SOAR: Approach in Reverse

Viewed at a certain distance, there’s an inevitability about the rise of SOAR (security orchestration, automation, and response). Security teams are overwhelmed, and their tools have never been altogether successful at safely locking down the enterprise. This has paradoxically led to more and more tools, and by now there is a resultant need for something that makes it simple to look into all the data that all the tools spew out, and then do something about it.

To be clear, successful SOAR isn’t as easy as just getting all the data onto one pane of glass (though that’s not actually so easy, either). It’s not as straightforward as supporting that data console with nearly infinite drilling down, all the way to viewing packets in raw hexadecimal. Yes, these are good starting points, but we need more. Indeed, whatever passes for actionable intelligence in this business needs to be combined and refined from all this aggregated output. And if the response to the intelligence that bubbles up is something that can be dealt with in a repeatable, parameter-driven way, then a key contribution of SOAR must be automating that response.

Security orchestration is the part that combines the intelligence. Automation is what takes routine responses off the analyst’s plate. And “response” is because Gartner wanted an acronym that had a nice ring to it.

So what we’re after is not just actionable intelligence, but workflows that ensure our actions are consistent across multiple, similar alerts. The basis for the actionable intelligence will primarily be security products, including SIEM, Threat Intelligence, endpoint security tools of all sorts, firewalls and other network tools, vulnerability management systems, and so on.

The principal element making integration a tricky proposition is not that there aren’t standards for exchanging security data, but that there are so many standards and approaches in use across the broad spectrum of security tools. The trick is matching hundreds of products and services to dozens of integration approaches, and while working out all this detail is one of the primary reasons SOAR vendors get paid, it’s worth remembering that whatever magic SOAR offers, it’s offered only after the basic homework of getting everything connected is taken care of.

If you’re just starting to consider SOAR, you may want to go at things in reverse. In the normal process, you’d take the tools you have and look for SOAR products that integrate them well. But maybe this is a moment to rethink your toolchain a bit. It may well make more strategic sense to find the right SOAR capabilities for your organization first, and then re-examine the tools that feed into it to make sure you’ve got the tools in place that best facilitate not only data feed incorporation (table stakes), but also automated responses (the point of the exercise).