How to Assess and Up-level Your Organization’s Maturity for SOAR, Gartner’s Take

MARC SOLOMON

Earlier this year, Gartner published its latest research on the Security Orchestration, Automation and Response (SOAR) market in a report entitled, “Is Your Organization Mature Enough for SOAR?”. We’ve been talking to clients about this very subject and agree with Gartner that SOAR tools can increase SecOps efficiency and consistency, provided organizations have laid the proper groundwork. Without that, we find that security teams are having a hard time realizing the expected value from their SOAR investments. 

If you’ve been in the security industry for any length of time, you know that there are no “silver bullet” solutions. The same can be said about SOAR tools. As Gartner states, “The key selling point for these tools is their ability to automatically react to an incident or issue without some form of human-led analysis. In reality, however, successfully implementing such functions is far from simple.”

The prevailing approach to security automation and orchestration has focused on automating processes without regard for the data being processed. Playbooks run on irrelevant and low-priority data, and if you put noisy data in, the result is amplified noise out. In fact, Gartner says, “Automating broken or incomplete processes doesn’t make your security organization more efficient; it simply breaks things faster.”

The other challenge is that process-focused playbooks are inherently inefficient and complex because the decision-making criteria and logic are built into each playbook, so every change to those criteria has to be made in every playbook that embeds them. That maintenance burden grows with each playbook added. Gartner notes that “despite out-of-the-box capabilities, SOAR playbooks, scenarios and integrations cannot be used effectively without customization.” Every organization is different, so “in order to build automated actions or playbooks to orchestrate events, security operations teams will need to customize and maintain each of those use cases in the SOAR platform.”

An Effective and Efficient Way to Close the Maturity Gap
At ThreatQuotient, we have long believed that data is the lifeblood of detection and response automation. That is why data-driven playbooks are required: the data itself should decide when a playbook is initiated, and what is learned from the actions taken should flow back into that data. We also believe that automation is more than just running processes. It covers the inputs to and outputs from those processes as well, so that the full security lifecycle is addressed.

To eliminate the complexity inherent in traditional playbooks and drive all aspects of automation, ThreatQ TDR Orchestrator takes a data-driven approach across all three stages of automation:

  1. Initiate: Define what should have actions taken upon it and when those actions should occur
  2. Run: Perform the course of action or defined process through to completion 
  3. Learn: Record what is learned for analytics and to improve future response

ThreatQ TDR Orchestrator puts the “smarts” in the platform rather than in the individual playbooks by using Smart Collections™, data-driven playbooks and the Threat Library. Security teams update the platform once instead of updating dozens of playbooks, which makes configuration and maintenance simpler and the resulting automation more efficient and effective. Users curate and prioritize data up front, automate only what is relevant, keep the actions themselves simple, and capture what has been learned to improve data analytics, which in turn improves the initiation stage of automation.
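To make the difference between the two designs concrete, here is an added illustration in Python. It is not ThreatQ code and does not use the ThreatQ API: the post’s Smart Collections, data-driven playbooks and Threat Library are stood in for by plain Python structures, and every indicator, SIEM hit count and ticket outcome is constructed. It runs the three stages (initiate, run, learn) over the same small library twice, once with criteria embedded in each playbook and once with a single centrally defined collection that the playbooks subscribe to, and counts how many playbook runs each approach triggers.

```python
"""Process-focused vs. data-driven playbook initiation.

Added illustration, not ThreatQ code: the post's Smart Collections, data-driven
playbooks and Threat Library are stood in for by plain Python structures, and
every indicator, SIEM hit count and ticket outcome below is constructed.
"""
from dataclasses import dataclass


@dataclass
class Indicator:
    value: str
    itype: str            # "ip" or "fqdn"
    score: int            # platform priority score, 0-100
    sightings: int        # times seen in internal telemetry
    sources: frozenset    # feeds that reported it
    false_positive: bool = False   # analyst verdict recorded on the platform


def build_library():
    """Constructed threat library (documentation IP ranges and .example names)."""
    return [
        Indicator("198.51.100.7", "ip", 90, 4, frozenset({"feedA", "feedB"})),
        Indicator("203.0.113.22", "ip", 75, 0, frozenset({"feedA"})),
        Indicator("bad.example", "fqdn", 80, 2, frozenset({"feedB"})),
        Indicator("scanner.example", "fqdn", 85, 12, frozenset({"feedA"}), True),
        Indicator("192.0.2.9", "ip", 40, 0, frozenset({"feedA"})),
        Indicator("dropper.example", "fqdn", 72, 0, frozenset({"feedA", "feedB", "feedC"})),
    ]


# --- Process-focused: every playbook embeds its own copy of the decision logic.
# Raising the threshold or excluding known false positives means editing each one,
# and none of them consults what the platform already knows about the indicator.
PROCESS_PLAYBOOKS = {
    "block_at_firewall": lambda i: i.itype == "ip" and i.score >= 70,
    "hunt_in_siem":      lambda i: i.score >= 70,
    "open_ticket":       lambda i: i.score >= 70,
}


def process_focused_runs(library):
    """Initiate: each playbook scans the raw library with its own criteria."""
    return [(name, i.value) for name, crit in PROCESS_PLAYBOOKS.items()
            for i in library if crit(i)]


# --- Data-driven: the decision logic lives once, in a named collection that
# encodes what the platform knows (score, corroboration, analyst verdicts).
# Playbooks subscribe to the collection and add only their own type filter.
COLLECTIONS = {
    "actionable": lambda i: (i.score >= 70 and not i.false_positive
                             and (i.sightings > 0 or len(i.sources) >= 2)),
}
SUBSCRIPTIONS = {  # playbook -> (collection name, optional per-playbook filter)
    "block_at_firewall": ("actionable", lambda i: i.itype == "ip"),
    "hunt_in_siem":      ("actionable", None),
    "open_ticket":       ("actionable", None),
}


def data_driven_runs(library):
    """Initiate: only members of the subscribed collection trigger a playbook."""
    runs = []
    for name, (coll, extra) in SUBSCRIPTIONS.items():
        for i in library:
            if COLLECTIONS[coll](i) and (extra is None or extra(i)):
                runs.append((name, i.value))
    return runs


def learn(library, siem_hits, ticket_outcomes):
    """Learn: write what the Run stage produced back into the library, so the
    next Initiate cycle reflects it without touching any playbook."""
    for i in library:
        i.sightings += siem_hits.get(i.value, 0)
        if ticket_outcomes.get(i.value) == "benign":
            i.false_positive = True
    return library


def two_cycles():
    """Run Initiate/Run/Learn twice; return (process-focused, cycle 1, cycle 2) run counts."""
    lib = build_library()
    first = data_driven_runs(lib)
    # Constructed outcomes of the first cycle's hunts and tickets.
    siem_hits = {"198.51.100.7": 3, "dropper.example": 1}
    ticket_outcomes = {"bad.example": "benign", "198.51.100.7": "confirmed"}
    learn(lib, siem_hits, ticket_outcomes)
    second = data_driven_runs(lib)
    return len(process_focused_runs(build_library())), len(first), len(second)


if __name__ == "__main__":
    noisy, cycle1, cycle2 = two_cycles()
    print(f"process-focused runs: {noisy}")
    print(f"data-driven runs, cycle 1: {cycle1}; cycle 2 after learning: {cycle2}")
```

On this constructed data the process-focused playbooks fire 12 times, including twice on an indicator an analyst has already marked as a known scanner, while the data-driven version fires 7 times in the first cycle and 5 in the second, because the benign ticket verdict written back by the learn step removes that indicator from the collection. Tightening the bar to a score of 80 is one edit to `COLLECTIONS["actionable"]`; in the process-focused version it is three edits, one per playbook, and the count only grows with the playbook library.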

If you’re looking to make an investment in SOAR or improve your return on an existing investment, consider ThreatQ TDR Orchestrator. The solution complements the playbook capabilities offered through our ecosystem partners, or you can choose to define data-driven playbooks within the ThreatQ platform. Either way, you’ll up-level your maturity quickly to realize the promise of SOAR. You can accelerate setup and maintenance of playbooks, reduce playbook runs by 80%, ensure output is relevant and high priority, and learn from actions taken to improve over time.  

To learn more about the maturity gaps that may be keeping your organization from getting more from SOAR – and how to close them – download your copy of the new Gartner report now. 


About ThreatQuotient™

ThreatQuotient™ understands that the foundation of intelligence-driven security is people. The company’s open and extensible threat intelligence platform, ThreatQ™, empowers security teams with the context, customization and prioritization needed to make better decisions, accelerate detection and response and advance team collaboration.