Security orchestration, automation and response, commonly known as SOAR, is one of the most talked-about technologies in cybersecurity these days, and with good reason. The right SOAR platform, coupled with a good implementation, can go a long way toward helping security teams reduce alert overload, orchestrate the multitude of tools in use, and build automated, repeatable processes that slash response times and ultimately let security pros focus their time on higher-value work.
As you would expect from a hot category, there is no shortage of SOAR tools from which to choose. From large established security vendors to independent pure-plays to something in between, it seems like everyone is jumping on the SOAR bandwagon. Gartner listed 18 vendors in its Market Guide for SOAR back in June 2019, and there has been a flurry of acquisitions, market exits and even new entrants since.
In this multi-part series, we will compile practical advice that can help you select the solution that is right for your business. These recommendations are based on our personal experience working with countless companies that have evaluated SOAR in recent years. While Siemplify obviously has a horse in this race, I will do my best to provide valuable and bias-free advice (fingers crossed!).
So as we begin our journey toward finding the right SOAR for your organization, let’s start with the most basic of all exercises: ensuring a SOAR is actually a SOAR.
SOAR is undoubtedly hot. This has driven some vendors to “SOAR-wash” their offerings with the hope that merely using the acronym will help them break through the incessant cybersecurity noise. So let’s define what the minimal requirements are to be considered a SOAR solution.
There are three capabilities to consider:
1) Alert ingestion
The ability to consume alerts from one or more (preferably more) detection technologies. The most common technology that SOAR solutions connect to is SIEM, but really any detection technology is fair game. Other technologies that SOAR commonly ingests alerts from include EDR, NDR, anti-phishing, DLP and CASBs. To be successful with SOAR, you should feed it alerts of the highest possible fidelity; implementing a SOAR solution is no reason to stop investing in the quality of your event correlation.
2) Orchestration
The ability to integrate (via native APIs) with a broad range of third-party tools used by security professionals, so that their functionality can be invoked programmatically. The idea, of course, is to replace the “swivel-chair” integration and constant console switching that plague security operations teams.
3) Automation workflows
The ability to define and build the workflows (commonly referred to as playbooks or runbooks) that security teams need to execute when triaging, investigating and responding to alerts. Naturally, a SOAR platform incorporates the various tools that it orchestrates into these workflows and strives to automate as many of their tasks as possible.
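To make the three capabilities concrete, here is an added illustration (not Siemplify code, and not a real product’s API) of how they fit together in a minimal pipeline: connector output is normalised on ingestion, third-party tools are exposed as callable integrations, and playbooks keyed by alert type drive the automated response. The alerts, the tool stubs and the playbook logic are all constructed for the example.

```python
"""Minimal SOAR-style pipeline: alert ingestion -> orchestration -> playbook automation."""
from dataclasses import dataclass, field

# Constructed sample alerts, in the shape a SIEM or EDR connector might emit.
SAMPLE_ALERTS = [
    {"source": "siem", "type": "phishing", "sender": "billing@example.test",
     "url": "http://example.test/login"},
    {"source": "edr", "type": "malware", "host": "ws-042", "hash": "PLACEHOLDER_HASH"},
]

@dataclass
class Alert:
    source: str
    kind: str
    data: dict
    enrichment: dict = field(default_factory=dict)   # filled by orchestrated tools
    actions: list = field(default_factory=list)      # filled by the playbook

def ingest(raw: dict) -> Alert:
    """1) Alert ingestion: normalise whatever the detection tool sent into one schema."""
    data = {k: v for k, v in raw.items() if k not in ("source", "type")}
    return Alert(source=raw["source"], kind=raw["type"], data=data)

# 2) Orchestration: each integration is a callable; real ones would wrap a vendor API client.
# The reputation verdict here is a hypothetical stand-in, not a real threat-intel lookup.
TOOLS = {
    "url_reputation": lambda url: {"verdict": "malicious" if url.endswith("/login") else "clean"},
    "isolate_host": lambda host: {"host": host, "isolated": True},
}

# 3) Automation workflows: one playbook per alert type, using the orchestrated tools.
def phishing_playbook(alert: Alert) -> Alert:
    alert.enrichment["url"] = TOOLS["url_reputation"](alert.data["url"])
    verdict = alert.enrichment["url"]["verdict"]
    alert.actions.append("quarantine_message" if verdict == "malicious" else "close_as_benign")
    return alert

def malware_playbook(alert: Alert) -> Alert:
    result = TOOLS["isolate_host"](alert.data["host"])
    alert.actions.append(f"isolated:{result['host']}")
    return alert

PLAYBOOKS = {"phishing": phishing_playbook, "malware": malware_playbook}

def run(raw_alerts: list) -> list:
    """Ingest every alert and run its playbook; alerts with no playbook go to an analyst."""
    handled = []
    for raw in raw_alerts:
        alert = ingest(raw)
        playbook = PLAYBOOKS.get(alert.kind)
        if playbook is None:
            alert.actions.append("escalate_to_analyst")  # no automation defined for this type
        else:
            playbook(alert)
        handled.append(alert)
    return handled
```

The escalation branch matters in practice: an alert type without a playbook should land in an analyst queue, not be silently dropped.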
To clarify, these three capabilities are the bare minimum required to earn the right to call yourself a SOAR solution. When selecting the best SOAR solution for your business, there is a lot more to consider, and that is what this blog series will take you through.
So let’s get to it! In Part 2, we’ll discuss how you should look at the origin of each SOAR platform to understand which one is the best fit for your use cases.
Nimmy Reichenberg is CMO at Siemplify.