SOAR vs. Security Operations: What’s Really Going On?
POSTED BY JOHN CZUPAK
There’s something big brewing in the world of security operations, but what exactly is it? We are regularly inundated with various descriptions of useful tools and capabilities (think Security Orchestration, Automation and Response (SOAR), Threat Intelligence Platforms (TIPs), Security Incident Response (SIR), Hunting and more). Unfortunately, many of us are equally confused about the fundamental capabilities of these technologies, and more pointedly, what problems they aim to solve. Perhaps we need to refresh the way we look at this space – turn it upside down a bit and start from a different perspective.
What problems are we trying to solve in today’s Security Operations Center (SOC)? If you get right to the point, there are many inefficiencies in processes, and they result in delayed detection and response times. There are of course many contributing factors, including but not limited to: teams working in silos; applications and data that are not integrated; alert overload and fatigue; and staff and talent shortages. The industry response has been to add more tools, such as IR/ticketing systems, orchestration and automation, and TIPs. In fact, if you look back at Gartner’s earliest definition of SOAR, it fundamentally aligns with these technology stacks.
So what’s different today? The conversation has clearly shifted to a discussion around the specific problem (i.e. – use cases) coupled with the way technology can help. This use case approach makes a lot of sense, as it focuses the discussion on the problem at hand rather than attempting to shoehorn a “silver bullet” technology into every situation. Some of the more common use cases we see include:
- Incident Response
- Threat Hunting
- Threat Intelligence Management
- Alert Triage
- Vulnerability Management
- Spear phishing
- Investigations & Collaboration
A new set of technology requirements is emerging as a result of this shift in conversation. In Gartner’s latest SOAR Market Guide (published 27 June 2019), the evolution of SOAR moves towards what we have believed all along – the need for a “full featured” security operations solution designed to support multiple security operations activities (e.g. – prioritizing activities, formalizing triage and IR, automating response, enabling investigations, facilitating collaboration and more). This can simply be interpreted as a SOAR platform designed for multiple users and use cases. It is particularly relevant for ThreatQuotient and our customers, as it aligns with our vision for a Threat-Centric Security Operations and SOAR Platform, and with what we have been building towards for years. While SOAR used to mean simply orchestration to many, TIPs were used solely for threat intelligence programs and SIRs were used for incident response, the definitions and use of these technologies are clearly evolving rapidly. The market needs security operations and SOAR platforms that improve the efficiency and effectiveness of the SOC.