
Five steps to achieving Security Orchestration, Automation and Response success

By Prashant Bhatkal, Security Software Sales Leader, IBM Technology Sales, India/South Asia

The ever-increasing volume and velocity of security threats and events on a global scale are driving enterprises to adopt Security Orchestration, Automation and Response (SOAR) solutions for improved investigation and remediation of threats. As Security Operations Center (SOC) teams scramble to build these capabilities, ‘SOAR’ has evolved – from a neologism to a buzzword, reverberating with high anticipation in IT circles.

However, the fact that a robust SOAR platform holds the reins to faster incident detection and reaction times, improved scalability and analytics, and lower security costs does not by itself make it a silver bullet. Because processes and tools are diverse, complex, and disparate, it is not uncommon to see SOAR solutions falter in bringing together security teams, and stumble in integrating those processes and tools in an intelligently orchestrated, automated fashion. As a result, the security responses of several organisations to any given security attack can be atypical, varying, and far from effective.

So how can enterprises preclude the possibility of a dismal SOAR outcome? Well, here are five sure-fire ways of unlocking the most value and getting ahead of enterprise security goals.

Create and integrate dynamic playbooks

Enterprises should create security playbooks and integrate them into the entire security process. While they need to be standardised, they also need to be customisable – evolving to deliver diverse incident responses, depending upon evidenced tactics, techniques, and procedures (TTP). Enterprises must be sure to leverage and enrich MITRE ATT&CK TTP from third-party tools to dynamically update response plans. It also helps to incorporate the learning from personal experience into the playbooks to stay better prepared for the next incident.

Unify security data

Sourcing security solutions from various technology partners often forces analysts to toggle between those applications without a single view. Consolidating the security data from various security tools helps not just in providing a unified view, but also in streamlining security-related communication and collaboration, allowing teams to respond consistently and confidently. Unified security data also lends itself to further strengthening – by becoming a single source of truth once the teams infuse it with intelligence from various applications.

Collaborate with all stakeholders across the organisation

The aim here is to adopt standardised definitions and semantics of security across the organisation such that not just IT managers but all stakeholders understand and speak the same language of security. Informed conversations across the board, coupled with improved visibility into the software estate, greatly improve communication and collaboration and facilitate consensus amongst teams. When each department has the information it needs, it becomes the microcosm of the organisation, with the capability to respond to threats in an effective and timely manner.

Deploy intelligent automation

The stress is on the word ‘intelligent’ here. While automation is an integral part of any SOAR solution, its judicious usage can make all the difference between deriving true value on one hand and receiving possible whiplash on the other. On a cautionary note, it is important to register the fact that the indiscriminate use of automation can trivialise it while perilously reducing it to a double-edged sword. This calls for rationalisation while identifying predictable and repeatable processes and incident responses for automation and building effective, repeatable playbooks.

Simulate cyberattacks 

This follows the axiom that prevention is better than cure. Just like a fire drill, organisations need to stage mock attacks to ascertain their readiness for a real-life incident. The learning from these practice drills helps tighten the bolts in the security framework while improvising security playbooks and boosting confidence.

To summarise, amidst the constantly evolving cybersecurity landscape, security orchestration and SOAR solutions empower security analysts to respond faster and with confidence to incidents, besides automating incident responses, enriching threat intelligence, and fostering enterprise-wide collaboration and consistency. The key to achieving SOAR success, and more importantly, staying ahead of threat actors, lies in adopting and institutionalising the above practices on an ongoing basis, such that the incident response is uniform and both effective and efficient.
