4 reasons why you need SOAR on your SecOps team

Rob Lemos Writer and analyst

The proliferation of devices, cloud infrastructure, and remote users has made security operations increasingly complex. Automation is widely seen as the solution to tackle these issues of complexity, consistency, and lack of adequately skilled staff.

The set of features known as security orchestration, automation, and response (SOAR) promises to augment security alerts with context from threat intelligence, speed incident response times, allow easier security operations, and improve the scalability of complex systems. While automation can help improve the efficacy and efficiency of security operations centers, the fully automated SOCs that some vendors claim will arrive in the near future are likely much further off.

Machine learning and automation may have led to systems that can beat chess grandmasters and Jeopardy contestants, but both those games have well-defined rules and systems, said Allie Mellen, an analyst at Forrester Research.

"Security does not have rules. We have attackers that are targeting hospitals. The whole goal in attacking a network or enterprise is to break the rules, to get into the system and steal data or prevent a business from operating."
Allie Mellen

SOAR systems augment the current security operations team, making the group more effective. Rather than aim to fully automate the security functions of a business, companies should adopt SOAR features to aid security analysts in detection, analysis, and response. In addition, automated systems allow security operations to collect data on performance.

Here are four reasons why SOAR functionality is critical to modern security operations.

1. Shortage of skilled security workers puts automation in high demand

While 84% of companies have increased spending on IT security, according to the Future of the SOC report from business and technology consultancy Deloitte, security staffing continues to be a major problem. Almost 30% of organizations consider the lack of skilled security operations personnel to be a top challenge, according to the CyberRes 2021 State of Security Operations report. Specifically, there is a large gap in the availability of security professionals who have two to eight years of experience, said Mellen.

The lack of skilled security professionals makes automation a critical tool to speed response time, add context to security events, and make playbooks repeatable. However, experienced security analysts are a group whose skills are hard to fully automate, because they have enough training to spot the anomalies in unstructured data, something at which most automated systems do not excel, Mellen said.

"Most of our automation is built around consistent, repeatable processes, but security is not like that. Every incident is its own specific snowflake."
—Allie Mellen

Automation, however, can also help train less experienced employees faster by highlighting evidence of malicious or anomalous activities that they might otherwise miss.

Jonathan Trull, general manager of security solutions for Microsoft, said in a blog post on automating the SOC that the key is not only to measure automation results and SOC efficiency, but also to gain the insight needed to decide where automation effort should be spent to improve the organization's security posture.

"The goal for any security operations center automation efforts is to reduce mean time to detect and mean time to remediate while not having a linear growth in head count with the growth in business."
Jonathan Trull
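As an added illustration of the measurement point above (example code written for this page, not from Microsoft, Trull's post, or the article), the following computes mean time to detect (MTTD) and mean time to remediate (MTTR) from constructed incident records, splits them by whether a playbook handled the response, and ranks alert categories by the analyst time still spent on manual response, which is where the next playbook would buy back the most time. The field names and categories are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass
class Incident:
    category: str         # hypothetical alert category (e.g. "phishing")
    occurred: datetime    # when the malicious activity began
    detected: datetime    # when an alert was raised
    remediated: datetime  # when containment/cleanup finished
    automated: bool       # True if a SOAR playbook handled the response


def minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60


def soc_metrics(incidents):
    """Per (category, automated) group: count, MTTD and MTTR in minutes."""
    groups = defaultdict(list)
    for inc in incidents:
        groups[(inc.category, inc.automated)].append(inc)
    return {
        key: {
            "count": len(incs),
            "mttd": mean(minutes(i.occurred, i.detected) for i in incs),
            "mttr": mean(minutes(i.detected, i.remediated) for i in incs),
        }
        for key, incs in groups.items()
    }


def automation_candidates(incidents):
    """Categories ranked by total analyst minutes spent on manual responses."""
    manual = defaultdict(float)
    for inc in incidents:
        if not inc.automated:
            manual[inc.category] += minutes(inc.detected, inc.remediated)
    return sorted(manual.items(), key=lambda kv: kv[1], reverse=True)


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample incidents for the example; not real data.
SAMPLE = [
    Incident("phishing", ts("2024-03-01T09:00"), ts("2024-03-01T09:05"), ts("2024-03-01T09:10"), True),
    Incident("phishing", ts("2024-03-01T11:00"), ts("2024-03-01T11:05"), ts("2024-03-01T11:11"), True),
    Incident("phishing", ts("2024-03-02T10:00"), ts("2024-03-02T10:30"), ts("2024-03-02T12:30"), False),
    Incident("malware", ts("2024-03-02T14:00"), ts("2024-03-02T14:40"), ts("2024-03-02T16:00"), False),
    Incident("malware", ts("2024-03-03T08:00"), ts("2024-03-03T09:00"), ts("2024-03-03T10:30"), False),
]
```

In the sample, automated phishing responses close in minutes while manual malware handling still consumes the most analyst time, so `automation_candidates(SAMPLE)` puts malware first.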

2. Automate analysis at the endpoint

Companies should minimize the amount of raw data that central systems are processing by making sure that all security tools do as much processing as possible on the endpoint. Pushing the analysis to the endpoint results in less work for the analyst while culling the least important data as soon as possible.

With the increasing velocity and complexity of attacks, such edge analysis is now required.

"Our information environments are extremely complex and vast. They are also often beyond the capabilities of a human to perceive, visualize, calculate, and understand the interconnections."
—Jonathan Trull

3. Don't discount the benefits of orchestration

Orchestration is another facet of SOAR systems that has become very important. The average organization has 19 security tools to maintain, according to the 2021 Security Technology Sprawl report by security firm ReliaQuest. Other firms have put the number much higher, claiming that the average small business uses 15 to 20 tools while medium businesses use between 50 and 60 tools and enterprises use more than 130 security tools.

Orchestration simplifies that picture immensely, said Forrester's Mellen.

"Right now and in the future, orchestration is the key element of this that is so important for the security team. The orchestration capability provides a ton of value, because you can take all the actions that you need from one centralized place and you don't have to go to other tools to take these actions."
—Allie Mellen

4. SIEM will likely subsume SOAR

While the industry is talking about SOAR as a separate entity, it will likely become integrated with the current security operations hub, which is usually the security information and event management (SIEM) system.

"Due to the nature of its design—SIEM as the central repository of information for security analysts—the technology is in prime position to swallow the capabilities of other security solutions such as SOAR, UEBA, and EDR," GigaOm stated in the analyst firm's GigaOm Radar for Security Information and Event Management (SIEM) Solutions:

"Whether the result will be called simply a next-gen SIEM, or an entirely different name, we expect that SOCs will need only one main platform for collection, filtering, investigation, response, and reporting."

Toward a unified tool set

Adding yet another standalone component to the security-operations landscape only increases complexity. If SOAR capabilities are instead added to an existing platform, companies get the benefits of added automation, orchestration, and response while keeping the same tool set.
