Security Orchestration, Automation and Response (SOAR) is a familiar term to most cybersecurity professionals but despite the widespread awareness and hype, it’s still relatively new to mainstream security.
According to Gartner, “By 2021, 70% of deployments that are overly expensive for the value enterprise organisations with a dedicated SOC will include SOAR capabilities, up from less than 5% in 2018 and only 1% in 2017.” With its ability to address some of the major challenges that security teams face today – alert overload, disparate tools, manual processes and the cybersecurity skills shortage – SOAR is undeniably a solution that enterprise security teams should be considering to assist in responding to cyber-threats across any environment.
But, SOAR is not simply an opportunity to save time and cost by automating existing processes. SOAR should be considered a transformational technology that will alter the way security services are delivered. Orchestration and automation are well proven within the wider IT industry and a good SOAR product, implemented well, will deliver significant benefits to a security function and their business.
Well-managed organisations implement and maintain control systems that reduce residual risk to be within their defined appetite. These control systems typically consist of people and technology performing a series of tasks in a pre-defined order to deliver a process that achieves specific outcomes.
Within security it makes sense to maximise the use of technology to orchestrate and automate tasks because of the limited number of appropriately skilled people and also because people can be prone to error. Technology can also operate faster and at a larger scale, which can reduce costs as well as improve efficiency and effectiveness.
However, it is important to recognise that technology cannot fully replace people. Not all tasks or processes can be codified into logic that captures all scenarios – the ability of people to apply judgement, recognise where standard process no longer applies or indeed operate without any process, cannot be replicated by technology alone. Therefore, the application of SOAR needs to be appropriate, focused and feasible to maximise value.
The reality is that businesses and their IT environments are typically very complex, so deploying orchestration and automation will very quickly become complicated and deliver limited value unless managed well. Complexity results in SOAR they deliver or that ultimately fail. Successful deployments typically come from sound planning and design, and incremental implementation that proves change or, where necessary, fails fast.
The tasks that SOAR might be used to execute and the scope of the ecosystem that SOAR will exist with- in should be considered prior to implementation. SOAR will be used to orchestrate and automate tasks within a complex environment where repeated tasks are per- formed to acquire intelligence and where appropriate actions are taken based on that intelligence.
Moving from manually performed processes to processes that are, at least in part, executed by SOAR requires a detailed understanding of what the manual operator does. People have an incredible ability to take imperfect instruction or imperfect results during task execution and still be able to successfully complete a process. A SOAR system, like any IT system, is considerably less likely to successfully complete a task or process under these circumstances, which means that detailed analysis, design and testing must be part of successful implementation.
The environment that SOAR exists within will have many different entities that contribute to intelligence acquisition or the actions that are executed based on acquired intelligence. The entities will be of many dif- ferent types including (but not limited to) people, oper- ating systems, databases and applications, and within each of these high-level types there could be distinct sub-types. To further add to this challenge, each of these entities might also have one or more interfaces, each of which could require different authentication methods, permissions and protocols for interaction.
Adarma recommend a well-planned, modular approach to SOAR deployment. We would welcome the opportunity to work with you to understand your SOAR requirements.