While there is a chronic shortage of IT professionals in a number of disciplines, the cybersecurity skills gap is especially acute. Mobile, the cloud and the Internet of Things have expanded the attack surface, and new threat detection tools have been created to defend various parts of the network. There simply aren’t enough skilled security professionals to monitor and manage this environment.
By implementing a large number of security point solutions to address specific threats, many organizations have created data silos and visibility gaps. Integrating that data and closing those gaps require significant time and resources. In the meantime, the number of security alerts generated by these solutions continues to increase and overwhelm security teams. Making sense of large volumes of threat and vulnerability data from disparate sources continues to be a slow, manual process.
To automate and accelerate the process of gathering security information, Gartner recommends a technology stack called SOAR – security operations, analytics and reporting. According to Gartner, a SOAR platform uses “machine-readable and stateful security data to provide reporting, analysis and management capabilities to support operational security teams.”
SOAR rationalizes multivendor security controls in the context of both IT assets and the business. Instead of simply monitoring an environment and detecting threats, a SOAR platform uses data to measure risk and inform security decision-making. The goal is to empower security teams to develop agile programs that can keep up with dynamic IT environments and a constantly evolving threat landscape.
The three primary SOAR technologies are:
- Threat and vulnerability management, which supports the remediation of vulnerabilities across their lifecycle and provides formalized workflow, reporting and collaboration capabilities.
- Security incident response, which supports how an organization plans, manages, tracks, and coordinates the response to a security incident.
- Security operations automation, which enables the automation and orchestration of workflows, processes, policy execution and reporting.
SOAR informs decisions by correlating the output of siloed processes and technologies, such as vulnerability assessments, secure configuration management and file integrity monitoring. SOAR also adds context to vulnerability, configuration and other operational state data to assess the risk posture of assets, and applies risk modeling scenarios using the output of tools from multiple vendors. This makes it possible to prioritize security operations activities, formalize and automate incident response processes, and integrate all risk posture data to support executive reporting.
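As an added illustration of the correlation and context step described above (not code from the original article or from any SOAR product), the following Python joins constructed outputs from three siloed tools, a vulnerability scanner, a configuration-compliance checker and a file integrity monitor, adds business context the tools lack, and ranks assets into a risk-ordered work queue; the tool records, asset context and scoring weights are all assumed sample values, not a standard.

```python
from collections import defaultdict

# Constructed sample outputs from three siloed point tools, each keyed by host name.
VULN_SCAN = [  # (asset, CVSS base score, public exploit available?)
    ("web-01", 9.8, True), ("web-01", 5.3, False),
    ("db-01", 7.5, False), ("hr-laptop-07", 6.1, True),
]
CONFIG_FINDINGS = [("db-01", "remote-admin-open"), ("web-01", "tls-weak-ciphers")]
FIM_ALERTS = [("db-01", "/etc/ssh/sshd_config")]  # (asset, unexpectedly changed file)

# Business context the point tools lack: criticality (1-5) and exposure (assumed values).
ASSET_CONTEXT = {
    "web-01": {"criticality": 3, "internet_facing": True},
    "db-01": {"criticality": 5, "internet_facing": False},
    "hr-laptop-07": {"criticality": 1, "internet_facing": False},
}


def correlate(vulns, config, fim):
    """Join the three silos into one record per asset."""
    assets = defaultdict(lambda: {"vulns": [], "config": [], "fim": []})
    for asset, cvss, exploitable in vulns:
        assets[asset]["vulns"].append((cvss, exploitable))
    for asset, check in config:
        assets[asset]["config"].append(check)
    for asset, path in fim:
        assets[asset]["fim"].append(path)
    return assets


def risk_score(record, context):
    """Assumed scoring, not a standard: worst CVSS, +1 if an exploit is public,
    +1 per configuration failure, +2 per file-integrity alert (possible tampering),
    x1.5 if internet-facing, then scaled by business criticality."""
    worst = max((cvss for cvss, _ in record["vulns"]), default=0.0)
    if any(exploitable for _, exploitable in record["vulns"]):
        worst += 1.0
    score = worst + len(record["config"]) + 2 * len(record["fim"])
    if context.get("internet_facing"):
        score *= 1.5
    return round(score * context.get("criticality", 1), 1)


def prioritize(vulns, config, fim, context):
    """Return (asset, score) pairs, highest risk first: the SOAR work queue."""
    merged = correlate(vulns, config, fim)
    ranked = [(a, risk_score(r, context.get(a, {}))) for a, r in merged.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)
```

Note how the internal database host, which no single tool would flag as the top finding, ranks almost level with the internet-facing web server once configuration drift, a changed SSH config and business criticality are combined.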
Although a true SOAR solution doesn’t exist today, Gartner expects adoption among organizations with at least five security professionals to reach 15 percent in 2020. A shortage of security skills combined with tightening budgets and an increasingly complex and hostile threat landscape are driving the need for highly automated SOAR platforms.
Gartner suggests taking a simple approach at first and focusing on improving metrics that deliver immediate ROI, such as reducing mean times to detection and resolution. Also, automate routine tasks, orchestrate incident response, and use reliable, external threat intelligence to make security processes more effective.
IT security risk will never be eliminated, but it can be significantly reduced if organizations can automatically bring together and analyze data from various point solutions in the proper context. With practices dedicated to monitoring, automation and security, Technologent can help you move toward a SOAR architecture. Let us assess the current state of your security posture and start laying the groundwork for SOAR implementation.