This past June I presented a .conf22 session called “A Beginner’s Guide to SOAR: Automating the Basics” to address perceptions about SOAR adoption among security practitioners. This was my first in-person presentation to a live audience in several years because of the pandemic and I was encouraged to find that the session was among the highest attended at the event with well over 200 attendees in the room. Alongside a SOAR product expert, we presented five of the top SOAR adoption use cases with product demonstrations.
To help you go beyond getting started, we also created a more in-depth white paper that lays out a SOAR maturity journey for your SOC. While no two SOCs are identical, the goal was to stitch together common ground among security operations teams in their SOAR adoption journey. I’m now happy to share the SOAR Adoption Maturity Model. A lot of credit for this paper goes to the experts on Splunk’s Security Product Management team.
SOAR helps you orchestrate security workflows and automate tasks in seconds to empower your SOC, work smarter and respond faster. Increasingly, security automation is seen as a milestone in maturing your security operations. And maturing security operations is something every organization needs to do, given the rising threat of attacks of all kinds. It should not be a technology used only by a select group of advanced security teams.
SOC & Security Maturity Models Today
The process of defining security maturity levels is not a new effort. A lot of good work has already been done by Splunk and the industry in the area of security maturity. For example:
- The Splunk Security Maturity Methodology (S2M2) is an overarching structure that goes beyond SOAR maturity.
- The SOC-CMM, which aligns to the NIST Cybersecurity Framework (CSF), includes an assessment where you can see the output of your SOC maturity level on a radar chart.
The SOAR Adoption Maturity Model doesn’t aim to replace these tools - we just want to dive into the SOAR universe more since it is a unique technology and customer experience.
But there is a significant challenge to security maturity: each security team is a “special snowflake” when it comes to their SOC Type.
- Are you really even considered a “SOC” if you only have two people in remote locations?
- How do SOC types factor into a maturity journey?
If you want to get super granular, you could draw up a maturity journey for each SOC type. For example, if your SOC is within a local government you might be classified as a “Distributed SOC”, so what does that maturity journey look like? Perhaps we will take this challenge on in future iterations!
For now, we provide a more foundational approach that allows you to begin thinking about your adoption and maturity journey.
Benefits of SOAR adoption
The end goal of orchestrating and automating security operations processes and workflows means your security team can:
- Clear a vast majority of security alerts with no human interaction,
- Eliminate analyst grunt work by automating repetitive security tasks in seconds vs hours or minutes if performed manually,
- Force multiply the efficiency and productivity of your team so you can do more with the people you already have,
- Coordinate security workflows across your siloed security tools to reduce operational friction and increase response speed and efficacy,
- Reduce mean time to investigate and mean time to respond to threats using automated playbooks.
Addressing Today’s Top SOC Challenges with SOAR
SOAR adoption is also front and center as a solution to today’s leading SOC challenges. Just look at the findings from a survey conducted earlier this year that Splunk sponsored called the SANS 2022 SOC Survey. I provide a webinar recap of the survey results here in case you’re interested.
In this survey, the data indicate that security teams are facing several key challenges that are driving a need for SOAR adoption. Consider the top three answers to the question “What are the key challenges faced when trying to maximize the full power of their SOC?” They are:
- High staffing requirements
- A growing talent gap with a lack of skilled staff
- Analyst grunt work and a lack of automation
In case you didn’t notice, each of these top three challenges is addressable by SOAR technology.
Your SOAR Maturity Journey
The “meat and potatoes” of the SOAR Adoption Maturity Model provides maturity stages and definitions that include a maturity description, SOC types, and SOC dynamics. These definitions are the starting point to diving into “Your SOAR maturity journey”.
This is where you identify the progression of the four stages of security maturity. These are the four stages we elaborate on:
- Mostly reactive and highly manual
- Mostly proactive
- Fully proactive
Progression from Stage 1 to Stage 4 is achieved by looking at your action orientation, common use cases, common SOAR applications, common SOAR playbooks, and detection processes with an emphasis on integration with Splunk Enterprise Security.
Advancing to the next stage will mainly depend on implementing the apps and playbooks in each stage, though each SOC will have its own app and playbook requirements. These journey progression steps are therefore meant to serve as a guide for thinking through your own goals.
For example, we define an end goal of stage 1 as “automate your most basic, repetitive tasks by using the apps and playbooks mentioned in stage one”.
This article was co-authored by Rajesh Gwalani, Senior Director of Product Management, Security with Splunk.