Arming Security Operations for SOAR
POSTED BY LIZ BUSH
Last year, as the Security Orchestration, Automation and Response (SOAR) market started to garner attention, Gartner published a paper entitled “Preparing your Security Operations for Orchestration and Automation Tools.” The title alone should cause everyone to stop and think before they move full steam ahead with orchestration and automation tools: what does “preparing” entail?
Gartner thinks of SOAR as security workflow + security orchestration + security automation [+ maybe knowledge management of playbooks and such]. To date, this combination of capabilities has primarily been applied to incident response (IR) – automating playbooks as part of the IR workflow to orchestrate a faster response. As Gartner points out, most of the examples thus far have been about improving efficiency.
But what about effectiveness? Orchestration and automation tools are effective at automating defined processes; however, they simply automate a process over and over again without the benefit of learning. Plus, they are only as good as the input to the process. Put in noise and you will receive amplified noise as output. Without first aggregating, scoring and prioritizing the inputs, automated actions can backfire and investments in orchestration and automation tools are squandered.
That’s where the preparation comes in.
You cannot defend against and respond to what you do not understand. Effective security operations must start with the threat. You need the ability to bring together internal alerts, data and events with global threat intelligence to provide the context needed to gain a deeper understanding of risk. Only then can you determine what that threat means to you and the right course of action.
The next step is prioritization. We all know that security operations is fraught with an overwhelming volume of data, events and alerts. There are simply not enough people or hours in a day to work on everything. And even if that were possible, the sheer tedious nature of the work would result in burnout and turnover. Teams need a way to focus their efforts on what really matters to their organizations, and this means having controls to tailor scoring and data sets and automatically prioritize within the context of their environment. Remember – the goal here is to improve effectiveness, which means moving fast on the right things!
With a single SOAR platform that stores all this intelligence with context and integrates into their workflow, analysts can use orchestration and automation with greater confidence and reliability because they are applying it to relevant, prioritized data. As this SOAR platform gathers and analyzes internal and external data on an ongoing basis, it contextualizes and re-prioritizes based on what has been learned and how the organization is changing. Analysts have up-to-date data and decision support to take the right actions faster.
In today’s dynamic and relentless threat environment the pressure is on to act fast. But if we aren’t acting fast on the right things, we’re wasting precious cycles. That’s why it’s so important to make sure you’re taking the right steps to prepare your security operations for orchestration and automation tools.
ThreatQ and orchestration tools are complementary, and when used together provide integrated workflows that optimize time and user experience for intelligence and security analysis alike. Orchestration tools are process-focused and will repeat execution of the same playbook or tasks. ThreatQ allows you to take a threat-centric approach to security operations. It provides a highly relevant, custom enrichment source to orchestration tools and captures playbook output to learn, fine-tune and serve as organizational memory. Combined, ThreatQ and orchestration tools improve both the efficiency AND effectiveness of your defenses and response.
Fast forward 12 months and Gartner has since published their Market Guide for Security Orchestration, Automation and Response Solutions. Gartner assembled the list of vendors with an eye towards use cases and the gaps organizations need to fill to address their readiness and accelerate security operations. Thus, the vendors included approach SOAR and SOAR platforms differently and go beyond orchestration. The guide explains when an approach to orchestration and automation that starts with the threat, as the ThreatQ platform does, is the right path forward. Download your complimentary copy of the Gartner Market Guide today to help you discover the best option for your organization.