SOAR vs. Security Operations: What’s Really Going On?

Written by John Czupak, CEO, ThreatQuotient

There’s something big brewing in the world of security operations, but what exactly is it? We are regularly inundated with various descriptions of useful tools and capabilities (think Security Orchestration, Automation and Response (SOAR), Threat Intelligence Platforms (TIPs), Security Incident Response (SIR), Hunting and more).

Unfortunately, many of us are equally confused about the fundamental capabilities of these technologies, and more pointedly, what problems they aim to solve. Perhaps we need to refresh the way we look at this space – turn it upside down a bit and start from a different perspective.

What problems are we trying to solve in today’s Security Operations Centre (SOC)?

If you get right to the point, there are many inefficiencies in processes, which result in delayed detection and response times. There are of course many contributing factors, including but not limited to: teams working in silos; applications and data that are not integrated; alert overload and fatigue as well as staff and talent shortages. The industry response has been to add more tools such as IR/ticketing systems, orchestration and automation and TIPs. In fact, if you look back at Gartner’s earliest definition of SOAR, it fundamentally aligns with these technology stacks.

So, what’s different today? The conversation has clearly shifted to a discussion around the specific problem (i.e. – use cases) coupled with the way technology can help. This concept of a use case approach makes a lot of sense as it focuses the discussion on the problem at hand vs. attempting to shoehorn a “silver bullet” technology for every situation. Some of the more common use cases we see include things such as:

Incident Response: an organised approach to the process by which an organisation handles the aftermath of a cyberattack or data breach with the goal of limiting damage and reducing recovery time and cost.

Threat Hunting: the practice of proactively and iteratively searching for abnormal activity within networks and systems for signs of compromise.

Threat Intelligence Management: the practice of aggregating, analysing, enriching and de-duplicating internal and external threat data in order to understand threats to your environment.

Alert Triage: the process of efficiently and accurately going through alerts and investigating them to determine the severity of the threat and whether or not the alert should be escalated to incident response.

Vulnerability Management: the practice of continuously discovering, classifying, prioritising and responding to software, hardware and network vulnerabilities.

Spear phishing: the practice of sending fraudulent emails that targets specific individual(s) or organisation for the purpose of gaining unauthorised access to confidential information.

Investigations & Collaboration: The industry’s first cybersecurity situation room designed for collaborative threat analysis, shared understanding and coordinated response.

A shift in conversation: The emergence of new technology requirements

In Gartner’s latest SOAR Market Guide, published on 27th June 2019, the evolution of SOAR moves towards what we have believed all along – the need for a “full featured” security operations solution designed to support multiple activities for security operations (e.g. – prioritising activities, formalising triage and IR, automating response, enabling investigations, facilitating collaboration and more). This can simply be interpreted as a platform designed for multiple users and use cases.

While SOAR used to mean simply orchestration to many, and TIPs were solely used for threat intelligence programs and SIRs were used for incident response, the definitions and use of these technologies is clearly evolving rapidly. The market needs a security operations platform to improve efficiencies and effectiveness of the SOC.