SOAR is the acronym for Security Orchestration, Automation, and Response.
Why is it important to know what it is and how it is used? Defining a SOAR system for SAP security is a strategic decision.
SOAR, what does it mean?
It means the set of all the tools, policies and procedures used to manage the system's security, specifically:
- Management of threats and vulnerabilities
- Management of incidents (incident response)
- Automation of security actions
In other words, having an orchestra of tools that work together in the best possible way as far as security management is concerned.
SIEM and SOAR: what's the difference?
It might be useful to identify the differences between a SIEM (Security Information and Event Management) and SOAR system.
- The SIEM lets you correlate events, mainly at the network and infrastructure level, generated primarily by firewalls, routers etc.
These tools handle a huge amount of data, and whoever receives the events they generate is not always able to analyze all of them (not counting the false positives, which have to be analyzed anyway).
- SOAR's goal is similar to that of SIEM, but it gives you a more centralized view that lets operators analyze only the critical cases and direct them accordingly. Adopting SOAR in your company does not mean installing a single tool.
Therefore, these are tools that must be used in a complementary way.
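The split described above, a SIEM-style correlation rule that turns many raw events into a few alerts, followed by a SOAR-style step that scores the alerts and routes only the critical ones to a person, can be shown in a few lines of code. The following Python is an added illustration and is not code from SAP ETD, Splunk or any other product; the event layout, the thresholds, the scoring weights and the sample events are all constructed for this example (SAP* and DDIC are real SAP standard accounts, but their use as a "privileged" list here is an assumption).

```python
"""Toy SIEM correlation followed by SOAR-style triage over constructed
SAP-like logon events. Added example, not vendor or project code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The layout (timestamp, system, user, source
# host, event type) is an assumption for this example, not the real
# SAP Security Audit Log format.
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:01", "PRD", "JSMITH", "10.1.1.5", "LOGON_FAILED"),
    ("2024-03-01T08:00:03", "PRD", "JSMITH", "10.1.1.5", "LOGON_FAILED"),
    ("2024-03-01T08:00:05", "PRD", "JSMITH", "10.1.1.5", "LOGON_FAILED"),
    ("2024-03-01T08:00:07", "PRD", "JSMITH", "10.1.1.5", "LOGON_FAILED"),
    ("2024-03-01T08:00:09", "PRD", "JSMITH", "10.1.1.5", "LOGON_OK"),
    ("2024-03-01T08:05:00", "DEV", "MROSSI", "10.2.2.9", "LOGON_FAILED"),
    ("2024-03-01T08:05:01", "DEV", "MROSSI", "10.2.2.9", "LOGON_FAILED"),
    ("2024-03-01T08:05:02", "DEV", "MROSSI", "10.2.2.9", "LOGON_FAILED"),
    ("2024-03-01T08:05:04", "DEV", "MROSSI", "10.2.2.9", "LOGON_OK"),
    ("2024-03-01T09:00:00", "PRD", "SAP*",   "10.1.1.7", "LOGON_OK"),
]

# Assumption: accounts whose interactive logon is always worth an alert.
PRIVILEGED_USERS = {"SAP*", "DDIC"}


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """SIEM-style correlation. Two rules over the raw event stream:
    1. at least `threshold` failed logons for the same system/user/host
       inside `window`, followed by a successful logon -> one alert;
    2. any successful logon of a privileged account -> one alert.
    Ten raw events become a handful of alerts."""
    failures = defaultdict(list)
    alerts = []
    for ts, system, user, host, etype in sorted(events):
        t = datetime.fromisoformat(ts)
        key = (system, user, host)
        if etype == "LOGON_FAILED":
            # keep only the failures still inside the sliding window
            failures[key] = [x for x in failures[key] if t - x <= window]
            failures[key].append(t)
        elif etype == "LOGON_OK":
            recent = [x for x in failures[key] if t - x <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "failed_logons_then_success",
                               "system": system, "user": user, "host": host,
                               "failures": len(recent), "at": ts})
            if user in PRIVILEGED_USERS:
                alerts.append({"rule": "privileged_logon",
                               "system": system, "user": user, "host": host,
                               "failures": 0, "at": ts})
            failures.pop(key, None)  # a success closes the sequence
    return alerts


def triage(alerts):
    """SOAR-style step: score each alert and decide where it goes, so the
    operator only sees the critical cases. Weights are assumptions."""
    routed = []
    for a in alerts:
        score = 1
        if a["system"] == "PRD":                      # production system
            score += 2
        if a["user"] in PRIVILEGED_USERS:             # high-privilege account
            score += 2
        if a["rule"] == "failed_logons_then_success": # possible guessing
            score += 1
        route = "analyst" if score >= 4 else "ticket"  # ticket = automated handling
        routed.append(dict(a, score=score, route=route))
    return sorted(routed, key=lambda x: -x["score"])


if __name__ == "__main__":
    for a in triage(correlate(SAMPLE_EVENTS)):
        print(f'{a["score"]} {a["route"]:8} {a["system"]} {a["user"]:7} '
              f'{a["rule"]} ({a["failures"]} failures) at {a["at"]}')
```

Running it shows the three alerts the correlation produced, ordered by score: the privileged logon on PRD and the guessed-then-successful logon on PRD are routed to an analyst, while the same pattern on DEV only opens a ticket. The point is the division of labour the article describes: correlation reduces volume, triage decides what a human actually looks at.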
What's SAP's view (SIEM and SOAR) on this topic at the moment?
SAP created its own SIEM tool called SAP Enterprise Threat Detection (SAP ETD). This tool, based on SAP HANA, lets you receive, correlate and manage many events, including SAP-specific ones.
The SIEMs on the market often have a more technical view and require considerable effort to integrate SAP's logic and to build the rules that let these tools, too, identify relevant cases and patterns.
It often happens that, even when present in the company, the SIEM systems aren't connected to SAP, or are connected only superficially, for example to keep track of the logons and logoffs of certain users.
Usually the purely IT (or IT Security) people know the company's network infrastructure, operating systems, network devices etc. perfectly well, but have no view of the security aspects of the SAP system.
The same holds the other way round: the people who take care of SAP often don't know, or aren't integrated with, the IT security tools already present in the company.
That's also why SAP decided to build SAP Enterprise Threat Detection (which means having a SIEM tool able to collect the data generated by SAP) and to give tools such as Splunk's SIEM native integrations, so as to complete the SOAR picture that these tools offer.