Security Orchestration, Automation and Response (SOAR) today is more than simply a buzzword. For many organizations, it is becoming a primary focus for their security operation centers (SOCs) and/or computer security incident response teams (CSIRTs) as a solution for addressing the numerous daily challenges they face. It provides a means to improve their overall operational effectiveness and efficiency, and more importantly incident response capabilities, on the ground all the way up to the executive level.

The term SOAR (Security Orchestration, Automation and Response), coined by Gartner back in 2017, has led to further innovation by security vendors in this space, as well as growing uptake of such solutions by organizations, including large enterprises and managed security service providers, seeking the benefits a SOAR solution has to offer as the market continues to mature.

According to the Gartner SOAR Market Guide, published at the end of June 2019, “by year-end 2022, 30% of organizations with a security team larger than five people will leverage SOAR tools in their security operations, up from less than 5% today.”

Evolving Expectations

The three historic core components of a SOAR solution previously outlined by Gartner, namely Security Orchestration and Automation (SOA), Security Incident Response Platform (SIRP), and Threat Intelligence Platform (TIP) capabilities, have since expanded to include additional data sources. These additional sources include feeds from incident and access management and insider threat monitoring resources, in addition to the historic security information and event management (SIEM) and log monitoring applications.

The evolution of SOAR is now in full motion. The market has moved past the product funneling stage that typically happens when we cross from the early adopter to the early majority stage, as referenced in Crossing the Chasm by Geoffrey Moore. We now see the strongest vendors and solutions continue to evolve their SOAR capabilities, while others fall by the wayside or get swallowed up by large IR product companies, mimicking some of the natural selection observations in Darwin’s On the Origin of Species.

In this two-part blog about the evolution of SOAR, we will start by discussing the top six most common security operations challenges that were identified in Gartner’s recent SOAR report, while explaining how IncMan SOAR from DFLabs can easily address these.

1. Staff Shortages

Staff shortages are a common theme in a SOC environment. They are labeled as one of the most frequent security operations challenges because SOCs struggle to balance two demands: ensuring that they have the necessary personnel, and ensuring that they are making the best use of the personnel currently in place.

IncMan resolves this issue by providing the level of automation and orchestration needed to meet the needs of the tier 1 to tier 3+ analysts inclusive. These needs include automating repetitive tasks and providing standardized incident workflows to ensure a consistent, defensible response to alerts. Additionally, it provides customers access to industry-leading machine learning components that further enhance their capability to respond quickly to incidents as they arise.

2. Evolution of Threats, Vectors, and Scaling

As incidents escalate in both sophistication and frequency, organizations must have a scalable solution designed to evolve with the threats.

IncMan promotes not only unparalleled scalability through the use of advanced triage technology, but also the ability to leverage data and threat intelligence to provide a visual associational link analysis of trending threats and corollary data. Additionally, IncMan gives cybersecurity teams the tools to detect, prioritize, triage and respond to incidents quickly and inline by leveraging integrations with existing security infrastructure. The inline response reduces overall reaction times and allows for quick containment and eradication of evolving threats and threat vectors.

3. Alert Triage and Processing

One major benefit of SOAR technology is giving security and risk management the tools required to reduce the time it takes to triage alerts so that SIEM “wheat” can be separated from SIEM “chaff”.

IncMan provides several avenues to address this security operations challenge, including full alert triage as well as an industry-first correlation engine that provides a comprehensive associational link analysis of not only incident data, but threat intelligence sources as well.

4. Threat Intelligence, Making it Actionable

Leveraging threat intelligence is a crucial part of a comprehensive security architecture. It is important to note, however, that the sharing of intelligence between incident response entities can often also create a torrent of noise. This can make it difficult for security practitioners to discern credible information on what actually constitutes a potential threat to their organization’s cybersecurity. Paradoxically, unfiltered intelligence sharing can actually prevent a faster and more effective response.

IncMan makes the threat intelligence actionable by including it as part of enrichment activities and providing customers with a proprietary correlation engine.

5. Reducing Time from “Click to Bang”

One of the chief concerns, not only in the Gartner report but also in customer interactions, is the excessive time it takes to properly resolve a security incident. This is due in large part to overworked and understaffed incident responders not having the tools to properly process the large number of alerts being received. It’s never been more important to deal with incidents with an organized workflow that provides better threat coverage, including enrichment and containment actions. Additionally, ensuring your SOAR product can connect the dots to bring enrichment to the observables and indicators encountered in incidents will bring measurable value by increasing the speed of the incident response process. Analysts require dynamic interaction capabilities at all phases of the incident workflow to quickly deal with existing and emerging threats.

IncMan provides this functionality through the use of Supervised Active Intelligence and its patented Automated Responder Knowledge machine learning algorithm.

6. Reducing Routine Tasks

The last security operations challenge is an often-repeated pain point: an organization’s need for the capability to distinguish between routine, non-routine and critical incidents, and to evolve a methodology for dealing with the routine ones to further expedite the incident response process. Routine task automation involves more than toiling through lines of SIEM and log output looking for indicators of compromise (IoCs). It involves notification, task assignment and frequently an element of conditional decision making to ensure appropriate consideration of privacy and regulatory requirements.

Leveraging security operations automation within IncMan’s Supervised Active Intelligence ensures that all of these routine elements of the incident response process are accomplished, permitting the analysts and responders to dedicate their time to more complex tasks.

Look out for our second blog in this two-part series, discussing the key requirements of a SOAR solution for addressing these SecOps challenges, as well as the recommendations identified by Gartner that should be the focus when implementing a SOAR solution.



You can learn more about the Gartner SOAR market guide by downloading our full white paper on the topic “Gartner’s Market Guide for SOAR Solutions: Techno-Darwinism and the Next Evolution of SOAR”.