SOAR Technology – What Problems Are We Trying To Solve?
Increasing Adoption of SOAR Solutions
Over the past several years, Security Orchestration, Automation and Response (SOAR) has gone from being viewed as a niche product to one gaining traction across almost all industry verticals. Today, more and more private organizations, MSSPs and governments are turning to SOAR Technology to address previously unsolved problems in their security programs. SOAR is about taking action: “Automate. Orchestrate. Measure”. Organizations are implementing a SOAR solution to improve their incident response efficiency and effectiveness by orchestrating and automating their security operations processes. Gartner estimates that by 2019, 30% of mid to large-sized enterprises will leverage a SOAR technology, up from an estimated 5% in 2015.
In this three-part blog, we will discuss the key drivers for SOAR adoption and what problems a SOAR solution can help solve. In the next blog, the second part of this three-part blog, we will discuss the three pillars of Security Orchestration, Automation and Response (SOAR). Finally, we will round out the series by discussing the critical components and functionality that a SOAR solution should contain.
Five Key Problems SOAR Technology Helps to Solve
Like many new product categories, Security Orchestration, Automation and Response (SOAR) technology was born from problems without solutions (or perhaps more accurately, problems which had grown beyond the point that they could be adequately solved with existing solutions). To define the product category more accurately, it is crucial to first understand what problems drove its creation. There are five key problems the SOAR market space has evolved to address.
- Increased workload combined with budget constraints and competition for skilled analysts means that organizations are being forced to do more with less
As the number and sophistication of threats has grown over the past decade, there has been an explosion in the number of security applications in the enterprise. Security analysts are being forced to work within multiple platforms, manually gathering desperate data from each source, then manually enriching and correlating that data. Although it may not be as difficult to find security analysts as it once was, a truly skilled security analyst is still somewhat of a rare breed. Intense competition for these skill analysts means that organizations must often choose between hiring one highly skilled analyst, or several more junior analysts.
- Valuable analyst time is being consumed sorting through a plethora of alerts and performing mundane tasks to triage and determine the veracity of the alerts
Even when alerts are centrally managed and correlated through a SIEM, the number of alerts is often overwhelming for security teams. Each one of these alerts must be manually verified and triaged by an analyst. Alerts which are determined to be valid then require additional manual research and enrichment before any real action can be taken to address the potential threat. While these manual processes are taking place, other alerts sit unresolved in the queue and additional alerts continue to roll in.
- Security incidents are becoming more costly, meaning that organizations must find new ways to further reduce the mean time to detection and the mean time to resolution
The cost of the average incident has increased steadily year on year. The immediate cost of an incident due to lost sales, employee time spent, consulting hours, legal fees and lawsuits is relatively easy to quantify. The financial loss due to reputational damage, however, can be much more difficult to accurately measure. Reducing the time to detect and resolve potential security incidents must be an absolute priority. Each hour that a security incident persists is effectively money out of the door.
- Tribal knowledge is inherently difficult to codify, and often leaves the organization with personnel changes
Employee retention is an issue faced by almost every security team. Highly skilled analysts are an extremely valuable resource for which competition is always high. Each time an organization loses a seasoned analyst, some tribal knowledge is lost with them and they are replaced with an analyst who, even if they possess the same technical skills, will lack this tribal knowledge for at least a period of time. Training new analysts takes time, especially when processes are manual and complex. Documenting security processes is a complex, but critical task for all security teams.
- Security operations are inherently difficult to measure and manage effectively
Unlike other business units which may have more concrete methods for measuring the success or failure of a program, security metrics are often much more abstract and subjective. Traditional approaches to measuring return on investment are often not appropriate for security projects and can lead to inaccurate or misleading results. Properly measuring the effectiveness and efficiency of a security product or program requires a measurement process specially designed to meet these unique requirements.
About DFLabs IncMan SOAR
DFLabs is an award-winning and recognized global leader in Security Orchestration, Automation and Response (SOAR) technology. Its pioneering purpose-built platform, IncMan SOAR, enables SOCs, CSIRTs, and MSSPs to automate, orchestrate and measure security operations and incident response processes and tasks. IncMan SOAR drives intelligence-driven command and control of security operations, by orchestrating the full incident response and investigation lifecycle and empowers security analysts, forensic investigators and incident responders to respond to, track, predict and visualize cyber security incidents. As its flagship product, IncMan SOAR has been adopted by Fortune 500 and Global 2000 organizations worldwide.
Schedule a live demo with one of our cyber security specialists here and see DFLabs IncMan SOAR platform in action. For more information on any of these topics, please check out our new whitepaper titled “Security Orchestration, Automation, and Response (SOAR) Technology” here.
Stay tuned for our next blog in this series, where we will discuss the three pillars of SOAR technology.