Security Experts:

Connect with us

Hi, what are you looking for?


Risk Management

How to Go From No Incident Response Program to SOAR

Getting Off the Ground With Security Orchestration, Automation, and Response  

Getting Off the Ground With Security Orchestration, Automation, and Response  

When interacting with companies that are considering purchasing a security orchestration, automation, and response (SOAR) solution, I often hear them express the concern that their current incident response program is not mature enough for them to make the leap to implementing a comprehensive platform, complete with automation and orchestration. When there is little to no foundation in place, the task of getting started seems overwhelming, especially if no one on your team has experience with incident response or security orchestration solutions.

While it’s true that you don’t want to just add automation to inefficient processes and call it a day, it’s a mistake to get further entrenched in the old ways of handling security incidents if those ways are no longer good enough. If you know you want to improve your security operations, but don’t know where to start, here are a few steps that can help get you ready for a SOAR platform.

Take Stock of Your Current Operations

Two organizations might describe themselves as not having an incident response program, but mean totally different things. With or without a SOAR or incident response platform, every organization has some way of managing security incidents, even if they may involve a lot of improvisation and ad hoc processes.

When preparing to implement a SOAR platform, take the time to talk to the stakeholders in your organization to understand the current processes and how effective (or ineffective) they are. This should include an inventory of tools; for instance, what is your existing infrastructure for IT and InfoSec? Do you have any tools for data enrichment? Once you understand what tools you already have, you can map them to an incident response lifecycle—such as the one outlined by NIST 800-61r2—and identify where your gaps are.

Next, take a look at what incident response processes or playbooks your organization is following. How does the SOC collaborate internally, and with other teams such as IT and data privacy groups?  How do you maintain compliance with legal and regulatory obligations during incident response? How does your team currently manage common security incidents like phishing or malware? 

If any metrics are available, review them for insight into what is working well and where improvements can be made. For example, do you know how long it takes to detect and respond to security alerts? What activities are taking up too much of your security analysts’ time? If there are no formal metrics available, ask security analysts and managers for their assessments.

Figure Out What Features are Most Important to You, and Which Platforms Offer Them

There are many different SOAR offerings on the market, so to narrow the parameters of your choices, take some time to identify the capabilities that are most important. What do you want to automate initially? What problems are most pressing for your security team? Do you have recurring incidents, data siloes, or process bottlenecks? Your analysts can help answer these questions.

Each platform will emphasize different aspects of security operations. Broken down into general categories, these features might include: 

● Alert management, which helps SOCs sort, evaluate, and close the steady stream of security alerts that come in from SIEM and other source systems. 

● Triage, which helps analysts make decisions by gathering contextual information from internal and external sources, such as threat intelligence and previous incident records.

● Incident response, which encompasses playbooks, task management, link analysis, and other features that support effective and repeatable response workflows.

● Reporting and analytics, which includes the ability to automate or schedule reporting, generate detailed SOC metrics, and tailor dashboards to the different roles that use the system.

● Compliance and tracking, such as audit trails, chain of custody, and templates for common compliance reports.

Case management, which may include support for collaboration between investigators and other teams, case folders for related incidents, guided investigation workflows, and evidence management.

Try Sketching Out a Playbook

To get a detailed sense of how you will use a SOAR platform, sketch out a playbook for one of your most important use cases. Then, identify where you think automation and orchestration can be used to enhance the steps. You can easily find online examples of playbooks from vendors or industry bodies, which should give you a sense of what steps to include. Evaluating your current processes and interviewing your analysts, as I’ve recommended, will provide more valuable information, including common or important use-cases. Try starting with a use case that you think will be typical in your security environment, such as a phishing attempt, suspected data breach, or malware infection.

If you have no formal incident response program, implementing a SOAR solution, incident response platform, or any other major security tool can be challenging. But after taking the s
teps I’ve described here, you will have a better sense of where you are now, where you need to go, and most importantly, how you can get there. 

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Risk Management

In this virtual summit, SecurityWeek brings together expert defenders to share best practices around reducing attack surfaces in modern computing.

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...