October 06, 2020
What is Security Orchestration, Automation, and Response (SOAR)? Let’s break this down and understand both sides of this product market space.
Terms You Might Also Hear
- Security Orchestration
- Security Automation
- Security Operations, Analytics, and Reporting (SOAR)
- Security Incident and Response Platforms (SIRPs)
Interrelated Products / Functions
- SIEM (Security Information and Event Management)
- Threat Intelligence Platforms (TIPs)
- Security Operations Center (SOC - pronounced “sock”)
- Event - one or more instances of an observable change on a system (i.e. a file was downloaded, a folder permission was changed, etc.)
- Alert - a notification that one or more events have occurred (i.e., an email is about a firewall rule update, etc.)
- Incident - one or more events or one or more alerts that negatively affect the business (i.e., an employee successfully sends a customer list to a personal email address prior to putting in their notice, etc.)
- As we covered in our first issue, companies are doing more with mobile and cloud services via Digital Transformation. Digital transformation leads to more devices, more cloud resources, more environments to monitor, and ultimately more events, alerts, and incidents to comb through looking for cyber threats.
- There has been exponential growth in the number of log sources. Log sources are the systems, services, and devices in an environment that generate events and need to be constantly monitored from a cyber threat perspective.
- The more log sources in an environment, the more noise. Noise makes it harder to know when something bad has happened or is happening in your environment. If you don’t know about a threat, you can’t do anything about it.
- Security operations teams have to sift through the noise. Unfortunately, they spend >95% of their time chasing down low value/fidelity events that are not really threats.
- Companies are doing more than ever and cybersecurity teams have too much to keep up with. A typical workflow might look like this:
A security alert fires, an analyst may need to investigate in the SIEM, lookup an endpoint in the Endpoint Detection and Response (EDR) platform for computer data, reset a user’s password or disable their account in Active Directory (AD), and record the case in a Case Management system.
- The cybersecurity profession has a talent shortage which only exacerbates the problem. In short, humans can’t keep up with the amount of data coming in and the number of disparate systems they have to click through.
Enter Security Orchestration, Automation, and Response (SOAR).
- SOAR platforms let you create efficiency, consistency, and accountability by way of automation between disparate technology platforms and security controls.
- SOAR platforms act as a central place to connect system APIs together to perform a series of actions, lookups, or checks in a visualized process flow. This creates accountability and traceability for teams and when investigating from a single platform.
- SOAR platforms can achieve automation by activating either by event/alert triggers or scenario “playbooks”. These playbooks kick off a series of checks, actions, and steps, with or without boolean logic, to attempt to triage and remediate cyber threats. This can be with or without human interaction.
- Playbooks from SOAR platforms provide consistency and repeatability. Prior to SOAR, an analyst may have followed a loosely defined playbook but would take their own path to investigate. Playbooks with SOAR provide the exact same process each time, including the exact sequence of tools and queries.
- SOAR can reduce the “speed-to-context” to operate from and make better decisions quicker by not having to focus on low-value events, alerts, and incidents.
- Also covered in the last issue, SOAR is a prime example of how demand for professionals results in product companies trying to enhance or subvert the talent needed. SOC teams are under immense pressure and need more help.
- SOAR allows your highly paid security operations team to focus on real and bigger threats. Security investments seldom provide immediate transformational benefits, but SOAR has a chance to change that. SOAR helps solve that age-old management problem of “doing more with less,” thereby trying to show benefit.
Players in the Space
- Demisto / Palo Alto
- D3 Security
Product Space Predictions
- As covered in the last issue, cybersecurity spending is dominated by regulatory and compliance drivers. With escalating requirements from regulators and governing bodies, so too will the requirements for monitoring and responding to all sources be escalated. SOAR platforms can make or break this.
- Digital Transformation initiatives at companies are changing cybersecurity landscapes and associated threats and are driving the need for more automation across all security domains. Time to shine SOAR platforms.
