SOAR Webinar Questions – Answered

Here are my recent SOAR webinar Q&A (also see webinar recording link, our amazing SOAR paper [Gartner GTP access required, but everybody can see the outline])

The questions are edited for clarity and vendor-specific questions omitted.

Q1 It sounds like it isn’t really viable to use a SOAR when deploying a new SOC (to optimize limited resources and integrate the tool from the very beginning)? Is it mainly reserved for mature SOC?
A1 This is actually an excellent question! During the webinar, I alluded that only those with mature security operation processes should use SOAR tools. However, this is not entirely true: we have seen some organizations building security operation centers with “native” (day 1, etc) support for SOAR tools, and it worked for them.

Q2 Can you provide some insights into how MSSPs are deploying SOAR in their operations with some examples of notable benefits?
A2 We have said
in the paper that these service providers have been deploying tools the call is they present the easiest business case among other organizations. Those MSSPs that decided to utilize a SOAR tool reported increased alerts processed per analyst , improve consistency of their triage and handling procedures and other benefits. Some reported that SOAR integration in their workflows took ~6-9 months to complete.

Q3 If my company has separated the SOC and the [IT] outsourcing in 2 independent contracts, would you recommend to join these services to implement SOAR?
A3 If your company choose to use an external party for a SOC, you in effect don’t have a SOC: you just rent one. In this scenario, your MSSP would have to make the choice to utilize an orchestration tool, and not for you.

Q4 What are the top 3 or 5 industries you’re seeing deploying SOAR tools?
A4 This is a hard question to answer, since we have seen large organizations with mature security operation centers (SOCs and/or CIRTs too) across many industries adopting these tools. Admittedly, more clients were in the financial industry , but perhaps because they are the typical early adopters of much of security tech.

Q5 Have you estimated the cost reduction percentage in the security operations if a company implement SOAR?
A5 We have not done any independent studies of such cost reduction. But we have observed some interesting and seemingly credible estimates by the vendors, created using real-world measurements (and not [only] their fantasy]. Some of the tools have features to record many tasks and such data then can be used to estimate the time savings and then dollar savings as well.

Q6 Is it good to automate security without involving any manual work?
A6 Is it to good to travel to another star system easily and immediately? Sure, it would be good, but it is also [for now and possibly forever] outside of the domain of possible. This situation is exactly the same here: it is impossible to do security without a single manual task. In other words, it is impossible to automate the entire lifecycle of information security. Hence, the discussion of whether such a thing would be beneficial is irrelevant.

Finally, go read our SOAR paper and then provide your comments on how to make it better!

Related posts from our SOAR research:

Past webinars and Q&A posts:


This is a Security Bloggers Network syndicated blog post authored by Anton Chuvakin. Read the original post at: Anton Chuvakin