SOAR versus Security Operations: What’s Really Going On?

There’s something big brewing in the world of security operations, but what exactly is it? We’re regularly inundated with various descriptions of useful tools and capabilities – think Security Orchestration, Automation and Response (SOAR), Threat Intelligence Platforms (TIPs), Security Incident Response (SIR), threat hunting and more. Unfortunately, many of us are equally confused about the fundamental capabilities of these technologies, and more pointedly perhaps, what problems they aim to solve. Perhaps, observes John Czupak, we need to refresh the way in which we look at this space – turn it upside down a bit and start from a different perspective.

Heading right to the point, there are many inefficiencies in processes which result in delayed detection and response times. There are, of course, many contributing factors, including but not limited to teams working in silos, applications and data that are not integrated, alert overload and fatigue as well as staff and talent shortages.

The industry’s response has been to add more tools such as IR/ticketing systems, orchestration and automation and TIPs. In fact, if you look back at Gartner’s earliest definition of SOAR, it fundamentally aligns with these technology stacks.

More common use cases

What’s different today, then? The conversation has clearly shifted to a discussion around the specific problem (ie use cases) coupled with the way in which technology can help. This concept of a use case approach makes a lot of sense as it focuses the discussion on the problem at hand versus attempting to shoehorn a “silver bullet” technology for every situation. Some of the more common use cases we see include things such as:

Incident Response: an organised approach to the process by which an organisation handles the aftermath of a cyber attack or data breach with the goal of limiting damage and reducing recovery time and cost

Threat Hunting: the practice of proactively and iteratively searching for abnormal activity within networks and systems for signs of compromise

Threat Intelligence Management: the practice of aggregating, analysing, enriching and de-duplicating internal and external threat data in order to understand threats to your environment

Alert Triage: the process of efficiently and accurately going through alerts and investigating them to determine the severity of the threat and whether or not the alert should be escalated to incident response

Vulnerability Management: the practice of continuously discovering, classifying, prioritising and responding to software, hardware and network vulnerabilities

Spear Phishing: the practice of sending fraudulent e-mails that target specific individuals or organisations for the purpose of gaining unauthorised access to confidential information

Investigations and Collaboration: the industry’s first cyber security situation room designed for collaborative threat analysis, shared understanding and co-ordinated response

Shift in conversation

John Czupak

In Gartner’s latest SOAR Market Guide, published on Thursday 27 June this year, the evolution of SOAR moves towards what we have believed all along – the need for a ‘full-featured’ security operations solution designed to support multiple activities for security operations (eg prioritising activities, formalising triage and IR, automating response, enabling investigations, facilitating collaboration and more). This can simply be interpreted as a platform designed for multiple users and use cases.

While SOAR used to mean simply orchestration to many, and TIPs were used solely for threat intelligence programmes and SIRs for incident response, the definitions and use of these technologies are clearly evolving rapidly.

Ultimately, the market most certainly needs a security operations platform to improve efficiencies and effectiveness of the Security Operations Centre.

John Czupak is CEO of ThreatQuotient
