How to Implement a SOAR Solution Successfully


In my recent blog posts, I discussed the core factors and critical functions of a SOAR solution. Before beginning the assessment of any SOAR solution, an organization needs to understand, assess and analyze its current security program so that it can fully define the problems it is trying to solve.

Defining the Problem before Implementing a SOAR Solution

Before you begin evaluating potential SOAR solutions and vendors, or any potential solution for that matter, it is crucial to answer a few fundamental questions. The answers to these questions should become the principal criteria guiding the process from evaluation to deployment and project completion. If the answers to these questions are not thoroughly defined at the beginning of the process, the expected and designed results of the solution will likely be adversely affected.

Best Practice Questions to Ask before incorporating a SOAR Solution

In this blog I will cover a number of fundamental best practice questions which should be answered before investing in a SOAR solution. I will also briefly discuss how to evaluate a solution and vendor in order to provide you with an unbiased guide to assessing SOAR solutions, informed by DFLabs’ and my own previous experience listening to customer problems and crafting unique solutions, as well as impartial information gained from leading industry analysts. So let’s begin.

What is the problem we are trying to solve?

A SOAR solution can solve any number of problems; some better than others. It is crucial to define which problems are most important for your organization to solve. Some of the most common problems organizations look to a SOAR solution to solve are:

  • Too many alerts to handle with available staff

  • Lack of qualified staff to fill positions

  • Repetitive, manual processes requiring large amounts of the staff’s time

  • Lack of incident management capabilities

  • Undocumented or inconsistent processes

  • Inability to record and generate metrics

  • Need to comply with regulations, standards and best practices

Once the problems have been identified, each solution can be evaluated as to how well it solves these problems.

Setting Goals Before Evaluating SOAR Solutions

How will success be measured?

The answer to this question is closely tied to the previous question. Ideally you should identify at least one measurement of success for each identified problem. Any measurement should be as clear, objective and easy to measure as possible. For example, if one of the problems the organization is trying to solve is an unacceptably high time to respond to an alert, you may decide to measure success by the reduction in the average time to respond to alerts.

Once you have defined what you will measure, define the goal you wish to achieve for each measurement. Put another way: if we implement this solution, what outcome do we expect? To be an effective measurement of success, goals should be SMART: Specific, Measurable, Attainable, Relevant and Time-Based. Goals which do not meet all five criteria are unlikely to give you an accurate measure of the success of your project. For example, a goal may be to reduce the average time to respond to alerts by 50% over the next year.

Some other questions to consider before beginning your research and evaluation of Security Orchestration, Automation and Response (SOAR) Solutions:

  • What are the critical milestones for this project?

  • What is the value-add of combining a SOAR solution with existing security technologies?

  • Which features are must-haves? Which are nice-to-haves?

  • Which integrations are must-haves? Which are nice-to-haves?

  • What are the technical and implementation requirements?

  • What is the budget for this project?

With the answers to these critical questions thoroughly defined, documented and shared with the entire evaluation team, you should be ready to begin an evaluation of SOAR solutions which will provide you the best solution for your organization’s specific needs.

Watch out for my upcoming blog on the next steps of how to evaluate a SOAR solution and SOAR vendor or, if you can’t wait, download our recently published Enterprise Buyer’s Guide to SOAR. If you currently have a SOAR project on the cards and are already in the process of evaluating solutions and vendors, why not get in touch to see what DFLabs’ IncMan SOAR solution has to offer?
