SOAR Research Coming … Brace for Impact!!

By Anton Chuvakin | September 13, 2017 | 5 Comments

We interrupt our regular (SIEM, for now) programming to pre-announce our Q4 2017 (to spill over onto 2018) research on SOAR (which, by then, will likely stand for Security Orchestration, Automation and Response). Hurrah! Go SOAR! Well, go and SOAR 🙂

Given that both Augusto and myself are so popular and have fairly long Vendor Briefing lead times, we wanted to issue our SOAR CALL TO ACTION now, before we actually start the research in October.

So, dear SOAR vendors (you know who you are; no examples are named here, because any vendor NOT mentioned would get mad at me), please schedule a briefing with us focused on some or all of the following:

  1. When is SOAR a MUST-have technology? What has to be true about an organization for it to truly require SOAR? Why did your best customers acquire the tools?
  2. What budget item was used to purchase a SOAR tool by your clients?
  3. Most common SOAR use cases observed in your client base? For SOC? For CIRT? For threat intelligence?
  4. What do clients consider more valuable, a platform to integrate tools or content to guide their security operations processes? Or perhaps a workflow engine?
  5. Do most clients value the playbook content that comes with your SOAR tools? Or do most buyers have their own playbook content?
  6. What is your approach for dealing with tool integrations that become unsupported and/or break due to API changes? What do you suggest clients do when automation breaks?
  7. Most commonly integrated services and tools into your SOAR platform?
  8. Regarding the automation features, do most users utilize automation around enrichment and investigation or around automated mitigation actions?
  9. How long did it take to deploy at a typical client?
  10. Is SOAR the proverbial single pane of glass?
  11. If not, what is the role of SOAR – being the glue that ties security products together behind the scenes?
  12. What have you learned from deployment? What are the top challenges?

For now, my main problem with SOAR (whatever you call those security orchestration and automation tools…if you say SOAPA or SAO we won’t hate you much) is that I have never (NEVER!) met anybody who thought “my SOAR is a MUST HAVE.” Hence our first question above focuses on the conditions under which SOAR toolsets become “aspirin, not vitamin.”

Go and share your SOAR stories, even if you are not a vendor. In fact, better if you are a SOAR user who loves his SOAR tools! Or, perhaps, hates them!


5 Comments

  • Andre Gironda says:

    SOAR is more about SOMP than just TIP (e.g., Yeti-platform, MISP), case management (e.g., TheHive), and Security Operations Automation (e.g., Rundeck). SOMP is for decision making, for resource allocation all-around.

    Cyentia Institute just published their Cyber Balance Sheet 2017 report. It’s prescient.

    We must, as an industry, move completely away from Use Cases — https://my.socprime.com/en/ucl/ — and towards Hubbard AIE control effectiveness. Is there a control deficiency? Which controls are effective and to what degree? We must measure that risk and uncertainty using Hubbard AIE — there is no other method that works on business-to-cyber and cyber-to-business outcomes. Yes, it will require NACD structures, but allow that Exceedance-Probability curve to show the statistics: to show the math; to show our work. Stop leveraging use cases in decision-making processes!

    SOMP is a must-have technology. Is SOAR a piece of SOMP? Probably, but the outcomes matter, the structure matters — so much, much more.

  • SOAR is indeed way, way more about workflow and orchestration than TIP, full agreement here.

    Thanks for the mention of Rundeck — so far, I have never heard of anybody using it for security, but I will add it to our list of tools to check.

    Hmmm…use cases -> control effectiveness. This I need to ponder, but my first reaction is “Huh? Why not both?”

    Re: SOMP — My impression is that your SOMP = our SOAR exactly.

    • Andre Gironda says:

      @ Anton — SOAR is more than TIP + SIRP. Is TIP even a part of SOAR? In MISP and threat_note, yes, because they integrate to Cuckoo. In the commercial offerings, I’m not so sure. They have separate integrations for TIP and SIRP (especially AMA — Automated Malware Analysis) that don’t connect up. For SOMP, you need to see — https://www.rooksecurity.com/soar-sirp-soap-tip-x/

      Use cases pollute and confuse the crux of the issues with control effectiveness. They do not apply to managing cyber risk (although one could argue that there is ROI out of productivity improvements, but that’s not the goal with control effectiveness, just more-general resource allocation). Managing cyber risk needs a way to measure risk and uncertainty — Hubbard AIE does that and it precludes use-case analysis. You can’t have both. In fact, I’d argue that the reason why we still have huge breaches in cyber, even (or especially) in financials, services, industrial, and gov orgs is because leaders keep trying these hybrid qual/quant methods. Just stick to the quants! Quants-only!!

      To me, use cases in cyber are akin to arguing with a civil engineer about what types of concrete are best for building skyscrapers. They know which ones: the ones that worked for the past century — THOSE ONES!! You don’t change it up. You don’t add new requirements every quarter to improve quality.

      We’ve had methods for formulating the outcomes of adversary-against-victim under the uncertainty of geopolitics and the fog-of-war for over 3 or 4 decades. You don’t implement SIEM features. You canvass a panel of experts and use statistical techniques on their expertise statements based on calibrated-confidence intervals. You use Hubbard AIE. Period.

  • Malte Wirz says:

    Dear Anton, I think that your papers on all SOC topics are really well researched and easy to read. Since I am responsible at Computacenter for the topic of SOAR/SIRP, I am really looking forward to your SOAR research 🙂