What comes to mind when you first think about security orchestration, automation, and response (SOAR)? As a software engineer for SOAR solutions at Rapid7, I’ve read a lot about what’s been posted online about SOAR. One misconception in particular really stood out to me: that many believe security orchestration and automation tools are only for mature organizations.
Last week during our weekly Whiteboard Wednesday session, I discussed why this myth isn’t true, and why organizations of any size can benefit just the same. To understand how your company may benefit from SOAR solutions, watch the recording or read my recap below:
What is security orchestration and automation?
First, let’s be clear about what exactly security orchestration and automation is. SOAR allows you to define the solutions to your problems and automate them. Effectively leveraging SOAR starts with understanding the day-to-day problems you face. Then, in order to define how SOAR can be implemented, it’s worth thinking critically—and sometimes a bit out of the box—about the individual actions you could automate to arrive at a solution more quickly and with as little friction as possible. Because SOAR doesn’t require you do any programming, chances are your solution can make these possibilities a reality.
The bottom line? If you automate all the things that can be automated, you will have more time to solve problems that can't be automated.
How any organization can use SOAR
Now, let’s bust the myth so many organizations today still believe about SOAR. Put simply, as long as your SOAR product integrates with many other solutions (or at least the ones you utilize), there's no reason that organizations of any maturity level can't benefit.
If your SOAR solution can integrate with the tools you use and has an intuitive UI and UX that allows you to define the solutions to your problems without having to do any programming, you can benefit from it just the same as any large organization.
The first step is making a list of all the tools you use. From there, you’ll need to define the automations you require between these tools. With this list, you can then evaluate different SOAR solutions to see which one fits the bill. Here’s a free step-by-step guide on this.
What SOAR looks like in action
Still not sure what SOAR could actually do for you? Let's go through a quick example. Let's say you work at a company that is the victim of a significant number of phishing attacks. You've run your employees through a good deal of phishing awareness training, so there are a decent number of employees who now forward potential phishing emails to the SOC team. This is great, but now the team has hundreds, if not thousands, of potential phishing emails to sort through to determine what is legitimate. And if there are actual phishing emails in there, they will need to respond.
Herein lies the big problem: Your team doesn’t have the capacity or resources to investigate all of these emails. However, you don’t want to discourage employees from reporting because more reporting means your training is working. So, what do you do?
Let's go through the solution and see whether this is something that can be automated. Phishing investigations require taking an email and testing it across your different security products in order to decide if whether it is a phishing email. Could this process be automated? Absolutely!
Once an email is verified as a phishing email, you need to respond. This requires going through every company mailbox and either deleting or flagging every email that seems like it is part of the same phishing campaign. Could this process also be automated? You bet.
Last, many organizations like to review and report on progress. SOAR solutions can automatically generate quarterly reports around phishing attempts and the subsequent response time. This type of report is a great way to simultaneously measure the time savings of SOAR, gauge the effectiveness of your defense measures, and keep upper management informed of your efforts.
In this case, the entire process can be automated. If you have some experience with programming, you could write the integrations yourself. However, while the code you write may work well for this use case, it might not be flexible for others. And regardless, writing this code would take a decent amount of time that could be better spent elsewhere. So, what do you do?
This is where SOAR really shines
Examples like the automation of phishing investigations are exactly where the promise of SOAR really comes through. With a good product, you should be able to define the process for your solution in less than an hour, then simply plug and play your automation workflows into the solution. Because most SOAR solutions manage the integration and automation code for you, you can know that the workflow will always work, even if the code for one of your tools changes. This alone can save hundreds of (wo)man hours.
Especially for small, resource-strapped companies, this time savings is worth its weight in gold. This means your SOC team can spend their time on more strategic and valuable tasks like incident investigation and response, rather than tedious and repetitive tasks that are better left to the machines. And if your SOAR solution is really top-notch, it will allow for human intervention at any point within the workflow so that if you do need to do something custom, or want a human involved at a strategic point, it allows for it. By leveraging the speed and precision of automation alongside the strategic value of human touchpoints, security can move forward faster.
Learn more about Rapid7’s SOAR solution, InsightConnect, today.