Security orchestration, automation, and response (SOAR) is a good practice of security operations that enables the integration, automation, and collaboration of people, processes, and technologies to respond to security incidents effectively. Which of the following is not true?
A. Security operations entail ongoing day-to-day execution of security activities to enforce the security policy.
B. Orchestration requires SOPs, playbooks, work instructions, and other process documents.
C. Playbooks provide procedures that can be executed manually or automatically.
D. A SOAR platform responds to security events through runbooks and requires no human intervention.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. A SOAR platform responds to security events through runbooks and requires no human intervention.
Some may treat runbooks as automated playbooks. However, the terms playbook and runbook are often used interchangeably. Even though tasks can be automated by runbooks, they may still need human intervention.
In a computer system or network, a runbook is a compilation of routine procedures and operations that the system administrator or operator carries out. System administrators in IT departments and NOCs use runbooks as a reference.
Runbooks can be in either electronic or physical book form. Typically, a runbook contains procedures to begin, stop, supervise, and debug the system. It may also describe procedures for handling special requests and contingencies. An effective runbook allows other operators, with the prerequisite expertise, to effectively manage and troubleshoot a system.
Through runbook automation, these processes can be carried out using software tools in a predetermined manner.
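The point that automated runbooks can still require human intervention, as an added example that is not part of the original post or of any SOAR product: a minimal playbook runner in which enrichment and notification run automatically while host isolation is gated on an analyst decision. The alert, the asset-owner table and the step names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample alert, in the shape a SIEM might forward to a SOAR platform.
SAMPLE_ALERT = {"id": "ALERT-0001", "type": "malware", "host": "ws-42", "severity": "high"}

@dataclass
class Step:
    """One playbook step: an automated action, optionally gated on analyst approval."""
    name: str
    action: Callable[[dict], str]
    requires_approval: bool = False  # True = human intervention before this step runs

def enrich(alert: dict) -> str:
    # Automated enrichment; the asset-owner table is constructed for the example.
    alert["owner"] = {"ws-42": "alice"}.get(alert["host"], "unknown")
    return f"owner={alert['owner']}"

def notify(alert: dict) -> str:
    return f"notified {alert['owner']} about {alert['id']}"

def isolate_host(alert: dict) -> str:
    # Disruptive containment action, so the playbook gates it on a human decision.
    alert["isolated"] = True
    return f"isolated {alert['host']}"

# Hypothetical malware-response playbook: two automated steps, one gated step.
MALWARE_PLAYBOOK: List[Step] = [
    Step("enrich", enrich),
    Step("notify", notify),
    Step("isolate", isolate_host, requires_approval=True),
]

def run_playbook(steps: List[Step], alert: dict,
                 approvals: Optional[Dict[str, bool]] = None) -> dict:
    """Run steps in order. approvals maps a gated step's name to the analyst's decision;
    a gated step with no recorded decision pauses the run with status 'awaiting_approval'."""
    approvals = approvals or {}
    log: List[str] = []
    for step in steps:
        if step.requires_approval:
            decision = approvals.get(step.name)
            if decision is None:  # no analyst decision yet: stop and wait
                log.append(f"{step.name}: paused, analyst approval required")
                return {"status": "awaiting_approval", "pending": step.name, "log": log}
            if decision is False:  # analyst declined: record it and move on
                log.append(f"{step.name}: declined by analyst, skipped")
                continue
        log.append(f"{step.name}: {step.action(alert)}")
    return {"status": "completed", "pending": None, "log": log}
```

Running the playbook once without an approvals record pauses at the isolation step; re-running it with the analyst's recorded decision either completes containment or skips it and finishes.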
SOAR as Good Practice
Wentz defines SOAR as follows:
Security orchestration, automation, and response (SOAR) is a good practice of security operations that enables the integration, automation, and collaboration of people, processes, and technologies to respond to security incidents effectively.
SOAR as Technologies
Most people treat SOAR as technologies for security operations centers (SOCs) to automate their detection of and response to events. They also tend to treat orchestration as the implementation of a SIEM for the integration of devices, the collection and analysis of logs, and the automation of response. However, automation is enabled by the “orchestration” of people, processes, and technologies. Playbooks or runbooks are nothing without people and processes. Gartner holds this traditional view, as its glossary shows:
SOAR refers to technologies that enable organizations to collect inputs monitored by the security operations team.
- For example, alerts from the SIEM system and other security technologies — where incident analysis and triage can be performed by leveraging a combination of human and machine power — help define, prioritize and drive standardized incident response activities.
- SOAR tools allow an organization to define incident analysis and response procedures in a digital workflow format.
Source: Gartner Glossary
References
- What is SOAR?
- Security Orchestration, Automation and Response (SOAR)
- Splunk Phantom
- D3 SOAR: Security Orchestration and Automated Incident Response with MITRE ATT&CK
- Improving Incident Response with the NIST Cybersecurity Framework and Security Automation and Orchestration (SAO)
- The Top Five Pitfalls to Avoid When Implementing SOAR
- The Difference Between Playbooks and Runbooks in Incident Response
- SOAR Versus SIEM: The Fundamental Differences
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.