SecOps, Simplified: Part 3 – Security Orchestration, Automation and Response

Make no mistake. Security Orchestration, Automation and Response (SOAR) is the direction information security is headed. It makes good sense too. As I’m fond of saying, “speed is security.” The idea behind SOAR is to remove predictable and repetitive human behavior from the security response equation. This involves integrating disparate security capabilities using a centralized management server.

More than merely a simple operational efficiency, adopting SOAR concepts helps security teams close the temporal gap between threat detection and remediation at critical times, such as an emerging security incident, and often at an enterprise scale. Additionally, it helps organizations achieve more return on investment (ROI) for the tools that make up their security stack. While it could be fairly labeled a buzzword, all organizations stand to gain by embracing the security concepts behind the buzzword where possible. Unfortunately, meaningful SOAR adoption tends to be very complex.

The trouble is, SOAR products have built-in limitations that get glossed over by the vendors during the sales phase. SOAR appliances attempt to add value to the customer by pre-integrating or at least facilitating the integration of certain security brand platforms using an user interface. Integration occurs by leveraging each technology’s application programming interface, which leads us to the first significant SOAR limitation. Often the API’s full capabilities aren’t natively available in the SOAR application. Typically, it’s only an arbitrary subset of API-enabled capabilities, which is a disappointment because you’re unable to marshal a particular tool’s full capabilities and eek out that last bit of ROI.

Maximizing a SOAR product entails far more customization than a vendor typically wants to admit. No two network environments are exactly the same. Each has different security technologies and therefore different capabilities to work with. Different normative operations. Unique risk acceptance levels. The list goes on and on.

Orchestrating all those elements in such a way to justify a full SOAR solution means developing numerous “playbooks” that when run repeatedly demonstrate a cost savings calculated according to man-hours conserved. These playbooks are rarely one-size fits all. They need to be meaningful to your security program. In short, you need to know your security operations pain points up front and be able to instrument the answer exclusively through the prism of the SOAR appliance. This can be deceptively difficult especially when attempted via the “easy-to-use” UI.

Many sales people would counter that it’s just Python under the hood, so those pesky customizations can be accomplished that way. But, that cop-out ignores other issues like having the needed scripting skills on staff, available man-hours needed for development, and overall project complexity. You could pay their professional services team or an outside consultant to come in for the project, potentially, but that involves more of your valuable budget. Wait, wasn’t this SOAR product designed to make things easier and faster?

Blumira’s cloud-based SIEM integrates with dozens of different security tools and APIs, including security orchestration, automation and response-related functions such as dynamic IP blocking on your firewall. That list of ingestions continuously grows with each customer’s unique needs and carries no cost. The Blumira platform prides itself on the ability to make the best use of your technologies, whether they’re familiar to us or not. Leave the new technology adoption to us and we’ll develop the available SOAR opportunities to speed up your security operations and deliver more ROI from your tools.

Learn more about what to look for in “The Modern SIEM Evaluation Guide.”

Check out the other two articles in this series:

SecOps Simplified, Part 1: SIEM…Now Without the Headache!
SecOps Simplified, Part 2: Security Tools – Is More Better?