With the incorporation of multiple security products defending against increasingly complex attacks, cybersecurity teams can be overwhelmed with a deluge of threat alerts that make it challenging to adequately handle with the traditional processes. Shortages in IT security staffing and continued reliance on multiple technologies and processes have created inefficient and time-consuming systems. Fortunately, solutions to improve security operations exist by implementing Security Orchestration, Automation, and Response (SOAR) technologies.
Gartner, Inc., (Gartner) a leading research and advisory company, has published a report titled “Innovation Insight for Security Orchestration, Automation and Response” which has recognized the convergence of three previously separate technology sectors: (1) security orchestration and organization; (2) incident management and response; and (3) threat intelligence.
The merging of these sectors has formed the basis of the SOAR tools. Gartner describes four key SOAR concepts:
- Automation: Making automatic equipment do task-oriented work
- Orchestration: How different technologies are integrated to work together
- Dashboards and Reporting: Visualizations and capabilities for collecting and reporting on metrics and other information
- Incident Management and Collaboration: Management of all stages of an incident
Adoption of SOAR concepts is exploding within the security operations industry. Gartner estimates that the usage of SOAR in security organizations with five or more security professionals will rise from less than 1% today to 15% by 2020. As the report states, “The challenges from an increasingly hostile threat landscape, combined with a lack of people, expertise and budget are driving organizations toward SOAR technologies.”
The Gartner report offers key recommendations for companies when they begin implementing SOAR, which include:
- Pick the low-hanging fruit first: First implement automation where it can be easily installed and where organizations will see instant returns
- Integrate: Focus on automating tasks and integrating different technologies related to incident response
- Apply gained intelligence: Leverage the threat intelligence that is gained to improve security technologies and response processes
IT security professionals should understand SOAR deployment and operations practices in order to effectively mitigate cybersecurity risks.