Enrich Your Solutions Portfolio with SOAR

By Roger Egan

Roger Egan

As channel partners across the globe assess their portfolio of products and consider emerging security technologies, checklist criteria likely will include hot new sectors, high margins, big professional services attach rates — and limited competition. If this exercise has led you to the security orchestration, automation and response (SOAR) market, you may be on the right track.

As in many industries, automation is arriving to help cybersecurity teams battle the increasing volume of threats facing their organizations, a rise directly correlated with the expanding attack surface and increasing numbers of detection tools in use by organizations. This is especially apparent in the security operations center (SOC), which is ground zero for addressing security incidents. The daily battle to efficiently and effectively handle the barrage of alerts entering the SOC is further complicated by skills and resource shortages. Solutions like SOAR are rapidly maturing to help dispose of these very challenges and transform security operations for businesses.

How exactly does SOAR work and what can customers expect to achieve from it? To answer that question, we must first dispel some confusion, particularly how SOAR fits in with security information and event management (SIEM).

Anyone who must manage a SIEM installation in an extensive enterprise environment knows that SIEM alone isn’t getting the job done. The first SIEM solutions were developed around 15 years ago with the promise to make life easier and better for security analysts by providing them with a centralized platform from which to manage and respond to security events. Few would disagree that SIEM represents an improvement over the practice of manually managing security information from multiple, widely disparate systems. Yet many enterprise customers are increasingly finding that centralizing this information has merely replaced one problem with another.

A large computing environment might have 30-50 different security products, from firewalls to email gateways to endpoint protection, each of which produce its own alerts. When all of these alerts are funneled into a central place for handling, it can create alert overload: security analysts become inundated with notifications from dozens of tools simultaneously, many of which are likely to be redundant, and the analysts must attend to each one individually to find the correlations and weed out false positives. This is a slow, labor-intensive process that can tie up valuable analyst time for extended periods, and the tedious nature of the work can increase employee stress and eventually lead to burnout as analysts become dissatisfied and seek work elsewhere. And the greater the load on the analysts, the greater the danger that a critical alert might be missed or mishandled.

Get to Know SOAR

SOAR is designed to solve this alert overload problem and bring efficiency to the alert review process. SOAR doesn’t replace the customer’s SIEM installation — rather, it integrates with it to deliver SIEM’s original promise of providing analysts with coordinated, actionable security intelligence. The letters in SOAR tell the story:

For example, a typical breach incident might trigger alerts in multiple places. Suspicious files and network activity could bring notifications from enterprise firewalls, email gateways, intrusion detection systems, host-based antivirus software and more. On their own, most SIEM solutions would pass these alerts on to a security analyst without attempting to correlate them or provide any additional intelligence. Faced with a clutter of alerts from the same original incident, multiple analysts within the group would likely pick …

… these up as singular incidents. These alerts are likely to be mixed in with other unrelated notifications. Each analyst would need to disregard the noise and later find the crucial connections between all these alerts. Then multiple responders would learn they are losing valuable cycles chasing the same root incident.

However, SOAR receives alerts through SIEM and can correlate multiple alerts related to the same incident through techniques such as matching file hashes. Many solutions also automatically query external resources, which aggregate antivirus products and scan engines to check for viruses that the user’s own antivirus may have missed, as well as security vendor websites to gather pertinent information about identified threats. Finally, the compiled intelligence is presented to analysts in a dashboard that first correlates the disparate system alerts into a single case, then summarizes and showcases what is known about the incident and provides a clear plan for response.

The SOAR response process is built around a playbook, or collections of workflows and best practices that give responders specific, actionable steps to follow when faced with different kinds of security incidents. Most SOAR platforms ship with a set of sample playbooks that customers can adapt and develop to create action plans that are tailored to the needs and resources of the organization. Rather than having to develop a plan on the spot, responders can easily and quickly act based on the accumulated experience and wisdom of everyone on the team. A workflow tracker enables responders to keep tabs on their progress and make appropriate choices given the specifics of the incident. Playbooks are usually constructed using a scripting language, although some vendors offer drag-and-drop functionality to facilitate playbook building without requiring scripting knowledge.

What’s In It for You

“This is all very nice,” you might say, “but how does this translate to sales?” In fact, there are several compelling arguments for channel partners to sell SOAR and for customers to buy it:

Whether you’re convinced or still need convincing, there are more than a dozen SOAR vendors happy to answer any questions.

Roger Egan is executive vice president of sales at Siemplify with more than 20 years of experience managing hardware, software and services sales across North America and Latin America. Follow him on LinkedIn or @Siemplify on Twitter.