With the evolution of Security Orchestration, Automation and Response (SOAR) now in full motion, it is important for SOAR vendors to ensure they meet (and potentially exceed) Gartner’s criteria and requirements of what a SOAR solution should encompass, as well as satisfy the expectations of security operations teams within organizations who will be utilizing them.
In order to address the previous pain points, equally as critical are the key areas that must be included to not only satisfy existing incident response needs, but future requirements as well. Those key findings represent a broad section of needs and apply equally to all verticals. They include:
The requirement for a single pane of glass that affords visibility into all aspects of the network and security infrastructure. This single pane of glass is often referenced as a customer need by vendors, however, we believe that rarely do they meet the level of sophistication afforded by a true SOAR such as IncMan. IncMan affords you the capability to include information from traditional sources (SIEM, TIP, EDR, etc.) and non-traditional sources that are germane to security operations, such as ticketing and inventory systems, entry control data, insider threat platforms etc.
As SOAR technology continues to migrate from the early adopter to early majority phase, we are yet to see a corresponding evolution in use case sophistication from the early adopter users. IncMan addresses this by providing long-term vision as leaders in the SOAR industry introducing capabilities including incident triage, machine learning and an Open Integration Framework that ensures as industry use cases, including both cyber and non-cyber become more sophisticated, the IncMan platform and its open architecture stands ready to evolve with them.
Despite most vendor best efforts, SOAR systems are not “plug and play” regardless of the number of integrations offered. In addition to the initial outlay for the platform there can be multi-week professional service engagements to ensure the components needed for a customer’s environment are available. DFLabs recognized this some time ago and took steps to not only make the installation of the SOAR platform as automated as possible but created the Open Integration Framework that permits their customers to develop their own integrations. This is especially critical when working with large organizations and managed security service providers (MSSPs) that required “homegrown” application that were unable to share outside the organization in order to develop API integrations. Those agencies are now able to develop needed integrations on the fly internally without the need for follow-on professional services engagements.
Less evolved SOAR platforms similarly concentrate on point security technologies, rather than a more holistic approach involving all aspects of security orchestration and automation. This severely limits their applicability and falls well short of Gartner’s definition of a true SOAR platform. SOAR solutions such as IncMan not only satisfy Gartner’s definition, but expands on areas such as key performance indicator reporting, tenant analysis functions in a multi-tenant environment, (such as an MSSP), and tracking SLA metrics.
MSSPs are increasingly turning to SOAR solutions to solve problems as well. While MSSPs face many of the same problems as an internal SOC or CSIRT team, magnified by the number of customers they serve, they also face a unique set of challenges not seen in other security models. For SOAR to be an effective solution for an MSSP, it must support multi-tenancy in a way which segregates customer data and customer access, while simultaneously allowing the MSSP transparent access across customer environments. The SOAR solution must also support various deployment and data security models to enable compliance with the myriad of legal, regulatory, industry and customer requirements. Recognizing these challenges, as well as the value an MSSP can achieve by offering a “SOAR-as-a-Service” model, DFLabs has released a dedicated MSSP module which addresses these unique challenges.
Sustaining the Momentum
While dedicated SOAR platforms continue to innovate and evolve, there were several recommendations identified by Gartner that if not already implemented, should be a focus when implementing a full SOAR solution going forward.
When implementing a full SOAR solution, ensure that defined workflows and processes are part of the implementation. It establishes a starting point for organization response protocols that can be used to build upon as threats and use cases evolve.
A comprehensive implementation plan should be part and parcel of any SOAR implementation. Anticipating needs and professional service needs (if applicable) should be a part of the pre-implementation needs assessment. Solution deployment and training must be focused on these requirements. At DFLabs we take this commitment seriously and an organizational needs assessment is an integral part to each customer implementation. These needs assessments include an evaluation of required integrations, workflow needs in the form of Playbooks and Runbooks (we have 100+ available), establishing a timeline and identifying any special requirements.
As the SOAR market funnels down to a few dedicated SOAR innovators, it’s important to have a plan in the even your SOAR platform gets acquired. If, for example, your SOAR is acquired and now only functions well with a vendor’s suite of products. What is your plan if your SOAR platform is acquired by a specific SIEM manufacturer and now no longer supports your SIEM of choice? These considerations should be part of your selection criteria and plans implemented to deal with this situation should it occur.
It’s simple to see that DFLabs anticipated each of the pain points identified in the Gartner SOAR Solution Market Guide and through its IncMan SOAR platform offers a comprehensive and full SOAR solution that continues to meet Gartner description of SOAR. Most importantly, it is able to provide its three core components, Orchestration and Automation, Incident Response and Threat Intelligence, all necessary to conquer today’s existing and evolving threats.
As the uptake of SOAR solutions continues to rise, we expect to see its use cases start to develop and evolve throughout different organization types and industries. SOAR solutions themselves are also likely to continue to evolve with newly identified organizational requirements and expected advances in cyber threats, in an attempt for organizations to try to stay one step ahead.
As a recognized leader in the SOAR market, DFLabs is committed to continuing to innovate and deliver solutions to some of the most critical and complex problems facing security operations teams for years to come. If you would like further information about SOAR or want to see IncMan SOAR for yourself in action, contact us to arrange a no obligation demonstration.