Executing a Successful SOAR Implementation: What to Avoid
Without a doubt, organizations are increasingly investing in Security Orchestration, Automation and Response (SOAR) solutions. Even though SOAR is relatively new to the market, more and more organizations are expected to implement a SOAR tool within their operations in the next few years. According to Gartner’s new Market Guide for SOAR Solutions report, “by year-end 2022, 30% of organizations with a security team larger than five people will leverage SOAR tools in their security operations, up from less than 5% today.”
Before we dive into some of the reasons why SOAR implementation can sometimes go wrong and what organizations should potentially avoid, let’s briefly start by outlining some of the main reasons why SOAR is becoming a necessity within security operations today.
Why are organizations increasingly implementing SOAR?
Companies struggle to combat many different types of increasingly sophisticated cyber threats and attacks. In this battle, organizations acquire multiple security tools or services, and before they know it, they have SIEM, anti-malware, EDR, sandboxing solutions, and many more. If we add to this that many of these solutions are not designed to communicate with one another, we end up with a complicated and challenging task ahead of us. And here comes the era of the SOAR solution. It brings together individual tools in a manner that allows security teams to manage and orchestrate them all from one single platform and pain of glass.
Increasing cyber attacks combined with a large number of tools can generate a growing volume of security alerts. Today, typical security operations teams are overwhelmed with the number of alerts they have to triage and examine, and they often state that managing this huge deluge of alerts daily is the biggest challenge they encounter. SOAR solutions mitigate this alert fatigue by enabling teams to automatically triage and close false positives, letting them focus on the threats that require their attention.
No More Staff Shortages
Every year the staff shortage issue seems to be worsening. Finding the right qualified experts in the field could take months. The alternative to this could be training existing teams to work more efficiently and effectively, utilizing their full potential, which is key in the process of SOAR implementation. SOAR helps to take away the mundade, repetitive and time consuming low level tasks to empower security teams to do more with less.
Teams can better solve security incidents if following a clearly defined set of processes and procedures, instead of trying to resolve similar alerts differently – practice that could allow ineffective processes to continue to exist. If analysts follow codified processes, they will handle alerts better, faster, and more effectively. This could be done by documenting tribal knowledge in playbooks inherent to SOAR solutions, also ensuring that processes are executed across the SOC team in the exact same way.
What to Avoid?
Now that we have a brief understanding of why SOAR solutions are increasingly being implemented within organizations, with an idea of the benefits they can bring, let’s now take a look at some of the elements that should potentially be avoided when implementing SOAR in order to realize its full potential. Like with any new solution, it will take time to implement and there are always many factors such as best practices and internal needs to consider. A number of these factors will also depend on the maturity level of your security operations and what existing tools, technologies, processes, procedures and importantly people are currently in place.
Discrepancy Between In-house Capabilities and SOAR
As with other technologies, implementing a SOAR solution could require a slightly different approach organization to organization or SOC to SOC, depending on its objectives, maturity and skill set. To make sure you have smooth SOAR implementation, it is important to choose a solution that is in line with the in-house capabilities of your SOC experts. Many SOAR vendors offer professional services to assist with implementation or customization of the solution, which can bridge the gap between in-house capabilities and implementation requirements. If professional services are required for a successful implementation, this should be discussed and planned during the purchase of the SOAR solution, not during the implementation stages.
Rush to Automate Every Single Process
SOAR solutions, as the “A” suggests, automate security operations processes, so as soon as organizations embark on a new SOAR project, they may rush to automate any type of process there is. And this is where the problems arise. Why? Because as much as automation improves many existing processes, it can worsen a process that is already flawed, or a process that is not fully implemented. To avoid this, security teams should ensure the processes are fully defined and outlined before they create playbooks for them. As you consider implementing a SOAR solution, also see if there are some standardized playbooks included to get your team started.
Trying to automate all processes at once also bears other risks. Firstly, if you do this, it will be hard for you to conclude if the failure is due to the automation or not, because if the processes you’re trying to automate aren’t tested, you’ll be tempted to blame automation for the failure. This can deter some teams from employing automation all together. Moreover, many security analysts and experts are aware that not every step within every process can be fully automated. Some more complex issues still need some attention from a human expert. Therefore, the process of SOAR implementation often means finding the ideal middle point between machine and analyst-driven activities for your particular needs, and there are some solutions out there, such as IncMan SOAR from DFLabs, which lets you do both within one workflow.
At the beginning of the implementation stage you should prioritize the processes that can easily be automated and those that need to be automated, and implement SOAR in these areas first. You can then continue with careful assessment of other areas that cause pain points that could benefit from being automated, and over time, as you build in success and confidence, phase in further automation as required.
SOAR Implementation Is an Ongoing Process
SOAR implementation is not something that you are finished with in a day and then simply move on to other priorities. You have to pay close attention to the procedures and techniques to fight constantly changing cyber threats, while analysts need to monitor, run tests, and continuously improve the processes to ensure they are fully up to date once they are automated. In this way, you will keep up with any changes that are required and this will help to ensure that you are on the road to SOAR success.
SOAR Is Not a Silver Bullet
Let’s face it – there’s no single solution out there on the market that will solve all issues a security team faces, and this unfortunately is the reality. With the use of a SOAR solution, it can help security teams and the wider organization to utilize what they already have, and it will drive improvements throughout many processes to improve their effectiveness and efficiency.
Before your organization embarks on a SOAR journey, make sure you understand the uses for it and where it can really add value to the business. Ensure you have the right tools, technologies, processes and people in place, as well as the metrics to measure its success, and with the successful implementation of SOAR you can take your SOC to the next level.
If you are currently in the process of evaluating SOAR solutions and vendors our recent Enterprise SOAR Buyer’s Guide may be of assistance.