SOAR Trends and Questions from RSAC 2019

Just like at RSA Conference 2018, and 2017, it was great to connect with clients and partners at our booth and on the show floor this year, 2019. Some of the main differences this year were the sheer volume of clients we saw—which makes sense, since we closed deals with more than 50 Fortune 500 companies in 2018—and the continually growing demand among attendees for security orchestration, automation and response (SOAR) solutions. Improving investigations and automating workflows was clearly top of mind for most SecOps and IT Security professionals. Media attention on SOAR was higher than ever as well.

With that in mind, in this post we’ll explore the most prominent SOAR trends and questions, fresh from the D3 booth, which was truly the SOAR headquarters for RSAC 2019.


1. The Need for an Open Platform

The market is consolidating, making SOAR buyers wary of purchasing an orchestration platform that might not “play nice” with other technologies. Already, some directives from “big brothers” have disrupted and complicated what should have been straightforward SOAR integrations and use cases. The risk is that vendors may start using SOAR as merely an upsell opportunity for other tools, such as SIEM or NGFW.

With D3, you get the most open SOAR platform available. Certified integrations with 200+ apps ensure silo-free event escalation, enrichment, and incident response. In fact, D3’s architecture is designed to extend to any security product or data feed, without the need for complex coding or Python scripting. Which brings us to our next point.


2. Does this SOAR Tool Come with Python Coders?

SOAR should solve the problem of a lack of skilled cybersecurity workers, not exacerbate it. Complaints that were shared with us on the show floor included that other SOAR tools require extensive Python libraries to operate, and coders to create them. In fact, many organizations that have deployed Python-intensive tools are already looking to replace them with something more comprehensive.

D3 is that comprehensive tool. It provides pre-built integrations with full feature-sets and functionality, with minimal coding or no coding at all required. When you drag and drop an applet using D3’s Visual Playbook Editor, it is already coded and ready to rock and roll.


3. Pricing!

Action-based pricing is a major turnoff, say RSA attendees, and we agree. D3 has fair pricing, meaning the more you automate, the more efficient you become, and the price stays the same. D3 has a standard per-user license-based cost. So you can plan your budget without worrying about skyrocketing prices during a major incident.


4. A Task-Based View of Security Operations

RSAC gives use the opportunity to talk to a lot of people who are actually on the front lines using tools like SOAR, and something we heard frequently is that a lot of platforms might have good automation technology, but they don’t do enough to support human users. For example, with the standard SOAR interface, little thought is given to how analysts will receive important information, view their outstanding tasks, and quickly make sense of what they should do next. Obviously, when you’re responding to a cyberattack in real time, you don’t have long to figure this out.

Because we designed D3 with input from Fortune 500 security professionals, our interface follows an analyst-centric approach. There’s no sorting through irrelevant information, other people’s tasks, and screens that are irrelevant to your role. Instead, everything is based on detailed tasks that reflect industry and organizational standards, as codified into your playbooks. This makes it easy and intuitive to assign, assess, and complete tasks, with full visibility given to management.


5. Incident Response is an Inter-Department Effort

Another thing we heard on the show floor is that people would like the “automation” part of SOAR to extend further into reporting and communication. If a SOAR tool can’t support all team members with the metrics and insights they need, someone will have to mine that information manually. So yes, SOAR should reduce MTTR through workflow automation and by filtering out false positives. But it should also help with overall SecOps visibility, reporting, audits, and compliance.

D3 can generate automated or manual reports on almost any data in the system, enabling our customers to track metrics like:

  • Dwell Time
  • Containment Time
  • Analysis Time & Volume
  • False Positive Rate for Detection
  • % of Reported Incident Investigations Resolved Within Defined Timeframe
  • # of Vulnerabilities Exploited
  • Accuracy of Protection Assets
  • $ Assets Defended Against Incident
  • $ from Cyber Incidents, Including Damage to Assets & Time to Recovery

If you were one of the thousand-plus people we connected with at RSAC 2019, thanks for coming by! If you missed us, don’t worry. We’ve just launched a weekly demo series, where you can see a 25-minute deep dive into our SOAR technology every Wednesday at 2 PM Eastern/11 AM Pacific. We hope to see you there!

Social Icon
Alex MacLachlan

Alex is a marketing leader in the cyber security industry. He runs worldwide marketing for D3 Security, which include recruitment campaigns for enterprise and MSSP buyers, public relations, digital marketing, and business planning. On the weekends, you can find Alex fishing deep in the outdoors, rain or shine.