- SOAR 101
A new article by Stan Engelbrecht, Director of D3’s Cyber Security Practice, is currently featured on SecurityWeek. Something we often hear from prospective customers is that they don’t have any substantial incident response program in place and are apprehensive about jumping straight into implementing a comprehensive platform like D3. While this is undoubtedly a big step to take, it’s an important one for your long-term security posture. In his new article, Stan lays out a few steps that companies can take to ease the transition from having no formal incident response program to having an enterprise-wide SOAR solution.
In this excerpt, Stan describes the first step: taking stock of your current security operations, so that you know where you’re starting from.
Two organizations might describe themselves as not having an incident response program, but mean totally different things. With or without a SOAR or incident response platform, every organization has some way of managing security incidents, even if they may involve a lot of improvisation and ad hoc processes.
When preparing to implement a SOAR platform, take the time to talk to the stakeholders in your organization to understand the current processes and how effective (or ineffective) they are. This should include an inventory of tools; for instance, what is your existing infrastructure for IT and InfoSec? Do you have any tools for data enrichment? Once you understand what tools you already have, you can map them to an incident response lifecycle—such as the one outlined by NIST 800-61r2—and identify where your gaps are.
Next, take a look at what incident response processes or playbooks your organization is following. How does the SOC collaborate internally, and with other teams such as IT and data privacy groups? How do you maintain compliance with legal and regulatory obligations during incident response? How does your team currently manage common security incidents like phishing or malware?
If any metrics are available, review them for insight into what is working well and where improvements can be made. For example, do you know how long it takes to detect and respond to security alerts? What activities are taking up too much of your security analysts’ time? If there are no formal metrics available, ask security analysts and managers for their assessments.
This article can be found in its entirety on SecurityWeek. To continue reading, please click here.