Welcome to part 3 of our series examining how to select the best security orchestration, automation and response (SOAR) solution for your business.

In part 1, we defined what SOAR platforms set out to do at their core. In part 2, we listed the key core competencies that you can expect to find in a SOAR solution. In part 3, we are going to dive deeper into one of those core competencies: case management.

It’s hard to imagine running a security operations function without case management. After all, much of the daily blocking and tackling in the SOC has to do with creating, triaging, investigating and closing cases. Naturally, case management (AKA ticketing or ITSM) is also key for other operations functions, such as IT and customer service. This means your organization may very well have an existing case management system in place. This raises the question: should I use my existing ticketing system for security operations, or should I use a SOAR solution?

Having your case and eating it too

When talking about SOAR and case management, let’s make one important distinction – your SOAR solution does not need to (and will never) be the best general-purpose case management system, and indeed no SOAR solution can rival a purpose-built generic case management system. However, SOAR solutions should be the best case management for security operations because of “baked-in” security-specific functionality. If you want to have your cas(k)e and eat it too, then integrating your SOAR solution with your general-purpose ticketing system is the way to go. The integration can be as deep as you need it to be, ranging from opening/closing tickets in your master ticketing system as needed to supporting full bidirectional updates.

Cases versus alerts

One important aspect to understand when selecting a SOAR platform is whether it is “alert-centric” or “threat-centric” in nature. “Alert-centric” SOAR platforms typically create a new case every time an alert is ingested from a detection tool such as a SIEM or an EDR platform. “Threat-centric” SOAR platforms are able to automatically group contextually related alerts (for example, alerts that involve the same user or the same file hash) into cases, allowing the same analyst to work a case that consists of multiple related alerts.

Either way, it’s worth noting that a SOAR does not eliminate the need for investing in alert correlation. For the best results, you should feed the most high-fidelity alerts into your SOAR platform and avoid ingesting very noisy alert feeds (such as an IPS). Threat-centric SOAR platforms act as a second layer of alert correlation, grouping alerts from different sources even if they are not all centrally funneled through a SIEM.
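The difference between the two models can be shown in a few lines. The following is an added example, not code from any SOAR product: the alert fields, sample alerts and the union-find grouping are assumptions chosen to illustrate "same user or same file hash" grouping across a SIEM and an EDR feed.

```python
from collections import defaultdict

# Constructed sample alerts (not from a real product); field names are assumptions.
ALERTS = [
    {"id": "A1", "source": "SIEM", "user": "jdoe", "file_hash": None},
    {"id": "A2", "source": "EDR", "user": "jdoe", "file_hash": "hash-aaa"},
    {"id": "A3", "source": "EDR", "user": "asmith", "file_hash": "hash-aaa"},
    {"id": "A4", "source": "SIEM", "user": "bwong", "file_hash": None},
    {"id": "A5", "source": "EDR", "user": None, "file_hash": "hash-bbb"},
]
ENTITY_FIELDS = ("user", "file_hash")


def alert_centric(alerts):
    """Alert-centric behaviour: one case per ingested alert."""
    return [[a["id"]] for a in alerts]


def threat_centric(alerts, fields=ENTITY_FIELDS):
    """Group alerts that share any entity; returns sorted lists of alert ids."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    first_seen = {}  # (field, value) -> id of the first alert with that entity
    for a in alerts:
        for f in fields:
            value = a.get(f)
            if not value:  # a missing entity must never link two alerts
                continue
            key = (f, value)
            if key in first_seen:
                parent[find(a["id"])] = find(first_seen[key])
            else:
                first_seen[key] = a["id"]

    cases = defaultdict(list)
    for a in alerts:
        cases[find(a["id"])].append(a["id"])
    return sorted(sorted(ids) for ids in cases.values())


if __name__ == "__main__":
    print("alert-centric :", alert_centric(ALERTS))
    print("threat-centric:", threat_centric(ALERTS))
```

A1 and A3 share no entity directly but land in the same case because A2 links them (same user as A1, same hash as A3), which is why very noisy feeds or over-broad entity fields can merge unrelated activity into one oversized case.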

Key SOAR case management capabilities

Which case management functionality matters most is naturally dependent on your use cases, as well as on whether you plan to use a purpose-built case management system in addition to SOAR. As always, no one solution does it all, but here are some capabilities to consider:

  • Prioritization: Does the SOAR platform prioritize cases? Prioritization can be based on static risk scores, risk calculation as part of playbooks or machine learning, whereby cases that resemble those that have been deemed malicious in the past are given a higher priority. 
  • Assignment: How does the SOAR solution assign cases? This includes the initial assignment when a new case is created, as well as assignment between analysts (for example, assigning from Tier 1 to Tier 2 to Tier 3). Some SOAR platforms also employ machine-learning algorithms that can make assignment recommendations, for example, to an analyst who has historically been successful in closing similar cases.
  • Escalation: How is a case escalated, either to a higher tier or in case an incident has been identified that requires collaboration with stakeholders outside the SOC?
  • Customization: The breadth and ease of use with which you can customize fields in the case, as well as customize the screen layout for the analyst.
  • Collaboration: How do analysts collaborate on a case? Can you view the entire case history and chat with other analysts? Can you tag other analysts and assign them tasks?
  • SLAs and Analytics: Can the SOAR platform define service level agreements (SLAs) for cases, and give higher priority to cases that are closer to their SLA limits? Generally, what kind of case analytics are available?
  • Integration with existing ticketing systems: Assuming you are integrating your SOAR platform with a master ticketing system, how easy and robust is this integration?

I rest my “case.” In part 4 of our series, we will take a look at the bread and butter of SOAR: orchestration and automation using playbooks. 

Nimmy Reichenberg is CMO at Siemplify.