Earlier this year, Gartner published some great recommendations around purchasing security tools (Tips for Selecting the Right Tools for Your Security Operations Center; Bussa & D’Hoinne, January 23, 2020), written by Toby Bussa and Jeremy D’Hoinne. We’re very happy to be offering the document as a download from our website. You can find it here.
In this post, we’ll share a few excerpts from the document along with our thoughts about Gartner’s insights. The document has valuable advice for tools across the SOC, but for this post we will focus on what the authors had to say about how SOAR fits into a good tool selection strategy.
We recommend reading the entirety of Gartner’s Tips for Selecting the Right Tools for Your Security Operations Center, and once again, you can download it here.
Regarding Incident Response Capabilities in New or Recently “Insourced” SOCs
Gartner: “The need to have a common repository of incidents could be addressed within an SIEM tool or within IT’s case management or service desk tool. Using a security incident response platform (SIRP) tool or the SIRP capabilities of an SOAR tool should be considered if the incident and case management capabilities in the SIEM tool are not advanced enough, or there are security and privacy concerns with using the IT service desk tool. Every “greenfield” SOC will not have the resources (budget, people, time) to implement SIRP at the beginning, but it should be strongly considered at the start of instrumenting the SOC, rather than trying to bolt it on later in the SOC building journey.”
D3: We’re glad to see the authors recommending that companies include incident response capabilities in the foundation of their SOC. SOAR can be an effective tool for cleaning up the data silos and complexity that accumulate over time in an established SOC, but it can be even more effective when built in from the beginning.
We understand the authors to be saying to include SOAR when other tools like SIEM and IT Service Desk are not advanced enough. We would make the case that those tools are almost never sufficient for incident response, as we’ve written about previously. A SIEM is the ideal alert source for a SOAR product, but does not function well as a standalone incident response solution. A SIEM lacks playbooks, orchestration capabilities, threat intelligence enrichment, and many other features that SOAR offers.
We also interpret the authors as expressing concern about potential security and privacy issues with using an IT Service Desk to cover incident response. ITSD tools generally lack the access controls and information security to ensure compliant and safe handling of sensitive data. They also lack the features needed for effective incident response, such as automation-powered playbooks.
When SOAR Could Shine/When to Purchase
- “Processes and procedures (aka the plays in the SOC playbook) have been established and can be automated.”
- “Existing security controls are modern enough (e.g., there are open APIs) to integrate with an SOAR tool.”
- “A threat intelligence capability exists in the SOC and it requires tooling to drive improved use of threat intel.”
D3: The above excerpts come from a table where the authors list a few bullet points for each security tool regarding “when it could shine/when to purchase”. The points around SOAR are spot on. Having established procedures that can be codified in SOAR playbooks is a good foundation, and deriving value from threat intelligence is one of the major benefits of SOAR. We also understand the authors to be suggesting that you ensure your current tools can integrate with SOAR. While this is sound advice, the integration capabilities of leading SOAR platforms like D3 are so extensive that having the necessary APIs should not be an issue in most SOCs these days.
In our view, the authors are broadly correct in their assessment of when SOAR can add the most value, but potential buyers don’t have to wait to have everything in place before implementing SOAR. For example, some companies use the introduction of SOAR as the catalyst for creating standardized playbooks and procedures. Another example would be adding threat intelligence sources alongside the addition of SOAR, because SOAR makes it easier to leverage contextual data like threat intelligence.
Regarding the Value of SOAR in a Mature SOC
Gartner: “Larger and more mature SOC teams face scalability challenges. Too many events and too much time spent on investigating complex incidents, combined with strong requirements to provide a definitive answer to business stakeholders, drive security leaders to seek tools for improving their SOC productivity. The security orchestration and automation and the threat intelligence platform (TIP) capabilities in SOAR tools can help automate many of the time-consuming activities of SOC and threat intelligence analysts, as well as support threat hunting activities.”
D3: This excerpt is a great summation of the problems SOAR can solve in the SOC. Alert fatigue, resource shortages, and the need for clear reporting are all issues a SOAR platform can help with. As we see it, one of the key themes of the Gartner document is that well-chosen tools should reduce confusion and complexity in the SOC. Because of how SOAR integrates with other solutions and streamlines workflows with automation, it is the perfect tool to support this goal.
Threat hunting also gets a mention in this excerpt. While SOAR has always supported threat hunting in some ways, newer features are adding direct value for threat hunters. For D3, a major step forward in this area has been our ability to correlate events with the MITRE ATT&CK matrix. Identifying ATT&CK TTPs is hugely valuable to threat hunters because they can anticipate an adversary’s next steps based on the behaviors they have already detected.
No matter what stage of maturity your SOC is at, we recommend reading Gartner’s tips to get some expert analysis. You can download the entire document here.