Security orchestration and automation checklist: How to choose the right vendor

Faced up against the well-chronicled global skills shortage, the ceaseless bombardment of security alerts and the hodgepodge of security tools unable to communicate with each other, security operations professionals likely feel as if the deck is stacked against them.

But security orchestration, automation and response (SOAR) platforms have arrived on the scene to address this burgeoning problem of having too many disparate security tools firing off alerts without the adequate in-house talent to address them.

SOAR enables SecOps teams to integrate disconnected technologies and processes into a more cohesive security ecosystem, allowing staff to work more efficiently against the growing onslaught of cyber threats.

And if you aren’t already an adopter, you may be soon. Gartner predicts that “[b]y year-end 2020, 30% of organizations with a security team larger than five people will leverage SOAR tools for orchestration and automation reasons, up from less than 5% today.”

As a result, companies should exercise due diligence and have a clear criteria list when selecting a security orchestration vendor to ensure maximum value from their investment. While most providers likely have their own unique features, there are several core pieces of functionality you’ll want to look for in choosing the optimal solutions for your needs.

1. Integration of disparate security solutions

The ability to integrate disparate security solutions is a basic characteristic of security orchestration, though not all SOAR solutions are created equal. As the SOAR market consolidates due to acquisitions, some SOAR products may lose their value if their available integrations become limited.

Vendor neutrality is key here. Look for a SOAR provider that not only supports many of the widely used security tools but also makes the integration of the tools fast and easy. In addition, consider a platform that allows you to create orchestrated and automated processes for these tools you have already invested in, from alerting and triage to investigation to remediation and collaboration.

Here are some specific questions you should ask a prospective SOAR vendor:

• How many integrations do you support?
• Do you support both on-premises and cloud-based environments for those integrations?
• How quickly can you add or build new integrations?
• Will we be able to create/customize our own integrations?

2. Automated processes with playbooks

The right technologies are crucial to the success of security operations teams, but their effectiveness is only as good as the processes in place for using them. A key ingredient to any successful SecOps program is having a good set of playbooks that help security analysts create consistent, repeatable and automated response processes for accomplishing tasks and determining tools that come into play if a threat alert is raised. For example, the process for malware alerts is likely different than one for phishing alerts or data exfiltration, etc.

While the basis behind playbooks is to allow for the automation of various use cases, their functionality should be used for more than just putting tools into automated processes. Try to partner with a vendor that provides a breadth of features for playbook creation and customization.

Questions to ask:

• Do you include standard playbooks to help get our team started?
• Can your playbooks be customized to meet our organization’s needs and desired levels of automation?
• How easy will it be for our team to create new playbooks?
• Does your platform support tests and simulations to ensure playbook effectiveness?

3. Visual investigations

While some alerts and cases can be fully automated and then closed, most require human analysis. To understand a threat, security analysts normally draw out key pieces of information from the huge pile of raw data they’ve manually collected from alerts, logs, threat intelligence and other sources. These analysts then lay the pieces out to obtain an overview of the situation, build a storyline and perhaps discover relationships among events.

While this investigation technique is effective in visualizing a threat storyline, the common practice relies heavily on manual and time-consuming methods, such as laying things out on a whiteboard. Look for a security orchestration vendor whose solution mirrors an analyst’s visual investigation process: reinforced with graphs, timelines, flows and representations of relevant entities, which can significantly speed up investigation and response times.

Questions to ask:

• What is your solution’s visual investigation capabilities?
• Does the solution just run the playbook and hope the analyst figures things out or does it also provide insights and guide the analyst toward solving the puzzle?
• How would our analysts build the timeline of a security event?
• How are relationships among entities (IPs, users files, etc.) represented?
• What level of detail is provided about each entity and how?

4. The SOC workbench

Console switching is unavoidable in security operations, especially because analysts typically run multiple tools and handle different cases at the same time. Depending on the moment, one screen might be isolating hosts, while another screen might be blacklisting executables, with a third screen focusing on correlation and trending, and so on. Having to switch from console to console while prioritizing cases is not only time consuming, but also confusing.

Hunt for a vendor with an interface that minimizes the amount of switching required and that pushes the most critical cases to the top so your team can improve its focus and prioritize bringing down response and resolution times.

Questions to ask:

• What is the breadth of activity our team can manage through the interface?
• How does the platform prioritize and assign cases?
• How difficult is it to understand the user interface? Is there a certain skill level required or can our analysts become expert users quickly?
• Are there any collaboration capabilities included in the platform?

5. Case management and alert grouping

While advanced log aggregation tools and SIEMs can help bring together the data you need in one place, you still may be challenged to extract the true positives and weed out the false negatives. Plus, on any given day, a security operations center might be besieged with hundreds or even thousands of alerts.

If each alert becomes its own case to be worked by an analyst, think about the management impact and collaboration required to effectively handle them. Analysts working cases containing multiple related alerts can manage, triage and close these as a single effort. At the very least, alerts need to be correlated using threat intelligence and other data sources to understand what’s really happening before being able to proceed with incident response and remediation.

Questions to ask:

• Does your platform group related alerts into manageable cases?
• How do you determine if alerts are related or not?
• How are cases created from alerts?
• Does the solution use machine learning for alert prioritization and analyst assignment?

6. Reporting

Your SOAR vendor should be able to help you understand how your SOC is performing. From there, you can make informed decisions about everything from processes and tooling to caseloads and staffing. Because different stakeholders will want to look at different metrics and KPIs depending on their role, your chosen solution should be able to provide the information they require without burdening your security analysts.

Questions to ask:

• Do you support turnkey and automated reporting?
• What are your dashboarding capabilities? Do they offer templates or the ability to customize?
• Can we schedule reports to automatically run and be distributed on a set schedule?

Security orchestration solutions can elevate a SOC’s capabilities, efficiency and effectiveness. However, careful examination in selecting your ultimate partner can maximize the value of your investment.

In summary, look for a vendor that will streamline your security operations, reduce missed and uninvestigated alerts, speed up response, enable the creation of consistent and predictable processes, allow better transparency of metrics, and increase your SOCs ability to improve over time.