Too many alarms and too few security analysts? Think SOAR

Security automation, orchestration and response (SOAR) speeds up the incident response process by replacing manual tasks with automated workflows. We sat down with Swimlane CEO Cody Cornell to learn more about the benefits for all organizations.

What are some of the biggest misconceptions when it comes to security orchestration, automation and response (SOAR) solutions?

Automation takes the mountain of daily manual work that’s required to really leverage a full-scale defense-in-depth strategy and makes completing it much more attainable. If each of your security controls is a segment of your overall security strategy, you can’t have one segment be an extremely weak one. As with all things, you are only as strong as your weakest link. Automation allows you to free up time, get to tasks you never could by hand, and have time to focus on strengthening your weakest links.

I think when people think of automation, they think about what it is like when it is completed, how their lives are better, how they reduced the burden on their teams, and how automations makes them more vigilant and capable around the clock. These outcomes are absolutely true, but if you look at other places where automation has made huge impacts in productivity it didn’t happen overnight.

There was no single thing that drove manufacturing automation. But in the end, it revolutionized manufacturing. Security automation is similar. The advantage is that since it is software, iteration can happen more quickly, but value builds over time. As that value builds, you get to a point where you can’t imagine it any other way.

Because of this, there are companies that are much more secure than their peer group, and it’s because of the historical investments and daily decisions they make. They’ve made the investments to make it more difficult for actors to take their information or compromise the services they deliver.

Overworked security operations teams are increasingly leveraging SOAR tools. What can these solutions do in a SOC environment?

All companies deal with overworked security teams in some form or another, but in cybersecurity, this can lead to burnout, which has potentially dire consequences. If a SOAR platform is successful, it’s taking upwards of 80-90% of the highly repetitive work security teams have to do, doing it on their behalf, and managing it in a way that is making their lives better.

With a SOAR tool, organizations can also abandon the exclusive use of ‘prioritization’ as a solution for overloaded employees. A lot of time prioritization is a symptom for lack of capacity, doing the “most” important thing a lot of times means hundreds if not thousands of other important things are being deprioritized.

The reality is, every to-do list item in a security operations center must be completed every day. Investigating alerts ineffectively—or even missing them completely—can result in a costly breach, and the items that are the highest priority, probably started out as a low priority or informational notification that could have been actioned immediately, might have never escalated to your highest priority. Rather than asking employees to prioritize their daily tasks, organizations leveraging SOAR tools are investing in processes and technologies that help their employees complete their work.

By creating a situation where professionals can get their work done, and get it done well, a stronger sense of achievement is generated among personnel, and in the case of cybersecurity, this can help reduce the risk for the entire organization.

What advice would you give to a newly appointed enterprise CISO that wants to take full advantage of what SOAR solutions have to offer?

Acknowledge that the way that we’ve historically done security ops and engineering just isn’t going to work going forward. The whole mindset that we’re going to have a somewhat slowly changing infrastructure, with people-intensive change management processes, that we’re going to update it every once in a while, is gone. If that’s how you’re managing any facet of your enterprise, from endpoints to perimeter, from cloud infrastructure to IoT devices, you’re just plain exposed.

You have to accept that if your infrastructure isn’t already built to be constantly evolving and adapting, you’re behind. You need to be able to digest a constant stream of information, enrich it from a variety of disparate data sources, and use that to make real-time risk assessment decisions that drive the automated update to your security infrastructure. Along with all that, you’ve needed to select, implement and manage your technology stack to support that speed of change in an operational cadence.

When selecting a SOAR technology, organizations should be looking for a single platform with the flexibility to support the broadest set of use cases at the deepest technical levels. Other factors to consider are whether this tool is enabling their people to get more done, and orchestrate more technology, or just providing another case management system where you park some notes, upload some logs, and assign a user.

CISOs should be thinking about SOAR as a platform, not as a tool, and it should be a platform that doesn’t limit what they can interact with. The security solutions in your environment, the intelligence sources at your disposal, the infrastructure your company utilizes is going to be constantly changing, and a lot of times those decisions are not made by the CISO.

Acquisitions, mergers, and partnerships are driven by the business, which will force the security team to adapt and integrate with a whole variety of security apparatus, and you need to be leveraging a platform that supports the largest variety of integration points but also the most diverse set of use cases because what you need today is not what you’ll need tomorrow. And from a planning perspective, you need to try to future proof wherever you can.

How do you see the SOAR market evolve in the next few years?

SOAR as a named category by the analyst community (Gartner/Forrester) was needed to describe an automation solution that organizations could use for security operations, addressing their daily pain points when trying to keep their organizations secure from relentless bad actors. Now the problem is altering the mindset of security teams from thinking about automation as a specific product unto itself and more of a principle of applied automation across every facet of security.

More and more organizations are looking to secure their business by leveraging automation. Automation is not new. We use automation every day in manufacturing, shipping, and other sectors, and we have for decades. The SOAR market will continue to evolve in ways that help organizations apply automation and orchestration to every facet of security.

Rather than thinking about automation as a single product category, we should be taking automation and applying it across an organization’s technology stack, security or otherwise. The types of use cases organizations are implementing with SOAR are evolving as well, including technology integrations for cloud, IoT and DevOps.