SOAR Solutions: Key Things C-Suite Should Know


DFLabs’ CEO and Founder, Dario Forte, recently took part in a panel discussion hosted by Peerlyst on what C-suite executives should know about Security Orchestration, Automation and Response (SOAR) solutions.

Joined by industry leading experts from Alite Group, Duo Security and ThreatConnect, the discussion was moderated by Anton Chuvakin, VP Distinguished Analyst at Gartner, who has many years of experience in the security field and has led a number of research projects around security operations including SOAR.

The term SOAR was coined by Gartner in 2017 to describe the convergence of three technology markets: Security Orchestration and Automation (SOA), Security Incident Response Platforms (SIRP) and Threat Intelligence Platforms (TIP). Gartner defines SOAR as:

“Technologies that enable organizations to collect security data and alerts from different sources. SOAR allows incident analysis and triage to be performed leveraging a combination of human and machine powers. This helps define, prioritize and drive standardized incident response activities according to a standard workflow”.

The aim of this blog post is to provide an overview of some of the key points and questions raised about SOAR solutions during their discussions, detailing some of their answers and opinions, including:

  • What are the problems and challenges most directly addressed by implementing SOAR?

  • Can SOAR technology reduce current headcount in security operations and/or save company money?

  • How does SOAR differentiate in a way that doesn’t make existing tools redundant?

  • What can we realistically hope to automate with a SOAR solution?

  • Can you automate something before defining a particular workflow or process?

  • What have you seen successfully implemented that has delivered lasting value?

  • Do you think there are operations and processes only achievable with a SOAR solution that can not be done manually?

  • What lessons can be learned from implementing SOAR and are there any challenges organizations and/or vendors face?

What Are the Problems and Challenges Most Directly Addressed by Implementing SOAR?

SOAR can address many security challenges and pain points because it provides a centralized place for managing security operations processes, covering both the human and the machine elements. It lets security operations teams standardize automated workflows as well as human ones, so that analysts consistently carry out the same tasks in a measured, methodical way by following a defined process. SOAR also blends human and automated workflows together so that they can scale, while providing accountability and tracking for both, something that has historically been difficult to achieve in security operations.

Case management is one area where a SOAR solution helps in particular. Security operations teams typically do not own the case management and ticketing systems used across the organization; those are usually deployed by other departments such as IT operations, and they normally handle the incident process. Security operations teams therefore tend to look to SOAR as a dedicated place to track their cases in a more defined way. This gives the team specialist focus on the incidents at hand on a platform of its own, which can be segregated from the rest of the organization, something that is usually also important from a compliance standpoint.

Today the typical SOAR use case is tied to an organization’s SIEM, but other use cases are often overlooked. SOAR can and should be expanded beyond the SIEM integration so that its capabilities are not limited. One example is physical security, where playbooks can be developed to monitor staff access to secure areas within the organization and flag unusual activity immediately. The range of applications for SOAR across the organization is much wider than first anticipated, and its benefits are not confined to the security operations center; this breadth is one of its unique aspects, unlike any other automation and orchestration solution.

Can SOAR Technology Reduce Current Headcount in Security Operations and/or Save Company Money?

It is very rare to hear anyone in security operations say there are too many people. Most organizations that are evaluating SOAR or have already deployed it do so because they are short staffed and need to improve efficiency. SOAR should be seen as the logical answer to that problem: it acts as a force multiplier, enabling the existing team of professionals to do more with less, and in doing so improves both the team’s performance and the effectiveness of the overall security program.

SOAR is also a very important solution for MSSPs as well as for enterprises, who suffer from the same issues, such as the shortage of skilled workforce, just on a much larger scale multiplied by the number of customers they are supporting. SOAR can significantly save time and money by increasing efficiencies through automating and orchestrating a number of mundane and repetitive tasks requiring less human involvement in some areas, but even with machine learning and artificial intelligence capabilities in the mix, human analyst input is still required within the overall process.

How Does SOAR Differentiate in a Way That Doesn’t Make Existing Tools Redundant?

An organization needs to understand the problems it is trying to solve, know which technologies are already in its tool stack and assess which new ones are actually needed. With the influx of tools on the market, security operations needs to do its due diligence before an investment is made, and a number of solutions and vendors should be evaluated to ensure the organization’s individual requirements and use cases can be met.

For example, SOAR was not built to replace the SIEM. It may perform some of the same tasks, but it was ultimately designed to enhance existing SIEM capabilities. Independent of the SIEM and the other tools, it sits as an overlay platform within the SOC, orchestrating those tools and technologies together and fulfilling the decision-making function.

What Can We Realistically Hope to Automate with a SOAR Solution in Security Operations?

As previously mentioned, SOAR has a wide range of uses, whether in security operations, physical security, vulnerability management, IoT or elsewhere, and technically it is able to automate every stage of the incident response lifecycle through to remediation. Today, however, organizations tend to apply automation mainly in the triage stage of an incident, to collect and collate information. Typical use cases are phishing and malware analysis; a more unusual one has been seen in cyber fraud, where a transactional fraud system could not automate the last mile of the investigation and SOAR was brought in to cover that step.

Over time, as SOAR becomes a more widely used solution, specific use cases will expand and this could be in any aspect where a response in the form of a decision or prevention action is required.
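The triage-stage automation described above, and the point made further on that a playbook should encode an already-defined process, can be made concrete with a small playbook runner. The following is an added example and is not IncMan SOAR or any DFLabs code; the phishing reports, the "threat intelligence" list and the scoring thresholds are all constructed for illustration and stand in for the SIEM, mailbox and TIP integrations a real deployment would use. It shows the shape of a triage playbook: automated enrichment steps collect and collate indicators, a decision step routes the case, and containment of a confirmed-bad case is gated behind a human approval callback rather than executed blindly.

```python
"""
Minimal SOAR-style triage playbook (added example, not DFLabs/IncMan code).

Alerts (constructed user-reported phishing emails) are enriched automatically,
scored, and routed: benign cases are auto-closed, ambiguous cases are escalated
to an analyst, and confirmed-bad cases are contained only after a human approves.
"""
import re
from dataclasses import dataclass, field

# Constructed stand-in for a threat-intelligence feed / TIP lookup.
KNOWN_BAD_DOMAINS = {"login-secure-update.example", "invoice-portal.example"}
# Constructed list of domains the organization treats as internal.
CORPORATE_DOMAINS = {"corp.example"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s\"'<>]*")
LURE_WORDS_RE = re.compile(r"urgent|password|verify", re.IGNORECASE)

# Hypothetical thresholds; a real playbook would tune these per organization.
ESCALATE_AT = 20
CONTAIN_AT = 50


@dataclass
class Alert:
    alert_id: str
    reporter: str
    sender: str
    subject: str
    body: str


@dataclass
class Case:
    alert: Alert
    indicators: set = field(default_factory=set)
    score: int = 0
    timeline: list = field(default_factory=list)  # audit trail of every step
    disposition: str = "open"


def extract_domains(text):
    """Collect hostnames from every URL in the message body."""
    return {m.group(1).lower() for m in URL_RE.finditer(text)}


def step_enrich(case):
    """Automated enrichment: indicator extraction and intel/heuristic scoring."""
    case.indicators = extract_domains(case.alert.body)
    bad = case.indicators & KNOWN_BAD_DOMAINS
    case.score += 50 * len(bad)                      # known-bad URL domain
    sender_domain = case.alert.sender.split("@")[-1].lower()
    if sender_domain not in CORPORATE_DOMAINS:
        case.score += 10                             # external sender
    if LURE_WORDS_RE.search(case.alert.subject):
        case.score += 15                             # credential-lure wording
    case.timeline.append(
        f"enrich: indicators={sorted(case.indicators)} bad={sorted(bad)} score={case.score}"
    )


def step_decide(case, approve):
    """Decision step: auto-close, escalate, or contain with human approval."""
    if case.score < ESCALATE_AT:
        case.disposition = "closed_benign"
    elif case.score < CONTAIN_AT:
        case.disposition = "escalated_to_analyst"
    elif approve(case):
        # Human-in-the-loop gate: automation proposes containment, an analyst
        # confirms it before the (simulated) blocking actions run.
        case.disposition = "contained"
        case.timeline.append("contain: sender blocked, URL quarantined (simulated)")
    else:
        case.disposition = "contain_rejected"
    case.timeline.append(f"decide: {case.disposition}")


def run_playbook(alert, approve=lambda case: True):
    """Run the enrich -> decide playbook and return the case with its audit trail."""
    case = Case(alert=alert)
    step_enrich(case)
    step_decide(case, approve)
    return case


if __name__ == "__main__":
    reports = [
        Alert("A-1", "alice@corp.example", "hr@corp.example", "Team lunch",
              "Menu at https://intranet.corp.example/lunch"),
        Alert("A-2", "bob@corp.example", "it-support@mail.example",
              "URGENT: verify your password",
              "Click https://login-secure-update.example/reset today"),
        Alert("A-3", "carol@corp.example", "news@partner.example",
              "Please verify invoice", "See https://files.partner.example/inv.pdf"),
    ]
    for a in reports:
        c = run_playbook(a)
        print(a.alert_id, c.disposition, c.timeline)
```

The `approve` callback is where a real platform would pause the playbook and wait for an analyst task to be completed; passing a function that returns `False` models the analyst rejecting the proposed containment, and the case timeline records either outcome so the decision is auditable.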

Can You Automate Something Before Defining a Particular Workflow or Process?

In most cases, proper planning and preparation are the key to success, and the implementation of SOAR is no different. SOAR is the tool that makes technology work within an existing, operationalized process, so it is important for an organization to have well-defined processes in place before trying to apply a SOAR solution to them.

That said, SOAR can also help to redefine existing processes in ways that further streamline operations, and it can make it feasible to implement processes and workflows that would not have been practical without it.

What Have You Seen Successfully Implemented That Has Delivered Lasting Value?

Success can be measured in a multitude of ways and will depend on a number of factors, including but not limited to geography, size, maturity of the organization, as well as defining the time period in which it will be measured. To date SOAR projects have been very effective in security operations by freeing up valuable analyst time. By automating the low level, mundane and repetitive tasks, analyst time can be better spent prioritizing and focusing on more proactive tasks such as threat hunting and analysis, as well as overcoming more complex problems. Essentially the value provided through automation allows for faster triage and remediation, as well as shifts the value of existing staff to better utilize their talent.

Are There Operations and Processes Only Achievable with a SOAR Solution that Can Not be Done Manually?

For MSSPs specifically, it is very difficult to meet customer SLAs when processes are carried out manually. SOAR has had a huge impact in this sector by enabling well-executed playbooks and runbooks to drive automation, and in this setting automation is far more effective at meeting SLAs than manual processes, providing better value to customers along with cost savings and a competitive differentiator for the MSSP.

Technically, SOAR does not replace existing processes; it makes them more efficient and enables faster responses through automation, reducing some tasks from potentially hours to minutes in many instances. But SOAR is not only about automation: it is the codification of processes, with automation woven in where needed.

SOAR provides speed and scale, and some processes simply cannot scale manually, which is another of its unique features. As with most innovations, things become bigger, better, faster and smarter, and combining SOAR with existing security operations enables exactly that.

What Lessons Can Be Learned from Implementing SOAR and Are There Any Challenges Vendors Face?

When implementing a new technology solution, whether SOAR or otherwise, it is key to be able to deliver and prove value within a defined time frame. With SOAR it is practical to start with the organization’s pre-existing, traditional use cases and to address the simplest problems that automation can fix, for example removing departmental silos, using tools collectively and sharing information across the breadth of the organization. A new solution also shows value more quickly once there is buy-in from other departments, and obtaining that buy-in is usually one of the biggest challenges security operations has to overcome.

As mentioned earlier, it is crucial that the SOC has set processes, workflows and playbooks in place operationally before attempting to implement a SOAR solution. Without operationally sound processes and procedures to build upon, organizations run the risk of automating, and taking containment actions on, the wrong things.

Integration with other operational and departmental tools is also an important factor to maximize operational capabilities, but with a SOAR solution, more integrations does not necessarily mean better. Organizations are now more than ever before looking for quality over quantity and with a SOAR solution this may include an open architecture, speed of implementing new integrations, flexibility, and its overall completeness to fulfil the organization’s needs.

Finally, implementation of any new program can be overwhelming and it is important that the organization has a unified strategy outlined from the beginning, alongside the quick wins it wants to initially achieve by using the solution. Having a bigger vision, broader strategy and ensuring the use of SOAR aligns with the overall vision of the security program is key to its success.

Hopefully this blog has provided you with a good overview of what can be achieved with a SOAR solution, along with valuable insights from experts within the industry. The full recording of the panel discussion is now available on-demand from Peerlyst.

If you would like to know more about DFLabs’ SOAR solution, IncMan SOAR, you can reach out for a personalized demo, or alternatively join our Community.
