When it comes to evaluating a SOAR solution and a SOAR vendor for that matter, it is important to understand the requirements of the organization and its security program, including their individual set of problems and overall goals they are trying to achieve.
As mentioned in my previous blog post “4 Core Functions of a Security Orchestration, Automation and Response (SOAR) Solution”, no two SOAR solutions (or vendors) will be the same. Some functions of a SOAR solution may be more important than others, but there are three critical factors that are essential for any organization when it comes to utilizing a SOAR solution to its fullest potential and improving the overall effectiveness and efficiency of the organization’s security program. These are customizability, collaboration and information sharing, and multitenancy.
In this blog post, I will briefly discuss these three factors in more detail and touch on several others that should be considered before and when evaluating a SOAR solution and SOAR vendor.
No two SOAR vendors offer identical security programs, and this is especially true across vertical lines. For a SOAR solution to be effective, it should be capable of adapting to the environment and becoming a tool on top of the existing security stack. A “one size fits all” approach to SOAR leaves customers with a solution that does not adequately address all of their use cases, forcing them to look to other tools to fill the gaps.
A SOAR solution must be flexible in its implementation, in the data it collects and in the way it integrates with other security tools (discussed in more detail in the following section). SOAR vendors should offer solutions that can be implemented in a manner optimized for Computer Security Incident Response Teams (CSIRTs) as well as Security Operations Centers (SOCs), Managed Security Service Providers (MSSPs), and security teams. Data input from a multitude of sources, including bidirectional technology integrations, email, user submissions, and manual input, should be supported. Because security metrics matter, customers should be able to customize not only the information available in the solution but also which attributes are tracked. Higher customizability of the SOAR solution results in greater ease of use and a better fit for the customer, as well as substantially increased ROI.
Incident response is not a one-player sport. Response to a security incident will likely involve multiple individuals and potentially multiple teams, and even multiple organizations. To be effective in a team environment, a SOAR solution must support seamless collaboration and information sharing between team members in a controlled manner. Authorized team members should have instant access to the status of the incident they are collaborating on, to any information gathered, and to the actions performed by other team members. Team members should also be able to communicate securely within the SOAR platform, providing an out-of-band communication mechanism when other mediums may not be trusted.
Collaboration and information sharing must also be possible outside of the organization itself. This is especially true in the context of threat intelligence. Open sharing of threat intelligence, when possible, is a critical tool in fighting cybercrime. There are numerous avenues available to share threat intelligence, open, closed and industry-specific. The majority of these threat intelligence sharing programs utilize one of the open standards for threat intelligence, such as STIX/TAXII, OpenIOC or MISP. A SOAR solution should support both the ingestion and sharing of threat intelligence information via these common standards in a controlled and secure manner.
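As an added illustration of the “controlled and secure manner” mentioned above, the following Python is example code written for this post, not DFLabs or IncMan code. It ingests a constructed STIX 2.1 bundle and releases indicators to an audience only when their TLP marking permits it. The bundle, its object ids and the audience-to-TLP policy are all assumptions made for the example; a real bundle would carry the fixed TLP marking-definition ids from the STIX specification, which is why the code resolves markings from the bundle instead of hardcoding ids.

```python
import json

# Constructed sample STIX 2.1 bundle (placeholder ids, not real data).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "marking-definition", "spec_version": "2.1",
         "id": "marking-definition--00000000-0000-4000-8000-0000000000a1",
         "created": "2019-01-01T00:00:00.000Z",
         "definition_type": "tlp", "definition": {"tlp": "green"}},
        {"type": "marking-definition", "spec_version": "2.1",
         "id": "marking-definition--00000000-0000-4000-8000-0000000000a2",
         "created": "2019-01-01T00:00:00.000Z",
         "definition_type": "tlp", "definition": {"tlp": "amber"}},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000001",
         "created": "2019-01-02T00:00:00.000Z", "modified": "2019-01-02T00:00:00.000Z",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.10']",
         "valid_from": "2019-01-02T00:00:00.000Z",
         "object_marking_refs": ["marking-definition--00000000-0000-4000-8000-0000000000a1"]},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2019-01-02T00:00:00.000Z", "modified": "2019-01-02T00:00:00.000Z",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'bad.example']",
         "valid_from": "2019-01-02T00:00:00.000Z",
         "object_marking_refs": ["marking-definition--00000000-0000-4000-8000-0000000000a2"]},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2019-01-02T00:00:00.000Z", "modified": "2019-01-02T00:00:00.000Z",
         "pattern_type": "stix", "pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
         "valid_from": "2019-01-02T00:00:00.000Z"},  # no marking at all
    ],
})

# TLP ordering, most to least restrictive. "clear" is the newer name for "white".
TLP_RANK = {"white": 0, "clear": 0, "green": 1, "amber": 2, "red": 3}

# Assumed sharing policy: the most sensitive TLP level each audience may receive.
AUDIENCE_MAX_TLP = {"public": "clear", "trusted_community": "green", "internal": "red"}


def load_bundle(text):
    """Parse a STIX bundle from JSON and reject anything that is not one."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle" or not isinstance(bundle.get("objects"), list):
        raise ValueError("not a STIX bundle")
    return bundle


def tlp_markings(bundle):
    """Map marking-definition ids in the bundle to their TLP colour."""
    out = {}
    for obj in bundle["objects"]:
        if obj.get("type") == "marking-definition" and obj.get("definition_type") == "tlp":
            tlp = str(obj.get("definition", {}).get("tlp", "")).lower()
            if tlp in TLP_RANK:
                out[obj["id"]] = tlp
    return out


def indicator_tlp(indicator, markings):
    """Return the most restrictive TLP on an indicator, or None when it cannot be determined.
    Unmarked indicators and references to unknown markings fail closed (None)."""
    refs = indicator.get("object_marking_refs", [])
    if not refs:
        return None
    levels = []
    for ref in refs:
        if ref not in markings:
            return None
        levels.append(markings[ref])
    return max(levels, key=lambda t: TLP_RANK[t])


def shareable_indicators(bundle_text, audience):
    """Ingest a bundle and return the ids of indicators that may be released to `audience`."""
    bundle = load_bundle(bundle_text)
    markings = tlp_markings(bundle)
    limit = TLP_RANK[AUDIENCE_MAX_TLP[audience]]
    allowed = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or not obj.get("pattern"):
            continue  # only well-formed indicators are considered
        tlp = indicator_tlp(obj, markings)
        if tlp is not None and TLP_RANK[tlp] <= limit:
            allowed.append(obj["id"])
    return allowed


if __name__ == "__main__":
    for audience in AUDIENCE_MAX_TLP:
        print(audience, shareable_indicators(SAMPLE_BUNDLE, audience))
```

The design choice worth noting is that an indicator with no marking, or with a marking the platform cannot resolve, is never released outside the organization: a sharing feature that defaults to open is exactly the kind of uncontrolled disclosure the paragraph above warns against.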
Many large enterprises have multiple internal security teams performing unique sets of tasks. In some instances, it may not be appropriate for some internal teams to have access to the data collected by other internal teams. MSSPs are also increasingly turning to SOAR solutions as a force multiplier and require very strict segregation of customer data.
In either case, it is not cost-effective to deploy an individual SOAR solution for each team or customer. A SOAR solution must be capable of supporting multiple instances on a single host, providing accurate data segregation and access controls for each tenant’s information.
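To make the multitenancy requirement concrete, here is an added Python example (written for this post; it is not IncMan or DFLabs code) of the data segregation and access control a tenant-aware incident store needs. The tenant names, principals and incident titles are constructed for the example. Every lookup is keyed by tenant as well as incident id, every access is authorized against the principal's tenant grants, and denied attempts are recorded so that cross-tenant probing can be detected.

```python
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    tenants: frozenset  # tenants this user may access; an MSSP analyst may hold several


@dataclass
class Incident:
    id: str
    tenant: str
    title: str
    status: str = "open"


class TenantIncidentStore:
    """In-memory incident store where tenant isolation is enforced on every operation."""

    def __init__(self):
        self._by_tenant = {}          # tenant -> {incident_id: Incident}
        self._ids = itertools.count(1)
        self.audit = []               # (actor, action, tenant, incident_id, outcome)

    def _authorize(self, principal, tenant, action, incident_id=None):
        allowed = tenant in principal.tenants
        self.audit.append((principal.name, action, tenant, incident_id,
                           "allow" if allowed else "deny"))
        if not allowed:
            raise PermissionError(f"{principal.name} may not {action} in tenant {tenant}")

    def create(self, principal, tenant, title):
        self._authorize(principal, tenant, "create")
        inc = Incident(id=f"INC-{next(self._ids):04d}", tenant=tenant, title=title)
        self._by_tenant.setdefault(tenant, {})[inc.id] = inc
        return inc

    def get(self, principal, tenant, incident_id):
        # The tenant is part of the lookup key: an id on its own never resolves a
        # record, so an id belonging to another tenant yields nothing even for a
        # caller who is authorized in the tenant they named.
        self._authorize(principal, tenant, "read", incident_id)
        return self._by_tenant.get(tenant, {}).get(incident_id)

    def list_incidents(self, principal, tenant):
        self._authorize(principal, tenant, "list")
        return sorted(self._by_tenant.get(tenant, {}).values(), key=lambda i: i.id)

    def denied_attempts(self):
        """Audit entries a SOC would alert on: attempts to reach another tenant's data."""
        return [entry for entry in self.audit if entry[4] == "deny"]


def demo():
    """Constructed scenario: two customer tenants and one MSSP analyst serving both."""
    store = TenantIncidentStore()
    alice = Principal("alice@acme", frozenset({"acme"}))
    bob = Principal("bob@globex", frozenset({"globex"}))
    carol = Principal("carol@mssp", frozenset({"acme", "globex"}))

    a1 = store.create(alice, "acme", "Phishing report")
    store.create(bob, "globex", "Suspicious login")

    results = {}
    # The MSSP analyst sees both tenants, each through its own scoped query.
    results["mssp_sees"] = [i.id for t in ("acme", "globex")
                            for i in store.list_incidents(carol, t)]
    # A customer user trying to read another tenant's incident is refused.
    try:
        store.get(bob, "acme", a1.id)
        results["cross_tenant"] = "allowed"
    except PermissionError:
        results["cross_tenant"] = "denied"
    # Even an authorized caller cannot reach a record by id under the wrong tenant.
    results["wrong_scope"] = store.get(carol, "globex", a1.id)
    results["denied"] = len(store.denied_attempts())
    return results


if __name__ == "__main__":
    print(demo())
```

The point the store makes is that segregation cannot be a filter applied after the fact: if records were fetched by id alone and then checked, a single forgotten check would expose another customer's incident, whereas keying storage by tenant leaves nothing to forget.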
Before evaluating a potential SOAR solution and vendor, it is also important to answer a few fundamental questions, formulated from the principal criteria that guide the process from initial evaluation through deployment and project completion. If the answers to these questions are not thoroughly defined at the outset, the organization risks investing enormous time and money in a solution that may not achieve the anticipated outcome and may have a net negative impact on the organization over time.
For further information about how to evaluate a potential SOAR solution and SOAR vendor, read our latest 2019 Enterprise SOAR Buyer’s Guide which aims to provide an unbiased guide to assessing the maturing market of SOAR solutions.
DFLabs / 24 Jul 2018
DFLabs / 9 Apr 2019
DFLabs / 29 Nov 2017