“Good enough” may check the box, but it’s probably not going to solve the problem.
CISOs are scrambling to keep up with an expanding attack surface, limited resources, and increasing compliance mandates, which makes “good enough” an attractive, check-the-box option. Unfortunately, while the intention of implementing a “good enough” security orchestration, automation, and response (SOAR) solution may seem to increase your team’s productivity while decreasing risk, you could actually be causing more harm than good. Good enough security solutions can lull you into a false sense of security in the short term, but in the long term, it could mean that you have to go through a painful rip and replace project. You can avoid this pain by selecting the right SOAR solution upfront.
Selecting the right solution
Choosing the right tool for any job is critical. You don’t select a steak knife when you really need a saw. With so many SOAR solutions out there (the 2020 Gartner Market Guide for SOAR lists 20 vendors!), how do you know which one best suits the unique needs of your security operations center (SOC)? As you go through your selection process, you may find yourself drawn to the first solution that looks simplistic and easy to use but be aware that these types of solutions typically come at the expense of scalability and long-term productivity.
How do you differentiate a “good enough” SOAR solution from a complete one? There are several ways to do this but start by keeping your focus on solutions that allow you and your team to be more productive, while also looking to future proof your long-term operations strategy.
There are several red flags that will lead to buyer’s remorse. Let’s look at six of these:
Limited real-world applicability – Security operations is a hectic job, and it is easy to get focused on closing out alerts, cases, and tasks so you can move on to the next one. However, researchers are seeing more and more attackers using less centralized infrastructure to stage their attacks, which means threat intelligence is not always as quick to identify malicious command-and-control (C2) infrastructure. Your SOAR product needs to have long-running automation that rehydrates telemetry as threat intelligence and other investigation sources are updated. Otherwise, that case you with no threat intel hits that you closed out hastily, might actually be a brand new C2 server just for you.
Inflexibility – One of the key ways to identify a “good enough” SOAR solution quickly is by examining the flexibility of the major aspects of the platform: the automation engine, the user experience, and the integration framework. ”Good enough” solutions require you to follow rigid, vendor-dictated steps that are not applicable, duplicative, or irrelevant to your environment. It’s important to find a configurable, agile solution. An extensible automation platform is flexible, resilient, and feature-rich, allowing you to build out your use cases, taking into account your unique environment, internal processes, and compliance requirements. Without such a comprehensive platform, your team will quickly feel restricted and frustrated by limited opportunities to apply automation to their day-to-day activities.
Lack of vendor integrations – Integrations are core to SOAR functionality. Does the solution you are evaluating offer integrations with the tools you currently use? How quickly and how often do they add new integrations? Beware of vendors that favor integrations with their own product lines versus those from third-parties. Also, consider what integrations you will need in the future. Will those all come for a single portfolio company, or will they come from a diverse technology stack that spans security, DevOps, IT, and cloud infrastructure?
Focus is not on SOAR – Some SOAR vendors have extensive product lines, and SOAR is just a very small contribution to their overall product line. It is important to be aware when a company’s bread and butter is not SOAR. Will they spend the time properly innovating and iterating on your SOAR solution, or is it just bundled in for a nominal cost or used as a sweetener to purchase a different product? Building technology is a craft like any other and along with using the right tool for the job, you also want to pick the right partner for the job—a partner with deep expertise and aligned objectives.
Does not scale – As your organization grows, your SOAR solution needs to as well. Whether you’re at an enterprise organization or an MSSP, a lack of scalability can have a huge negative effect as you try to push beyond the capacity limits of what a “good enough” SOAR solution is capable of. The amount of data security teams have to manage is increasing, not decreasing, right along with the surface area you have to secure.
Focusing on cost vs capabilities – Everyone has a limited budget. It is appealing when it looks like you can get a full-fledged SOAR solution for a cheap price or get most of what you think you need as a bolt-on. But what these cheap options are glossing over is the fact that you are trading out required capabilities for this lower cost. A complete solution may look more expensive at first, but the return on investment (ROI) will more than make up for that cost differential.
Ultimately, the right SOAR solution helps your security operations team be more effective and efficient. So while some solutions might catch your eye with a seemingly simple interface or a low price, it’s worth it to spend the time and effort evaluating solutions to make sure your SOAR solution can scale with your team.