Crosspost: A Simple SOAR Adoption Maturity Model

Originally written for a new Chronicle blog.

As security orchestration, automation and response (SOAR) adoption continues at a rapid pace, security operations teams have a greater need for a structured planning approach.

My favorite approach has been a maturity model, vaguely modeled on the CMM approach. For example, in my analyst days, I built a maturity model for a SOC (2018), a SIEM deployment (2018) and vulnerability management (2017).

Guess which one is missing? The one for SOAR! Now, why was it missing? In my estimation, there are too many doors to SOAR to plot a coherent yet universally applicable SOAR maturity model.

But with many Security Operations teams deploying and running SOAR for several years, I sense that a reasonably applicable adoption maturity model can be created. So here is a first attempt at it.

But first, let’s go through a few assumptions:

  • The maturity climb starts with having a SOAR. Admittedly, many organizations don’t have a SOAR or comparable technology, so they fall outside of this visual.
  • The starting point for SOAR may still differ dramatically (as the tweet below references), so this is at best an illustration rather than universal guidance. For example, some organizations start with case management and no playbooks, yet still find value in SOAR. Numbers of playbooks in use vary.
  • Dimensions may be mixed up at many organizations, but they do follow an increasing maturity individually.

[Figure: Anton’s SOAR Adoption Maturity Model]

How do you use this in your environment?

  • Keep the assumptions in mind and check where you are starting from (Dealing with phishing? Too many SIEM alerts? Using SOAR as case management?)
  • Use it as a very rough guide to judge where you are in your SOAR journey and where to go next.
  • Don’t despair if your journey to SOAR does not fit; SOAR is a very flexible and programmable technology so being atypical is typical.

Thanks to Google SOAR Solution Architecture Manager Oleg Siminel, and others from the Siemplify field team, for their support here.

Crosspost: A Simple SOAR Adoption Maturity Model was originally published in Anton on Security on Medium.

*** This is a Security Bloggers Network syndicated blog from Stories by Anton Chuvakin on Medium authored by Anton Chuvakin. Read the original post at: https://medium.com/anton-on-security/crosspost-a-simple-soar-adoption-maturity-model-dacf61ae857b?source=rss-11065c9e943e------2