A common misconception in the marketplace for security is that tools and technology is filled with automation and Artificial Intelligence (AI) and ‘security’ Judgement Day is coming where SkyNet takes over and we can all stop worrying about staffing security roles.
Sadly this is quite some way down the road. But the good news is; there is something you can do to bolster your internal efforts. The biggest dependence is on what you already do as part of your security operations. Similarly you can’t be a Michelin starred chef by simply buying the ingredients and owning an oven. You can’t magically be good at security because you buy a tool that has some form of automation baked in.
SOAR combines Security Orchestration, Incident Response and Threat Intelligence platforms to provide a workhorse that offers the user a set of capabilities that offer consistency, scalability and intelligence/enrichment. These can be a useful set of tools for building the foundations of a security capability. But these tools are missing two things quite regularly; firstly a set of comprehensive instructions and secondly a competent builder.
A set of comprehensive instructions
Its clear, that to be successful with security and more specifically, automating aspects of security. You have to be able to carry out the functions manually first. Therefore, this means that you need processes you want to augment with automation. If you don’t yet have the security processes in your organisation, head back to the drawing board. You aren’t ready for SOAR…yet.
A competent builder
You must be prepared to get your hands dirty with automation. Whilst some tools on the market do provide a point and click front end, complex use cases and integrations with existing investments in other security technology can be severely lacking. Therefore a sensible automation strategy is one that has full and regular access to a developer, and that the budget stretches to enabling support from vendors for integration with their technologies.
Be ready to consume BEFORE you buy
Organizational and process maturity is a key factor in successful implementation of SOAR technologies. The main considerations for an organization looking to purchase a SOAR technology are:
Do I have trusted security processes that I want to make more efficient or to automate?
Will my existing security technologies and subscriptions integrate well with a third-party toolset via API?
Does the SOAR technology of choice align with the security operations and business IT architecture roadmap and evolution?
At Gartner we are seeing shifts in the way organisations look at SOAR, what they want it to do. Furthermore the direction of the market and the products within it are beginning to change. The latest in a series of research about the challenges we see in the world of security operations is here: Is Your Organisation Mature Enough for SOAR?