The phrase security orchestration, automation, and response (SOAR) contains a lot of security terms wrapped together, however, this turns out to be quite fitting for what SOAR is at its core — a system of systems. SOAR cybersecurity combines platforms, processes, technologies and databases into a network that works with, around and in tandem with every part of your organization.
What is SOAR in Cybersecurity?
According to Gartner’s 2020 Market Guide for Security Orchestration, SOAR can be defined as “…solutions that combine incident response, orchestration and automation, and threat intelligence (TI) management capabilities in a single platform.”
Essentially, it’s many technologies — all with different purposes — coming together with a single purpose: defend your organization. Orchestration technologies work on threat and vulnerability management. Automation technologies assist in operational tasks. Response technologies and processes actively respond to detected threats.
To make your SOAR experience smoother and more efficient, know these five things before you start making changes and switching things up:
- Know Where You Are
- Know What You Need
- Know How You Do Things
- Know What Your Data Is
- Know How You Work
1. Know Where You Are
Gaining a firm understanding of what your organization currently has to work with and how much you’re willing to change in order to implement SOAR will make the entire process that follows so much smoother. Assess technologies, protocols and employee capabilities. Meet with your stakeholders to arrive at a unified understanding of what SOAR looks like for your organization and get their full support. Time spent setting this foundation will pay off big time once you start taking real steps in implementing SOAR. To get started, take a look at your current maturity standing with deepwatch SCORE.
2. Know What You Need
Once you know what you have to work with, then you can figure out what you need and how much you need. Understand the scope and scale of your organization (including things like size, customer base, risk factors, platforms, devices, etc.), and how an incident affecting one part of your organization could trickle down and impact another. When it comes time to dig in and set up programs and workflows, understanding the relationships between the different parts of your organization allows you to make faster, more informed decisions since the outcome would already be known. This leads to less trial and error and a more streamlined SOAR workflow.
3. Know How You Do Things
Before you dive in, come together as a team and agree upon a set way of doing things. Applying standards across the board ensures smoother implementation and more effective incident response. Here some of the things we like to encourage our partners to standardize as they get started on implementing SOAR:
- Naming conventions and definitions
- Success thresholds
- Roles and responsibilities
- System integrations
- Coding and scripting standards
Trust us — taking the time now to have everything follow the same method will save headaches, time, resources and increase efficiency like little else. Even if you’re operating a current system and just making a few tweaks to make it more aligned with SOAR, standardizing how you do things will make future you so grateful that current you took the time.
4. Know What Your Data Is
As a system of different programs and technologies, SOAR relies on good, clean, reliable data in order to work. If even one data source uses faulty data, the whole system could be off. Starting SOAR implementation with a thorough cleaning and pruning of all your systems’ data sets will ensure that the overall network is reliable. Once that initial cleaning is done, enforce criteria for your data so that it can be normalized going forward as it starts talking to other systems with their own (possibly different) data fields.
5. Know How You Work
Like standardizing naming conventions, standardizing your workflows and how you work streamlines incident response and can actually reduce the time it takes to respond. Take the time to know how you work now, analyze those processes for missed opportunities or places where you can optimize and make changes both at the micro and macro levels. Refine who responds to what, in what order, what that person looks at, how they report or escalate it, etc. In our experience, we’ve found it helpful to represent these workflows in a visual medium (usually a diagram of some kind) that people can reference and understand quickly should they need to act fast.
Read our whitepaper: “Best Practices to Apply to Your SOAR Solution”
How Can deepwatch Help Me Get Started with SOAR?
If you’ve got questions, we’ve got answers. If you’ve got a complicated setup with lots of devices and teams, we’ve got solutions that touch on every single one of them. SOAR is a powerful tool when used in the right way in the right hands, so our Squad will work with yours to make sure everyone is on the same page and knows what’s up. Contact us today to get started.