As companies evaluate ways to improve their security posture, one area getting a lot of attention is solutions that provide a level of automated response to attacks. Security Orchestration, Automation and Response (SOAR) is one such solution. According to Gartner, the three most important capabilities of SOAR technologies are:
- Threat and vulnerability management: These technologies support the remediation of vulnerabilities. They provide formalized workflow, reporting and collaboration capabilities.
- Security incident response: These technologies support how an organization plans, manages, tracks and coordinates the response to a security incident.
- Security operations automation: These technologies support the automation and orchestration of workflows, processes, policy execution and reporting.
While SOAR can provide a number of benefits to your organization, as with any security tool, SOAR itself is not a silver bullet. If you are in the evaluation process, here are three critical areas to consider:
1. Problem Domain Expertise is required. At the heart of most SOAR solutions is a workflow engine that can be given instructions: when it is triggered by specific conditions, it takes specific actions. For a SOAR solution to take automated action, someone must know what actions should be taken and under which conditions. Security domain expertise and knowledge of your security and IT infrastructure are needed to implement successful playbooks (or whatever the SOAR workflows are called) in order for your business to realize the value of the solution. Some solutions may provide rudimentary templates for basic responses to phishing attacks or other general attack patterns, but as attack vectors change, domain expertise will be required to keep the responses current with dynamic conditions.
2. Consider the Connectors. While a number of SOAR platforms provide a basic workflow engine to implement automated response, there are other factors to be aware of. All SOARs must connect to various software and services to take action or to gather information for further steps. Those connectors need to be as easy as possible to implement and need to cover the elements in your security and IT infrastructure as completely as possible. If this isn’t the case, it may require a programming project to build connectors or other proxy methods in order to interact with your systems.
Successful SOAR platforms will support a wide variety of the systems you have (or expect to have) in your environment or may even have a community that develops these connectors so that you don’t have to make the programming investment.
3. Reliance on Programming. As mentioned above, domain expertise in security and IT (via your security team or through vendors or partners) is critical to make effective playbooks or workflows. Additionally, many SOAR solutions require scripting capabilities to a greater or lesser degree. The implication: in addition to the requisite security and IT expertise, you tie up programming resources in order to implement and update those workflows. A suitable SOAR solution will rely more on logical and visual methods than on programmatic ones to implement the response logic.
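To make the three points above concrete, here is an added example (not code from the original post or from any SOAR vendor) of the pattern every SOAR playbook engine implements: a declarative trigger condition selects a playbook, and each step of the playbook is dispatched to a connector. The playbook is plain data rather than a script, which is the "logical rather than programmatic" style point 3 argues for; the connector layer is what point 2 says must cover your environment; and the decision of which conditions map to which actions (point 1) is the part only a domain expert can supply. All connector names, alert fields and the sample alert are constructed for this illustration; real connectors would call product APIs instead of recording the call.

```python
from typing import Any, Callable

# Constructed sample alerts, shaped like what a mail gateway or SIEM hands to a SOAR.
SAMPLE_ALERT = {
    "type": "phishing",
    "severity": 4,
    "message_id": "<msg-1234@example.invalid>",
    "sender": "billing@example.invalid",
    "recipient_host": "ws-0042",
}
LOW_SEVERITY_ALERT = {**SAMPLE_ALERT, "severity": 1}


class Connectors:
    """Simulated connectors (hypothetical names). Each action records its call so a
    playbook run can be inspected; a real connector would call the product API."""

    def __init__(self) -> None:
        self.calls: list[tuple[str, dict[str, Any]]] = []
        # Action registry: "connector.action" -> callable. Adding coverage for a
        # new system means registering new entries here, not editing playbooks.
        self.actions: dict[str, Callable[..., dict]] = {
            "mail.quarantine_message": self.mail_quarantine_message,
            "mail.block_sender": self.mail_block_sender,
            "edr.isolate_host": self.edr_isolate_host,
            "ticket.open": self.ticket_open,
        }

    def _record(self, name: str, **kwargs: Any) -> dict:
        self.calls.append((name, kwargs))
        return {"status": "ok", "action": name, **kwargs}

    def mail_quarantine_message(self, message_id: str) -> dict:
        return self._record("mail.quarantine_message", message_id=message_id)

    def mail_block_sender(self, sender: str) -> dict:
        return self._record("mail.block_sender", sender=sender)

    def edr_isolate_host(self, hostname: str) -> dict:
        return self._record("edr.isolate_host", hostname=hostname)

    def ticket_open(self, title: str, severity: int) -> dict:
        return self._record("ticket.open", title=title, severity=severity)


# Declarative playbook: the trigger and the ordered actions are data. The values
# chosen here (which alert types, which severity gate, which actions) are exactly
# the domain-expertise decisions point 1 refers to.
PLAYBOOKS = [
    {
        "name": "phishing-reported",
        "when": {"type": "phishing", "min_severity": 3},
        "actions": [
            {"action": "mail.quarantine_message", "args": {"message_id": "$alert.message_id"}},
            {"action": "mail.block_sender", "args": {"sender": "$alert.sender"}},
            {"action": "edr.isolate_host", "args": {"hostname": "$alert.recipient_host"}},
            {"action": "ticket.open", "args": {"title": "Reported phishing message",
                                                "severity": "$alert.severity"}},
        ],
    },
]


def matches(trigger: dict, alert: dict) -> bool:
    """Trigger condition: alert type must match and severity must meet the gate."""
    if trigger.get("type") != alert.get("type"):
        return False
    return alert.get("severity", 0) >= trigger.get("min_severity", 0)


def resolve(value: Any, alert: dict) -> Any:
    """Substitute '$alert.<field>' references with values from the alert; other
    values are literals. A missing field is an error, not a silent empty string."""
    if isinstance(value, str) and value.startswith("$alert."):
        key = value[len("$alert."):]
        if key not in alert:
            raise KeyError(f"playbook references missing alert field {key!r}")
        return alert[key]
    return value


def run_playbooks(alert: dict, playbooks: list[dict], connectors: Connectors) -> list[dict]:
    """Run every playbook whose trigger matches the alert; return one result per step.
    A step naming an unregistered action fails loudly, which is how a coverage gap
    in the connector layer (point 2) shows up in practice."""
    results = []
    for playbook in playbooks:
        if not matches(playbook["when"], alert):
            continue
        for step in playbook["actions"]:
            fn = connectors.actions.get(step["action"])
            if fn is None:
                raise LookupError(f"no connector registered for {step['action']!r}")
            args = {k: resolve(v, alert) for k, v in step.get("args", {}).items()}
            results.append({"playbook": playbook["name"], "action": step["action"],
                            "result": fn(**args)})
    return results


if __name__ == "__main__":
    for row in run_playbooks(SAMPLE_ALERT, PLAYBOOKS, Connectors()):
        print(row)
```

Running the high-severity sample alert fires all four steps in order; the low-severity copy of the same alert matches nothing and produces an empty run, which is the gate a practitioner would tune before enabling host isolation automatically.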
Implementing a SOAR solution is a very useful way to improve your security posture; being aware of these considerations will help bring the proper return on the security investment.
If you are in the process of evaluating your current security posture, or want to ensure your security controls are working the way you expect, we’d like to offer our complimentary Security Health Check.