by Anton Chuvakin | April 16, 2018 | Comments Off on SOAR Webinar Questions – Answered
The questions are edited for clarity and vendor-specific questions omitted.
Q1 It sounds like it isn’t really viable to use a SOAR when deploying a new SOC (to optimize limited resources and integrate the tool from the very beginning)? Is it mainly reserved for mature SOC?
A1 This is actually an excellent question! During the webinar, I alluded that only those with mature security operation processes should use SOAR tools. However, this is not entirely true: we have seen some organizations building security operation centers with “native” (day 1, etc) support for SOAR tools, and it worked for them.
Q2 Can you provide some insights into how MSSPs are deploying SOAR in their operations with some examples of notable benefits?
A2 We have said in the paper that these service providers have been deploying tools the call is they present the easiest business case among other organizations. Those MSSPs that decided to utilize a SOAR tool reported increased alerts processed per analyst , improve consistency of their triage and handling procedures and other benefits. Some reported that SOAR integration in their workflows took ~6-9 months to complete.
Q3 If my company has separated the SOC and the [IT] outsourcing in 2 independent contracts, would you recommend to join these services to implement SOAR?
A3 If your company choose to use an external party for a SOC, you in effect don’t have a SOC: you just rent one. In this scenario, your MSSP would have to make the choice to utilize an orchestration tool, and not for you.
Q4 What are the top 3 or 5 industries you’re seeing deploying SOAR tools?
A4 This is a hard question to answer, since we have seen large organizations with mature security operation centers (SOCs and/or CIRTs too) across many industries adopting these tools. Admittedly, more clients were in the financial industry , but perhaps because they are the typical early adopters of much of security tech.
Q5 Have you estimated the cost reduction percentage in the security operations if a company implement SOAR?
A5 We have not done any independent studies of such cost reduction. But we have observed some interesting and seemingly credible estimates by the vendors, created using real-world measurements (and not [only] their fantasy]. Some of the tools have features to record many tasks and such data then can be used to estimate the time savings and then dollar savings as well.
Q6 Is it good to automate security without involving any manual work?
A6 Is it to good to travel to another star system easily and immediately? Sure, it would be good, but it is also [for now and possibly forever] outside of the domain of possible. This situation is exactly the same here: it is impossible to do security without a single manual task. In other words, it is impossible to automate the entire lifecycle of information security. Hence, the discussion of whether such a thing would be beneficial is irrelevant.
Related posts from our SOAR research:
- Our Security Orchestration and Automation (SOAR) Paper Publishes
- SOAR and Ticketing: Friends, Frenemies or the Same thing?
- Threat Detection Is A Multi-Stage Process (by Augusto)
- SOAR and “Curve-jumping” in Security Operations
- SOAR: Magic or Mundane?
- SOAR Research Coming … Brace for Impact!!
- SOAR research is coming! (by Augusto)
- Security: Automate And/Or Die?
- Security Without Security People: A [Sad] Way Forward?
Past webinars and Q&A posts:
- Upcoming Webinar: Prepare Your Security Operations for Orchestration and Automation Tools
- SOC Webinar Questions Answered
- Upcoming Webinar: Design a Modern Security Operation Center (SOC)
- SIEM Webinar Questions – Answered
- Upcoming Webinar: SIEM Architecture and Operational Processes
- Upcoming Gartner Webinar: DLP Architecture and Operational Processes
- DLP Webinar Questions – Answered!
- Upcoming Gartner Webinar: The Future of Security Monitoring and SIEM
- Webinar on Security Monitoring of Public Cloud Assets
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.