In parts one and two of this blog series, we explored the state of the security operations center (SOC) with a focus on security information and event management (SIEM) systems and the state of security orchestration, automation and response (SOAR). In the third and final part of this series, we are going to dive into the future of SOAR.
According to the analyst community, SOAR adoption is still in its early stages. As more and more SOCs mature with their SOAR solutions, new use cases are being implemented and the application of SOAR is proving to be limitless.
While the SOAR-enabled SOC has virtually unlimited potential, it’s important to emphasize that no security solution, platform or tool is a silver bullet. As an industry, we need to keep evolving and growing along with the threat landscape.
The best way to do this is to get creative! Organizations implementing SOAR solutions should move beyond orchestrating and automating standard playbooks and workflows (although that’s important too). If you are reading this and fall into that category, look for new ways to maximize the potential of your SOAR platform. Once standard processes are automated, revisit how you achieve the results you want and look for new ways to improve and optimize those processes. And remember, one of the most exciting aspects of SOAR is that it scales horizontally across the organization. Check out this employee off-boarding use case as an example.
To date, the threat intelligence community has done a good job of breaking down barriers between different organizations and increasing everyone’s ability to share data reliably. As an example, Information Sharing and Analysis Centers (ISACs) have made it easier for organizations across the industry to share indicators of compromise (IOCs), techniques, tactics and more. The natural evolution of this information sharing is moving to standards-based processes, such as Structured Threat Information Expression™ and Trusted Automated eXchange of Indicator Information™ (STIX-TAXII).
We know that collaboration and comprehensive information sharing are important for strengthening the cybersecurity industry as a whole, but they also make an individual organization’s SOAR solution more effective. SOCs that participate in information sharing and are equipped with a SOAR solution are better placed to answer questions such as:
- What do I do when I see particular activity inside of my environment?
- How do we share this information between organizations?
- If I see this type of activity generating this type of alert, what actions should I take?
- What should I be looking for?
- How should I look for other compromised hosts or assets?
- How do I respond and mitigate this as quickly as possible?
When analysts can answer these questions with complete data, they can tweak and customize standardized workflows for more effective incident investigations. This lets the industry as a whole leverage the shared capabilities of a broader global community, keeping up with (or even getting ahead of) threats and malicious actors.
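As an added example (not Swimlane’s code or anything from the original post), here is how a playbook step could consume shared intelligence in STIX 2.1 form and sweep host telemetry for the questions above; the bundle, the telemetry records and the field mapping are all constructed for illustration.

```python
import json
import re

# Constructed STIX 2.1 bundle: sample indicators only, not from any real feed.
SAMPLE_HASH = "a" * 64  # placeholder SHA-256
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "spec_version": "2.1", "pattern_type": "stix",
         "pattern": f"[file:hashes.'SHA-256' = '{SAMPLE_HASH}']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "spec_version": "2.1", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'bad.example' OR ipv4-addr:value = '203.0.113.7']"},
    ],
})

# Minimal extractor for "<object-path> = '<value>'" terms in a STIX pattern.
# Only equality comparisons joined by AND/OR are handled; NOT, LIKE, MATCHES
# and observation operators are outside this example's scope.
COMPARISON = re.compile(r"([\w-]+:[\w.'\-]+)\s*=\s*'([^']*)'")

def extract_iocs(bundle_json):
    """Return a set of (object_path, value) pairs from the bundle's indicators."""
    bundle = json.loads(bundle_json)
    iocs = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for path, value in COMPARISON.findall(obj["pattern"]):
            iocs.add((path.replace("'", ""), value))  # normalise hashes.'SHA-256'
    return iocs

# Constructed host telemetry, e.g. what an EDR or DNS log would hand the playbook.
HOST_EVENTS = [
    {"host": "ws-01", "dns_query": "bad.example", "dest_ip": "203.0.113.7"},
    {"host": "ws-02", "dns_query": "update.example", "dest_ip": "198.51.100.3"},
    {"host": "srv-03", "file_sha256": SAMPLE_HASH},
]

# Assumed mapping from STIX object paths to fields in our telemetry schema.
FIELD_MAP = {"domain-name:value": "dns_query", "ipv4-addr:value": "dest_ip",
             "file:hashes.SHA-256": "file_sha256"}

def sweep(events, iocs):
    """Return sorted (host, object_path, value) hits: the scoping step for 'other compromised hosts'."""
    hits = []
    for ev in events:
        for path, value in iocs:
            field = FIELD_MAP.get(path)
            if field and ev.get(field) == value:
                hits.append((ev["host"], path, value))
    return sorted(hits)
```

The hit list is what a playbook would hand to the next step (ticketing, containment, or enrichment) rather than leaving an analyst to match indicators by hand.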
The other thing that will continue to develop and improve as SOAR moves forward is how organizations create content. As a SOAR vendor, we see customers, partners and individual contributors providing enhancements by building integrations with third-party systems. Whether they are unique visualizations of data or custom-built workflows and playbooks, contributions like these let a SOAR platform continually improve in capability and effectiveness.
At Swimlane, we believe in continuing to make the tooling required to build these integrations as easy as possible. Meeting people where they are, and enabling them in the way they already work and develop content, will keep driving orchestration, automation and response to new levels. Ideas like citizen data science take off because putting the ability to build content in the hands of the broadest set of people is incredibly impactful, and the same will continue to happen inside SOAR.
The great majority of organizations implementing SOAR right now are large enterprises and some mid-sized organizations. Adoption at smaller businesses is rare because they lack the resources to implement automation, leverage it properly and get value out of it. However, the real value SOAR will create for mid-market and smaller organizations is actually much higher, precisely because they don’t have those resources. Smaller companies don’t have a dedicated monitoring team, incident response team or threat intelligence team, but they absolutely need these capabilities.
Organizations of every size are targets. Smaller organizations will gain this extra value by taking the automation capabilities, together with the collective learning of what everybody else is doing and how they collaborate, and putting all of that in the hands of a system administrator who is not a dedicated security person. Going forward, that is going to be really impactful for how people and organizations adopt and leverage SOAR. The future of SOAR is bright. Let’s all join in and maximize its potential!