The sheer range of threats facing organizations in 2020 creates a need for more advanced detection mechanisms. To compensate for their own shortcomings in this area, a growing number of organizations have chosen to partner with a Managed Security Service Provider (MSSP).
In response to the current threat landscape, MSSPs have started developing managed detection and response (MDR) service offerings. The main goal is to assist organizations not only in detecting a potential threat but also in responding to it quickly. However, MSSPs are battling another major risk: falling victim to the same shortcomings, on an even greater scale. So, how can SOAR technology help MSSPs overcome these challenges?
In this article, you will learn the core functions and capabilities that any SOAR solution should provide to assist MSSPs, and the current obstacles service providers face when trying to deliver their security services.
Bidirectional integrations are crucial to full automation and orchestration. Several methods support this kind of flexible integration, such as scripting languages like Perl or Python, APIs, or proprietary methods. Whichever method is chosen, it should be simple for the MSSP or its customers to implement.
In cases where full bidirectional integration is not required, unidirectional integrations can be more suitable for the customer to deploy. Accordingly, an effective SOAR platform should support common methods of data ingestion, such as Syslog, database connections, APIs, email and online forms, as well as common data standards such as CEF, OpenIOC and STIX/TAXII.
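As an added illustration (not code from the original article or from any vendor's product), here is a minimal ingestion step for the Syslog/CEF path mentioned above: it parses one CEF line, applying the header and extension escaping rules, into the normalized alert record a SOAR workflow would consume. The sample line, vendor name and field values are constructed.

```python
import re
# Constructed sample: one syslog line carrying a CEF event, as a SOAR ingestion
# connector would receive it from a customer's log forwarder (all values hypothetical).
SAMPLE = (
    "<134>Mar 21 10:15:02 fw01 CEF:0|Acme|Firewall|2.1|1002|"
    "Outbound connection to blocklisted host\\|blocked|8|"
    "src=10.1.2.3 dst=203.0.113.7 dpt=443 msg=Policy ID\\=42 matched "
    "cs1Label=tenant cs1=customer-a"
)
def _split_header(header: str, limit: int = 7) -> list:
    """Split on unescaped '|' (header fields escape '\\|' and '\\\\'); after `limit`
    pipes the rest is the extension, where '|' needs no escaping."""
    fields, cur, i = [], [], 0
    while i < len(header):
        if len(fields) == limit:
            fields.append(header[i:])
            return fields
        ch = header[i]
        if ch == "\\" and i + 1 < len(header):       # escaped character
            cur.append(header[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields

def _parse_extension(ext: str) -> dict:
    """Parse 'key=value' pairs: values may contain spaces, a literal '=' is '\\='."""
    pairs = re.finditer(r"(\w+)=((?:\\=|[^=])*?)(?=\s\w+=|$)", ext)
    return {m.group(1): m.group(2).replace("\\=", "=").strip() for m in pairs}
def parse_cef(line: str) -> dict:
    """Normalize one syslog/CEF line into the alert record a SOAR workflow consumes."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF event")
    prefix = line[:idx].split()                       # syslog PRI/timestamp/host, if present
    fields = _split_header(line[idx + 4:])
    if len(fields) != 8:
        raise ValueError("malformed CEF header")
    version, vendor, product, dev_version, sig_id, name, severity, ext = fields
    return {"source_host": prefix[-1] if prefix else None, "cef_version": version,
            "vendor": vendor, "product": product, "device_version": dev_version,
            "signature_id": sig_id, "name": name, "severity": int(severity),
            "extension": _parse_extension(ext)}
```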
Workflows are at the heart of the automation and orchestration activities a SOAR solution provides. These workflows help reduce the burden of repetitive tasks on an MSSP’s operations team.
There are two fundamental ways to codify process workflows within a SOAR solution:
Both methods are suited to different client environments and proprietary use cases. Whichever is used, the workflow implementation supported by a SOAR solution must be flexible enough to accommodate almost any process that may need to be codified within it.
Workflows should support the use of both built-in and custom integrations, as well as the creation of manual tasks to be completed by an MSSP analyst or the client's security team. Additionally, flow-controlled workflows should support multiple types of flow control mechanisms, including those that allow an analyst to make a manual decision before the workflow continues.
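The flow-controlled workflow described above, as an added example that is not part of the original article: automated tasks, an automated conditional branch, and a decision node that pauses the workflow until an analyst chooses a branch, with that decision recorded. The task functions, step names and the indicator set are hypothetical stand-ins for real integrations.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional
@dataclass
class Step:                       # one node of a flow-controlled workflow
    action: Optional[Callable[[dict], dict]] = None   # automated task (None for a decision node)
    next: Optional[str] = None                         # step that follows an automated task
    branches: Optional[Dict[str, str]] = None          # decision node: choice -> next step
    choose: Optional[Callable[[dict], str]] = None     # automated choice; None means an analyst decides
class Workflow:
    def __init__(self, steps: Dict[str, Step], start: str):
        self.steps, self.start = steps, start
        self.ctx, self.current, self.state = {}, None, "new"   # new|running|waiting_for_analyst|done
    def run(self, incident: dict) -> str:
        self.ctx, self.current, self.state = dict(incident), self.start, "running"
        return self._advance()
    def _advance(self) -> str:
        while self.current:
            step = self.steps[self.current]
            if step.branches and step.choose is None:  # pause: flow control handed to an analyst
                self.state = "waiting_for_analyst"
                return self.state
            if step.branches:                          # automated conditional branch
                self.current = step.branches[step.choose(self.ctx)]
            else:                                      # automated task, then move on
                self.ctx.update(step.action(self.ctx))
                self.current = step.next
        self.state = "done"
        return self.state
    def decide(self, choice: str) -> str:              # resume with the analyst's recorded decision
        step = self.steps.get(self.current)
        if self.state != "waiting_for_analyst" or choice not in step.branches:
            raise ValueError(f"invalid decision {choice!r} at step {self.current!r}")
        self.ctx.setdefault("decisions", []).append((self.current, choice))
        self.current, self.state = step.branches[choice], "running"
        return self._advance()
# Constructed stand-ins for real integrations (threat intel, EDR, ticketing); hypothetical.
KNOWN_BAD = {"203.0.113.7"}
def enrich(ctx):  return {"severity": 8 if ctx["dst"] in KNOWN_BAD else 3}
def isolate(ctx): return {"actions": ctx.get("actions", []) + [f"isolated {ctx['host']}"]}
def close(ctx):   return {"actions": ctx.get("actions", []) + ["ticket closed"]}

def build_workflow() -> Workflow:
    return Workflow(start="enrich", steps={
        "enrich":   Step(action=enrich, next="triage"),
        "triage":   Step(branches={"high": "contain?", "low": "close"},
                         choose=lambda c: "high" if c["severity"] >= 7 else "low"),
        "contain?": Step(branches={"isolate": "isolate", "monitor": "close"}),
        "isolate":  Step(action=isolate, next="close"),
        "close":    Step(action=close),
    })
```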
Many organizations are relying on MSSPs to handle the entire incident response lifecycle through managed detection and response services. To properly take over the entire incident response lifecycle, a SOAR solution should provide the following incident management features:
To discover attacks and patterns that automated methods may have missed, many security service providers now include various forms of threat hunting in their service offerings.
To facilitate this process in a multi-tenant environment, threat intelligence and correlated events should be displayed in a simple, coherent visual form that lets analysts examine the full picture, gather the necessary context, and issue the correct response.
An adequate response to a security incident involves multiple individuals and potentially multiple teams, even multiple organizations. To be effective in a team environment, a SOAR solution should therefore support seamless collaboration and information sharing between team members in a controlled manner, even outside the organization itself. Those who are authorized should have instant access to the status of the incident they are collaborating on, all the information gathered, and the actions performed by other team members.
Team members should also be able to communicate securely within the SOAR platform, which provides an out-of-band channel when other mediums may not be trusted.
A SOAR solution should provide the robust multi-tenant infrastructure MSSPs require. As a core component of MSSP operations, this infrastructure should segregate each tenant's data and enforce strict access controls on it, so that no tenant's information can leak into another's.
The service provider should also be able to customize configuration options on a per-tenant basis and to provide transparent access to the managed security service (MSS) across its entire client base.
When evaluating a SOAR solution, ensure that it lets your team collaborate with your customers through a single platform. When managed security service teams and their customers work from one platform, they can track previous actions, share gathered information, and view the investigative steps taken during an active incident. This capability can also be extended to teams outside the security team, such as the client's IT or Human Resources department, or even the MSS's threat research teams, ensuring that all interested parties have the access and information needed to operate as one consolidated security function.
Informed by our experience listening to customer problems and crafting solutions, at DFLabs we created an unbiased guide, "2020 MSSP Buyer's Guide for SOAR Solutions", to help you make the most informed decision based on your organization's individual requirements.
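Added example (not the original article's or any product's code) of the tenant segregation and controlled cross-tenant sharing discussed in the multi-tenancy and collaboration sections above: every access is checked against the owning tenant, external parties see an incident only through an explicit, action-scoped grant made by the owner, and each decision is audited. Tenant ids, roles and user names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple
MSSP = "mssp"                                        # hypothetical id of the provider's own tenant
ROLE_ACTIONS = {"viewer": {"read"}, "analyst": {"read", "comment", "act"}}

@dataclass
class User:
    name: str
    tenant: str                                      # customer org (or the MSSP) the user belongs to
    role: str                                        # "viewer" | "analyst"

@dataclass
class Incident:
    id: str
    tenant: str                                      # owning tenant
    grants: Dict[str, Set[str]] = field(default_factory=dict)   # other tenant -> allowed actions

class IncidentStore:
    def __init__(self):
        self.incidents: Dict[str, Incident] = {}
        self.audit: List[Tuple[str, str, str, bool]] = []   # (user, incident, action, allowed)

    def add(self, inc: Incident) -> None:
        self.incidents[inc.id] = inc

    def _permitted(self, user: User, inc: Incident, action: str) -> bool:
        if action not in ROLE_ACTIONS[user.role]:
            return False
        if user.tenant in (inc.tenant, MSSP):        # owner, or the provider operating the service
            return True
        return action in inc.grants.get(user.tenant, set())   # outsiders need an explicit grant

    def authorize(self, user: User, incident_id: str, action: str) -> bool:
        inc = self.incidents.get(incident_id)
        # Missing and forbidden both yield False, so one tenant cannot probe for another's
        # incident ids. Every decision, allowed or not, is logged for audit.
        allowed = inc is not None and self._permitted(user, inc, action)
        self.audit.append((user.name, incident_id, action, allowed))
        return allowed

    def list_for(self, user: User) -> List[str]:
        """Tenant-scoped listing: only incidents the user may read are ever returned."""
        return [i.id for i in self.incidents.values() if self._permitted(user, i, "read")]

    def share(self, owner: User, incident_id: str, with_tenant: str, actions: Set[str]) -> None:
        """Controlled sharing outside the owning tenant, granted only by its own analysts."""
        inc = self.incidents[incident_id]
        if owner.tenant != inc.tenant or owner.role != "analyst":
            raise PermissionError("only an analyst of the owning tenant can share an incident")
        inc.grants.setdefault(with_tenant, set()).update(actions)
```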