Security ebook Series

The value of security orchestration,


automation, and response (SOAR)
in cybersecurity
How to streamline security while improving your defenses against cyberattacks

© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SOAR makes your workflows faster,
more accurate, and repeatable
Enterprises worldwide face serious challenges in identifying and mitigating emerging and evolving threats—in both on-premises systems and cloud environments like Amazon Web Services (AWS)—due to scarcity of IT and security personnel, skills, and other resources.

These concerns are driving intense interest in how to make security processes and workflows more effective, more efficient, and less reliant on personnel-intensive manual processes.

One of the most promising solutions is security orchestration, automation, and response (SOAR). SOAR implementation can significantly accelerate an enterprise’s security workflows and make them more accurate. Crucially, through automation, SOAR makes workflows more repeatable so that organizations can develop scenarios to address future cyberthreats.

As a result, security organizations can make the most of their in-demand resources and free up valuable personnel to address more urgent issues.

In this ebook from SANS and AWS, you’ll learn how SOAR helps organizations streamline security and improve defenses against cyberattacks, as well as how to realize the benefits of implementing SOAR.

What is SOAR?
SOAR is a set of integrated software applications that make it possible to collect data on security threats and respond to security events—with little or no human interaction.

• Security: Restricting a system to its intended use and protecting the confidentiality, integrity, and availability of that system

• Orchestration: Coordinating between many different systems

• Automation: Performing a task with minimal human interaction

• Response: Reacting to problems in information systems; often incident response or incident handling

A key finding in a recent Gartner report shows that SOAR is becoming a popular enabling technology in managed security services and is already a key element in a majority of managed detection and response (MDR) services.1

How is SOAR a new approach to security?

While automation development is designed to work with systems operating normally and predictably, cybersecurity deals with systems that are behaving unexpectedly and are deviating from intended or authorized actions. Handling the unexpected requires a distinct approach to automations, and SOAR tools are designed to help cybersecurity professionals construct these automations.

1 “Market Guide for Security Orchestration, Automation and Response Solutions,” Gartner, June 13, 2022.

How security organizations can
realize the full benefits of SOAR
SOAR is not a new concept, but it is an entirely new way of working that requires a notable
shift in organizational culture. Fortunately, recent technological developments make it
easier to reap the benefits of SOAR-written automations despite the challenge of staff
shortages. Here’s how.

Create your SOAR team
The challenge with most tools, including SOAR, is understanding their strengths, and
then deploying them in the most productive way possible. The best way to address this
challenge is to designate specific security team members responsible for the long-term
development of SOAR implementation.

Provide SOAR workflow training
Train the SOAR team in developing, diagramming, and modeling workflows—the
interconnected sequences of actions used to create response scenarios that can be
automated and continuously updated.
This ongoing cycle of repetition and workflow enhancement enables the collection of
knowledge and insights from the designers of the application architecture the SOAR
technology is intended to protect. This in turn makes it simpler, faster, and more efficient
to protect the enterprise against cyberthreats.

Leverage native SOAR capabilities in AWS
There are many product categories SOAR works in—for example, machine learning,
satellite services, robotics, and blockchain—but tuning SOAR for optimal performance
requires specific expertise. To optimize capabilities of the SOAR application and the AWS-
native SOAR, explore the many additional tools, partner solutions, and services available
in AWS Marketplace. Up next, you’ll read how customers accelerated their response times
to threats and increased efficiency in their security operations center (SOC) by using AWS
Partners solutions to implement SOAR.

UC Davis uses Sumo Logic SOAR to accelerate
threat response and improve SOC efficiency
As a top-tier research university, the University of California, Davis, deals with a host of unique security challenges. The UC Davis campus is home to students, educators, and research professionals pursuing a variety of activities, from conducting federally funded research for government agencies like the Department of Defense to streaming Netflix in on-campus housing.

The Challenge
UC Davis needed to be liberal with open-access policies that support research across departments and users, but also needed to be airtight in their security policies and procedures to protect from potential attacks.

The Solution
Sumo Logic Cloud SOAR now acts as the main control plane for UC Davis security operations center (SOC) workflows. Sumo Logic supplied the missing piece in their SOC workflows as it runs on-premises, works with all the existing technologies UC Davis uses, and satisfies their security requirements.

The Results
UC Davis seamlessly orchestrated disparate technology and tools for better SOC workflows. The team also reduced response times to cybersecurity threats. Sumo Logic was able to minimize the time the school spent triaging thousands of alerts hourly, which reduced alert fatigue. Automation helped the UC Davis SOC cope with the large—12,000+—investigation workload. And over and above, Sumo Logic Cloud SOAR brought the flexibility to implement new, custom logic effortlessly by editing the implemented use cases with only a few clicks. Today, UC Davis is transitioning to SOAR for all its standard SOC workflows.

“We were able to take our operations to the next level by going down the SOAR route. Sumo Logic Cloud SOAR was really instrumental—it fits the university perfectly.”
— Jeff Rowe, Security Architecture for UC Davis
Sumo Logic empowers the people who power modern, digital business. Through its SaaS analytics platform, Sumo Logic enables
customers to deliver reliable and secure cloud-native applications. The Sumo Logic Continuous Intelligence Platform™ helps
practitioners and developers ensure application reliability, secure and protect against modern security threats, and gain insights into
their cloud infrastructures. Customers around the world rely on Sumo Logic to get powerful real-time analytics and insights across
observability and security solutions for their cloud-native applications. Learn more, or visit www.sumologic.com.

