What Executives Should Know About SOAR
Coined in 2015 and later updated in 2017 by Gartner, SOAR (security orchestration, automation, and response) describes a platform that is designed to orchestrate the response to incidents, leveraging automated processes designed in decision tree mapping, typically called playbooks.
The value of a SOAR platform is focused on improving the accuracy, speed, and depth of data for responding to the litany of incidents that operations teams (especially security operations) are constantly dealing with. To deliver on these values, most SOAR platforms leverage the playbooks mentioned above.
These playbooks have a listing of all the surrounding tasks, data, and implications that are needed to respond to a specific type of incident, which can then be automated as much as possible for routine tasks. This includes (but is not limited to) the following:
- Create a ticket.
- Gather preliminary data into a single repository.
- Notify involved parties.
- Compare the incident to known attacks.
- Pause for user input.
How Did SOAR Originate?
Gartner® originated the term “SOAR” during a time when the huge growth of virtualization, containerization, “as a service,” and cloud really hit their stride in automating growth. This brought overwhelming amounts of data, assets, applications, and services into a company, which begets the need to secure it all. SOAR was the concept that looked to bring automation growth to this explosively expanding security coverage need.
Why Is It Important in Cybersecurity?
The concepts of SOAR are designed to ease a growing pain point that security programs continuously encounter as the businesses they serve expand: event and incident overload.
This pain comes from a need to analyze any and every event to verify any level of impact or concern to the business. When humans have to handle event reviews manually, the maximum number of events manageable is relatively low and expensive, while also unable to keep pace with the ability of technology to grow and create more events that need review.
What Is the Spin Around This SOAR Buzzword?
Far and away, the most egregious claim of SOAR is that it is the “only” tool a company needs to manage their security. This typically comes from the excitement of what a SOAR platform brings to a company’s security and a lack of understanding and appreciation for how a SOAR platform is codependent on all the other tools included in a security strategy.
Another interesting claim is that “any programmatic process can be done via SOAR,” which is not inherently wrong, it just misses the focus or the “S”/security and becomes OAR. This lack of focus creates the exact scaling and overwhelming issues as the amount of integration, processing, customization, and upkeep grow beyond any one department’s ability to maintain.
Our Advice: What Executives Should Consider When Adopting SOAR
Approaching a SOAR adoption should be a step taken on a journey of improvement of the security organization. When your company is looking to improve the SOC in efficiency of time and error reduction, or streamline security processes to remove and reduce the risk blocking other business growth initiatives, then SOAR becomes highly compatible with that journey.
SOAR has incredible potential to solve massive scalability issues when properly adopted and maintained. Integrations should be simplified, robust, and prolific with a focus on the security tools and solutions that are already available.
Simplicity remains a key focus for implementation of the orchestration, automation, and response abilities of the platform, to avoid complexity merely expanding to this SOAR tool and not solving the removal/reduction of said complexity.
Here are some questions to ask your team for a successful SOAR adoption:
- If the business were to double or more in the size of our D.A.A.S., how would the SOC be able to maintain our security posture without the ability to increase worker count?
- What are the routine processes and workflows that we continuously repeat to maintain our security integrity and what triggers can we define for initiating these workflows?
- What systems and security-specific D.A.A.S. will need to be integrated into our approach to this new automation of our orchestration and response strategy and how difficult will it be to achieve fully integrated status?
- What other IT-based operations would benefit from having an OAR platform and how well can we enable them from the SOAR platform to achieve new heights?
- How effectively and quickly will operations teams be able to understand, create, and update the playbooks and case management systems and how much product and/or coding knowledge will need to be known?