Security Orchestration, Automation and Response In Poland: How Far Has It Come?

Back to all articles

Security Orchestration, Automation and Response

Following another successful Security Case Study (SCS) Conference which took place last week in Warsaw, we took some time to talk more in-depth with our local partner in the region who we participated with. As an established cybersecurity expert and Vice President of Orion Instruments Polska, Piotr Brogowski has been in the industry for over 20 years, while partnering with DFLabs for the past four years. During our chat we asked him to share his insights on the current state of affairs of cybersecurity in Poland, especially with regards to effective security operations and incident response, as well as how he envisioned the uptake and adoption of Security Orchestration, Automation and Response (SOAR) solutions to develop in the months ahead.

How Much Is Being Invested In Cybersecurity In Poland?

According to Canalys forecasts for August 2019, cybersecurity investment worldwide is forecast to grow on average by 7.2% each year between 2018 and 2023, with EMEA slightly less at 6.5%. Spending, on the other hand, will increase from US$ 36.6 billion to US$ 51.8 billion worldwide and from US$11.6 billion to $15.9 billion in EMEA during this period. Growth and spending in Poland is estimated by Piotr to be at similar rates to these statistics. As expected, spending is likely to grow in line with increasing vulnerabilities, as organizations deal with legacy issues and address new threats. Large businesses with 500+ employees will drive most investment in cybersecurity in the region. According to Forbes Insight report “Cybersecurity Insights: Security in the Digital Era”, 23% of surveyed companies in Poland use at least 26 different security tools with 90% planning to buy more within three years.

Worldwide vulnerabilities and the increasing need for threat management will remain the key drivers for this cybersecurity investment, especially for investment in SOAR solutions. Organizations will continue to increase investment in improving their threat detection efforts with the aim to produce fewer false positive alerts, while striving to improve their incident management capabilities, in order to be able to respond to security incidents in the fastest possible time frame before they potential lead to a full blown breach. This particular cybersecurity segment is evolving from more traditional logging and monitoring efforts, to now incorporating more complex threat intelligence and behavior analysis into organizations’ daily operations.

The remedy for the problems outlined above can be found by adopting a SOAR solution, which, according to Gartner’s Market Guide for Security Orchestration, Automation and Response Solutions, converges three capabilities into a single solution: a platform for orchestrating and automating security tools, procedures and teams (SOA – Security Orchestration and Automation), a platform for managing the entire incident response lifecycle (SIRP – Security Incident Response Platform) and a platform for threat intelligence and knowledge sharing (TIP – Threat Intelligence Platform).

The Increasing Adoption of SOAR

Only three years ago, relatively few people in Poland knew the term SOAR, although almost every major company already had a Security Information and Event Management (SIEM) system in place at the time. When we presented DFLabs’ IncMan SOAR platform at the SCS Conference in Warsaw back in 2018, many people who we talked to knew what SOAR was, but were only at the early stages of researching it to discover its capabilities, and were not at the stage of considering such an implementation. Today, the Polish market seems to be maturing, especially when it comes to SOAR implementation. Almost all organizations within the enterprise and corporate sector are now already using some form of SOAR solution, are at the stage of choosing a vendor to provide a solution, or are seriously considering implementing it in the near future.

CISOs in Poland clearly understand that cybersecurity professionals within their organizations spend most of their time addressing high priority or emergency issues and not enough time on strategy or process improvement. In other words, security operations center (SOC) teams are in constant firefighting mode. This creates a self-perpetuating cycle where nothing ever improves, leading to employee burnout and high attrition rates. Threat detection and response is anchored by manual processes that hinder their ability to keep up. Moreover, most organizations do not have the tools and processes in place to operationalize threat intelligence, making it difficult to compare on-premises security incidents with what’s happening “in the wild”. Without current knowledge about cyber-adversary tactics, techniques and with proper procedures in place, organizations cannot really know who is attacking them, how these attacks are conducted, and how they can overcome them. This builds a compelling business case for the need to implement SOAR.

Understanding The Full Benefits of SOAR

Today, Piotr confirmed that the typical use case for SOAR in Poland was tied in with an organization’s SIEM tool, but he is keen to further educate SOC teams in Poland of the full benefits it has to offer and the other features and capabilities it has, most importantly being able to integrate with any security tool in the tool stack.

A very important issue it helps to solve is enabling the existing SOC teams to do more with less, enabling them to improve their performance and the overall security program effectiveness without having to employee more headcount. SOAR can significantly save time and money by increasing efficiencies through automating and orchestrating a number of mundane and repetitive tasks requiring less human involvement in many areas. Using this mechanism, analyst time can be better spent prioritizing and focusing on more proactive tasks such as threat hunting and analysis, as well as overcoming more complex problems. SOAR can also help to redefine existing processes that can further facilitate operations and help to implement some processes and workflows that perhaps wouldn’t have been feasible to implement without it.

Piotr went on to confirm that most of Orion Instrument Polska customers use at least a few basic functionalities of a SOAR solution. The most common ones are automation of IR process (especially Runbooks), orchestration of different security tools including bidirectional integrations with often very rare systems, collaboration and information sharing and last but not least measurement (in terms of metrics, reports and KPI). The latter functionality is extremely important not only from the point of view of the internal needs of the organization but also often necessary to demonstrate compliance with the required regulations which is particularly important for financial institutions.


Although the adoption of SOAR is on the rise, there is still a lot of work to be done in terms of educating organizations and their security operations teams about the benefits of implementing a SOAR solution, and how it can ultimately help them to overcome a range of challenges and pain points which are common in every SOC regardless of industry. With threats only expected to increase in terms of volume and their levels of sophistication, the struggle to combat these threats will only continue. Together with DFLabs, Orion Instruments Polska is committed to raising the awareness among industry stakeholders in order to take incident response and security operations to the next level through the increased adoption of SOAR.

Get Started with a One-to-One Personalized Demo

Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.

See IncMan SOAR in Action.

Request a demo