SOAR SOC Solutions Strategies
We recently spoke with Tari Schreider, Strategic Advisor at Aite-Novarica Group, an advisory firm providing mission-critical insights on technology, regulations, strategy, and operations to banks, insurers, payment providers, and investment firms, along with the technology and service providers that support them. We talked with Tari about security orchestration, automation, and response (SOAR) technology: the role SOAR plays in security strategies, and how SOAR SOC solutions are shaping modern security operations centers.
1. NetWitness: In your opinion, Tari, what is one of the biggest misconceptions that the user community has about SOAR solutions?
Tari Schreider:
A common misconception of SOAR I have heard is that SOAR replaces security information and event management (SIEM) solutions. SOARs require a repository of IT estate data (logs and alerts) to function. This repository can either be a SIEM or a security data lake, but there must be a repository. Many SIEMs are bound to endpoint and extended detection and response (XDR) platforms that provide SOAR SOC solutions with crucial incident information. SIEM providers hear the rumblings of disgruntled customers and are quickly moving to acquire SOAR products or develop SOAR-like capabilities in their next-generation platforms. Security operations (SecOps) must architect SIEMs and SOARs to properly work together, as effective SOAR SOC is essential for a robust security posture.
2. NetWitness: With that in mind, how should companies go about evaluating different solutions for their own SOCs?
Tari Schreider:
SecOps is the factory behind the information security program. It is the assembly line where processes meld with technology to enforce policies. The more seamlessly this happens, the more resiliency is afforded in critical business processes. Automating and orchestrating disparate security technologies through Security Orchestration, Automation and Response (SOAR) is the Six Sigma of SecOps. SOAR sits at the center of SecOps like a production supervisor, and without one, a security program becomes unpredictable and unreliable. As a former manager of several SecOps organizations, I could not imagine a world without SOAR SOC solutions in my SOC. Leading SOAR providers are enabling organizations to streamline processes and respond faster.
3. NetWitness: What role should automation play for an effective SOAR solution compared to manual activities within an investigation?
Tari Schreider:
SecOps can benefit from time and motion studies to understand where the rote and menial tasks exist. Organizations need to understand the performance of security analysts at a deep and meaningful level, not anecdotally. A realistic and achievable goal for SecOps is that a SOAR solution should automatically perform all but customer-facing, level one security analyst job responsibilities. This enables level one analysts to advance faster in the SecOps organization, where they’ll learn and perform more meaningful and rewarding tasks. Alert, incident, and tool fatigue is real; addressing this through automation is a matter of the utmost importance to SecOps management. It is crucial that organizations select SOAR SOC solutions with proven automation capabilities, such as NetWitness SOAR, to optimize their operations.
4. NetWitness: In terms of visibility, what sort of user experience should SOAR deliver?
Tari Schreider:
The ideal state of SOAR within an organization is a material improvement in incident response metrics. Nothing else matters more. If an organization makes an investment in SOAR SOC solutions and does not realize a significant reduction in the time spent containing and eradicating incidents, something is very wrong, either with the deployment of SOAR or with its management.
We live in an assume-breach world and must act as if the aggressors are already in the IT estate: find them and stop them. Using SOAR SOC solutions with sophisticated inherent threat intelligence is the "jacks or better to open" for achieving an ideal SOAR state. Leading SOAR solutions are now using advanced technologies to provide better visibility and faster response.
5. NetWitness: Finally, as many organizations are dealing with a shortage of talent in the SOC, how can SOAR help fill the gap?
Tari Schreider:
Many organizations acquire SOAR SOC solutions in the belief that they will be able to replace security operations personnel. There is no evidence, primary or secondary, to support this urban legend. SOAR does, however, make existing security operations personnel extremely productive by significantly reducing the amount of time required to triage and dispatch incidents to a successful resolution. SecOps will never be properly staffed, but with SOAR SOC solutions, SecOps can achieve the proper balance of the trifecta of people, processes, and technology. Security orchestration, automation, and response (SOAR) is a core strategy for SecOps teams that are chronically understaffed.
NetWitness: Thank you for your time and insights, Tari.
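The interview above makes three practical points: a SOAR needs a SIEM or data lake as its alert repository, it should automate the rote level-one triage work, and its success is measured by incident response metrics such as time to containment. The following is an added example written for this page, not code from NetWitness, Aite-Novarica Group, or any SOAR product. It is a minimal SOAR-style triage playbook in Python that consumes constructed SIEM alerts, de-duplicates repeats, enriches each alert against a constructed threat-intel indicator set and a scanner allow list, and either auto-closes, escalates, or marks for containment. The indicator IPs are drawn from reserved documentation ranges, and all alert, host, and user names are hypothetical. A small helper at the end computes mean time to contain, the kind of metric the interviewee says must improve for a SOAR deployment to count as working.

```python
"""Minimal SOAR-style triage playbook over constructed SIEM alerts.

Added example for this page; not the code of any SOAR vendor.
Threat-intel indicators, allow lists and alerts are all hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical threat-intel indicators. These are reserved documentation
# addresses (RFC 5737 TEST-NET), not real malicious hosts.
KNOWN_BAD_IPS = {"203.0.113.7", "198.51.100.23"}

# Hypothetical allow list: internal vulnerability scanner that legitimately
# trips port-scan rules. A real playbook would read this from a CMDB.
AUTHORIZED_SCANNERS = {"10.0.5.10"}


@dataclass
class Alert:
    """One alert as it would be pulled from the SIEM (the SOAR's repository)."""
    alert_id: str
    ts: datetime
    rule: str
    remote_ip: str
    host: str
    user: str = ""


@dataclass
class Decision:
    """Playbook disposition for one alert."""
    alert_id: str
    action: str  # "auto_close" | "escalate" | "contain"
    reason: str
    enrichment: dict = field(default_factory=dict)


def enrich(alert: Alert) -> dict:
    """Attach context an L1 analyst would otherwise look up by hand."""
    return {
        "ti_hit": alert.remote_ip in KNOWN_BAD_IPS,
        "authorized_scanner": alert.remote_ip in AUTHORIZED_SCANNERS,
    }


def dedupe(alerts, window: timedelta = timedelta(minutes=10)):
    """Drop repeats of the same (rule, remote_ip, host) seen within `window`
    of the last kept alert; repeated noise is the first source of alert fatigue."""
    last_seen = {}
    kept = []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.rule, a.remote_ip, a.host)
        prev = last_seen.get(key)
        if prev is not None and a.ts - prev < window:
            continue
        last_seen[key] = a.ts
        kept.append(a)
    return kept


def triage(alert: Alert) -> Decision:
    """Automate the rote L1 decisions; anything unclear still goes to a human."""
    e = enrich(alert)
    if e["authorized_scanner"] and alert.rule.startswith("port_scan"):
        return Decision(alert.alert_id, "auto_close", "authorized scanner", e)
    if e["ti_hit"]:
        return Decision(alert.alert_id, "contain", "remote IP matches threat intel", e)
    return Decision(alert.alert_id, "escalate", "no automated disposition", e)


def run_playbook(alerts):
    return [triage(a) for a in dedupe(alerts)]


def summarize(decisions) -> dict:
    """Counts per action: how much L1 work the playbook absorbed."""
    counts = {}
    for d in decisions:
        counts[d.action] = counts.get(d.action, 0) + 1
    return counts


def mttc_seconds(incidents) -> float:
    """Mean time to contain over (opened, contained) datetime pairs."""
    if not incidents:
        return 0.0
    total = sum((c - o).total_seconds() for o, c in incidents)
    return total / len(incidents)


# Constructed sample alerts (hypothetical hosts, users and rule names).
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_ALERTS = [
    Alert("a1", T0, "port_scan_detected", "10.0.5.10", "web01"),
    Alert("a2", T0 + timedelta(minutes=2), "port_scan_detected", "10.0.5.10", "web01"),
    Alert("a3", T0 + timedelta(minutes=3), "outbound_beacon", "203.0.113.7", "wks22", "jdoe"),
    Alert("a4", T0 + timedelta(minutes=5), "failed_logins_threshold", "192.0.2.44", "vpn01", "svc-backup"),
    Alert("a5", T0 + timedelta(minutes=15), "port_scan_detected", "10.0.5.10", "web01"),
]

if __name__ == "__main__":
    for d in run_playbook(SAMPLE_ALERTS):
        print(d.alert_id, d.action, d.reason)
    print(summarize(run_playbook(SAMPLE_ALERTS)))
```

Running the block drops `a2` as a repeat of `a1` inside the ten-minute window, keeps `a5` because it falls outside it, auto-closes the two scanner alerts, marks the beacon to a threat-intel indicator for containment, and escalates the failed-login alert for human review. The enrichment and dedupe steps are exactly the lookups and comparisons the interview describes as rote level-one work; the summary counts are the "time and motion" evidence of how much of that work the playbook removed.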