- New players will enter the SOAR product category that seeks to enhance existing SOAR platforms and playbooks, like Polarity. Adding additional context and ease-of-use for operators will be a differentiating factor. Expect more acquisitions in this product sub-space.
- Players in the space will focus on the disrupter of No-code and Low-code solutions as a way to drive adoption to their platforms and reach a broader audience that cannot afford to hire highly specialized disciplines of cybersecurity professionals.
- Cloudy with a chance of SOAR. As more business and technology moves to the cloud, SOAR platforms used on-premises will have to be able to quickly adapt to automation at Cloud Service Providers (CSPs) like AWS and Azure.
“I need another API like I need another hole in my head”
Cybersecurity Engineer at Large Insurance Company
Challenges for Products Buyers
- SOAR platforms work best with specific technology integrations. To get the most out of your SOAR platform, you have to buy or already have all the other platforms that integrate the best. That is unless you want to get into full REST API development and maintenance to support your security stack. Which leads me to my next point…
- SOAR platforms are competence destroying. New knowledge will have to be created and learned to operate these platforms and old knowledge will be less valuable. It is no longer enough to know how a standalone endpoint or network security platform works. You need to hire people who know about APIs, DevOps, CI/CD pipelines, etc. in addition to being sysadmins. These are not skills traditional security people have in most organizations. Skill retooling is necessary.
- SOAR platform rollouts are never “finished”. As connected security platforms get upgraded, new features and functionality will replace old ones, APIs will change, and automation already in place can and will break. You will need resources dedicated and responsible for keeping up with this newly created ecosystem just like with delivering a software product. This speaks to the broader convergence of technical abilities and routines happening across all IT disciplines, and cybersecurity is no exception.
How Players Will Be Successful in this Market
- Focus not just on the volume of integrations, but the completeness of integrations. If your SOAR API connection can only perform 5 basic actions from an integration or is somehow rate limited, you are limiting what can be done with your platform. When you limit your platform, you make buyers, not like it.
- Show the difference. After a certain amount of automation claims, you can start bleeding into the Managed Detection and Response (MDR) space. Why automate only the SOC triage, when we can automate it all with MDR? You’ll want to make sure you are telling the right story and not one that makes it sound like you are replacing people or whole functions. The people closest to the work often have a greater say in product purchasing because those decisions impact them the most.
- Push security to the business edge. Want to drive broader adoption of your SOAR platform? Pushing security into the business technology teams that run the critical operations and move/process the sensitive data for the organization gets greater engagement, and ultimately, better security.
How Will Product Buyers Get What They Need?
- Sell the bigger picture for the overarching security operations and response capabilities and goals. Security investments seldom provide immediate transformational benefits, and showing an uptick in closed tickets is not a measure of SOAR success or actually reducing security risks to the company.
- Hire people from other technology backgrounds. Cybersecurity technology is evolving just like cloud, data, and other larger drivers of innovation in IT. Hire the right technical leaders to bring over the disciplines from other IT functions like software development. Things like code linting, code reviews, testing (unit/functional), and automated deployment should become your new norm. These practices will have ripple effects across your organization and increase security while enabling other teams to work faster.
- The Difference Between Events, Alerts, and Incidents - a quick primer and an all-time personal favorite cybersecurity-related website
- The Benefits of SOAR - listing of benefits and definitions
- SOAR in the Cloud - 7 factors to consider
- Arming your SOC with SOAR - practical and common use cases for SOAR playbooks
- Gartner’s take on SOAR - the Hype Cycle for Security Operations
Looking for more insights and analysis? Check out the Pro version of this newsletter where you’ll find:
- 9 Predictions for the product space (80% more)
- 5 Challenges for Product Buyers (67% more)
- 6 Insights for Players to be successful (100% more)
- 4 ways Buyers can get what they need (100% more)
When you subscribe to the Pro version, you’ll get access to the pro version of this issue and all past and future issues.