Threat Intelligence Best Practices for Your SOAR Integration

August 14, 2019 • Zane Pokorny

The name of the game in incident response these days is SOAR: security orchestration, automation, and response. Organizations struggling with an overwhelming amount of security event data and not enough human resources to deal with them are turning to solutions that automatically take care of tasks like data aggregation, enrichment, correlation, and even some stages of investigation.

But the foundation of it all is good data. Relying on data that’s redundant, irrelevant, or full of false positives will leave SOAR users in the same place they were before (namely, overworked and unable to effectively triage alerts). Integrating real-time, high-fidelity threat intelligence with your SOAR solution is essential for getting the most out of it.

Here, we’re rounding up many of our most accessible resources on getting started with threat intelligence for SOAR. But first, we’ll go over a quick definition.

Security Orchestration, Automation, and Response

What’s meant by “orchestration” and “automation” in SOAR?

Orchestration means using a series of defined playbooks that describe threats and explain how to handle them. These repeatable, automated workflows integrate multiple security technologies together in order to respond to threats, but they are only as smart and effective as the data used to construct them.

Automation, in general, is about machines taking over tasks usually done by humans. In this specific context, SOAR solutions aim to automate decision-making to free up time for humans to tackle more complex goals, like properly triaging alerts. This requires a full, integrated view of external threat information so the SOAR can have the full picture of what is happening and take the right steps to remediate threats.

Threat Intelligence for SOAR

Getting the most out of any security solution often comes down to understanding your organization’s unique needs and use cases. We’ve compiled a helpful list of resources here to help you better understand how to start integrating threat intelligence with your SOAR for faster investigation and response.

SOAR Needs Threat Intelligence to Fly High

In short, SOAR is a step toward the idealized “single pane of glass” security solution, where security incidents can be easily seen, correlated, triaged, dealt with, documented, and reviewed, all in one place.

Automation and orchestration are essential for getting what’s going on in your own internal network under control. But what’s going on in the threat landscape outside your network? Properly correlating and enriching internal network data with information on threats requires external context.

And if automation is necessary for dealing with huge amounts of internal network data, it’s even more a requirement for sorting through the truly fathomless amount of data on the internet. To be actionable, threat intelligence needs to be updated in real time, and to be updated in real time, its production needs to be automated as much as possible.

This short video further explains the value of running SOAR playbooks correctly and automating security processes:

Learn More

If you want to dive a little deeper into the benefits that SOAR users see from incorporating threat intelligence into their solutions, check out our new solution brief, “Supercharging SOAR Solutions With Threat Intelligence.”

It breaks down how threat intelligence helps with enrichment, correlation, monitoring, and threat hunting to help security practitioners achieve faster investigation and response and make decisions more confidently.