We recently spoke with Tari Schreider, Strategic Advisor at Aite-Novarica Group, an advisory firm providing mission-critical insights on technology, regulations, strategy, and operations to banks, insurers, payment providers, and investment firms—along with the technology and service providers that support them. We talked with Tari about security orchestration, automation, and response (SOAR) technology and the role SOAR plays in security strategies.
NetWitness: In your opinion, Tari, what is one of the biggest misconceptions that the user community has about SOAR solutions?
Tari: A common misconception of SOAR I have heard is that SOAR replaces security incident and event management (SIEM) solutions. SOARs require a repository of IT estate data (logs and alerts) to function. This repository can either be a SIEM or security data lake, but a repository it must have. Many SIEMs are bound to endpoint and extended detection and response (XDR) platforms that provide SOAR solutions with crucial incident information. SIEM providers hear the rumblings of disgruntled customers and are quickly moving to acquire SOAR products or develop SOAR-like capabilities in their next-generation platforms. Security operations (SecOps) must architect SIEMs and SOARs to properly work together.
NetWitness: With that in mind, how should companies go about evaluating different solutions for their own SOCs?
Tari: SecOps is the factory behind the information security program. It is the assembly line where processes meld with technology to enforce policies. The more seamless this happens, the more resiliency is afforded critical business processes. Automating and orchestrating disparate security technologies through SOAR is the Six Sigma of SecOps. SOAR sits at the center of SecOps like a production supervisor; and without one, a security program becomes unpredictable and unreliable. As a former manager of several SecOps organizations, I could not imagine a world without a SOAR in my SOC.
NetWitness: What role should automation play for an effective SOAR solution compared to manual activities within an investigation?
Tari: SecOps can benefit from time and motion studies to understand where the rote and menial tasks exist. Organizations need to understand the performance of security analysts at a deep and meaningful level, not anecdotally. A realistic and achievable goal for SecOps is that a SOAR solution should automatically perform all but customer-facing, level-one security analyst job responsibilities. This enables level-one analysts to advance faster in the SecOps organization where they’ll learn and perform more meaningful and rewarding tasks. Alert, incident, and tool fatigue is real; addressing this through automation is a matter of the utmost importance to SecOps management.
NetWitness: In terms of visibility, what sort of user experience should a SOAR deliver?
Tari: The ideal state of SOAR within an organization is a material improvement in incident response metrics. Nothing else matters more. If an organization makes the investment in SOAR and does not realize a significant reduction in time containing and eradicating incidents, something is very wrong. Either with the deployment of SOAR or its management.
We live in an assumption of a breach world and must act as if the aggressors are already in the IT estate—find them and stop them. Using a SOAR with sophisticated inherent threat intelligence is the “jacks or better to open” to achieving an ideal SOAR state.
NetWitness: Finally, as many organizations are dealing with a shortage of talent in the SOC, how can SOAR help fill the gap?
Tari: Many organizations acquire a SOAR in the belief they’ll be able to replace security operations personnel. There is no evidence, primary or secondary, to support this urban legend. SOAR does, however, make existing security operations personnel extremely productive by significantly reducing the amount of time required to triage and dispatch incidents to a successful resolve. SecOps will never be properly staffed, but with SOAR, SecOps can achieve the proper balance of the trifecta of people, processes, and technology. SOAR is a core strategy for SecOps that are chronically understaffed.
NetWitness: Thank you for your time and insights, Tari.
###
See how Aite-Novarica Group views and ranks NetWitness Orchestrator against their scoring methodology for SOAR solutions in its recent report, which can be found here. You will also gain insights to the benefits and potential pitfalls of incorporating SOAR solutions within your threat detection and response processes.