IBM SOAR helps BJ’s Wholesale
increase visibility and response time
BJ’s Wholesale is a leading operator of membership warehouse clubs offering
groceries, general merchandise, gasoline, and ancillary services in 235 clubs across
18 states. The BJ’s shopping experience is further enhanced by its omnichannel
capabilities, tasked with safeguarding the data of 6.5 million members.

The Challenge
BJ’s Wholesale needed to refocus their SOC team on high-level investigations instead
of monitoring visibility on multiple integrations, including logs from AWS CloudTrail,
Amazon GuardDuty, Amazon EC2, Amazon S3 buckets, Amazon Route 53, and AWS
Identity and Access Management.

The Solution
BJ's is now able to control the network traffic by correlating Amazon EC2 integrations
with Amazon GuardDuty alerts that are being logged through IBM QRadar SIEM. IBM
QRadar SOAR then automates the threat remediation process by streamlining manual
and repetitive tasks such as incident enrichment, leveraging a wide array of threat-
intelligence integrations.

The Results
By deploying IBM QRadar SOAR, BJ's Wholesale reduces the time to respond to and remediate complex cyberthreats, decreases siloed workflows between teams, and automates repetitive tasks throughout the remediation process.

IBM Security—Savvy companies know that in today's data-driven, highly distributed
world, there are serious threats that must be addressed head-on. IBM Security delivers
an integrated system of analytics, real-time defenses, and proven experts, so you can
make strategic decisions about how to safeguard your business. Learn more

Improve your security posture
even without a sophisticated SOC
If your organization oversees cybersecurity but isn’t an operational SOC, you should
consider effective ways to drive toward repeatability, accuracy, precision, expedience,
and stable transitions. Any gaps in headcount and advanced technical skills you might
have can be remedied and overcome by the SOAR tool.
As you’ve seen with UC Davis and BJ’s Wholesale, implementing SOAR helps
organizations improve SOC workflows, increase visibility to cyberthreats, and reduce
response times to attacks. Find more examples of SOAR in action as well as sellers
with products and services to address your security needs in AWS Marketplace.

“If you’re truly embracing the power of SOAR, you’re thinking about no longer what’s good enough, but now that a lot of things are available to us, what can we do?”
– Christopher Crowley, Senior Instructor, SANS

AWS Marketplace
Simplify the procurement, provisioning, and governance of third-party software, services, and data.

Why use AWS Marketplace?

AWS Marketplace is a curated digital catalog that simplifies software discovery, procurement, provisioning, and management. With AWS Marketplace, customers can also utilize features that speed up production evaluation, improve governance and cost transparency, and enhance control over software spend. AWS Marketplace offers third-party solutions across software, data, and machine-learning tools that enable builders to find, test, and deploy solutions to expedite innovation.

AWS Marketplace benefits

Customers can launch preconfigured solutions in just a few clicks in both Amazon Machine Image (AMI) formats and SaaS subscriptions, with entitlement options such as hourly, monthly, annual, and multi-year contracts.

AWS Marketplace is supported by a global team of solutions architects, product specialists, and other experts to help IT teams connect with the tools and resources they need to streamline migration journeys to AWS.

Explore and deploy solutions
IT decision-makers (ITDMs) cut their time in half using AWS Marketplace compared to other sources.

Make more-satisfying purchases
ITDMs feel 2.4 times better about purchasing using AWS Marketplace compared to other sources.

[Chart: Relative Time to Value — average time (hours), with AWS Marketplace versus other sources, for finding solutions (cloud readiness of the solution, IT solutions) and for buying and deploying solutions (procurement ease, time to value, purchasing process, software license terms, deployment options, software governance, return on investment (ROI), pricing flexibility, contract execution, spend management).]

* Amazon Web Services (AWS) Marketplace surveyed 500 ITDMs and influencers across the US to understand software usage, purchasing, and consumption models, and to compare savings.

Getting Started

AWS Marketplace Security Solutions

Helping buyers, sellers, and consulting partners reach favorable agreements, cut down negotiation time, and reduce sales cycles by 49%
Innovative AWS Marketplace features enable you to reduce software purchasing inefficiencies
with cloud-based procurement. One way is through AWS Marketplace seller private offers, which
enable you to receive product pricing and terms that are not publicly available from sellers in a
centralized portal.

To help govern purchasing, you can establish Private Marketplaces to control which products
users in your AWS account can purchase from AWS Marketplace. This can help ensure that
products purchased comply with your organization’s internal policies.

You can also purchase software solutions in AWS Marketplace directly from Consulting Partners
who have industry expertise and can offer specialized support. Many Consulting Partners offer
both software and professional services on AWS Marketplace to provide you with comprehensive
solutions via a fast and friction-free purchasing experience.

“AWS Marketplace makes it easier to do business with our vendors in everything from simplifying our licensing to streamlining billing to accelerating procurements. This has alleviated a major operations burden and given us time back to focus on more innovative tasks.”

– Stephen Pearson, Head of IT Vendor Management, Agero

AWS Marketplace

Discover security products to meet your business needs

Learn how SOAR helps you streamline security while improving your defenses against cyberattacks

Find, buy, deploy, and govern software solutions on AWS Marketplace
Visit AWS Marketplace

Get connected with a solutions architect who can share best practices and help solve unique challenges
Get in touch with an AWS Expert

Download this infographic to learn about the key takeaways shared in the SOAR webinar
1-Minute Webinar
