Addressing the Opportunities of SOAR: What Organizations Need to Know
By Matt Eberhart, chief revenue officer, Respond Software
Security operations teams have the unenviable task of sifting through endless security alerts to find the real incidents in their environments. Then, they need to investigate further to determine the extent of the attack, and finally coordinate a response with various teams across IT. Finding the security talent to do this has always been a challenge, and frankly, people may not have the ability to do the task accurately at speed and scale. So, the security industry has been looking at automation as a way to reduce the workload on analysts and make security operations more effective.
Challenges with existing approaches to SOAR
Building out security operations workflow is compelling and makes sense as the next step in improving detection and response capabilities, but the challenges become obvious once you see a demo of one of these tools. SOAR platforms run on playbooks. They are like the autopilot system of a commercial aircraft. To use them, you still need to know where you want to go and how to fly the plane.
Workflow automation is good for simple tasks requiring three to five steps. In reality, security professionals rarely run into exactly the same scenario twice, which presents challenges for workflow automation. You end up building playbook after playbook to address the volume of different scenarios that come up. Most organizations aren’t benefitting from the automation they’ve invested in. They find themselves in an endless cycle of building additional playbooks, which requires more development and engineering talent, and that talent typically isn’t cheap.
This is why SOAR usage is less than 5% and why playbook-driven SOAR tool projects tend to stall out after the first two playbooks are built. Most SOAR implementations have two or three playbooks written that are all focused on event investigation. That’s it.
One of the leading use cases is comparing binaries found on potentially infected systems to see if they are malicious or not. Don’t be fooled by the example. It sounds great to have a SOAR tool automate the evaluation of a potentially malicious binary. In reality, workflow automation struggles to determine which binaries to send, resulting in a huge bill for just a few valid escalations.
SOAR solutions were designed for (and by) the top 1% of security programs in the world that are staffed with hundreds of security engineers who can code up playbooks and constantly tinker with them. That’s not the world of most security teams. The promise of SOAR really is great. Most teams just don’t have the time or resources to write and manage all the moving parts to realize significant value.
The questions to ask before deploying SOC automation
So, what is the best approach to take when starting an automation project? Ask yourself the following questions:
- What is the security operations problem that is impacting your team the most?
- What type of threats do you face most often, and what type of threats are you most concerned about?
- Look at your technical architecture. Is it working for you, or is it the root cause of some of your challenges?
- Are you able to automate the foundational and repeatable tasks that address the problem you identified?
- Do you know where SOAR can save you money, and can you deploy it effectively?
For many organizations, the challenge is too many alerts, most of them false positives or low-risk items, that take up valuable time your team should be spending on the higher-risk items. The opportunity here is that if you can truly solve the problem of turning billions of alerts into a small number of validated and investigated incidents, it completely changes the game.
The best automation for security teams understands how to investigate many different types of alerts across different security telemetries and automates the investigation process, leading to real, actionable and scoped incidents that need a human response.
Looking ahead: How will these best practices lead to measurable business benefits?
It’s important to measure the effectiveness and efficiency of any investment. Security is no exception. Many of the challenges in security compound due to the way we layer on technology, people and processes over time.
Break that cycle. Look at where your team is spending time and how they could become more efficient with purpose-built software solutions. Think in outcomes, not technologies.
Success means people are now free from manually investigating alerts or constantly writing playbooks to automate workflows. Success means more alerts can be investigated and turned into fewer incidents. Success means SOAR/SIEM/SOC/MSSP budgets become more efficient.
And the greatest sign of success is that the people working in security programs experience a huge improvement in the quality of their daily job, becoming more effective and improving their job satisfaction.
About the Author
Matt Eberhart, chief revenue officer, Respond Software. Matt has over 20 years of experience in the security industry, from hands-on operations to product management, go-to-market, and hypergrowth. He was early at Secureworks, where he had the opportunity to create and grow several different security operations models, innovating on blends of people, process, and technology. Listening to and understanding the true needs of customers has been the north star in Matt’s journey, leading to hands-on roles in security engineering and sales and ultimately executive positions in product management, sales, and go-to-market strategy. In recent years, Matt served as the Vice President of Global Product Management at Secureworks and Chief Revenue Officer of MediaPRO.
Matt holds an MBA from Georgia State University, Robinson College of Business, and a CISSP certification, and was nominated as the ISE Information Security Executive of the Year in 2006.