Is Your Company Ready for SOAR?

SOAR can help organizations manage their data security efficiently through automation and orchestration

In physics, the rate of change of acceleration is known as “jerk.” A commonly used term, jerk can often be a jerk (pun intended), especially when dealing with real-life scenarios and especially cybersecurity.

We have forever been talking about the ever-accelerating rate of data growth. Security operations teams have been barely coping with this accelerating increase in data. The proliferation of applications, newer security technologies, an expanding threat landscape and many other factors have kept the security operations center (SOC) analyst and SOC platform experts on their toes. Advanced data management technologies (aka big data systems) and automated/refined data processing technologies (aka AI/ML) are improving the way we manage and make sense of data, helping us become more efficient. What remains to be seen is what we do with the “intelligence” derived from this data.

One of my customers got a real-life example of jerk when he decided to pay heed to what the regulator said about also collecting application data for security operations. His midsized company had grown from collecting 2TB of log data every month to about 5TB of logs in about two years, and then he realized one day that a single application stack generates about 1TB of log data every day! Currently, his applications team dumps all this data to an open source big data cluster and recycles it every week to keep infrastructure costs in check. The problem now exists at two levels for my customer:

  1. How is he supposed to scale to manage an over 20x increase in data?
  2. How does he manage the “wealth” of insights generated from this?

Enter security orchestration, automation and response, or SOAR.

The Sour SOAR …

SOAR is not a new kid on the block. We have all heard for a long time about automation, orchestration and everything that the machine can now do on its own. I am sure the seeds of this technology were sown by the overworked analyst who wished that the SIEM would detect the malicious IP and just magically block it on the firewall.

What emerged in due course was the sour experience of SOAR. This experience was driven less by the shortcomings or poor implementation of the technology than by the immense weight of expectations placed on it.

Fortunately for all of us, this phase has been on its downswing, as many users are now realizing that SOAR is not as much about remediation as it is about validation.

The Sore SOAR …

The next—or I should say the current—phase of SOAR is the sore SOAR. What everybody is going through right now is the process of maturing this tech. As things stand today, SOAR platforms act as incident response platforms on steroids!

SOAR platforms today talk about threat investigation playbooks, cool visualizations to customize these workflows, application programming interface (API) integrations with all technologies, etc. However, the challenge still exists in connecting all systems with this SOAR platform. With no standardized API frameworks, writing custom API plugins and maintaining them remains a sore point.

However, the positive side of this is the fact that the SOAR platform is on its way toward delivering its intended value.

SOAR As It Should Be

The future calls for a standardized API development framework and toolkits that can make these integrations easier to build and maintain.

SOAR platforms need to communicate not just with security control systems such as firewalls, proxies or network access control (NAC) but also threat intelligence and validation systems. Going forward, we would like to see internal systems including configuration management databases (CMDBs), change management systems and human resources management systems (HRMSs) connect with the SOAR platform to bring in an organizational context. With almost a zillion technologies to talk to, there is a strong need to have a common language to communicate.

SOAR platforms in the future will not just provide an automated validation and response framework; along with analytics platforms, they will also form the workbench from which SOC analysts monitor.

Taking the First Step

The question is not whether organizations should start their SOAR journey but when they should start. They should have already.

Users will need to invest time in maturing their capabilities to effectively use SOAR. Stitching the entire fabric to effectively integrate all relevant applications on the platform, devising the correct workflows to validate and remediate security events and setting up the process for continuous improvement will be the key pillars for an effective SOAR deployment.
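The validation-first workflow that the article keeps returning to (validate the event, then remediate), together with the organizational context from a CMDB and a change-management calendar described under “SOAR As It Should Be,” as an added example. This is illustrative code written for this page, not DNIF’s product or any vendor’s API. The threat-intel feed, CMDB extract, change calendar, internal address ranges, alerts and FirewallStub are constructed stand-ins; a real deployment swaps each for a connector call.

```python
"""
A toy SOAR playbook showing "validate before you remediate".

Added illustration; not DNIF's code or any vendor's API. The threat-intel feed,
CMDB, change calendar, internal ranges and firewall connector below are
constructed (hypothetical) stand-ins so the playbook runs offline.
"""
from dataclasses import dataclass, field
import ipaddress

# Constructed threat-intel lookups: source IP -> (verdict, confidence 0-100)
THREAT_INTEL = {
    "198.51.100.23": ("malicious", 95),
    "203.0.113.7": ("suspicious", 40),
}

# Constructed CMDB extract: asset IP -> organizational context
CMDB = {
    "10.0.5.12": {"owner": "payments", "criticality": "high"},
    "10.0.9.3": {"owner": "it-helpdesk", "criticality": "low"},
}

# Constructed change-management calendar: sources with an approved change window open now
APPROVED_CHANGE_SOURCES = {"203.0.113.7"}  # e.g. an authorized vendor scanner

# Constructed list of the organization's own address space
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Decision:
    action: str                                   # "block", "escalate" or "close"
    reasons: list = field(default_factory=list)   # audit trail shown to the analyst
    actions_taken: list = field(default_factory=list)


class FirewallStub:
    """Stand-in for a firewall API connector; it only records what it was asked to block."""
    def __init__(self):
        self.blocked = []

    def block(self, ip):
        self.blocked.append(ip)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def validate(alert):
    """Enrich a SIEM alert and decide what to do, without touching any control."""
    src, dst = alert["src_ip"], alert["dst_ip"]
    reasons = []

    # Guard rail: a playbook never auto-blocks the organization's own hosts; a human decides.
    if is_internal(src):
        return Decision("escalate", ["source is internal address space"])

    verdict, confidence = THREAT_INTEL.get(src, ("unknown", 0))
    reasons.append(f"threat intel: {verdict} ({confidence})")

    # Organizational context: an approved change explains the traffic, so no remediation.
    if src in APPROVED_CHANGE_SOURCES:
        return Decision("close", reasons + ["source covered by an approved change window"])

    asset = CMDB.get(dst, {"owner": "unknown", "criticality": "unknown"})
    reasons.append(f"target asset: {asset['owner']} / {asset['criticality']}")

    if verdict == "malicious" and confidence >= 80:
        return Decision("block", reasons)
    if asset["criticality"] == "high":
        return Decision("escalate", reasons + ["high-criticality target with weak intel"])
    return Decision("close", reasons + ["low confidence and low-value target"])


def run_playbook(alert, firewall):
    """Validate first; only the 'block' outcome reaches a security control."""
    decision = validate(alert)
    if decision.action == "block":
        firewall.block(alert["src_ip"])
        decision.actions_taken.append(f"blocked {alert['src_ip']} on firewall")
    return decision


if __name__ == "__main__":
    fw = FirewallStub()
    # Constructed alerts, shaped like what a SIEM correlation rule might emit
    alerts = [
        {"id": 1, "src_ip": "198.51.100.23", "dst_ip": "10.0.5.12"},
        {"id": 2, "src_ip": "203.0.113.7", "dst_ip": "10.0.5.12"},
        {"id": 3, "src_ip": "10.0.9.3", "dst_ip": "10.0.5.12"},
        {"id": 4, "src_ip": "192.0.2.55", "dst_ip": "10.0.5.12"},
    ]
    for a in alerts:
        d = run_playbook(a, fw)
        print(a["id"], d.action, "|", "; ".join(d.reasons))
```

Only one branch of the playbook ever calls the firewall; everything else produces a decision with its reasons attached, which is the “validation” the article says SOAR is really about. The change-window and CMDB lookups are where the organizational context comes in: the same suspicious source is closed when change management already knows about it, and a weak indicator against a high-criticality asset goes to an analyst rather than being auto-closed.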

Unless organizations follow the curve and scale up to handle the “insights,” the jerk may just push them off-balance.


Chetan Mundhada

Chetan Mundhada drives the Sales team for DNIF with a focus on growing the company's enterprise and channel. He brings to the position a successful track record of over 14 years in the IT infrastructure and security domain. He has a keen interest in data analytics and specifically using data to detect and prevent cyberthreats. He works closely with customers in helping them find the best solution and extract more value from their SIEM investments. Outside his day job, he loves to work on early-stage education for children.
