Welcome to part 2 of our series on how to select the best security orchestration, automation and response (SOAR) solution for your business.
In part 1, we defined what SOAR platforms set out to do at their core. In this post, we will take a closer look at the core competencies on which different SOAR solutions focus. Understanding how your objectives and challenges align with the core competencies of a specific SOAR solution is the first place you should start when evaluating providers.
Note: We will dive deeper into most of these core competencies in future posts.
1) Case management
Creating, documenting and assigning cases (aka tickets) is an important aspect of a security operations function. Robust case management allows for complex process flows, custom field creation, case assignment, and ease of documentation of all activities carried out as part of a case. SOAR products from vendors that are first and foremost case management vendors obviously excel in this category. Where these offerings typically lack is in baking in the security know-how required to effectively investigate and respond to cases.
2) Automation and orchestration
Automation and orchestration includes the ability to build playbooks (and the ease of doing so), to integrate with and orchestrate a large number of tools, and to automate repetitive tasks. However, SOAR vendors with this as their focus may be limited to essentially offering automation as “middleware,” unable to deliver a true end-to-end platform experience for security operations. This means analysts are required to conduct most of their work in other tools, such as SIEM and EDR.
3) Threat intelligence
Operationalizing threat intelligence (such as enriching alerts with threat intelligence data) is fundamental for any security team. This has resulted in SOAR offerings from several TIP vendors. If your requirements are mostly about operationalizing threat intelligence, these offerings should be part of your evaluation. As you can expect, such solutions typically do not score high in any of the other core competencies due to their bias toward threat intelligence.
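To make the two preceding competencies concrete, here is an added example (not Siemplify code, nor any vendor's product) of what a small automation playbook that operationalizes threat intelligence looks like: it enriches each alert's indicators against a TI feed, scores severity, drops allowlisted infrastructure, auto-closes alerts with no hits, and merges alerts sharing a malicious indicator into one case routed to the right queue. The feed, allowlist, queue names, confidence thresholds and sample alerts are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed threat-intelligence feed keyed by indicator (hypothetical values).
TI_FEED: Dict[str, dict] = {
    "203.0.113.7": {"confidence": 90, "tags": ["c2"]},
    "198.51.100.22": {"confidence": 40, "tags": ["scanner"]},
}
# Constructed allowlist of known-benign internal/partner addresses.
ALLOWLIST: Set[str] = {"192.0.2.10"}

PRIORITY = {"low": 0, "medium": 1, "high": 2}
ASSIGNEE = {"medium": "tier1-queue", "high": "tier2-queue"}  # hypothetical SOC queues


@dataclass
class Alert:
    id: str
    source: str
    indicators: List[str]
    severity: str = "low"
    enrichment: Dict[str, dict] = field(default_factory=dict)
    notes: List[str] = field(default_factory=list)


@dataclass
class Case:
    alert_ids: List[str]
    indicators: Set[str]
    priority: str
    assignee: str


def enrich(alert: Alert, feed: Dict[str, dict] = TI_FEED) -> Alert:
    """Playbook step 1: look every indicator up in the TI feed and record the result."""
    for ioc in alert.indicators:
        alert.enrichment[ioc] = feed.get(ioc, {"confidence": 0, "tags": []})
    return alert


def score(alert: Alert, allowlist: Set[str] = ALLOWLIST) -> Alert:
    """Playbook step 2: set severity from the highest-confidence non-allowlisted hit."""
    best = 0
    for ioc, hit in alert.enrichment.items():
        if ioc in allowlist:
            alert.notes.append(f"{ioc} is allowlisted; ignored for scoring")
            continue
        best = max(best, hit["confidence"])
    alert.severity = "high" if best >= 80 else "medium" if best >= 30 else "low"
    return alert


def malicious_indicators(alert: Alert, allowlist: Set[str] = ALLOWLIST) -> Set[str]:
    """Indicators that scored above the medium threshold and are not allowlisted."""
    return {i for i, h in alert.enrichment.items()
            if i not in allowlist and h["confidence"] >= 30}


def route(alert: Alert, cases: List[Case]) -> Optional[Case]:
    """Playbook step 3: auto-close low alerts, merge into an open case that shares a
    malicious indicator, or open a new case assigned to the matching queue."""
    if alert.severity == "low":
        alert.notes.append("auto-closed: no TI hit above threshold")
        return None
    iocs = malicious_indicators(alert)
    for case in cases:
        if case.indicators & iocs:
            case.alert_ids.append(alert.id)
            case.indicators |= iocs
            if PRIORITY[alert.severity] > PRIORITY[case.priority]:
                case.priority = alert.severity
                case.assignee = ASSIGNEE[alert.severity]
            return case
    case = Case([alert.id], iocs, alert.severity, ASSIGNEE[alert.severity])
    cases.append(case)
    return case


def run_playbook(alerts: List[Alert]):
    """Run all steps over a batch; returns (open cases, ids of auto-closed alerts)."""
    cases: List[Case] = []
    closed: List[str] = []
    for alert in alerts:
        if route(score(enrich(alert)), cases) is None:
            closed.append(alert.id)
    return cases, closed


# Constructed sample alerts as a SIEM, EDR and proxy might deliver them.
SAMPLE_ALERTS = [
    Alert("A1", "siem", ["203.0.113.7"]),
    Alert("A2", "edr", ["198.51.100.22", "192.0.2.10"]),
    Alert("A3", "siem", ["203.0.113.7", "10.0.0.5"]),
    Alert("A4", "proxy", ["192.0.2.10"]),
]

if __name__ == "__main__":
    open_cases, auto_closed = run_playbook(SAMPLE_ALERTS)
    for c in open_cases:
        print(c)
    print("auto-closed:", auto_closed)
```

The value of the playbook is in the decisions it removes from the analyst's queue: the allowlisted address in A4 never becomes a ticket, and A3 lands in the same case as A1 because both carry the same high-confidence indicator, so one analyst sees the whole picture instead of two people chasing halves of it.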
4) Crisis management
As any security pro knows, experiencing a cybersecurity incident is only a matter of “when,” not “if”. Some SOAR platforms were developed with the core competency of helping your organization run a “playbook” when a crisis hits. These playbooks are very different from the playbooks that are required to respond to daily alerts and can include, for example, your regulatory disclosure requirements for a particular incident.
Since a truly damaging incident does not happen often, with time these solutions have increasingly shifted more toward traditional SOAR functionality, aimed at solving the daily alert blocking and tackling – but their core competence still lies in crisis management.
5) Security operations management
The last set of vendors (of which Siemplify is a representative) have their roots and core competency set in managing SOCs and security operations teams. The founders of such companies typically managed, ran and even trained SOC teams, and have a deep understanding of how security teams operate. These products aim to serve as a main workbench for the security operations function, with the aim of incorporating everything security operations teams need to work more effectively and efficiently. As you can expect, they typically include all the aforementioned core competencies – case management, automation, integration with threat intelligence and then some – but their strength lies in the ability to tie everything together into a cohesive experience for security analysts, engineers and managers.
Putting it all together
So which SOAR solution is best? As you can expect, there is no “one size fits all” answer. Truth be told, no single solution excels across all these core competencies. When evaluating SOAR, think about which of these core competencies are the most important to you and give more weight to the solutions that score higher in the areas that matter to you the most.
As a final thought, it’s worth noting that it’s perfectly OK to use more than one solution to achieve your goals. As an example, we commonly see organizations that opt for a purpose-built SOAR solution and integrate it with their existing “master” case management solution to get the best of both worlds.
In our next post, we will take a closer look at case management in the context of security operations to help you zero in on the capabilities that matter the most to you.
Nimmy Reichenberg is CMO at Siemplify.