We interrupt our regular (SIEM, for now) programming to pre-announce our Q4 2017 (to spill over onto 2018) research on SOAR (which, by then, will likely stand for Security Orchestration, Automation and Response). Hurrah! Go SOAR! Well, go and SOAR 🙂
So, dear SOAR vendors (you know who you are, if I use examples here those NOT mentioned will get mad at me so none are mentioned), please schedule a briefing with us focused on some or all of the following:
- When is SOAR a MUST have technology? What has to be true about the organization to truly require SOAR? Why your best customer acquired the tools?
- What budget item was used to purchase a SOAR tool by your clients?
- Most common SOAR use cases observed in your client base? For SOC? For CIRT? For threat intelligence?
- What do clients consider more valuable, a platform to integrate tools or content to guide their security operations processes? Or perhaps a workflow engine?
- Do most clients value the playbook content that comes with your SOAR tools? Or do most buyers have their own playbook content?
- What is your approach for dealing with tool integrations that become unsupported and/or break due to API changes? What do you suggest clients do when automation breaks?
- Most commonly integrated services and tools into your SOAR platform?
- Regarding the automation features, do most users utilize automation around enrichment and investigation or around automated mitigation actions?
- How long did it take to deploy at a typical client?
- Is SOAR the proverbial single pane of glass?
- If not, what the role of SOAR – being a glue to tie security products behind the scenes?
- What have you learned from deployment? What are the top challenges?
For now, my main problem with SOAR (however you call those security orchestration and automation tools…if you say SOAPA or SAO we won’t hate you much) is that I have never (NEVER!) met anybody who thought “my SOAR is a MUST HAVE.” Hence our first question above focuses on the conditions for SOAR toolsets to be “aspirin, not vitamin.”
Go and share your SOAR stories, even if you are not a vendor. In fact, better if you are a SOAR user who loves his SOAR tools! Or, perhaps, hates them!
Vaguely related blog posts: