How SOAR Can Address Tool Integration and Management Buy-In Concerns | DFLabs


In a recent blog post “The Road to SOC Excellence Using SOAR” we highlighted some of the crucial findings from the 2019 SANS SOC Survey. The top concerns reported by the survey’s respondents were not new, but the trend towards successful implementation of compensating controls to overcome these shortcomings had finally taken a turn towards the positive. True, it wasn’t a huge leap towards success, but any improvement should be considered a win.

Of the shortcomings reported, short staffing and the inability to effectively utilize automation and orchestration to assist staff were the problems most often experienced by today’s security operations centers. In our last blog we discussed how a SOAR solution can help security staff apply automation and orchestration techniques to address the incident handling and knowledge management concerns that stem from a lack of qualified staffing. In this continuation further along the road to SOC excellence, we’ll explore ways that a SOAR solution can help conquer the additional shortcomings reported: lack of tool integration and lack of management buy-in.

Tool Integration

It is no surprise that security operations teams also report frustration when attempting to integrate the security and networking tools required to secure and maintain today’s environments. As attackers become more sophisticated, so do the tools network defenders need to protect their businesses and assets. To make matters worse, product vendors have flooded the market with new products that have no native ability to work in concert with security and networking products outside their own product lines.

This condition is one of many that have driven the evolution of automation and orchestration technologies, especially SOAR. Security orchestration is the practice of making disparate products, security and non-security, integrate with each other so that tasks can be automated across products through workflows, while still allowing for end user oversight and interaction. These workflows allow enrichment and containment activities to be initiated automatically on one product and the outcome or findings of that action to be passed to another, in order to make additional incident handling decisions.

By utilizing SOAR to integrate an organization’s toolsets, security professionals can construct these incident workflows to mimic analyst actions during the course of an incident’s investigation. This not only ensures consistency every time an incident is handled but will also reduce the number of dashboards and platforms analysts must navigate to identify, contain, and document a potential security incident.

Management Buy-In

The ability to integrate disparate tools together using a SOAR solution enables security teams to redirect their focus towards the tasks required to build a more robust security program. As a result, when security teams have the time and staff to focus on strengthening their security posture, the translation between technical necessity and business need begins to evolve naturally.

Oftentimes security teams fail to obtain management buy-in because they measure and communicate the wrong kinds of information. As highlighted in the 2019 SANS SOC Survey, a huge contributing factor to this failure is the types of metrics being used and how security teams are being forced to gather them. Most respondents reported that the large majority of their metrics were “quantity” based metrics, such as the number of incidents handled or events closed. While important, these quantity-based metrics fall short when attempting to convey the big picture message C-level management looks for when making business decisions.

Anyone who has ever been tasked with presenting metrics that “show value” knows that quantity-based metrics never seem to hit the mark, no matter how elaborate the pivot chart may be. These types of metrics are easy to gather and easy to automate; however, as the SOC Survey points out, the more elusive business-focused metrics that help drive business decisions, such as losses accrued vs. losses prevented, are much harder for SecOps teams to produce.

However, by integrating a SOAR solution into a security program, organizations can begin to tailor their metrics towards business need through the case management features available within some SOAR solutions, such as the IncMan SOAR platform from DFLabs. These features allow assets to be monetized and tracked throughout an incident, in an effort to begin to quantify the work produced by SecOps teams. By converting quantity-based metrics, such as incidents handled, into business-focused metrics that show how the business’ bottom line has been affected, it becomes easier for everyone to speak the same language and move towards one unified goal.
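As an added illustration (not DFLabs code and not the IncMan API), the small Python playbook below chains the enrichment-to-containment workflow described under Tool Integration with the asset-value tracking described above: an enrichment verdict from one (simulated) product drives a containment decision on another, automatic isolation of a high-value asset is gated on analyst approval, and the closed cases yield a business-focused metric next to the usual count. The threat-intel verdicts, asset values and approval callback are constructed stand-ins.

```python
"""Toy SOAR-style playbook: enrichment -> containment with analyst oversight,
plus per-asset monetary values so a case can report a business-focused metric."""
from dataclasses import dataclass, field

# Constructed sample data standing in for integrated products (hypothetical values).
THREAT_INTEL = {"198.51.100.23": "malicious", "203.0.113.9": "benign"}  # simulated TI feed
ASSET_VALUE_USD = {"payroll-db": 250_000, "kiosk-07": 1_500}            # monetized assets

@dataclass
class Case:
    asset: str
    indicator: str
    verdict: str = "unknown"
    actions: list = field(default_factory=list)
    closed: bool = False

def enrich(case: Case) -> Case:
    """Step 1: query the (simulated) threat-intel product and carry the verdict forward."""
    case.verdict = THREAT_INTEL.get(case.indicator, "unknown")
    return case

def contain(case: Case, approve) -> Case:
    """Step 2: act on the enrichment outcome. Isolating a high-value asset is gated on
    an analyst decision; this is the end user oversight the workflow keeps."""
    if case.verdict != "malicious":
        case.actions.append("no-action")
    elif ASSET_VALUE_USD.get(case.asset, 0) >= 100_000 and not approve(case):
        case.actions.append("escalated")  # analyst declined automatic isolation
    else:
        case.actions.append("isolate-host")
    case.closed = True
    return case

def run_playbook(asset: str, indicator: str, approve=lambda c: True) -> Case:
    """Run both steps as one workflow; approve() is the analyst-in-the-loop hook."""
    return contain(enrich(Case(asset, indicator)), approve)

def metrics(cases) -> dict:
    """Quantity metric (cases closed) beside a business metric (asset value protected)."""
    protected = sum(ASSET_VALUE_USD.get(c.asset, 0)
                    for c in cases if "isolate-host" in c.actions)
    return {"cases_closed": sum(c.closed for c in cases),
            "asset_value_protected_usd": protected}

if __name__ == "__main__":
    closed = [run_playbook("payroll-db", "198.51.100.23"),
              run_playbook("kiosk-07", "203.0.113.9"),
              run_playbook("kiosk-07", "198.51.100.23")]
    print(metrics(closed))  # {'cases_closed': 3, 'asset_value_protected_usd': 251500}
```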

Although this year’s SOC Survey showed slight improvement in many of these key areas, there is still plenty of work to do. Thankfully, the cybersecurity industry is moving in the right direction with the wider adoption of automation and orchestration technologies such as SOAR, technologies designed and developed to help struggling SecOps teams overcome the areas in which they are burdened year after year.
