Security Orchestration, Automation and Response (SOAR) products promise efficiencies in detecting and responding to threats. Organizations should also understand, however, that these solutions can introduce new challenges if they are not implemented correctly: without proper planning, adopting security automation tools can lead to common missteps that quickly lower efficiency and weaken the security posture.
To select a suitable SOAR solution for your business, you need to think about a variety of factors. We’ve talked to several industry professionals to get their insight on the topic.
Rishi Bhargava, VP, Product Strategy, Palo Alto Networks
Implementing security orchestration usually isn’t a simple journey from “I don’t have it” to “Okay, now I have it.” Organizations need to evaluate their security tool stack and existing processes, then choose their method of deployment accordingly.
Ecosystem is critical: Look for a solution with broad, deep integrations covering the vendor tools you currently use. There should be an option to build in-house or custom integrations. You also want to invest in a SOAR solution that can mature with you as you grow. You want a good mix among integrations with detection, enrichment, enforcement, and allied tools.
Strong ticketing and case management capabilities: Rarely does incident response start and end with automation. Invariably, analysts will be involved in incident investigation. Ask: Does the platform have native case management or integrate with relevant tools? Can you reconstruct incident timelines? Can you easily customize playbooks without extensive coding?
Integrated threat intel management: Manual threat intel workflows are time sinks and do not scale, so integrated threat intel management automation capabilities will dramatically reduce your mean time to respond.
Flexible deployment: A SOAR platform should support both on-premises and cloud-hosted deployments. For distributed environments, look for one that scales and supports full multi-tenancy.
Wherever you are on the SOAR journey, these considerations will ensure you’re on the best path for your organization.
Gamze Bingöl, Product Manager, SecOps, Micro Focus
The aim of a SOAR platform is to empower the security staff efficiently and confidently with automation and orchestration while detecting and responding to evolving cyber threats.
Automation for cybersecurity: SOAR’s automation capabilities should handle most of the threats automatically by eliminating false positives and automating repetitive activities. Automating time-consuming, repetitive tasks with SOAR gives analysts more time to focus on the cases that need human intervention.
Out-of-the-box playbooks: Scenario-driven, ready-to-use automated playbooks should be an out-of-the-box feature that a SOAR brings to the table. Ready-to-use playbooks can help teams shrink response times from hours to minutes and will improve analyst productivity.
Integrating with existing tools: Disparate tools working independently are not as useful as an integrated suite of tools that complement each other. A focused SOAR should integrate with the existing security solutions, IT infrastructure and technology in an organization and act like a centralized hub for the whole security environment, increasing collaboration and orchestrating all the elements as if they were all part of the same solution.
KPIs and metrics: SOAR’s detailed reporting on case and analyst level can help managers understand historic events and better plan future directions.
Richard Cassidy, Senior Director Security Strategy EMEA, Exabeam
A SOAR solution should enable teams to automate the identification and response process across significant volumes of disparate data streams, so that the prioritisation of threats and vulnerabilities becomes almost seamless, not least far more operationally efficient.
If implemented correctly, Security Operations Centres (SOC) can benefit from using SOAR solutions helping them to deal with threats faster and more efficiently.
Integrating SOAR with other security tools, such as Security Information and Event Management (SIEM), can transform SOC teams' business and technology outcomes through automation, while also increasing efficiency.
Combining forces, organisations can use SOAR to augment the capabilities of SIEM, offering an all-comprehensive solution. SIEMs collect and store data in a useful manner which SOAR can use to automatically investigate and respond to incidents and reduce the need for manual operations.
What’s more, in tackling one of the biggest challenges for SOC teams to date, SOAR solutions can help to ingest information, sort, prioritise and combine duplicate alerts to reduce the number of false positives.
Cody Cornell, Chief Strategy Officer, Swimlane
When considering which SOAR solution is right for your organization, think about it from two perspectives: what do you need right now to solve the problems that led you to determine you need automation in your operations, and how will you leverage automation into the future. With these perspectives in mind, there are primary considerations to keep in mind.
First, do you expect the tools you use or the adversaries targeting you to be static, or dynamic and changing over time? In almost all circumstances it will be the latter. Therefore, you should be looking for a solution that will provide new integrations quickly, and a platform that is rapidly extensible – enough to not only meet today’s needs, but future needs as well.
Second, when you look at how attacker techniques are changing, do you expect that attackers will continue embracing automation on their side? Adversaries are using automation to not only run scans, but also from a DevOps perspective to build unique infrastructure per target.
If this continues, you will need an automation platform that has the ability to retroactively reinvestigate indicators of compromise (IOCs) and other intelligence in cases and alerts, without human intervention. If not, you will miss a SecOps worst-case scenario, a True Negative alert, or an alert that was real but wasn’t flagged as malicious.
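The retroactive re-check described above, as an added example that is not Swimlane's or any other vendor's code: a new batch of IOCs is matched against the observables of alerts that were already closed as benign, and each hit becomes a reopen request. The alert store, timestamps and IOC values are constructed for the example.

```python
"""Retroactive IOC re-check over closed alerts (added example, not vendor code).
New intelligence is matched against the observables of alerts already closed as
benign, so a miss is surfaced without an analyst re-reading old cases.
The alert store and IOC batch below are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Alert:
    alert_id: str
    closed_at: datetime
    verdict: str        # verdict recorded when the alert was closed
    observables: dict   # kind -> list of values, e.g. {"ip": [...], "domain": [...]}

def normalize(kind, value):
    """Canonical form so 'Cdn-Update.Example.' and 'cdn-update.example' collide."""
    value = value.strip().lower()
    if kind == "domain":
        value = value.rstrip(".")
    return kind, value

def index_alerts(alerts):
    """(kind, value) -> {alert_id}: one pass over the store, then each IOC is one lookup."""
    idx = {}
    for a in alerts:
        for kind, values in a.observables.items():
            for v in values:
                idx.setdefault(normalize(kind, v), set()).add(a.alert_id)
    return idx

def retro_scan(alerts, new_iocs, now, lookback=timedelta(days=30)):
    """{alert_id: [matching (kind, value), ...]} for alerts closed as benign inside
    the lookback window that contain at least one of the new IOCs."""
    by_id = {a.alert_id: a for a in alerts}
    idx = index_alerts(alerts)
    cutoff = now - lookback
    hits = {}
    for kind, value in new_iocs:
        key = normalize(kind, value)
        for alert_id in sorted(idx.get(key, ())):
            a = by_id[alert_id]
            if a.verdict != "benign" or a.closed_at < cutoff:
                continue   # already handled as malicious, or too old to reopen
            hits.setdefault(alert_id, []).append(key)
    return hits

def reopen_requests(hits):
    """Tickets a playbook would raise, one per alert, ordered by alert id."""
    return [{"alert_id": aid, "action": "reopen",
             "reason": "matched new IOC(s): " + ", ".join(f"{k}={v}" for k, v in hits[aid])}
            for aid in sorted(hits)]

# Constructed sample data: a fixed 'now' keeps the window arithmetic reproducible.
NOW = datetime(2024, 5, 1)
CLOSED_ALERTS = [
    Alert("A-100", NOW - timedelta(days=3), "benign",
          {"ip": ["198.51.100.23"], "domain": ["cdn-update.example"]}),
    Alert("A-101", NOW - timedelta(days=10), "benign",
          {"ip": ["203.0.113.7"], "sha256": ["ab" * 32]}),
    Alert("A-102", NOW - timedelta(days=45), "benign",
          {"domain": ["Cdn-Update.Example."]}),   # older than the default lookback
    Alert("A-103", NOW - timedelta(days=1), "malicious",
          {"ip": ["198.51.100.23"]}),            # already handled, never reopened
]
NEW_IOCS = [("domain", "cdn-update.example"), ("ip", "203.0.113.7"), ("ip", "192.0.2.99")]

if __name__ == "__main__":
    for req in reopen_requests(retro_scan(CLOSED_ALERTS, NEW_IOCS, NOW)):
        print(req)
```

The index is built once per IOC batch, so the cost scales with the number of new indicators rather than with the whole alert history; the lookback bound is the knob that keeps reopen volume manageable when a large feed arrives.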
Matthias Maier, Security Evangelist, Splunk
There are a few different criteria to consider when evaluating SOAR platforms and which to use:
These can be thought of as the basic parts of a SOAR platform and are typically functional in nature and easily identified in a platform. Some elements of this include the orchestrator, who directs and oversees all activities relating to a given security scenario. It is critical that the orchestrator delivers optimal utilisation of available resources. Another is the automation engine. Because automation tasks run independently and largely without human interaction, attributes such as platform scalability and extensibility are important criteria to consider. Case and playbook management should also be taken into consideration.
These are more subtle, like architectural characteristics, that are more qualitative in nature. These criteria are evaluated more often through observation and interaction with the platform. Collaboration significantly improves the substance of a platform. A SOAR platform must support a strong community model and make sharing of app integrations and playbooks easy. It is also important to understand how a SOAR platform will scale, both vertically and horizontally. As an organization adds use cases over time, there will be additional processing load placed on the platform. A platform that is open, mobile friendly and easy to use is also key.
These include value-add services offered by a company to augment their core technology, like training and support. No matter how great a company’s core technology is, there are considerations outside of what is traditionally thought of as the product that heavily influence a buyer’s decision-making process.
Faiz Ahmad Shuja, CEO, SIRP
Research has found that security professionals report receiving an average of 840 security alerts every day. With most alerts taking around 15-30 minutes to investigate manually, this is an impossible task for any security team.
Automating as much of the workload as possible will enable security teams to keep up with the pace and ensure critical threats don’t go unnoticed in the noise. SOAR platforms have emerged as one of the most effective solutions for delivering these capabilities.
The most important step in integrating SOAR successfully is to have solid documentation in place for all security processes. There need to be well-established response playbooks for all major processes. For example, if a potential phishing email is detected, the response might include investigating the sender’s address and detecting signs of spoofing, and probing any URLs for their reputation scores and for malicious scripts. Once all these processes have been documented, the SOAR platform can begin to carry them out automatically.
In addition, organizations need to ensure their chosen SOAR platform has strong integration capabilities. The platform will need to fit smoothly with their existing SIEM solution, as well as connecting with the rest of their security solutions and wider IT infrastructure.
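The phishing playbook sketched above, as an added example that is not SIRP's or any other vendor's playbook: it inspects the sender headers for spoofing signs, pulls every URL out of the text and HTML parts, scores their hosts against a reputation table, and flags script in the HTML body. Both messages and the REPUTATION table are constructed for the example; in a real deployment the table would be replaced by a call to the threat-intel integration.

```python
"""Phishing triage playbook (added example, not a vendor's playbook).
Sender checks for spoofing signs, URL extraction with a reputation lookup,
and a scan of HTML parts for script. Messages and REPUTATION are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

REPUTATION = {"login-micros0ft.example": 15, "docs.example.com": 90}  # constructed; 0 = worst
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def auth_results(msg):
    """spf/dkim/dmarc verdicts from Authentication-Results, if the MTA added one."""
    hdr = msg.get("Authentication-Results", "")
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr)}

def sender_findings(msg):
    findings = []
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    # Domain mismatches are common for ESP/list traffic: a signal for the score, not a verdict.
    for header in ("Return-Path", "Reply-To"):
        _, other = parseaddr(msg.get(header, ""))
        if other and domain_of(other) != from_dom:
            findings.append(f"{header} domain differs from From")
    # Display name that is itself an address at a domain other than the real sender's.
    m = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if m and m.group(1).lower() != from_dom:
        findings.append("display name impersonates another address")
    findings += [f"{k}={v}" for k, v in auth_results(msg).items() if v != "pass"]
    return findings

def extract_urls(msg):
    """URLs from text/plain and text/html parts, and whether any HTML part carries <script>."""
    urls, has_script = set(), False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        urls.update(URL_RE.findall(body))
        has_script |= ctype == "text/html" and bool(re.search(r"<script\b", body, re.I))
    return sorted(urls), has_script

def url_findings(urls, reputation=REPUTATION):
    findings = []
    for host in sorted({urlparse(u).hostname or "" for u in urls}):
        score = reputation.get(host)
        if score is None:
            findings.append(f"{host}: no reputation data")
        elif score < 50:
            findings.append(f"{host}: low reputation ({score})")
    return findings

def triage(raw_email):
    msg = message_from_string(raw_email)
    urls, has_script = extract_urls(msg)
    findings = sender_findings(msg) + url_findings(urls)
    if has_script:
        findings.append("html body contains <script>")
    # Two independent findings hand the case to an analyst; one gets a look; none closes it.
    verdict = "escalate" if len(findings) >= 2 else "review" if findings else "close"
    return {"verdict": verdict, "findings": findings, "urls": urls}

# Constructed sample messages (reserved example domains, fake headers).
PHISH = """\
Return-Path: <bounce@mail-blast.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail-blast.example; dkim=none; dmarc=fail
From: "it-support@corp.example" <alerts@outlook-mail.example>
Reply-To: helpdesk@secure-reset.example
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Reset within 24 hours: https://login-micros0ft.example/reset?u=alice
Policy: https://docs.example.com/policy
--b1
Content-Type: text/html; charset="utf-8"

<a href="https://login-micros0ft.example/reset?u=alice">Reset now</a>
<script>location="https://login-micros0ft.example/r";</script>
--b1--
"""
NOTICE = """\
Return-Path: <noreply@docs.example.com>
Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass
From: Docs Team <noreply@docs.example.com>
Content-Type: text/plain; charset="utf-8"

The policy page moved to https://docs.example.com/policy
"""
if __name__ == "__main__":
    for raw in (PHISH, NOTICE):
        print(triage(raw))
```

The verdict thresholds are the part to tune per organization: a Return-Path mismatch alone is routine for newsletters, so it only contributes to the score, while a failed DMARC check combined with a low-reputation link is what pushes a message to an analyst.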
Amos Stern, CEO, Siemplify
Security orchestration, automation and response, or SOAR, addresses some of the most persistent – and frustrating – challenges facing security teams.
The right SOAR platform, coupled with good implementation, can help reduce alert overload, tie together the multitude of disparate detection tools in use by organizations, and build automated and repeatable processes to slash response times – all while untethering security analysts from the tedious and often-manual grind of blocking and tackling so they can focus on higher-value work, like hunting for threats and building more resilient security infrastructures.
At their core, SOAR solutions should ingest alerts, integrate (via native APIs) with a broad range of third-party detection tools, and automate workflows.
But the best SOARs go beyond these table stakes by acting as the centralized workbench from which security operations professionals perform their jobs. Think like Salesforce, but for SOC analysts. Advanced capabilities you should look for include:
1. Case management (specifically the ability to group contextually related alerts)
2. Integrated threat intelligence
3. Collaboration (especially important in the new remote normal)
4. Dashboards and KPIs (to provide visibility and insights)
5. Crisis management (to escalate a cross-organizational response in the event of a major incident).
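The alert handling described by Richard Cassidy above (combining duplicate alerts) and the case-management capability in item 1 of this list (grouping contextually related alerts), as one added example that is not Siemplify's, Exabeam's or any other vendor's code: repeats of the same detection from the same tool are collapsed inside a time window, then alerts from different tools are tied into one case when they share a host, user, IP or domain. The alert batch is constructed for the example.

```python
"""Alert de-duplication and contextual grouping (added example, not vendor code).
Collapses repeats of the same detection from the same tool, then groups alerts
from different tools into one case when they share a host, user, IP or domain.
The alert batch below is constructed for the example."""
from collections import defaultdict

ENTITY_FIELDS = ("host", "user", "src_ip", "domain")

def entities(alert):
    """Case-folded (field, value) pairs that can tie this alert to another."""
    return {(f, str(alert[f]).lower()) for f in ENTITY_FIELDS if alert.get(f)}

def fingerprint(alert):
    """Duplicate key: same tool, same rule, same entities. Timestamp deliberately excluded."""
    return (alert["source"], alert["rule"], tuple(sorted(entities(alert))))

def dedupe(alerts, window_s=3600):
    """Collapse alerts with equal fingerprints seen within window_s of the first one.
    Returns one representative per group, carrying 'count' and the collapsed 'ids'."""
    reps, out = {}, []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = fingerprint(a)
        rep = reps.get(key)
        if rep is not None and a["ts"] - rep["ts"] <= window_s:
            rep["count"] += 1
            rep["ids"].append(a["id"])
            continue
        rep = dict(a, count=1, ids=[a["id"]])   # window restarts from this sighting
        reps[key] = rep
        out.append(rep)
    return out

def group_cases(alerts):
    """Union-find over shared entities: alerts linked by any common entity form one case."""
    parent = list(range(len(alerts)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    first_seen = {}
    for i, a in enumerate(alerts):
        for e in entities(a):
            if e in first_seen:
                parent[find(i)] = find(first_seen[e])
            else:
                first_seen[e] = i
    groups = defaultdict(list)
    for i, a in enumerate(alerts):
        groups[find(i)].append(a)
    cases = []
    for members in groups.values():
        cases.append({
            "alerts": [m["id"] for m in members],
            "suppressed": sum(m.get("count", 1) - 1 for m in members),
            "sources": sorted({m["source"] for m in members}),
            "entities": sorted(set().union(*(entities(m) for m in members))),
        })
    return sorted(cases, key=lambda c: c["alerts"][0])

# Constructed sample batch: three tools, one workstation, one service account. 'ts' in seconds.
ALERTS = [
    {"id": "edr-1", "source": "edr", "rule": "suspicious-powershell", "host": "WS-017", "user": "bob", "ts": 1000},
    {"id": "edr-2", "source": "edr", "rule": "suspicious-powershell", "host": "ws-017", "user": "BOB", "ts": 1300},
    {"id": "edr-3", "source": "edr", "rule": "suspicious-powershell", "host": "WS-017", "user": "bob", "ts": 1600},
    {"id": "proxy-1", "source": "proxy", "rule": "newly-registered-domain", "src_ip": "10.0.5.17", "domain": "cdn-update.example", "ts": 1200},
    {"id": "siem-1", "source": "siem", "rule": "impossible-travel", "user": "bob", "src_ip": "10.0.5.17", "ts": 1400},
    {"id": "edr-4", "source": "edr", "rule": "lsass-access", "host": "SRV-DB01", "user": "svc_backup", "ts": 1500},
    {"id": "edr-5", "source": "edr", "rule": "suspicious-powershell", "host": "WS-017", "user": "bob", "ts": 9000},
]

if __name__ == "__main__":
    for case in group_cases(dedupe(ALERTS)):
        print(case)
```

In the sample, edr-2 and edr-3 fold into edr-1 because only case differs in their host and user fields, while edr-5 repeats the same rule outside the one-hour window and stays a separate alert; the proxy and SIEM alerts share the workstation's IP and the user with the EDR alerts, so the four land in one case, and the unrelated lsass-access alert gets its own. The entity fields and the window are the parameters a team should expect to tune per tool.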