Last week I was helping a customer with their incident response policies and processes. All was going well, and then SOAR came into the conversation.
SOAR is another of those vendor/analyst-invented acronyms. It stands for Security Orchestration, Automation and Response.
Wow. That sounds great. If there is an incident, it can be automatically fixed, and we can go on with our day... right?
Well - not quite.
"Security orchestration, automation and response" sounds like a great idea, but at present it solves one specific, fairly narrow problem.
If you have more security alerts and incidents than your analysts can respond to, it can help. It does so by automating the first-pass analysis of an alert (pulling the relevant logs, parsing email headers, looking up indicators and so on) so that analysts pick up cases that are already partly worked, which reduces their load.
You're on the right track if you think of it as partially replacing a junior analyst with one to two years of experience.
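To make concrete what "automating the first-pass analysis" means in practice, here is an added example (not code from this post or from any SOAR product) of a small phishing-triage playbook in Python. It assumes a user-reported email arrives as raw text, reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header, checks whether the From and Return-Path domains agree, pulls URLs from the body and compares them against a watchlist, then scores the result. The domains, header values, watchlist and score weights are all constructed for illustration.

```python
"""Phishing-triage playbook of the kind a SOAR platform runs (added example;
not from the original post or any product; all domains, headers and score
weights below are constructed for illustration)."""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Constructed watchlist standing in for a threat-intel or blocklist lookup.
KNOWN_BAD_DOMAINS = {"example-login-verify.test"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def domain_of_address(addr: str) -> str:
    """Lowercase domain of an RFC 5322 address, or '' if none is present."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr or "")
    return m.group(1).lower().rstrip(".") if m else ""


def parse_auth_results(msg: Message) -> dict:
    """Read spf/dkim/dmarc verdicts from Authentication-Results; default 'none'."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        for mech in results:
            m = re.search(rf"\b{mech}=(\w+)", header, re.IGNORECASE)
            if m:
                results[mech] = m.group(1).lower()
    return results


def body_text(msg: Message) -> str:
    """Decoded text/plain and text/html parts, joined, for URL extraction."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_email: str) -> dict:
    """Score one reported email and return the evidence an analyst needs to decide."""
    msg = message_from_string(raw_email)
    auth = parse_auth_results(msg)
    from_domain = domain_of_address(msg.get("From", ""))
    return_path_domain = domain_of_address(msg.get("Return-Path", ""))
    urls = sorted(set(URL_RE.findall(body_text(msg))))
    hits = sorted({urlparse(u).hostname or "" for u in urls} & KNOWN_BAD_DOMAINS)

    findings, score = [], 0  # weights are illustrative assumptions, not a standard
    if auth["spf"] != "pass":
        findings.append(f"SPF result is '{auth['spf']}'")
        score += 2
    if auth["dkim"] != "pass":
        findings.append(f"DKIM result is '{auth['dkim']}'")
        score += 2
    if auth["dmarc"] == "fail":
        findings.append("DMARC failed for the From domain")
        score += 3
    if from_domain and return_path_domain and from_domain != return_path_domain:
        findings.append(f"From domain {from_domain} != Return-Path domain {return_path_domain}")
        score += 2
    if hits:
        findings.append(f"URL domain(s) on watchlist: {', '.join(hits)}")
        score += 5
    elif urls:
        findings.append(f"{len(urls)} URL(s) present, none on watchlist; check manually")

    return {
        "auth": auth,
        "watchlist_hits": hits,
        "findings": findings,
        "score": score,
        # The playbook prioritises; the analyst still makes the final call.
        "disposition": "escalate" if score >= 5 else "low_priority",
    }


# Constructed sample messages, not real mail.
SAMPLE_PHISH = """\
Return-Path: <bounce@mailer.example-login-verify.test>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example-login-verify.test; dkim=none; dmarc=fail header.from=example.org
From: IT Helpdesk <helpdesk@example.org>
Content-Type: text/plain; charset="utf-8"

Your password expires in 2 hours. Verify now: https://example-login-verify.test/reset?u=someone
"""

SAMPLE_LEGIT = """\
Return-Path: <newsletter@example.org>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org; dmarc=pass header.from=example.org
From: Newsletter <newsletter@example.org>
Content-Type: text/plain; charset="utf-8"

Read this month's update at https://www.example.org/news
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = triage(sample)
        print(f"[{label}] score={result['score']} disposition={result['disposition']}", result["findings"])
```

Run stand-alone, it triages the two constructed samples: the spoofed helpdesk mail scores 14 and is escalated, the newsletter scores 0 and is marked low priority with a note that its URL still needs a look. That is the whole of what "partially replacing a junior analyst" amounts to: the playbook gathers and scores the evidence so a human opens a case already half-worked; it does not, and should not, close the case on its own. A real playbook would also trust only the Authentication-Results header added by your own MTA, since any such header arriving from outside can be forged.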
How Does SOAR Actually Fit Into a Cybersecurity Programme?
As you build a cybersecurity programme, your risk reduces and your business becomes more resilient. However, one by-product of a vigilant, security-aware workforce is that staff start reporting potential phishing emails and scams from everywhere.
This typically means more alerts, and it can induce alert fatigue in IT administrators and first responders.
This is a real problem - and must be solved in maturing a cybersecurity programme.
However, for your business to be concerned with this problem, you must already have the following:
- A team of people who are investigating real-time security alerts
- A network or security operations centre staffed with analysts
- A SIEM (security information and event management) system that gathers real-time alerts
- Alert sources configured for logging - e.g. intrusion detection systems, antivirus, firewalls etc.
- All those technologies deployed in the right place
- Policies/processes/business cases to justify the spend...
So, to put it another way, when you already have:
- Comprehensive cybersecurity policies and procedures
- Systems capable of alerting on security issues
- Security alerts consolidated into a central logging system
- Analysts looking at the alerts in real time
- Too many security alerts for the analysts to cope with
then SOAR may make sense. So might more specific security awareness training, so that staff better understand what is and is not a scam email and report fewer false alarms in the first place.
Selling to the 1%
Several years ago, this idea was described to me as "selling to the 1%". A particular security solution may only be relevant for 1% of companies. Or 1% of security experts… but it's marketed as essential to all companies and maturity levels.
When selling to the 1%, cybersecurity analysts and vendors use an irritating trick. They create acronyms. Far too many acronyms.
Acronyms are valuable, but… cybersecurity acronyms are more often used for two nefarious reasons:
- If I know what an acronym means and you don't, then clearly I know more than you, so you had better come to me for advice… 🤦♂️🤷♂️
- If enough people start using the acronym, then the vendor controls the language and, therefore, the conversation… 🤦♂️🤷♂️
…in both cases, all paths forward lead to a sales rep.
If you need SOAR - great. Congratulations on your mature cyber operations programme. It can't have been easy to get there.
But if you're like most companies, I suggest you respond with "Lovely acronym. What does it actually mean? What does it actually do?"