The Difference Between SOAR and a Security Operations Platform

When an innovative product hits the market, it does not take long for the market to become overrun with similar offerings. 

Consumer technology products are a great example of this phenomenon. Soon after Apple released its AirPods wireless headphones, a number of lookalike offerings, even in Apple’s signature white color, flooded the market. 

For the consumer, this is good and bad. On the positive side, now there are more choices available, probably at different (and more affordable) price points. Unfortunately, much of the competition is quite inferior to the original, leaving it up to the consumer to do their homework before making any decision. 

This same situation occurs when it comes to cybersecurity products. For example, a few years ago, artificial intelligence began increasingly becoming embedded in offerings, from firewalls to data loss prevention. 

The reality, however, was that many of these products rushed open-source machine learning models into the technology that may have impacted the actual functioning of the product. Only after security teams deployed these products did this slim – and this being generous – implementation of AI come to light. 

Today we are seeing a similar situation arising around one of the hottest security categories: security orchestration, automation and response (SOAR). Everywhere you look, vendors are weaving in SOAR-like messages into their marketing efforts, claiming to improve security operations center (SOC) efficiency, as well as decrease dwell time (time between attacker penetration to discovery and eradication), among other benefits. 

But to extract all the value possible out of a SOAR you do not need a SOAR product, you need a SOC platform.

Here are three things to help you identify a SOC platform:

1) People

The most important part of a SOC are the people that work in it day in and out. Working under extreme pressures and and within a workload that outstrips their maximum capacity, these folks are the lifeblood of your entire security program. From your Tier 1 analysts to the SOC manager, every member of the team must do their job, and do it well, or something negative can occur. A SOAR product will not take into account the people aspect of your SOC. Even if it is capable of assigning a name to a case it considers all of the names the same. A SOC platform, on the other hand, enables you to assign an analyst to a case – and it knows that every analyst is different. It tracks and learns which analysts are better at which type of case so over time the SOC operates as efficiently as possible.

Free Guide: Pragmatic SOAR Selection

2) Awareness

Ever walk into a room and catch the tail end of a conversation and think, “What in the world were they talking about?” The reason what you heard makes no sense is that you missed the context of the conversation, so your reaction to what you heard may be totally off the mark. A similar thing can occur when we talk about investigating and responding to a security threat. A typical SOAR product is much like an old-time printing press, where the letters are set in place and, when a blank sheet of paper is fed into the machine, those exact letters are printed on the paper every time.

In the SOC, however, this approach misses the mark. A SOAR product that has no awareness of other alerts leaves the analyst working in a silo, where they are closing alerts faster but may be missing the fact that all those alerts are related to a massive targeted attack, giving the adversary more time to cause harm. Alternatively, a SOC platform is fully aware of each and every alert in the system and can, automatically, identify related alerts, providing the analyst a holistic view of the entire threat. With this visibility, the analyst can sound the alarm if, and when, they see that a major security incident has or is taking place. This awareness allows your overall security posture to improve in the long term.

3) Adaptability 

Starbucks changed the coffee-drinking experience. Before they existed, java was just java, but listen to some people order their cup of joe nowadays, and you might leave scratching your head. Half-caf, extra-hot, oat milk, extra shot. What Starbucks figured out that no one else had at the time is providing the ability for the consumer to tailor their cup of coffee in any way they wanted met a need in the market, and the rest is history. Back to the world of security, SOARs traditionally provide the following core capabilities:

  • Ingest alerts from a source.
  • Integrate with a set of security products, as well as other tools used during response.
  • Model a workflow that can be used over and over.

As such, a SOAR product will generally force a certain user experience on the analyst. For instance, some SOAR products in the market assume the workflow creation will be completed by someone with reasonable programming skills, so the UI design may feel like a development environment. On the flip side, some vendors may offer workflow creation but in a very limited manner. This means some workflows required may simply not be possible.

A SOC platform, on the other hand, can adapt to the norms of any SOC by matching its people and processes, not the other way around. For example, if a SOC team is made up of programmers, a SOC platform gives them the ability to customize the entire experience through an integrated development environment (IDE). For a team of non-programmers, the SOC platform provides intuitive user interfaces and playbook designers that do not require coding. It is this adaptability that makes the SOC platform the true center of the SOC.

As a consumer, we all love choices, and in general, these choices push vendors to deliver better products. That said, a product is only good for you if it fully meets a pressing need and delivers the desired outcome. Choose wisely.

Steve Salinas is director of product marketing at Siemplify.

The post The Difference Between SOAR and a Security Operations Platform appeared first on Siemplify.

*** This is a Security Bloggers Network syndicated blog from Siemplify authored by Steve Salinas. Read the original post at: