The 10 Essential Capabilities of a Best-of-Breed SOAR

Ask a group of security analysts about the challenges of working in cybersecurity, and you’ll likely hear some common themes:

  • A shortage of skilled cybersecurity talent
  • A high volume of security alerts
  • Too many security point-products to manage
  • Lack of interoperability between those products
  • Inability to scale security operations over time
  • Increasing costs, shrinking budgets
  • Increasing sophistication of malware
  • Slow speed of threat detection and response

It’s no surprise that security teams feel perpetually overwhelmed. Many teams have turned to security orchestration, automation and response (SOAR) tools for help. 

A SOAR tool can orchestrate security actions (such as investigation, triage and response) across the various security products in a team’s arsenal, and automate otherwise manual, repetitive security tasks. Security teams can automate the majority of their alert triage and response, freeing up time to focus on more mission-critical work.

If you think SOAR technology can help your team overcome the challenges listed above, it’s important to evaluate the various solutions available in the marketplace against a checklist of best-of-breed capabilities. Any best-of-breed SOAR product should include the following:

Essential Capabilities of a Best-of-Breed SOAR

Orchestration

The machine-based coordination of complex workflows across disparate security tools should increase the efficiency and speed of your security operations. 

Automation

The machine-based execution of otherwise manual, interdependent security actions using “playbooks” should allow you to execute in seconds versus hours.

Event and Alert Management

An event and alert management capability in a SOAR tool should queue and prioritize inbound security events and alerts to help analysts perform triage more efficiently.

Case Management

A case management capability in a SOAR tool should let analysts track an investigation from the moment it is opened until it is closed: the alerts it groups together, the evidence collected, the actions taken and who took them, so that the work is recorded, assignable and auditable.

Collaboration

Built-in chat and notes can facilitate communication across the security team, and thereby accelerate the resolution of security events.

Metrics and Reporting

Metrics and reporting are critical to understanding the effectiveness of the SOAR tool and identifying where improvements can be made to increase ROI.

Mobility

Control of the SOAR tool from the convenience of the analyst’s mobile device will allow for faster response times and easy alert triage — all on the go.

Scalability

A SOAR tool should grow with you as your organization grows. As an organization adds more use cases over time, there will be additional processing load placed on the platform.

Open and Extensible

A SOAR tool should easily support incorporating new security scenarios, new products, new actions and new playbooks.

Community Powered

A SOAR tool should be backed by a community of users and partners who contribute and share playbooks, integrations and use cases, so that each team does not have to build everything from scratch.

Want to Learn More?

Access our whitepaper The Ten Essential Capabilities of a Best-of-Breed SOAR to dig deeper into each of these capabilities and how they can remedy common security challenges.

Posted by John Dominguez

John Dominguez is a product marketer in the Security Markets Group at Splunk. With over 8 years experience in the networking and security industry, John is currently focused on the Security Orchestration, Automation, and Response (SOAR) marketplace. In his role, John is responsible for messaging and positioning, marketing strategy, content creation, and product evangelism for Splunk Phantom. In his previous role in Cisco’s Security Business Group, he marketed Cisco’s Next-Generation Firewall and Cisco Advanced Malware Protection (AMP for Endpoints, AMP for Networks). John has an MBA in Marketing and Strategy from the University of Michigan, and a BA in Economics and Government from Dartmouth College.