Our recent webinar, How to Prepare for Cyber Security Orchestration, was designed to help security folks understand what is needed to prepare your SOC for security orchestration, automation, and response technology.
For those who are further along in the process, many questions remain regarding implementations. Because SOAR is so new, many security pros don’t have experience implementing a SOAR tool and operating it within their security environment.
For this article, I sat down with Stan Engelbrecht, D3’s Director of Cyber Security Practice, to get his take on some of the best practices—and pitfalls—of SOAR implementation. Stan, a member of our SOAR Customer Success Team, is an accredited CISSP who works closely with D3’s largest clients and has overseen many complex SOAR and incident response implementations.
Walker: Let’s talk first about some of the best practices for SOAR implementation. What things do you see in successful implementations that provide a good blueprint for companies thinking about implementing SOAR for the first time?
Stan: The most important thing is to be prepared. Index your tools, procedures, and business requirements. Determine your main priorities and reasons for implementing SOAR. Figure out where your existing issues are, such as information silos or procedural bottlenecks. If you want a crash course, check out our webinar, How to Prepare for Cyber Security Orchestration.
A good way to gather valuable information and build internal consensus is to communicate closely with your security analysts. All analysts have pain points and tiresome manual tasks that can be improved using SOAR. Ask them what they are and you’ll get a good idea of where to start when you’re building your workflows.
When companies are ready to start augmenting their workflows with automation and orchestration, I recommend that they start small, with a few key use cases, or even just one. For many organizations, phishing is a good place to start. Our research indicates that large SOCs can spend upwards of 40 hours per week just responding to phishing attempts. Such responses require analysts to log in and out of many tools (e.g. PhishMe, Carbon Black, sandbox environments, and open source intelligence platforms) to investigate the threat. A good SOAR platform like D3 can automate those steps so that it only takes an analyst a few minutes to assess the situation and act appropriately.
Walker: Next, let’s talk about potential pitfalls. What common mistakes do you see among companies that are implementing—or thinking about implementing—SOAR solutions?
Stan: One thing about security professionals is that they sometimes want to do too much too quickly. SOAR is a powerful tool, but it’s best not to try and leverage every single capability on day one. By keeping your focus small to begin with, you can get some early wins and build from there. If you try to put too much weight on SOAR right off the bat, it’s going to disrupt normal security operations so much that you might lose support among your team before you can realize the results that SOAR is capable of.
Another potential pitfall is hanging your SOAR functionality on integrations that are unreliable. Integrations that aren’t certified are likely to cause trouble in the future, and some integrations will require custom development from the user side. At D3, we focus on providing certified integrations so that clients can be certain that we are on top of all version changes and updates.
A SOAR tool can only be as good as the information it’s working with, so another pitfall is not carefully managing the content going into the system. This includes response playbooks, roles and responsibilities, and compliance requirements. Leaving these considerations too late can result in duplicated work and wasted efforts, which is exactly what you’re trying to avoid.
Thanks to Stan for sharing his thoughts on SOAR implementation. As previously mentioned, you can check out our recent webinar for expert insight on how to prepare your SOC for SOAR. Or if you want to see D3’s software for yourself, schedule a one-on-one demo with one of our product experts.