If you’re even a casual fan of the original Star Trek, you’ll be familiar with Scotty’s signature phrase, “I can’t do it, Captain! I don’t have the power!” Or better, when he uttered the famous line, “I can’t change the laws of physics!” Scotty’s plight is probably recognizable to security operations (SecOps) today. According to the latest Gartner Innovation Insight for Security Orchestration, Automation and Response (SOAR) report, “Security operations teams struggle to keep up with the deluge of security alerts from an increasing arsenal of threat detection technologies.”
All is not lost, however. Like Scotty, they can find a solution to this seemingly unwinnable fight. A spirit of hopefulness comes through in the new report. SecOps teams can embrace new practices and tooling to enable more effective prevention, detection and response to cyber threats.
What is SOAR?
SOAR represents a new, powerful way to improve SecOps. Gartner recommends that organizations implement SOAR to improve incident response efficiency and consistency by orchestrating and automating threat intelligence management, security event management and SecOps processes.
Gartner estimates that by 2020, 15% of security organizations with five or more security professionals will adopt SOAR. This is an increase from the current adoption rate of less than 1%.
SOAR is all about action. The acronym used to stand for “Security Operations, Analytics and Reporting.” However, Gartner has replaced “Reporting” with “Response.” Reporting, it turns out, is a given: every SOAR tool must do it to be effective. Response is what matters most, because an efficient response to a security incident is of paramount importance.
Why SOAR and why now?
The Gartner report reinforced the notion that there are too many security alarms and not enough people to deal with them. Without centralized security orchestration and incident response capabilities, SecOps teams are stuck manually collecting and stitching together threat information. This means security professionals are working from manual playbooks specific to individual incidents, which is time-consuming and tedious. Every hour spent that way is an hour they could have devoted to proactively hunting for threats and defending their network from cyber-attacks.
Such circumstances are causing SOAR to grow in adoption and influence. As the report notes, “The challenges from an increasingly hostile threat landscape, combined with a lack of people, expertise and budget are driving organizations toward security orchestration, automation and response (SOAR) technologies.”
What’s in the most recent Gartner SOAR report?
Gartner does a fairly comprehensive job of describing SOAR and its functional components in the report. They focus on the common benefits and use cases for SOAR. In addition, Gartner further discusses recommendations for enterprises when considering or implementing SOAR tools and concludes with a list of representative vendors, including Swimlane. The research distinguishes between key SOAR concepts including security automation and orchestration, incident management, collaboration, dashboards and reporting.
Key recommendations in the report include:
- Start with a simple approach where automation can be easily implemented and where organizations will realize immediate ROI, including reduced mean time to detect (MTTD) and mean time to resolution (MTTR).
- Focus on automating tasks and orchestrating incident response.
- Leverage external threat intelligence to improve the efficacy of security technologies and incident response processes.
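The three recommendations above describe one loop: gather data on an alert, enrich it with threat intelligence, dispose of the obvious false positives automatically, and report MTTD and MTTR so the gains are measurable. The following is an added example written for this page, not Swimlane’s or Gartner’s code, showing that loop as a toy playbook. The alerts, the threat-intelligence feed, the allow-list and the playbook run time are all constructed sample data; the indicator addresses are from the RFC 5737 documentation ranges.

```python
"""Toy SOAR-style playbook (added illustration, not a product API).

Steps mirror the report's recommendations: enrich each alert with threat
intelligence, auto-close vetted false positives, escalate high-confidence
hits with context attached, and report MTTD/MTTR over the batch.
"""
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional

# Constructed threat-intelligence feed: indicator -> confidence (0-100).
THREAT_INTEL = {
    "203.0.113.45": 90,       # sample "known bad" address (TEST-NET-3 range)
    "bad-host.example": 75,   # sample "known bad" hostname
}

# Constructed allow-list: indicators analysts have already vetted as benign,
# e.g. the internal vulnerability scanner that trips IDS rules every night.
ALLOW_LIST = {"198.51.100.10"}

# Fixed "now" so the run is deterministic (constructed).
PLAYBOOK_RUN_TIME = datetime(2018, 1, 15, 9, 30)


@dataclass
class Alert:
    alert_id: str
    indicator: str
    occurred_at: datetime            # when the suspicious activity happened
    detected_at: datetime            # when the detection tool raised the alert
    resolved_at: Optional[datetime] = None
    disposition: Optional[str] = None
    notes: List[str] = field(default_factory=list)


def build_sample_alerts() -> List[Alert]:
    """Constructed alert batch: one vetted scanner, one intel hit, one unknown."""
    t0 = datetime(2018, 1, 15, 9, 0)
    return [
        Alert("A1", "198.51.100.10", t0, t0.replace(minute=5)),
        Alert("A2", "203.0.113.45", t0, t0.replace(minute=10)),
        Alert("A3", "192.0.2.77", t0, t0.replace(minute=15)),
    ]


def enrich(alert: Alert) -> int:
    """Data-gathering step: attach threat-intel confidence to the alert."""
    score = THREAT_INTEL.get(alert.indicator, 0)
    alert.notes.append(f"threat-intel confidence={score}")
    return score


def triage(alert: Alert, now: datetime) -> str:
    """Orchestration step: decide the disposition; only auto-closed alerts are resolved."""
    if alert.indicator in ALLOW_LIST:
        alert.disposition = "false_positive"   # closed by the playbook, no analyst time spent
        alert.resolved_at = now
    elif enrich(alert) >= 70:
        alert.disposition = "escalated"        # handed to an analyst with the enrichment attached
    else:
        alert.disposition = "needs_review"     # low confidence: queued for a human decision
    return alert.disposition


def run_playbook(alerts: List[Alert], now: datetime) -> Dict[str, str]:
    """Run triage over a batch and return alert_id -> disposition."""
    return {a.alert_id: triage(a, now) for a in alerts}


def mttd_minutes(alerts: List[Alert]) -> float:
    """Mean time to detect: activity occurred -> detection raised."""
    return mean((a.detected_at - a.occurred_at).total_seconds() / 60 for a in alerts)


def mttr_minutes(alerts: List[Alert]) -> Optional[float]:
    """Mean time to resolution over alerts the playbook actually closed; None if none were."""
    closed = [a for a in alerts if a.resolved_at is not None]
    if not closed:
        return None
    return mean((a.resolved_at - a.detected_at).total_seconds() / 60 for a in closed)


def report(alerts: List[Alert]) -> Dict[str, object]:
    """Reporting step: counts per disposition plus the two headline metrics."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.disposition or "untriaged"] = counts.get(a.disposition or "untriaged", 0) + 1
    return {"dispositions": counts, "mttd_min": mttd_minutes(alerts), "mttr_min": mttr_minutes(alerts)}


if __name__ == "__main__":
    batch = build_sample_alerts()
    run_playbook(batch, PLAYBOOK_RUN_TIME)
    print(report(batch))
```

The point of keeping `resolved_at` unset for escalated alerts is that MTTR should only count work the playbook finished; counting a hand-off as a resolution would flatter the metric without shortening any analyst's day.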
Swimlane and SOAR
Swimlane puts the SOAR principles outlined in the Gartner report into practice by automating security operations for enterprise teams. It enables security analysts to automate repetitive tasks like data gathering, reporting and responding to false positives. A purpose-built SecOps management dashboard tracks all enterprise security tasks and provides centralized access to cases, reports, dashboards and metrics for individuals and teams.
This is the essence of SOAR. Swimlane brings the report’s recommended machine-based automation to life, reducing incident investigation cycle times.
Maybe Scotty was wrong, after all. Perhaps you can change the laws of physics, or at least the laws of cybersecurity. With SOAR, a lot of things that once seemed impossible are now achievable.