This is the first in a series of blogs that focus on sections of Demisto’s State of SOAR Report, 2019.
The challenges facing security teams are, perhaps unfortunately, common knowledge by now. A constant rise in alert volume, a stark security skills gap, and disjointed processes have made security operations a tough place to be. In fact, these challenges are so established in the mainstream that the industry has tended to overlook other struggles that are just as troublesome.
Security Tools, Security Tools Everywhere
It’s a well-accepted if regrettable truth that no one security product can solve all SOC problems. Security teams end up using a suite of products that span across vendors, functions, and data standards. While each product brings unique value to the table, security teams struggle to switch context, centralize data, and coordinate actions across different tabs and consoles.
These pain points were borne out in both the 2018 and 2019 reports. For both reports, we asked respondents to estimate the number of distinct security products they needed to manage for incident response.
Even though the respondents were different for each survey, we observed a similar split in responses across both years. Close to 50% of respondents reported using six or more distinct security products for incident response in both 2018 and 2019 (Figures 1 and 2).
Figure 1: No. of security tools used in 2018
Figure 2: No. of security tools used in 2019
These results suggest that product proliferation is not going away any time soon. Security vendors should aim to improve the user experience in the face of multiple tools by encouraging product inter-connectivity, data standardization and transfer, and remote execution of actions across products.
Security is a Team Effort
We asked respondents which non-security teams they had to regularly work with for their day-to-day operations (Figure 3). A whopping 85.5% of them cited the IT team as their constant companions during incident response. Roughly 53% stated the same of the Network Operations Center (NOC) team, with the DevOps team (39.1%) coming in at third.
Figure 3: Non-SOC teams that respondents worked with for IR
SOAR products have the potential to be the connective fabric across security and non-security teams whenever multi-stakeholder collaboration is required during incident response. Playbooks can coordinate actions across products that are used by multiple teams (such as firewalls and ticketing systems) to ensure that cross-team communication keeps flowing and repetitive tasks are automated whenever possible.
Wearing Many Use-Case Hats
We studied the general-purpose nature of SOAR through another lens as well: use cases. We asked respondents which non-IR use cases they had to manage on a day-to-day basis (Figure 4). Common use cases that resonated were vulnerability management (71.6%), security audits (67.8%), compliance checks (61.1%), and cloud security (41.1%).
Figure 4: Non-IR processes managed by the security team
The common theme among most of these use cases is that they are operational (proactive) rather than response (reactive). SOAR playbooks are multi-functional enough to cover both scenarios. While playbooks can be triggered upon incident ingestion, some vendors’ playbooks can also be scheduled to run at pre-determined intervals or triggered in real-time. These playbooks can cover use cases such as security audits and compliance checks.
As for cloud security alerts, SOAR tools can play the critical role of coordinating response procedures across cloud and on-premise infrastructures. Most organizations have one metaphorical foot in the cloud and the other on-premise, with products across the divide rarely ‘speaking’ with each other. SOAR tools can connect these tool sets and impart agility – something that’s sorely needed in cloud security – by automating actions such as provisioning/deprovisioning cloud instances, blocking indicators, changing security groups, and so on.
Regulation and Compliance
While the security side of a breach response can be handled by isolated teams, the broader response usually requires coordinated participation from PR and media teams, legal departments, and IT teams to be carried out correctly. With the enforcement of GDPR and US state breach notification laws, the organizational consequences of handling a data breach in a sub-optimal manner are dire.
We asked respondents which regulations impacted their SOC policies and procedures (Figure 5). A considerable 61.5% highlighted local security breach notification laws as regulations that necessitated changes in their SOC. Roughly 48% also cited GDPR, which encapsulates certain breach notification requirements but covers a wider range of guidelines overall. This was followed by industry-specific regulations such as PCI DSS (44.3%), HIPAA (43%), and GLBA (13.4%).
Figure 5: Regulations impacting SOC policies & procedures
Security orchestration tools, when combined with process knowledge within the organization, can be used to execute compliance and breach notification playbooks that will run in parallel to standard incident response playbooks. These playbooks can be populated with notification templates, contact details of law enforcement officials, and best practices to follow in the event of a breach.
Just like with incident response, these compliance playbooks will ensure that organizations follow the same process every time and eliminate any variance in response quality.
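To make the two playbook ideas above concrete (playbooks bound to an ingestion trigger or a schedule, and a breach-notification playbook running in parallel with the standard IR playbook), here is a small Python runner. It is an added example written for this post, not Demisto code and not taken from the report. The product adapters are stubs that append to an action log instead of calling a firewall, ticketing system or cloud API; the contact addresses, template names, security-group inventory and the "LocalBreachLaw" entry are constructed placeholders. The only real figure is the 72-hour window from GDPR Article 33, which is used to compute a notification deadline.

```python
"""Toy SOAR playbook runner (constructed example, not Demisto or report code).

Demonstrates: playbooks with an "on_ingest" or "scheduled" trigger, an IR
playbook and a compliance playbook run in parallel on the same incident, and a
scheduled cloud-audit playbook. Adapters are stubs that only write to a log.
"""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

# Constructed notification table. GDPR Art. 33 sets a 72-hour window after the
# controller becomes aware of a breach; "LocalBreachLaw" is a placeholder whose
# deadline must be set by legal counsel. Contacts and templates are made up.
NOTIFICATION_RULES: Dict[str, dict] = {
    "GDPR": {"deadline": timedelta(hours=72), "contact": "dpa@example.invalid",
             "template": "gdpr_art33_notice"},
    "LocalBreachLaw": {"deadline": None, "contact": "ag-office@example.invalid",
                       "template": "state_notice"},
}

# Constructed cloud inventory used by the scheduled audit playbook.
SECURITY_GROUPS: Dict[str, List[str]] = {
    "web-sg": ["0.0.0.0/0:443", "0.0.0.0/0:22"],   # SSH open to the world
    "db-sg": ["10.0.0.0/8:5432"],
}


@dataclass
class Incident:
    id: str
    indicators: List[str]          # IPs / domains to block
    personal_data_affected: bool
    regulations: List[str]         # regimes the organization is subject to
    detected_at: datetime


Step = Callable[[Optional[Incident], List[str]], None]


@dataclass
class Playbook:
    name: str
    trigger: str                          # "on_ingest" or "scheduled"
    steps: List[Step]
    interval: Optional[timedelta] = None  # scheduled playbooks only
    last_run: Optional[datetime] = None

    def run(self, incident: Optional[Incident]) -> List[str]:
        log: List[str] = []
        for step in self.steps:
            step(incident, log)
        return log


# --- IR playbook steps (stub adapters) -------------------------------------
def block_indicators(inc: Incident, log: List[str]) -> None:
    for ioc in inc.indicators:
        log.append(f"firewall: block {ioc}")


def open_ticket(inc: Incident, log: List[str]) -> None:
    log.append(f"ticketing: open ticket for {inc.id}, assign IT team")


# --- compliance playbook step -----------------------------------------------
def notification_tasks(inc: Incident, log: List[str]) -> None:
    if not inc.personal_data_affected:
        log.append("compliance: no personal data affected, no notification")
        return
    for reg in inc.regulations:
        rule = NOTIFICATION_RULES.get(reg)
        if rule is None:
            log.append(f"compliance: {reg} has no rule, escalate to legal")
            continue
        due = ("deadline TBD by legal" if rule["deadline"] is None
               else (inc.detected_at + rule["deadline"]).isoformat())
        log.append(f"compliance: {reg} notify {rule['contact']} "
                   f"using {rule['template']} by {due}")


# --- scheduled audit step ---------------------------------------------------
def flag_world_open_ssh(_: Optional[Incident], log: List[str]) -> None:
    for name, rules in SECURITY_GROUPS.items():
        if "0.0.0.0/0:22" in rules:
            log.append(f"cloud: {name} allows SSH from anywhere, open change request")


REGISTRY = [
    Playbook("ir_standard", "on_ingest", [block_indicators, open_ticket]),
    Playbook("breach_notification", "on_ingest", [notification_tasks]),
    Playbook("weekly_audit", "scheduled", [flag_world_open_ssh],
             interval=timedelta(days=7)),
]


def dispatch_on_ingest(incident: Incident) -> Dict[str, List[str]]:
    """Run every on_ingest playbook concurrently; each returns its own log."""
    books = [pb for pb in REGISTRY if pb.trigger == "on_ingest"]
    with ThreadPoolExecutor(max_workers=len(books)) as pool:
        logs = list(pool.map(lambda pb: pb.run(incident), books))
    return {pb.name: log for pb, log in zip(books, logs)}


def run_scheduled(now: datetime) -> Dict[str, List[str]]:
    """Run scheduled playbooks whose interval has elapsed and stamp last_run."""
    out: Dict[str, List[str]] = {}
    for pb in REGISTRY:
        if pb.trigger != "scheduled":
            continue
        if pb.last_run is None or now - pb.last_run >= pb.interval:
            out[pb.name] = pb.run(None)
            pb.last_run = now
    return out


if __name__ == "__main__":
    inc = Incident("INC-1001", ["203.0.113.7", "bad.example"], True,
                   ["GDPR", "LocalBreachLaw", "PCI DSS"],
                   datetime(2019, 6, 1, 9, 0, tzinfo=timezone.utc))
    for name, log in dispatch_on_ingest(inc).items():
        print(name, *log, sep="\n  ")
    for name, log in run_scheduled(datetime.now(timezone.utc)).items():
        print(name, *log, sep="\n  ")
```

The point of the design is that the compliance playbook never has to wait for containment steps to finish: both playbooks receive the same incident object and produce their own action log, while the scheduled audit is driven by a clock rather than by an alert, which is the distinction the use-case section draws between reactive and proactive work.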
Stay tuned for more in-depth blogs on the State of SOAR Report, 2019. If you’re interested in accessing the entire report and learning how SOAR tools can elevate security teams across the incident lifecycle, click the link below.