The benefits of security orchestration, automation and response (SOAR) are many - if executed correctly
There’s no doubt that organizations around the globe are investing in security orchestration, automation and response (SOAR) solutions. While today less than 1% of large enterprises use SOAR technologies, by 2020 15% of organizations with a security team of more than five people are expected to leverage these tools.
Given that we are still early in the adoption of SOAR, there isn’t a set roadmap for success in implementing these solutions (though we recommend this piece from Gartner to get you on your way). After talking with dozens of companies embarking on SOAR projects, we’ve been able to identify what can set your organization up for success and the pitfalls to avoid.
First, let’s quickly review why enterprises begin these projects in the first place.
Why enterprises implement SOAR
Consolidating disparate security tools
To effectively counter the different types of cyber threats and attack vectors, organizations acquire or subscribe to multiple security tools or services - SIEM, EDR, threat intelligence services, anti-malware, sandboxing, and many others. Before they know it, they have amassed as many as 70 disparate security solutions.
Considering that most of these tools aren’t designed to communicate with one another, managing them and the information they offer can get tedious and complicated. SOAR solutions bring together individual security tools in a way that allows SOC teams to orchestrate and manage them more efficiently from a single platform.
Addressing alert overload
From dozens of security tools come hundreds of thousands of alerts. Most security operations teams find themselves overwhelmed with the alerts they need to triage and investigate every day, with 36% saying their number one challenge in incident response is keeping up with the volume of security alerts.
SOAR solutions mitigate alert overload by helping teams automatically close false positives and zero in on threats that truly need analyst attention.
Making up for security staff shortages
Organizations already know they have to deal with the cybersecurity talent gap, a problem that seems to be worsening every year. ESG’s research finds the shortage has been growing steadily since 2014. Enterprise SOCs typically have job requisitions open for analysts of all levels that take months to fill, and experienced analysts are the hardest to find. The alternative is to better enable existing teams to work more efficiently, which is a key benefit of implementing a SOAR solution.
The need to improve incident response processes
Oftentimes, security analysts will resolve similar alerts or incidents differently from one another. While this practice might seem pretty harmless, it can breed inefficiencies and allow ineffective processes to persist. Teams can handle alerts and resolve issues faster, more effectively, and with a greater degree of consistency if they follow a documented, codified set of processes. This can be achieved by leveraging the playbooks inherent in SOAR solutions to document tribal knowledge and ensure processes are executed the same way every time across the SOC.
SOAR implementation pitfalls to avoid
Now that we’ve taken a peek at the main reasons why organizations embark on SOAR projects, it’s time to discuss the common missteps that can keep you from realizing the full potential of a SOAR solution.
Incompatibility between in-house skills and the SOAR solution
An array of options in the SOAR category exist - and we expect additional entrants into the market as demand continues to grow. As with other cybersecurity technologies, each SOAR solution takes a slightly different approach, with some better suited to highly skilled analysts and others designed for ease of use at all skill levels.
As an example, when it comes to integrating your security tools and building playbooks via a SOAR solution, some rely heavily on coding capabilities to fully take advantage of these features. Before analysts can start integrating or building playbooks on these particular solutions, they need to be adept at scripting languages like Perl, Python, and Ruby.
To ensure a smooth implementation and avoid delays, choose a SOAR solution that is in line with the in-house capabilities you currently have. Be sure to ask whether your chosen platform supports both a graphical user interface and a module for writing scripts, like an IDE (integrated development environment). The GUI can enable non-coders to leverage the strengths of the SOAR solution from the get-go, perhaps through simple drag-and-drop functionality, while the IDE will allow coders to do more sophisticated customization, if needed.
Not mapping out incident response processes
As the ‘A’ of the acronym SOAR indicates, another major function of SOAR solutions is automation. These solutions can be used to automate security operations processes. And so, when they start to roll out a SOAR project, many companies eagerly attempt to include whatever process they can automate.
Therein lies the problem. While it’s true that automation can greatly improve processes, it can just as easily worsen an already bad process. As Bill Gates once said, "Automation applied to an inefficient operation will magnify the inefficiency."
In order to avoid this pitfall, security operations teams need to devote considerable time to outlining their processes before building playbooks off of them. You can lay out representative diagrams on paper or on a whiteboard for better visualization and collaboration. And, as you shop for SOAR solutions, you should ask whether any standard playbooks come included. This can be a great way to help your team get started and you can then customize as you figure out what works for your particular SOC.
Trying to automate everything at once
With so many manual processes and staff in short supply, it can be tempting to go all in on security automation. After all, there is no shortage of articles about its ability to alleviate the overload experienced by today's SOCs.
But there are two realities here to consider. First, trying to automate everything at once can make it hard to pinpoint the cause of any process failure. Stated another way - if your processes aren't tested to begin with, it will be easy to blame automation as the culprit in the event of a failure. And in that case, some teams may end up being unnecessarily gun-shy of automation.
Second, most security teams know that you can't possibly automate everything. The toughest, most malicious cases still need the hands-on, critical thinking that can only come from a security analyst. So any SOAR implementation is always about finding the right balance of machine-led and analyst-led activities for your particular SOC.
If you’re just starting out, identify processes that are prime candidates for automation and implement SOAR in those areas first. From there you can determine how to continue forward on the automation component of your journey.
Thinking incident response processes are 'set it and forget it'
You can’t get everything right the first time. Even if you’ve devoted a lot of time and energy to designing a particular incident response playbook, there’s still a good chance it won’t turn out to be perfect. Besides, the tactics, techniques and procedures (TTPs) of cyberthreats evolve with time. Thus, you need to adapt and incorporate changes accordingly.
Once processes are codified via a SOAR solution, analysts still need to monitor, evaluate, and improve them to ensure each playbook continues to function at maximum effectiveness and efficiency. SOAR solutions that enable you to run tests and alert simulations on your playbooks can help with this continuous improvement.
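To make the playbook idea concrete, here is an added example (not code from the original article or from any SOAR vendor) of what a codified, testable triage process can look like: an ordered list of steps that enrich an alert, auto-close a documented false positive, escalate known-bad or high-value cases, and queue the rest for an analyst, plus a regression check that plays simulated alerts through the playbook the way the "tests and alert simulations" above describe. The alert fields, the reference sets (authorised scanner, sample indicator, critical assets) and the step names are all hypothetical, constructed values, and the IP addresses are from documentation ranges rather than real indicators.

```python
"""Minimal codified triage playbook with an alert simulation (added example).

A SOAR playbook fixes the order in which triage decisions are made so every
alert of a given kind is handled the same way. This toy engine models that:
steps run in order, each either hands the alert on or reaches a final
disposition. The reference data below is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed stand-ins for an authorised-scanner list, a threat-intel feed
# and an asset inventory (hypothetical values, documentation IP ranges).
KNOWN_SCANNER_IPS = {"10.0.0.5"}
MALICIOUS_IPS = {"203.0.113.7"}
CRITICAL_ASSETS = {"dc01", "payroll-db"}


@dataclass
class Alert:
    alert_id: str
    src_ip: str
    host: str
    rule: str
    tags: Dict[str, object] = field(default_factory=dict)
    status: str = "open"                              # final disposition
    trail: List[str] = field(default_factory=list)    # steps that ran, for audit


# A step returns True when it has set a final disposition (stop the playbook)
# and False to hand the alert to the next step.
Step = Callable[[Alert], bool]


def enrich(alert: Alert) -> bool:
    """Look the alert up against the reference data; never terminal."""
    alert.tags["known_scanner"] = alert.src_ip in KNOWN_SCANNER_IPS
    alert.tags["malicious_src"] = alert.src_ip in MALICIOUS_IPS
    alert.tags["critical_asset"] = alert.host in CRITICAL_ASSETS
    alert.trail.append("enrich")
    return False


def close_known_scanner(alert: Alert) -> bool:
    """Documented false positive: authorised scanner with no malicious signal."""
    if alert.tags["known_scanner"] and not alert.tags["malicious_src"]:
        alert.status = "closed_false_positive"
        alert.trail.append("close_known_scanner")
        return True
    return False


def escalate(alert: Alert) -> bool:
    """Known-bad source or critical asset: route to an analyst with a priority."""
    if alert.tags["malicious_src"] or alert.tags["critical_asset"]:
        alert.status = "escalated"
        alert.tags["priority"] = "P1" if alert.tags["critical_asset"] else "P2"
        alert.trail.append("escalate")
        return True
    return False


def queue_for_analyst(alert: Alert) -> bool:
    """Neither auto-closable nor urgent: ordinary analyst queue."""
    alert.status = "analyst_queue"
    alert.trail.append("queue")
    return True


# The documented process: order is a deliberate decision, not an accident.
PLAYBOOK: List[Step] = [enrich, close_known_scanner, escalate, queue_for_analyst]


def run_playbook(alert: Alert, steps: List[Step] = PLAYBOOK) -> Alert:
    for step in steps:
        if step(alert):
            break
    return alert


def simulate(alerts: List[Alert], steps: List[Step] = PLAYBOOK) -> Dict[str, int]:
    """Play a batch of constructed alerts through the playbook; count dispositions."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        run_playbook(alert, steps)
        counts[alert.status] = counts.get(alert.status, 0) + 1
    return counts


def regression_check(steps: List[Step] = PLAYBOOK) -> List[Tuple[str, str, str]]:
    """Alert simulation with expected outcomes for the documented cases.
    Returns (alert_id, expected, actual) for each mismatch; empty list = pass.
    Re-run after every playbook change, before the change goes live."""
    cases = [
        (Alert("a1", "10.0.0.5", "web01", "port_scan"), "closed_false_positive"),
        (Alert("a2", "203.0.113.7", "web01", "port_scan"), "escalated"),
        (Alert("a3", "198.51.100.9", "dc01", "port_scan"), "escalated"),
        (Alert("a4", "198.51.100.9", "web01", "port_scan"), "analyst_queue"),
        # Authorised scanner hitting a critical asset is closed because the
        # close step precedes escalation; if that is not what the SOC wants,
        # this case is where the simulation flags it.
        (Alert("a5", "10.0.0.5", "dc01", "port_scan"), "closed_false_positive"),
    ]
    failures = []
    for alert, expected in cases:
        actual = run_playbook(alert, steps).status
        if actual != expected:
            failures.append((alert.alert_id, expected, actual))
    return failures


if __name__ == "__main__":
    print("regression:", regression_check() or "pass")
```

The point of `regression_check` is the one the text makes: the playbook's expected behaviour is written down as cases, so when a step is edited (say, the close condition is loosened) the simulation shows which documented outcome changed before real alerts are affected. Case `a5` is included on purpose: step order is a process decision that must be made on the whiteboard first, and the simulation makes that decision visible rather than letting automation quietly magnify it.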
Expecting SOAR to be a silver bullet
There is no magic cure for all of the challenges security operations teams face. End of story.
SOAR holds the promise of driving process improvement, increasing efficiency and maximizing effectiveness for enterprise SOCs. As such, as you embark upon a SOAR implementation project, be clear on how it can best help your team make the most of the security tools you already have, empower your existing analysts and inject new structure into your processes and techniques.