Understanding the Power of SOAR for Government

How SOAR in government can help build a comprehensive and cohesive strategy for agencies

By now, it’s clear that the shifting cyberattack landscape requires new approaches and tools on the part of the federal government. Agencies must “see,” with a single point of view, all of the activity impacting devices, networks and data under their watch and then respond immediately to the biggest threats first. They should conduct ongoing analysis of vulnerabilities and incidents, not only to help themselves, but also to share the information to help other agencies. What’s more, they need to invest in machine learning, artificial intelligence (AI) and automation solutions to do all of this swiftly and effectively.

These concepts come together to create what we now call SOAR, or security orchestration, automation and response. Gartner, which is credited with introducing the term, defines SOAR as “… technologies that enable organizations to collect security threats data and alerts from different sources, where incident analysis and triage can be performed leveraging a combination of human and machine power to help define, prioritize and drive standardized incident response activities according to a standard workflow. SOAR tools allow an organization to define incident analysis and response procedures … in a digital workflow format, such that a range of machine-driven activities can be automated.”

SOAR arrives at a time when IT teams, already strained for personnel, are encouraged to “do more with less” through automation. For instance, it takes eight months on average to train new security analysts, and one-quarter of these workers leave their employers within two years, according to research from VIB. This degree of turnover and the overall dearth of talent are significantly driving interest in SOAR: One-fifth of organizations are already “extensively” deploying technologies for security automation and orchestration, and two-fifths are doing so on a limited basis, according to research from Enterprise Strategy Group (ESG).

As for intended outcomes, 35% of organizations want to deploy security automation/orchestration tech to integrate external threat intelligence with internal security data collection and analysis and 30% seek to expand the functionality of existing tools, according to the ESG research.

Within the government, SOAR has not emerged as a mainstream concept. But agencies are exploring or adopting its key components—particularly automation, “single pane of glass” visibility, real-time threat monitoring/analysis and comprehensive information-sharing:

  • Through its AI Next campaign, the Defense Advanced Research Projects Agency (DARPA) is investing $2 billion to automate critical Department of Defense (DoD) business processes, including the protection of machine learning and AI technologies, and the real-time analysis of sophisticated cyberattacks.
  • To establish standardized security approaches in the cloud, the Federal Risk and Authorization Management Program (FedRAMP) prioritizes increased automation and near real-time data for continuous monitoring.
  • In its “Tech Industry’s Recommendations for Federal IT Modernization” report, the IT Alliance for the Public Sector (ITAPS) calls for an “automation first” goal that would include the automating of security assessment processes.
  • The White House National Cyber Strategy states that the U.S. will “aggressively expand efforts to share automated and actionable cyber threat information.”

These developments are highly promising; even if they aren’t specifically referencing SOAR, they’re at least committing to and/or championing its associated practices. Eventually, we expect a broader, more formal adoption of SOAR governmentwide. To ensure a successful transition, however, IT leaders will have to overcome two challenges:

Lack of awareness: As mentioned, SOAR simply hasn’t “caught on” as a common concept in the government space. Let’s face it: There are plenty of cybersecurity buzzwords getting tossed about these days. SOAR in government suffers somewhat from a lack of awareness about what distinguishes its value, at least for now.

To address this, IT leaders must educate their teams (especially the engineers), users and top influencers about the tangible benefits and achievable ROI of SOAR. They may get pushback in the form of, “We already have single pane of glass visibility,” for example. So they should demonstrate that SOAR is about far more than this. By proving how optimal orchestration and automation will make everyone’s life easier—and supporting this during internal development and testing—they’ll gain buy-in at all levels.

The pitfalls of hiring “one size fits all”: No one expects an agency to launch SOAR on its own. They need support in the form of third-party vendors. Yet, while there are many vendors with SOAR capabilities, they don’t necessarily have government experience. They might claim that “SOAR implementation is the same for any organization, whether in the private or public sector,” but this is far from the case.

Thus, IT leaders must seek out vendors with SOAR credentialing as well as a successful history of working with their agency. Vendor candidates should command an in-depth understanding of the agency’s specific IT environment, mission, goals and challenges. With this, the hired vendor will more effectively conduct the aforementioned development and testing, readily working out any issues discovered in the process because that vendor knows the agency so well.

Yet, by carefully examining the short- and long-term value of SOAR—how it enables security teams to build a cohesive, comprehensive and completely integrated architecture with enterprisewide visibility from a singular point of view, along with threat prioritization supported by entirely automated incident monitoring, identification and response—they’ll recognize that it is far from “just another buzzword.” And if they overcome these challenges by raising enterprisewide awareness and working with agency-experienced vendors that “get” their specific needs, they’ll thrive through the continuous, positive impact of their time commitment and the ROI of their investment.

Robert Schofield

Robert Schofield is a Director of Enterprise Solutions with a BS in Information Technology and an MS in Information Systems. He has over 15 technical certifications, including those for Microsoft and VMware products and ITIL v3. He has 20 years’ experience supporting the DoD at an enterprise level, including 8 years of active duty in the Armed Forces. He was the technical Program Manager supporting several customers, including US Army NETCOM, JSP, CIA, DIA, the Secretary of Defense and others. Mr. Schofield has worked for NetCentrics since 2007, most recently supporting the management of worldwide deployments of Enterprise Management (Microsoft System Center) capabilities to the United States Coast Guard.