SOAR and Ticketing: Friends, Frenemies or the Same thing?

We continue our journey through SOAR mysteries with this one: what is the relationship between case management (aka ticketing) and SOAR? So far, we have encountered these views (overdramatized for added hilarity!):

  1. “Are you dumb? SOAR and security case management are essentially the same thing; you cannot have a SOAR tool without incident case management, human workflow is the heart of SOAR for most clients.” [common]
  2. “Well, our SOAR has a bi-directional link to our IT case management, they are not the same system since IT uses ticketing, but security team uses SOAR, but they must link.” [common]
  3. “Wait…what? SOAR automates stuff so that we don’t have to open the stupid tickets. Our SOAR tool does not really have ticketing [or: it is weak] and we don’t really care much if integrates with external ticketing.” [rare]
  4. “Our SOAR includes ticketing, but also integrates with ticketing. Confused? Don’t be – this is security workflow vs IT workflow, we have to keep them separate, but we need both”

This is befuddling! It would be as if we’d have a debate on whether log collection is a central feature of SIEM or more of an add-on… So, is ticketing a central feature of SOAR or a nice-to-link adjacent technology? Is “O&A” the heart of SOAR or is that case management?

In all honesty, we are leaning towards the centrality or at least high relevance of case management as either part of SOAR or something very closely integrated. “SOAR as glue” (or middleware) just does not seem to have the mass appeal, we think.

What is your view of the ideal relationship between SOAR and ticketing?

Blog posts related to this topic:

This is a Security Bloggers Network syndicated blog post. Read the original at: Anton Chuvakin 2017-11-03.