Gartner defines SOAR (Security Orchestration, Automation, and Response) as the fusion of three technology markets — security orchestration and automation, security incident response platforms, and threat intelligence platforms — allowing organisations to define and manage incident analysis and response procedures in a digital workflow.
But adopting SOAR is more than adopting new technology: it impacts the training, effectiveness, and morale of security teams and is meaningful in how teams work with the business. For CISOs especially, SOARs provide the foundation for accountable, intelligence-based security decisions and collaboration, enabling you to achieve improved defence and reduced risk, enhanced infrastructure utilisation, employee optimisation, and security programme cost reduction.
It’s vital to outline the key reasons CISOs need a SOAR platform and how it will help their organisations in the long term. Here are the five key reasons:
- Predictability and Prioritisation
The volume, velocity, and complexity of threats is increasing at the same time as the environment and potential attack surface expands. As threats diversify, so must your tools and infrastructure to protect your assets, adding even more complexity.
Complexity rarely breeds predictability, but as ex-Navy SEAL Jeff Boss says: “If I understand mission intent, the decision-making boundaries that enable autonomy, the available resources at my disposal, the character and competence of each operator and how their personalities fit into their job roles… I can immediately dispatch myself, my teammate or another asset to deal with unknown factor ‘x’ when it emerges.”
SOARs act as a collection and analysis hub for threat intelligence, security operations, and incident response data and processes. Intelligence and operations are built on a mutually beneficial, cyclical relationship. As intelligence dynamically changes, it should affect the decision-making process for actions as a result. It should drive prioritisation of your response.
The automation and orchestration informed by threat intelligence make an organisation’s pre-existing technology investments and security team more efficient and effective. Threat intelligence housed in a SOAR influences decisions related to security operations, tactics, and strategy. SOARs help security teams prioritise response, standardise processes and gain instant access to relevant threat intelligence to improve the speed and accuracy of their detection and response.
As an example, one of the world’s largest financial institutions was able to reduce a few hundred million SIEM (Security Information and Event Management) cases per month to a dozen using ThreatConnect’s intelligence-driven SOAR. Leveraging a SOAR to correlate, synthesise and track internal and external data across an organisation’s tools and infrastructure cultivates predictability. “Having a complete understanding of your operating environment is what allows you to move with the depth and breadth of a larger force and the agility and speed of a small team. It’s a force multiplier,” Boss said.
- Force multiplication
Force multiplication is the principle that the collective effort multiplies the results. If you are anything like your peers, you’re experiencing staffing shortages as well as trouble hiring and retaining talent. The team you have is facing more alerts, cases and event data than ever. SOARs create and memorialise playbooks, automated processes, and structured workflows encompassing those processes. Parts of these workflows can be completely automated or configured to trigger based on human input.
Once an action is triggered, applications within each playbook or workflow coordinate those actions, such as data enrichment, triaging an event, correlating vulnerabilities with intelligence, quarantining a host, conducting phishing email and malware analysis, or blocking in the firewall. These processes are tied back to intelligence, reducing the time it takes to uncover relevant threat intelligence when working a case or investigation and mitigating the risk of spending time on false positives.
- Process management
When human resources are scarce, you have to rely on strong processes. You’re likely faced with this need to strengthen your process management and SOARs to help automate processes in an intel-driven way. Not only do SOARs optimise workflow and time by automating and prioritising tasks, but they assist with succession planning by acting as a process management system, bringing us to the next reason CISOs need SOARs.
“Success, in anything, is a process, and in order to get from A to Z, you have to endure B through Y,” says Boss, the former Navy SEAL. B through Y cause the biggest problems for security teams with shortages of time and staff. SOARs create best practices for standardised and repeatable processes across multiple domains and business units, enabling CISOs to measure effectiveness and quality”.
As Forrester’s VP of Security, Risk, Infrastructure & Operations Research, Stephanie Balaouras, states, “Right now, a lot of what we do is very manual. If you look at a typical SOC, they’re flooded with thousands of alerts. Trying to make sense of which alerts are more important than others is difficult. Being able to prioritise by understanding immediately which ones are truly nefarious and dangerous is critical. You could hire as many people as you want but you’d still never be able to keep up with it.”
She goes on to say, “In the future, all of that would happen automatically. You would need the business to work with you to say, ‘OK, from now on if it meets a certain threshold, if we’re 90% confident that this is malicious, then all the processes can be automated.’” Everything from resetting passwords to isolating devices can happen automatically, she says.
SOARs do exactly that by focusing on intel-driven automation and orchestration, effecting prioritisation, predictability, force multiplication, and process management, which in turn, foster efficiency.
- Common language
A big challenge for many CISOs is translating security into business value because the languages of business and security are pretty far apart.
SOARs help bridge this gap because they help identify and reduce risk — a core and fundamental business concern. SOARs enable a common language between business and security because CISOs can now leverage actionable intelligence to pinpoint what the risks to the business are and where they are coming from, and can define them in terms of dollars, time, and probable fallout.
The challenges CISOs face aren’t going away anytime soon. As the role and importance of CISOs in the business increases, so must their knowledge of their organisation’s security footprint, threat landscape and risk profile. By choosing an intelligence-driven SOAR, CISOs gain deeper insight and more clearly communicate that knowledge to stakeholders, positively influencing business outcomes.