage.
SOAR tools are mostly used within a Security Operations Center (SOC) for incident response, for the automation and orchestration of workflows, or for a combination of the two.
They are also used to document and implement operational processes (playbooks and workflows), to support security incident management, and to give human analysts and operators machine-based assistance.
An advantage of SOAR solutions lies in their ability to automatically investigate large volumes of low-severity alerts. By automating the handling of these alerts, analysts can devote their time and attention to the cases where human judgement really is required, while the software handles the rest. The usual caveat applies: an automated playbook should only close an alert when every enrichment step succeeded; an unknown indicator or a failed lookup is a reason to escalate, not to close.
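The paragraphs above describe what a playbook does in the abstract. The following is an added example (not code from the article or from any SOAR product) of a minimal triage playbook: it enriches each alert's source address against a threat-intelligence lookup, auto-closes only known-benign low-severity alerts, contains and escalates confirmed-malicious ones, and escalates anything it cannot enrich. The alert fields, the `TI_FEED` table, the `INTERNAL_NETS` allowlist and the sample alerts are all constructed for the example.

```python
"""Minimal SOAR-style triage playbook (added example, not from the article).

Assumptions, all constructed for this example:
- Alerts arrive from the SIEM as dicts with 'id', 'type', 'src_ip', 'user', 'severity'.
- TI_FEED stands in for a real threat-intelligence feed (indicator -> verdict).
- INTERNAL_NETS lists address ranges that must never be auto-blocked.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed TI feed: indicator -> verdict. A real feed would be queried over an API.
TI_FEED = {
    "203.0.113.7": {"malicious": True, "tags": ["c2"]},
    "198.51.100.20": {"malicious": False, "tags": []},
    "10.0.0.5": {"malicious": True, "tags": ["known_compromised_host"]},
}

# Hypothetical internal ranges: contain by other means, never by a perimeter block.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass
class Disposition:
    alert_id: str
    action: str  # "auto_close" | "escalate" | "contain_and_escalate"
    reason: str
    actions_taken: list = field(default_factory=list)


def ti_lookup(indicator):
    """Return the TI verdict, or None when the indicator is unknown (or the feed is down)."""
    return TI_FEED.get(indicator)


def is_internal(ip):
    """True if ip parses and falls inside one of the protected internal ranges."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def triage(alert):
    """Run the playbook for one alert and return its disposition."""
    aid = alert.get("id", "<no-id>")
    src = alert.get("src_ip")
    sev = alert.get("severity", "unknown")

    if not src:
        # Cannot enrich a malformed alert; a human has to look at it.
        return Disposition(aid, "escalate", "alert has no src_ip; cannot enrich")

    verdict = ti_lookup(src)
    if verdict is None:
        # Unknown indicator or TI outage: never auto-close on missing enrichment.
        return Disposition(aid, "escalate", f"no TI verdict for {src}")

    if verdict["malicious"]:
        d = Disposition(aid, "contain_and_escalate",
                        f"{src} flagged by TI: {','.join(verdict['tags'])}")
        if is_internal(src):
            # Containment of an internal host is a different workflow; record the skip.
            d.actions_taken.append(f"skip_block:{src} (internal address)")
        else:
            d.actions_taken.append(f"block_ip:{src}")
        d.actions_taken.append("notify:tier2")
        return d

    if sev == "low":
        # The only path that closes an alert without a human: benign per TI and low severity.
        return Disposition(aid, "auto_close", f"{src} known-benign in TI and severity low")

    return Disposition(aid, "escalate", f"{src} benign per TI but severity {sev} needs review")


def run_playbook(alerts):
    """Triage a batch of alerts in order."""
    return [triage(a) for a in alerts]


# Constructed sample alerts, as a SIEM might forward them.
SAMPLE_ALERTS = [
    {"id": "A1", "type": "failed_login", "src_ip": "198.51.100.20", "user": "bob", "severity": "low"},
    {"id": "A2", "type": "beacon", "src_ip": "203.0.113.7", "user": "alice", "severity": "medium"},
    {"id": "A3", "type": "failed_login", "src_ip": "192.0.2.99", "user": "eve", "severity": "low"},
    {"id": "A4", "type": "port_scan", "user": "svc", "severity": "low"},
    {"id": "A5", "type": "beacon", "src_ip": "10.0.0.5", "user": "carol", "severity": "high"},
]

if __name__ == "__main__":
    for d in run_playbook(SAMPLE_ALERTS):
        print(f"{d.alert_id}: {d.action:22} {d.reason} {d.actions_taken}")
```

Only A1 is closed without an analyst; A3 is escalated purely because the feed has no opinion on its address, and A5 shows why a containment step needs its own allowlist check rather than blindly calling the firewall.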
A SOC has to cope with several challenges at once, including skills shortages, huge data volumes, data aggregation, disparate toolsets, case management and custom client reporting.
To address these challenges, Security Information and Event Management (SIEM) vendors are adopting, acquiring or integrating SOAR solutions into their ecosystems, usually as premium applications that operate in tandem with the SIEM.
SOAR systems offer broad integration with existing tools, faster response, consistency and compliance (the same documented steps are executed every time), focused staff attention and lower costs.
A SOAR solution reduces the amount of manual work in a SOC, increasing efficiency and productivity; organizations can use that gain to reduce some of their security-related operational costs.