As Anton anticipated on this post, we’ll be writing about SOAR – Security Orchestration, Automation and Response – tools. Of course many people, seeing this coming from Gartner, will think: “oh great, here are those guys creating new fancy acronyms for silly markets with a bunch of VC powered startups”. Yes, I agree that usually that’s the feeling. But let’s consider a few FACTS:
- Some of these new vendors have already been acquired by big players such as FireEye (Invotas), Microsoft (Hexadite) and Rapid7 (Kommand). So, it seems that what they are offering is interesting enough to be integrated into other security technologies out there.
- We often complain about the lack of skilled manpower in security. It is a very common issue to put together SOC teams. And whenever lack of manpower becomes an issue, AUTOMATION is a potential solution.
- We also like to complain about the ever growing number of security tools being used by organizations. How can you properly integrate them so you can actually get the full value from them? You have tools to detect threats on the network, but you need to investigate those alerts on the affected endpoints using your EDR tool; with so many moving parts in place, some ORCHESTRATION is definitely required.
- Finally, we also keep saying organizations are not reacting fast enough to incidents. Again, one of the most common ways to do things faster is streamlining processes (WORKFLOW) and leveraging AUTOMATION.
So, the need for the capabilities is there. We may argue that they should be embedded in current tools or that they are not complex enough to require a new product, just a bunch of Python or Powershell scripts. For the first point yes, this could definitely help the integration, but if you use the automation capabilities from each tool individually you may end up with “automated spaghetti workflows”, what would become a nightmare to support, troubleshoot and maintain. A hub and spoke approach can help keeping the complexity manageable. What is that hub? SOAR! Can it be done purely with scripts? Well, I bet you can replicate a lot of these products capabilities with some clever scripting, but how many organizations have people to do that and want to have more code to support, troubleshoot and maintain?
There are other interesting things related to SOAR that we want to explore: is this the new “single pane of glass” for the SOC? Does it make sense to leverage Machine Learning on these use cases? Are organizations looking for the glue only or for content (playbooks)? Some of the things we have in our minds for this upcoming and exciting research project.
So, of you are a SOAR vendor, don’t forget to schedule a Vendor Briefing with us! You can find more details here.