Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) products have their own respective places in the incident response infrastructure. They both have symbiotic responsibilities that are simultaneously distinct in their executions.

In a recently published market study by Gartner they estimated that by 2022, 30% of organizations larger than 5 people will be leveraging a SOAR solution. This is even more significant when we consider that less than 5% of those organizations are utilizing SOAR today. Organizations of all sizes are quickly realizing that they need the best-in-class infrastructure to ensure it will carry them to the last mile of the incident response.

SIEM vs. SOAR

Back in 2015, there were overlaps in SOAR platform capabilities. As the definition of SOAR evolved in subsequent years, SOAR use cases grew to include:

• SOC optimization
• Threat Monitoring and response
• Threat investigation and Hunting
• Threat Intelligence Management

The question remains: How do we ingest the information coming from different sources and make it actionable within our network security infrastructure?

Over time, our customers have discovered that the more they automate, the more time their organizations have to dedicate to threat hunting.

Still, many organizations are struggling to effectively and efficiently manage Security Operations and Incident Response. It funnels down to 3 separate areas:

1. How can I make SIEM and Threat Intelligence data actionable and more effectively investigate alerts and incidents? (few Analysts vs. many information fountains)
2. How can I prioritize my response to security incidents (including ‘’non-cyber”) given the increase in volume and scale across a growing attack surface?
3. How can I rapidly respond to security incidents with limited human resources to contain the damage and limit legal exposure?

Recent statistics show that the “dwell time” of the average security incident is 99 days. The question quickly becomes how do we address the cyber incidents that affect our entire workspace?

There is clear evidence that SOAR solutions are the clear solution to reduce response time, automate incident prioritization and better utilize existing sources of information to make them more actionable.

Buying SOAR add-ons for SIEM: What are the limitations?

• SOAR modules and add-ons are verticalized - it forces customers to rely on a single SIEM Vendor;
• Organizations risk vendor dependency;
• Creates a SIEM/TIP and SOAR dependency that contains an inherent risk of closed architecture;
• Reduced level of innovation that stays in step with security trends;
• If the SIEM fails in its detection role, the corresponding SOAR capability will fail as well.

Given that true SOAR platforms are capable of integrating with a host of SIEM products, as we move towards 2020, having a SOAR product that is focused on input from a single SIEM is a point of failure and something that can be avoided.

How do independent sources such as IncMan SOAR address critical customer requirements?

Utilizing Machine Learning (ML):

• Significantly reduces false positives and duplicate events;
• ML enables checklist and workflow-based automation (by applying the right type of O&A for every use case);
• It is engineered to support both MSSP and complex corporate environments;
• Allows customers and partners to integrate tools in minutes with little coding experience (it also supports ‘’non-cyber’’ use cases);
• Leverages automated Runbooks to provide rapid data enrichment and correlation;
• Manages all aspects of the incident case management, from identification through remediation.

Industry standards dictate that all aspects of the incidents should be managed from a singular platform. Being able to work through each phase of that incident response life cycle inside of your SOAR platform, regardless of chosen SIEM, is critical. Additionally, the ability to respond to each incident type with its own distinct workflow and remediating that to ensure this type of incident won’t occur again is vital.

This increases the requirement of having a single platform that will help you perform all of these incident activities.

The thing that is important to remember here that there are few requirements that help you make a distinction whether this is a true SOAR platform.

7 factors which constitute a true SOAR platform:

• Progressive Automation
• Observables, Correlation Engine & Threat Intelligence Management
• Concise Incident Case Management
• Open Architecture and Lateral Use Cases
• Full Chain of Custody Handling and Forensic software integrations
• Role-based KPI Dashboards & Comprehensive Reporting Library
• Knowledge Base

GDPR & IncMan SOAR

Additionally, GDPR compliance is a significant consideration for full incident management. It’s imperative that we are able to chronicle all actions taken as part of a responsive event including:

• Orchestrate human activities and monitor all ongoing actions with Task assignments and tracking;
• Document physical and logical evidence and chain of custody;
• Complete audit log of every activity performed;
• Track and manage incident phases and management expectations;
• Document policies, procedures and best practices in the Knowledge Base.

Providing documentation of required actions ensures your responses that contain responsive GDPR elements are not only repeatable but defensible as well

Where SOAR Will Go In The Next 5 Years?

SOAR platform implementation is rapidly evolving as a requirement in the IR industry. Ensuring that your SOAR is as extensible as possible without requiring specific infrastructure to perform will be a crucial part of organizational response criteria going forward. If you want to see how IncMan can quickly become an integral part of your infrastructure reach out to us for a free, no-obligation demo or drop us a line here.