Top 5 Considerations for Implementing SOAR Technology

My security team is feeling burnt out by the vast number of security threats coming in.

Swivel-chair security is no fun. It takes more time to investigate and respond to a threat because I need to go to 5-10 different platforms.

We need to find a way to work smarter, not harder.

Does any of this sound familiar?
Security Orchestration, Automation, and Response (SOAR) solutions are becoming increasingly valuable for security teams as they combat the reality of the growing IT security skills gap, alongside a mountain of daily security alerts. Many teams have used SOAR to lower mean time to respond, reduce security team burnout and turnover, and streamline security operations. But what should you consider when implementing a SOAR technology?

For good reason, new SOAR customers look for guidelines and certified architectures to ensure that their initial deployment is built on a solid foundation. When deciding how to implement SOAR, you'll want to consider availability, performance, scalability, security, and total cost to manage.

Before you get started, here are five key questions for you and your security operations team to consider:

  1. Do you need your SOAR tool to have a multi-site disaster recovery plan?
  2. Do you want to use your SOAR for case management?
  3. Do you want to provide your own external infrastructure, or utilize cloud infrastructures like Splunk Cloud?
  4. How many of your analysts will be using the SOAR tool at any given time?
  5. How many events an hour will you be forwarding to your SOAR tool?

When preparing for SOAR implementation, you'll also want to review the main use cases your security team wants to automate, to decide whether you need SOAR deployed as a "headless" operation or as a case management operation.

If your team will use the SOAR tool mainly for straightforward playbook execution, where automation runs in the backend and few interactive users are needed, a headless operation may be your best solution. But if your team will run automation in the backend while also using the SOAR tool's user interface (cases, notes, analyst workflows) to make sense of incoming security events, consider a case management deployment instead.

For security use cases, we generally recommend a case management deployment, but because SOAR can also be used for use cases outside of security, some teams may prefer a headless operation.

To learn more about what you might need to successfully implement SOAR, register for our "Splunk Phantom Deployment Models and Use Cases" webinar by Rob Gresham, a global security architect at Splunk. The webinar will air on December 17, 2020. Hope to see you there!

Posted by Kelly Huang