10 Must-Ask Questions When Choosing a SOAR Solution in 2021

The adoption of security orchestration, automation and response (SOAR) platforms has grown significantly in recent years. Countless end-user and service provider security operations teams are leveraging SOAR to address the most common security operations challenges too many disparate technologies,  alert overload, limited staff and manual processes. 

Free Download: The Gartner Market Guide for SOAR Solutions

Naturally, SOAR platforms have matured and evolved over time. With over a dozen SOAR solutions to choose from, and given that by now most offerings cover “the basics” such as drag-and-drop playbook creation and common integrations such as SIEM and threat intelligence, zeroing in on the right questions to ask when choosing a SOAR solution is more important than ever.

So without further ado, here are the 10 must-ask questions for anyone considering SOAR in 2021.

1) How does the SOAR platform integrate threat intelligence?

Why it matters

Leveraging threat intelligence is foundational to any effective security operations program. The best SOAR solutions now include an integrated threat intelligence platform (TIP) and out-of-box support for common use cases such as alert enrichment and threat hunting. Without this, you will likely need to separately purchase and integrate a TIP, resulting in additional cost and effort.

2) How does the SOAR platform address playbook lifecycle management?

Why it matters

As your SOAR implementation matures, your playbook library will grow and develop. The best SOAR solutions include playbook lifecycle management capabilities that enable you to build, maintain and optimize a growing playbook library. These include capabilities such as playbook versioning and rollback, reusable playbook “blocks” and playbook monitors that help with troubleshooting and optimizing your playbooks.

3) Does the SOAR platform offer community-powered development?

Why it matters

If there is one thing security people are good at, it’s coming together as a community. A good SOAR platform will include a community of like-minded experts, who not only share best practices, but can also develop new integrations and use-cases and make them available to the entire community via the SOAR platform’s marketplace.

 4) How comprehensive is the platform’s case management?

Why it matters

While case management is included with most SOAR platforms, the capabilities vary greatly. A good SOAR platform will group contextually related alerts to form threat-centric cases so that every alert does not create a separate case for analysts to investigate. Also make sure to evaluate the level of customization, access control and integration into other “master” ticketing systems you may have. 

5) What collaboration capabilities are available in the platform?

Why it matters

Successfully thwarting advanced threats often requires the collective wisdom of multiple people in the security organization, and oftentimes extends to security service providers and stakeholders outside the SOC. A good SOAR platform will include capabilities to effectively collaborate inside and outside the SOC. These can range from an interactive “case wall”, live chat and task management, all the way to “command centers” for crisis management with legal, PR and other cross-department teams in the event of a breach.

6) What kind of advanced reporting is available in the platform?

Why it matters

One of the often overlooked benefits of SOAR is the ability to track KPIs and identify areas of improvement since SOAR platforms typically capture and can mine all analyst activity. Make sure to get a good feel for how robust the reporting capabilities are. Some SOAR platforms even include full-blow business intelligence for flexible and powerful report creation.  

7) What does the investigation experience look like in the platform?

Why it matters

In a perfect world, SOAR playbooks would do all the work. But in reality, while SOAR playbooks automate a lot of repetitive and mundane tasks, an intelligent human analyst will often need to make sense of the data, conduct an investigation and reach a decisive conclusion. Don’t overlook the investigation experience . Is it mostly visual or mostly command-line based? Is it easy to find the most relevant data? How prescriptive is the solution for junior analysts and how flexible is it for more advanced engineers?

8) Does the SOAR platform support cloud-native deployment?

Why it matters

With the rapid transition of security tools such as SIEM, EDR and TI to the cloud, it makes more sense than ever for your SOAR solution to be cloud-based as well. Unless you have a compelling reason to go on-prem, make sure your SOAR platform was built for the cloud with a cloud-native infrastructure. (And no, running a static machine on AWS or Azure does not mean your SOAR is cloud-native.)  

9) How easy is it to deploy the solution?

Why it matters

Here’s the truth: SOAR platforms are not plug and play. Defining, building and rolling out playbooks takes time and effort. That said, the best SOAR platforms will make this process as simple as possible, with more intuitive playbook builders and packaged use cases and templates for the most common SOAR scenarios, such as phishing emails or endpoint malware. 

10) How supportive is the vendor during the onboarding process and beyond?

Why it matters

SOAR is a journey, not a destination. Throughout this voyage, you will likely need new integrations, advice on implementation and additional use cases and features. Naturally, every vendor will claim they are a committed partner, so to address this important question, you are probably better off reading reviews on sites such as Gartner Peer Insights to formulate your own opinion. 

For more, information on choosing the right SOAR for your business, check out our four-part (and growing) series. Here is Part 1.

Nimmy Reichenberg is CMO of Siemplify.

The post 10 Must-Ask Questions When Choosing a SOAR Solution in 2021 appeared first on Siemplify.

*** This is a Security Bloggers Network syndicated blog from Siemplify authored by Nimmy Reichenberg. Read the original post at: