Security Experts:

How to Go From No Incident Response Program to SOAR

Getting Off the Ground With Security Orchestration, Automation, and Response  

When interacting with companies that are considering purchasing a security orchestration, automation, and response (SOAR) solution, I often hear them express the concern that their current incident response program is not mature enough for them to make the leap to implementing a comprehensive platform, complete with automation and orchestration. When there is little to no foundation in place, the task of getting started seems overwhelming, especially if no one on your team has experience with incident response or security orchestration solutions.

While it’s true that you don’t want to just add automation to inefficient processes and call it a day, it’s a mistake to get further entrenched in the old ways of handling security incidents if those ways are no longer good enough. If you know you want to improve your security operations, but don’t know where to start, here are a few steps that can help get you ready for a SOAR platform.

Take Stock of Your Current Operations

Two organizations might describe themselves as not having an incident response program, but mean totally different things. With or without a SOAR or incident response platform, every organization has some way of managing security incidents, even if they may involve a lot of improvisation and ad hoc processes.

When preparing to implement a SOAR platform, take the time to talk to the stakeholders in your organization to understand the current processes and how effective (or ineffective) they are. This should include an inventory of tools; for instance, what is your existing infrastructure for IT and InfoSec? Do you have any tools for data enrichment? Once you understand what tools you already have, you can map them to an incident response lifecycle—such as the one outlined by NIST 800-61r2—and identify where your gaps are.

Next, take a look at what incident response processes or playbooks your organization is following. How does the SOC collaborate internally, and with other teams such as IT and data privacy groups?  How do you maintain compliance with legal and regulatory obligations during incident response? How does your team currently manage common security incidents like phishing or malware? 

If any metrics are available, review them for insight into what is working well and where improvements can be made. For example, do you know how long it takes to detect and respond to security alerts? What activities are taking up too much of your security analysts’ time? If there are no formal metrics available, ask security analysts and managers for their assessments.

Figure Out What Features are Most Important to You, and Which Platforms Offer Them

There are many different SOAR offerings on the market, so to narrow the parameters of your choices, take some time to identify the capabilities that are most important. What do you want to automate initially? What problems are most pressing for your security team? Do you have recurring incidents, data siloes, or process bottlenecks? Your analysts can help answer these questions.

Each platform will emphasize different aspects of security operations. Broken down into general categories, these features might include: 

● Alert management, which helps SOCs sort, evaluate, and close the steady stream of security alerts that come in from SIEM and other source systems. 

● Triage, which helps analysts make decisions by gathering contextual information from internal and external sources, such as threat intelligence and previous incident records.

● Incident response, which encompasses playbooks, task management, link analysis, and other features that support effective and repeatable response workflows.

● Reporting and analytics, which includes the ability to automate or schedule reporting, generate detailed SOC metrics, and tailor dashboards to the different roles that use the system.

● Compliance and tracking, such as audit trails, chain of custody, and templates for common compliance reports.

Case management, which may include support for collaboration between investigators and other teams, case folders for related incidents, guided investigation workflows, and evidence management.

Try Sketching Out a Playbook

To get a detailed sense of how you will use a SOAR platform, sketch out a playbook for one of your most important use cases. Then, identify where you think automation and orchestration can be used to enhance the steps. You can easily find online examples of playbooks from vendors or industry bodies, which should give you a sense of what steps to include. Evaluating your current processes and interviewing your analysts, as I’ve recommended, will provide more valuable information, including common or important use-cases. Try starting with a use case that you think will be typical in your security environment, such as a phishing attempt, suspected data breach, or malware infection.

If you have no formal incident response program, implementing a SOAR solution, incident response platform, or any other major security tool can be challenging. But after taking the steps I’ve described here, you will have a better sense of where you are now, where you need to go, and most importantly, how you can get there. 

view counter
Stan Engelbrecht is the Director of Cybersecurity Practice at D3 Security and an accredited CISSP. Stan is involved throughout the product delivery and customer success lifecycle, and takes particular interest in working with customers to configure solutions. You can find Stan speaking about cybersecurity issues at conferences, in the media, and as the chapter president for a security special interest group.