View More guides on Security Orchestration Automation and Response
Posted on: November 19, 2020
What to Consider When Researching Security Orchestration (SOAR) Vendors
Security orchestration, automation, and response (SOAR) solutions offer robust incident response and threat intelligence tools. Most notably, SOAR brings to the table a level of automation that offloads tedious tasks from cybersecurity teams, enriches threat data, and makes it easier to respond to threats.
Security orchestration vendors come in all shapes and sizes, with the industry quickly evolving to meet the needs of growing organizations. Typically service providers (MSSPs or MDRs) and large organizations with mature SOCs are earliest to adopt SOAR. This makes sense as both ingest a great deal of threat data, and the need for high-fidelity results allows them to prioritize work.
For these organizations, the primary functions of SOAR solutions are for incident triage or response and its related process, and also the automation and orchestration behind that process. In doing so, it reduces human error, makes results more consistent and reliable, offers scalable solutions, as well as a wide range of other benefits depending on which vendor is chosen.
According to the 2020 Gartner Market Guide for SOAR, the primary uses cases an organization should consider when seeking out a SOAR vendor are:
- Case/incident management
- Playbooks (ability to create and pre-built library of them)
- Ability to automate and orchestrate workflows
What to look for in a SOAR Vendor
Cloud vs On-Premise Solutions
The pandemic has changed much of how organizations function, with remote or hybrid teams becoming the norm. Now, as teams are distributed outside of the office, cloud options are an ideal solution, with a notable exception to those only allowing on-premise technology. When seeking a security orchestration vendor, finding a SOAR solution that offers both cloud-deployed and on-premise solutions is ideal. In having both options, the tool can bridge the gap between on-premise tools that are already implemented with other cloud-based offerings.
Having a cloud-based security orchestration solution is also particularly of use as the vendors typically update them more frequently. This means that as new threats and tactics emerge, automation and playbooks are able to adapt to them.
Broad-based or Integrated
There are typically two different types of SOAR vendor types: broad-based or integrated.
Broad-based are platform-agnostic SOAR solutions that are not directly built into another tool. This means that the tool can be acquired and integrated into an existing tech stack without the acquisition of an accompanying second solution such as SIEM solutions.
An integrated SOAR vendor offers a product-oriented solution. This means that the solution is built into an existing toolset such as a SIEM or TIP and the customer, for better or worse, is limited to that platform’s use cases, capabilities, and integrations
API and Integration Availability
Whether a security orchestration vendor offers platform agnostic SOAR tools or one built-in, the ability to connect to other security tools is key. Most organizations have a suite of existing platforms, and having an API to connect disparate systems is a key feature. For example, hybrid organizations that use both cloud-deployed and on-premise technology can use a SOAR solution to integrate with each other, rather than having to develop a custom solution. Finding a vendor that offers such integrations, especially with a wide range of other vendors, greatly reduces the time to implement SOAR.
Security Orchestration Vendor Required Features
There are three primary organizational types that are early adopters of SOAR, and each has a unique set of requirements and features. According to Gartner’s 2020 SOAR Market Guide, both MSSPs and Enterprise organizations are the largest adopters of SOAR; however, growing security teams who seek out more efficient and consistent results also benefit from it.
Growing Security Teams
Growing security teams are often pressed against to do more with less, especially as budgets remain constrained. This means the need for automation is greater than ever, as it can support rapid scaling in times of persistent threats or the status quo when combating the never-ending threat of phishing attacks. Growing security teams should identify a security orchestration vendor that supports rapid scaling, integrates with their existing toolset or helps connect disparate solutions, and focuses on reducing alert fatigue and making teams more efficient. This opens the door to most SOAR solutions, especially those that are platform agnostic.
When researching vendors, enterprise organizations should seek out security orchestration vendors who offer both cloud-deployed and on-premise solutions, broad-based integration (platform agnostic), and a SOAR solution that integrates into their existing tools. In most cases, this is through an API and does not take a great deal of development time.
MSSPs and MDRs
Managing multiple clients’ cybersecurity needs requires a large combination of technology and manpower. Unfortunately, most of the tools available today do not scale well, have added costs per instance or client, and push out more alerts than actions.
SOAR in particular is designed for such a use case, but finding the right security orchestration vendor to meet these requirements isn’t the same process as finding a TIP or SIEM solution. When researching vendors, MSSPs and MDRs should seek out SOAR vendors who offer multi-tenancy, cloud-deployed and on-premise solutions, broad-based integration (platform agnostic), and integration into existing tools.
Once an organization has determined the ideal SOAR use case, there are two other considerations to note while seeking out a security orchestration vendor.
The first is that to fully utilize a SOAR solution, security teams and organizations already need to have specific processes in place. Otherwise, teams will be working in parallel on maturing these processes, which could impede a successful implementation.
Lastly, vendor acquisitions do happen. It is important to keep in mind that connected services like on-going support, cost, and integrations, etc. can be impacted down the line. By working with a vendor who offers platform agnostic SOAR solutions, this should also mitigate any immediate impact.