We’ve said it before, and we’ll say it again: “Good enough” may check the box, but it’s not going to solve the problem.
In our last blog post about the pitfalls of choosing a “good enough” solution for security orchestration, automation and response (SOAR), we discussed the six key red flags you should be on the lookout for. To recap, they are:
Limited real-world applicability
Lack of vendor integrations
Focus is not on SOAR
Does not scale
Focusing on cost vs. capabilities
Beyond these limiting factors, the biggest issue with a “good enough” SOAR solution is that it is typically built for a finite, limited number of use cases, whereas a true security automation solution is so much stronger than that—with applicability that stretches far beyond security operations centers (SOCs).
So, now that we know what you don’t want in a comprehensive security automation solution, what do you want?
To start, we need to reorient our thinking when it comes to SOAR. Before, when we talked about SecOps, we were mostly talking about on-premises assets—endpoints, firewalls, datacenter infrastructure, enterprise IT, etc. However, with the dramatic digital transformation that came with the rapid shift to remote work in 2020, most of those tools and functions now live in the cloud. And with a focus on cloud infrastructure, the visibility you need has changed, because your risks, and your methods for mitigating and remediating those risks, have changed. What does all of this mean?
Digital transformation from an IT perspective has been successful because it was necessary to keep business operations going during a time of extreme uncertainty. Now it’s time for InfoSec to catch up. SOAR can help by breaking down the barriers between SecOps and business operations.
Traditionally, people have looked at SOAR as an automation tool for the SOC rather than a business tool for the entire security organization. It’s time to change that. In 2020, we learned how beneficial a remote workforce can be for some individuals and organizations, and some of them never want to go back to the way things were before. Meanwhile, other individuals can’t wait to get back into an office for a number of reasons. While we continue to navigate what these hybrid work models look like, one thing is for sure: The work model has fundamentally changed.
With employees working onsite and remotely—potentially across time zones and even continents—figuring out how to collaborate effectively is going to continue to be a challenge for the entire organization. As an example, let’s take a look at DevOps and how SOAR can help DevOps teams collaborate in this hybrid work environment.
Before the pandemic, when developers were working in an office and had an issue or a question, they could lift their head or walk down the hall and discuss it with their colleagues. After the shift to remote work, these same people could collaborate over Zoom, Slack, etc. But in a hybrid model, if you’re one of the people in the office, you’re likely only going to talk to others in the office, and your work model is about to get very wonky in the coming months.
A true SOAR solution can help solve this with centralized data and collaboration within a single platform from which everyone is working. Whether they are in the office or working remotely doesn’t matter. What’s more, this single platform empowered by automation with centralized information increases your efficacy when completing shift turnovers, aggregating data, looking at long-running automation and historical baselines, capturing information to uncover recurring themes and patterns, etc.
Beyond the centralized data and collaboration element, SecOps automation tools need to be applied as business tools—something that can only happen when your SOAR solution is built with scale and horizontal applicability in mind. A true SOAR solution can enable a business unit to transact business faster with a partner or team without having to incur more cost from an IT perspective—including increased personnel—thanks to automation.
Ultimately, the job of the business is to innovate and create new things that require new systems. A “good enough” SOAR solution built specifically for endpoint or vulnerability management or threat intelligence isn’t going to help move the business innovation needle the way a powerful and complete orchestration and automation solution can. “Good enough” may check the box you have right now, but it’s not going to scale and evolve with you and your unique SecOps and business needs.