Waiting for SOAR to soar

October 24, 2019 | By Guy Liberman Cyber Security Division Manager, TrustNet LTD

Most organizations invest their capital only after an in-depth cost-benefit analysis and a cause-and-effect analysis. The information security domain, like risk management, suffers under these concepts, since the benefit of mitigating a risk cannot be directly quantified, and the extent of the outcome cannot be estimated precisely. Over the years, information security standards and professionals have designed generic business use cases to support the claims for different information security solutions, for example:

• Antivirus can prevent malware damage that could paralyze the organization
• Data loss prevention helps identify leaks and prevents sensitive data from being stolen
• A firewall helps protect the company perimeter and sets the required boundaries (external and internal)

These controls and solutions can be directly and justifiably linked to business risks. However, this is not the case for security orchestration, automation, and response (SOAR). SOAR adds another layer on top of existing security technologies; while it is very useful, it is still considered an extension of security rather than a control in its own right.

When developing the business case, it is important to emphasize the following:

1. Ease of use, through a centralized management tool for information security events
2. Reduced impact, by improving response and investigation times using automation
3. Minimized human error, by using structured processes
4. Revealing linked incidents, using smarter and enriched investigation processes
5. Reduced costs of maintaining a security operations center (SOC)

Despite all of the above, information security departments still find it difficult to obtain the funding needed to implement a SOAR, especially in organizations where no security operations center exists.

Although SOAR solutions are struggling to penetrate corporate bureaucracies, the future of information security resides in automation and orchestration; so we can assume that within 4-5 years, SOAR is likely to be one of the foundation stones of every security operations department.