Gartner’s SOAR: An Engineer’s Perspective

Organizations that ramp up their spending on cyber security tools inevitably face the question: “Am I really getting what I need out of this? If not, is it because I am not using things properly; because I need to invest more into information security; or because the threat landscape has changed under my feet?”

Of course, the answer is usually a combination of all three, but there is also a larger element at play. The world of cyber security is currently experiencing a sea change in terms of what technologies organizations are using and how they’re using them.

Where once you had discrete, independent tools, each with its own purpose, you are now seeing all-inclusive solutions that unite these tools under one roof. What’s more, a growing number of managed security service providers (MSSPs) are offering to take the whole matter off your hands and handle it themselves as part of their core competency.

In response to these changes, IT research firm Gartner has introduced the concept of a “SOAR” (security operations, analytics and reporting) technology stack – a comprehensive cyber security platform that uses logical and analytical capabilities to support operational information security programs. So, how should you use the idea of SOAR to interpret your own cyber infrastructure?

The Direction of Cyber Security Solutions

Gartner’s SOAR is a natural extension of where information security management is going as an industry; but similar to the discrete point-products that came before it, SOAR is merely a means to an end – effective continuous management of information security risks. Initially, cyber security solutions focused on identifying potential threats. As technology has advanced, these tools have progressed to assessing threats’ severity, to responding to threats and finally to mitigating them.

To accomplish these goals, you need something in the middle of your cyber security operations — something that can bring together your separate systems and data, and find the bigger picture amid all the noise. SOAR technologies give companies this singular perspective by siphoning real data from a variety of sources: SIEMs (security information and event management software), GRC software (governance, risk management and compliance), service desks, forensic tools and so on.

The good news is that all of your information security spending was not for naught. As more security operations data becomes visible and available, applying business intelligence techniques to cyber security is now more popular than ever. The true value of your cyber infrastructure comes from assembling the disparate pieces of your organization’s network and systems and gleaning valuable insights and analyses from them.

Final Thoughts on Gartner’s SOAR

There are two things that companies need to consider when they evaluate their SOAR technologies. First, compare the number of tools that you have deployed with their net performance. If you are getting less out of your solutions than you put into them, then you are not being maximally efficient. Having two tools that do almost the same thing does not really make you safer — it should make you question why you need two tools that cover the same territory.

Second, modern security solutions give you a high degree of visibility into your cyber infrastructure. With that visibility, however, comes a heap of work that will always far exceed the amount of resources that you can throw at it. What is more, your organization’s cyber adversaries will always be able to outgun you. It is their core competency to attack you but not your organization’s core competency to defend.

As a result, you need to think smart and have specific priorities for your security operations activities, judiciously deploying the resources available to you. By doing so, you will be able to outflank and beat your would-be attackers, even at a numerical disadvantage. Today, many midsize enterprises look to MSSPs and MSPs to manage their security operations activities. These service providers are able to serve many different customers with an automated security solution that can scale on demand.