Automation can help overburdened SOC staff.
March 3, 2020
By Roger Egan
As channel partners across the globe assess their portfolio of products and consider emerging security technologies, checklist criteria likely will include hot new sectors, high margins, big professional services attach rates — and limited competition. If this exercise has led you to the security orchestration, automation and response (SOAR) market, you may be on the right track.
As in many industries, automation is arriving to help cybersecurity teams battle the growing volume of threats facing their organizations, a rise that tracks both the expanding attack surface and the growing number of detection tools in use. This is especially apparent in the security operations center (SOC), which is ground zero for handling security incidents. The daily battle to handle the barrage of alerts entering the SOC efficiently and effectively is further complicated by skills and resource shortages. Solutions like SOAR are rapidly maturing to address these challenges and transform security operations for businesses.
How exactly does SOAR work and what can customers expect to achieve from it? To answer that question, we must first dispel some confusion, particularly how SOAR fits in with security information and event management (SIEM).
Anyone who must manage a SIEM installation in an extensive enterprise environment knows that SIEM alone isn’t getting the job done. The first SIEM solutions were developed around 15 years ago with the promise to make life easier and better for security analysts by providing them with a centralized platform from which to manage and respond to security events. Few would disagree that SIEM represents an improvement over the practice of manually managing security information from multiple, widely disparate systems. Yet many enterprise customers are increasingly finding that centralizing this information has merely replaced one problem with another.
A large computing environment might have 30-50 different security products, from firewalls to email gateways to endpoint protection, each of which produces its own alerts. When all of these alerts are funneled into a central place for handling, the result is alert overload: security analysts are inundated with notifications from dozens of tools simultaneously, many of them redundant, and must attend to each one individually to find the correlations and weed out false positives. This is a slow, labor-intensive process that ties up valuable analyst time, and the tedious nature of the work increases stress and eventually leads to burnout as analysts become dissatisfied and seek work elsewhere. The greater the load on the analysts, the greater the danger that a critical alert is missed or mishandled.
SOAR is designed to solve this alert overload problem and bring efficiency to the alert review process. SOAR doesn’t replace the customer’s SIEM installation — rather, it integrates with it to deliver SIEM’s original promise of providing analysts with coordinated, actionable security intelligence. The letters in SOAR tell the story:
Security orchestration: SOAR works with SIEM to connect and integrate the organization's various security systems and processes.
Security automation: SOAR automatically handles tasks that would otherwise be performed manually by a security analyst.
Security response: SOAR provides an organized framework for both analysts and the SOAR solution itself to address and manage security incidents in a way that limits damage and reduces recovery time and costs.
For example, a typical breach incident might trigger alerts in multiple places. Suspicious files and network activity could bring notifications from enterprise firewalls, email gateways, intrusion detection systems, host-based antivirus software and more. On their own, most SIEM solutions would pass these alerts on to a security analyst without attempting to correlate them or provide any additional intelligence. Faced with a clutter of alerts from the same original incident, multiple analysts within the group would likely pick these up as separate incidents. These alerts are also likely to be mixed in with other unrelated notifications. Each analyst would need to disregard the noise and only later find the crucial connections between all of these alerts, at which point multiple responders would discover they had been losing valuable cycles chasing the same root incident.
SOAR, by contrast, receives alerts through the SIEM and can correlate multiple alerts belonging to the same incident through techniques such as matching shared indicators (file hashes, source IP addresses, affected hosts). Many solutions also automatically query external resources, such as multi-engine file-scanning services that aggregate the verdicts of many antivirus products and can catch malware the customer's own antivirus missed, as well as security vendor sites for pertinent information about identified threats. Finally, the compiled intelligence is presented to analysts in a dashboard that first groups the disparate system alerts into a single case, then summarizes what is known about the incident and provides a clear plan for response.
The SOAR response process is built around a playbook: a collection of workflows and best practices that give responders specific, actionable steps to follow when faced with different kinds of security incidents. Most SOAR platforms ship with a set of sample playbooks that customers can adapt and extend to create action plans tailored to the needs and resources of the organization. Rather than having to develop a plan on the spot, responders can act quickly on the accumulated experience of everyone on the team. A workflow tracker lets responders keep tabs on their progress and make appropriate choices given the specifics of the incident. Playbooks are usually constructed in a scripting language, although some vendors offer drag-and-drop functionality so that playbooks can be built without scripting knowledge.
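To make the two mechanisms above concrete, the correlation of alerts from different tools into one case by shared indicators and a playbook that enriches and acts on that case, here is an added illustration in Python. It is not code from the original article or from any SOAR vendor. The alerts, hash values, IP addresses and the reputation table are all constructed for the example; the table stands in for the external scanning and threat-intelligence services a real platform would query over an API.

```python
"""Toy SOAR-style triage: group alerts that share an indicator into one case,
then run a playbook (enrich, rate, propose actions) over each case.
All data below is constructed for illustration."""
from collections import defaultdict

# Alerts as a SIEM might forward them from four different tools (constructed).
# The sha256 values are placeholders, not real file hashes.
ALERTS = [
    {"id": "A1", "source": "email_gateway", "sha256": "aaa111", "src_ip": None, "host": None},
    {"id": "A2", "source": "host_av", "sha256": "aaa111", "src_ip": None, "host": "ws-042"},
    {"id": "A3", "source": "firewall", "sha256": None, "src_ip": "203.0.113.7", "host": "ws-042"},
    {"id": "A4", "source": "ids", "sha256": None, "src_ip": "203.0.113.7", "host": None},
    {"id": "A5", "source": "firewall", "sha256": None, "src_ip": "198.51.100.9", "host": "srv-01"},
    {"id": "A6", "source": "host_av", "sha256": "bbb222", "src_ip": None, "host": "ws-099"},
]
INDICATOR_FIELDS = ("sha256", "src_ip", "host")

# Constructed stand-ins for an external multi-engine scanner and a threat feed.
REPUTATION = {"aaa111": "malicious", "bbb222": "clean"}
BLOCKLIST = {"203.0.113.7"}


def correlate(alerts):
    """Union-find over alert ids: any two alerts sharing an indicator value end
    up in the same case. Returns a list of alert groups, ordered by first id."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # (field, value) -> id of first alert carrying it
    for a in alerts:
        for f in INDICATOR_FIELDS:
            v = a.get(f)
            if not v:
                continue
            if (f, v) in first_seen:
                union(first_seen[(f, v)], a["id"])
            else:
                first_seen[(f, v)] = a["id"]

    groups = defaultdict(list)
    for a in alerts:
        groups[find(a["id"])].append(a)
    return sorted((sorted(g, key=lambda x: x["id"]) for g in groups.values()),
                  key=lambda g: g[0]["id"])


def build_case(group):
    """Collapse a group of alerts into one case record with deduplicated indicators."""
    def uniq(field):
        return sorted({a[field] for a in group if a[field]})
    return {"alerts": [a["id"] for a in group], "sources": uniq("source"),
            "hashes": uniq("sha256"), "ips": uniq("src_ip"), "hosts": uniq("host")}


def run_playbook(case):
    """Playbook steps: enrich indicators, assign severity, propose actions."""
    verdicts = {h: REPUTATION.get(h, "unknown") for h in case["hashes"]}
    bad_ips = [ip for ip in case["ips"] if ip in BLOCKLIST]
    confirmed = "malicious" in verdicts.values()
    actions = []
    if confirmed:
        actions += [f"isolate host {h}" for h in case["hosts"]]
        actions += [f"quarantine file {h}" for h, v in verdicts.items() if v == "malicious"]
    actions += [f"block ip {ip}" for ip in bad_ips]
    if confirmed or bad_ips:
        severity = "high"
    elif len(case["sources"]) >= 2:
        severity = "medium"  # seen by several tools, nothing confirmed yet
    else:
        severity = "low"
    return {"severity": severity, "verdicts": verdicts, "actions": actions}


def triage(alerts):
    """Full pipeline: correlate -> build case -> run playbook, one plan per case."""
    plans = []
    for group in correlate(alerts):
        case = build_case(group)
        case.update(run_playbook(case))
        plans.append(case)
    return plans


if __name__ == "__main__":
    for plan in triage(ALERTS):
        print(plan)
```

With the constructed input, the six alerts collapse to three cases: A1 through A4 merge through the shared hash, IP and host into one high-severity case with isolate, quarantine and block actions, while A5 and A6 remain separate low-severity cases. Note that matching on a shared host is a deliberate choice that can over-merge unrelated events on a busy machine; production platforms bound correlation with a time window and let the playbook author choose which indicator types are strong enough to join cases.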
“This is all very nice,” you might say, “but how does this translate to sales?” In fact, there are several compelling arguments for channel partners to sell SOAR and for customers to buy it:
Hot market: Partners that adopt SOAR now are getting in on the ground floor. Gartner estimates that 30% of enterprise organizations with a dedicated SOC will have deployed SOAR by 2021, up from 5% in 2018.
High margins: SOAR isn’t a commodity product, nor is it plug and play. We generally find that each sale of our SOAR solutions brings with it between 30 and 90 days of professional services for training, configuration and related functions. Overall, partners can expect to see healthy margins of 20 to 25% on SOAR software.
Desirable ROI: The expected return on investment (ROI) makes SOAR a tempting purchase for just about any customer. Many are likely to see immediate savings in labor, considering that good security analysts are hard to find and SOAR acts as a force multiplier. And by eliminating tedious drudge work, SOAR makes the jobs of customers' existing analysts easier, reducing turnover and the associated expense of hiring and training new staff. As a result, customers often see large ROI gains within four to 10 months of adopting SOAR.
Whether you’re convinced or still need convincing, there are more than a dozen SOAR vendors happy to answer any questions.
Roger Egan is executive vice president of sales at Siemplify with more than 20 years of experience managing hardware, software and services sales across North America and Latin America. Follow him on LinkedIn or @Siemplify on Twitter.