Securing DoD Systems — A Look at SOAR

It would be hard to overstate the importance of security orchestration, automation and response (SOAR) capabilities to the mission success of security operations centers (SOCs). Without a solid SOAR capability in place, a SOC will easily be overwhelmed with routine and repetitive tasks that could in and of themselves become a vulnerability.

During his confirmation hearing before the Senate Armed Services Committee in October, DoD CIO John Sherman highlighted the continued focus of the Department on ensuring the effective cybersecurity of its networks. While specific attention has been given to the rollout of the zero trust approach, security automation also plays an important role. In his responses to the Committee’s advance policy questions, Sherman rightly noted that “[t]he scope and scale of the information cyber operations and security organizations need to perform their duties is vast and requires automation, big data analytics, and visualization to reach their full potential” and that “[t]he Department has been making significant investments to accelerate digital modernization, and are working towards real-time direction and orchestration in all areas.” Likewise, automation is mentioned multiple times in the current edition of the Defense Information Systems Agency (DISA) Strategic Plan. Perhaps most notable is the focus on automating enterprise cybersecurity solutions.

For several years Congress has pushed DoD to add SOAR to its cybersecurity tool chest. This year’s NDAA, signed by President Biden in late December, is no different. Section 1529 of the FY2022 NDAA calls for the DoD CIO, acting through DISA, to complete a demonstration and assessment of automated security capabilities by October 2024. The Senate Armed Services Committee in particular is insistent on the need for DoD to fully utilize automated cyber capabilities. In the report that accompanied their version of the FY2022 NDAA, the Committee again pointed to prior years’ direction to the Department to carry out pilot programs on SOAR. In this year’s report they went a step further and recommended an authorized appropriations increase of $25 million specifically for SOAR pilot programs at Joint Force Headquarters, Department of Defense Information Network (JFHQ-DODIN).

It can be incredibly difficult to implement and further build upon these policy and legislative requirements in an unpredictable appropriations cycle. As of this writing, DoD and the rest of the federal government continue to operate under a Continuing Resolution. While the hope is to have a full-year omnibus appropriation in the near future, the start/stop appropriations process, repeated year after year, continues to hinder the effective cyber operations of the federal government. A return to regular budgetary order would allow departments and agencies to more effectively utilize SOAR capabilities to protect critical infrastructure and national security systems. SOAR produces a strong return on investment through faster or real-time alerts and solutions and a stronger collective cyber defense.

