Security professionals are struggling to keep up with today’s dynamic threat landscape as they continue to deal with security alert overload and a cybersecurity skills shortage, but several security experts believe deploying security orchestration, automation and response tools can help security teams streamline and improve everyday processes.
Gartner defines SOAR as “technologies that enable organizations to collect security threats data and alerts from different sources, where incident analysis and triage can be performed using a combination of human and machine power to help define, prioritize and drive standardized incident response activities according to a standard workflow.” For companies with five or more security professionals, the research outfit forecasts that the SOAR adoption rate will rise from 1% to 15% by 2020.
Research from Enterprise Strategy Group (ESG) found even higher adoption rates for SOAR tools. In a survey conducted last year, ESG found that 19% of responding enterprises said they had deployed operations automation and orchestration technology “extensively,” while 39% of respondents said they are deploying the technology on a “limited basis.”
With most enterprises receiving more than 10,000 alerts per day — according to data from a 2018 RSA survey — it is impossible for security teams to review all of those alerts. This high volume of alerts and the need to perform detection in multiple stages would be enough of a driver for SOAR tools, but there’s something else, Gartner analyst Augusto Barros said in an email interview.
“We also need faster reaction times; we cannot afford investigations that take hours or days, as incidents can cause a lot of damage in a few minutes,” Barros said. “It’s only possible to improve the time to respond when you are not doing everything manually. SOAR can bring the automation scale to alert triage, enable multistage detection and reduce response times.”
With alerts or anomalies, security professionals also realize that without further investigation to provide context they can’t really answer the question of, “Well I got an alert, so what?” said John Grigg, professional services engineer at Colorado-based SOAR vendor Swimlane.
“SOAR helps because once you have a process in place to answer the ‘so-what’ question, then you can write a playbook to automate large portions, or maybe even the whole thing, and then the analyst is able to go into an alert and understand immediately if the alarm or anomaly actually matters,” Grigg said.
Automating security tasks
While automating security tasks is a huge value-add for security leaders — it saves time by automating repetitive and manual processes — it doesn’t have to be complicated, said Scott King, senior director of strategic advisory services at cybersecurity vendor Rapid7 in Boston. King and other infosec professionals discussed enterprise adoption of SOAR tools during an Information Systems Security Association (ISSA) webinar titled “Is Your Organization Ready for Automation?”
Automating security tasks can be as simple as developing a custom script that routinely collects information for security professionals, so an analyst can reach resolution, or at least an understanding of a particular alert, much faster, King explained.
When implementing SOAR tools, security leaders should evaluate the existing skill sets and technologies in place, and assess the top challenges that security teams face, King said.
Michael Wylie, director of cybersecurity services at Richey May Technology Solutions, a consulting firm headquartered in Denver, advised organizations to devise ways to enrich data in order to make better decisions, and map out their processes and pick key ones that can be automated. Implementing SOAR tools to examine phishing emails, for example, can help respond to those emails faster, Wylie said.
“The ability to interpret those emails, … the ability to respond to certain types of actions or requests into a SOC mailbox and apply a level of automation to that, so information can be collected, correlated and presented back to the analyst [is important],” King reinforced.
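The collect-correlate-present loop King and Wylie describe for a SOC phishing mailbox, as an added illustration that is not code from the article or from any vendor named in it. The message, the blocklist and the internal-domain list are all constructed here; in a real playbook those lookups would be the integrations SOAR calls out to.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample reported to the SOC mailbox; not a real message.
RAW_EMAIL = b"""From: "IT Helpdesk" <helpdesk@corp-login-verify.example>
To: analyst@example.com
Subject: Action required: your password expires today
Content-Type: text/plain

Reset it now at http://corp-login-verify.example/reset?user=analyst
or read https://intranet.example.com/help for assistance.
"""

# Constructed enrichment data standing in for threat-intel and asset lookups.
KNOWN_BAD_DOMAINS = {"corp-login-verify.example"}
INTERNAL_DOMAINS = {"example.com", "intranet.example.com"}
URGENCY_WORDS = ("action required", "expires", "urgent", "immediately")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def extract_indicators(raw: bytes) -> dict:
    """Collect: pull the sender domain, subject and linked domains from the message."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    sender = parseaddr(msg["From"])[1]
    hosts = {urlparse(u).hostname.lower() for u in URL_RE.findall(body)}
    return {"subject": msg["Subject"], "sender_domain": sender.rsplit("@", 1)[-1].lower(),
            "url_domains": sorted(hosts)}

def classify_domain(domain: str) -> int:
    """Enrich: 3 for a blocklisted domain, 1 for an unknown external one, 0 for internal."""
    if domain in KNOWN_BAD_DOMAINS:
        return 3
    return 0 if domain in INTERNAL_DOMAINS else 1

def triage(ind: dict) -> dict:
    """Correlate: score the indicators and record why, so the analyst sees the reasoning."""
    score = classify_domain(ind["sender_domain"])
    reasons = [f"sender domain {ind['sender_domain']} scored {score}"] if score else []
    for host in ind["url_domains"]:
        if points := classify_domain(host):
            score += points
            reasons.append(f"link to {host} scored {points}")
    if any(w in ind["subject"].lower() for w in URGENCY_WORDS):
        score += 1
        reasons.append("urgency language in subject")
    verdict = "escalate" if score >= 4 else "review" if score >= 2 else "close"
    return {"verdict": verdict, "score": score, "reasons": reasons, **ind}
```

The returned record is what gets presented back to the analyst: a verdict plus the reasons behind it, which is the “so what?” answer the playbook exists to produce.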
Automating your IAM system
Identity and access management (IAM) is one other area that is ripe for automation, according to Jason Winder, managing partner at Aerstone Labs, a cybersecurity services firm based in Rockville, Md. IAM gives organizations the ability to identify, authenticate and ultimately authorize a user for access to resources. It has become increasingly important for organizations to control that access and to make sure that users don’t accumulate roles over time, Winder said.
“When I go into even very large, sophisticated enterprises, I typically see a very Byzantine set of scripts which require frequently a lot of manual execution and process,” Winder said during the webinar. “We see a lot of homegrown applications … many of which have a large gap either at the security or the functional level, and to the degree that COTS software has been purchased, but it’s frequently not implemented as extensively as it might be and is poorly integrated with the rest of the enterprise and other security applications.”
Before selecting and deploying software for IAM automation, Winder said, it is important to consider the three core inputs to IAM requirements: business rules of the organization, the actual user communities and their use cases for authentication and authorization, and the requirements of the various enterprise systems.
“The best plan is to start with applications that are least disruptive to the enterprise,” he said. “Try not to pick on everything at one time and really plan a gradual and purposeful implementation plan that ultimately doesn’t shut down the business, but already starts to show some success as we move.”
Challenges associated with SOAR implementation
Gartner’s Barros highlighted the two sources of pain associated with SOAR implementation — processes and tools integrations.
SOAR is essentially a process automation tool and without processes in place, there’s nothing to automate, he said. Many organizations with ad hoc security operations and without established processes believe they can avoid fixing those issues by buying SOAR tools, he added.
“Fixing those issues is a prerequisite to make SOAR useful,” Barros said. “If you don’t know how you do incident response, you don’t know which playbooks you need to create on the tool or what they will look like. Out of the box content can give you ideas, but it’s not something you can use right away.”
The other issue is connecting your tools and services to SOAR, he said. The “orchestration” part of SOAR implies that it will have to talk to many different technologies and services. While APIs should make the integration easy, there are challenges, he added.
“First, some prebuilt integrations may not provide the capabilities you want to use … and APIs are also changing all the time, so integrations provided by the SOAR vendor may stop working after a tool is upgraded,” he said.
Organizations getting more value from SOAR are aware of those challenges and keep resources with the right skills to develop and maintain integrations, he said.
Investing in security automation appears to be a no-brainer for most organizations; however, from an analyst’s perspective, workflows derived from automation technologies can be viewed as restrictive, leaving little room for creative thinking. That’s according to Rebekah Wilke, director of business enablement strategy at Swimlane.
“Following predefined workflows and playbooks has the potential to squash the curiosities that drive an analyst down the path to scoring the APT or anomalous behavior that could lead to big wins for the security team,” Wilke said.