Although no two SOAR platforms are completely alike, they should all possess some core functions and capabilities. Depending on your individual set of problems and goals, some of these functions and capabilities may be more important than others. Start by deciding which of these functions and capabilities are most important in achieving your defined goals. This will allow you to focus your evaluation of each SOAR solution based on the functions and capabilities which are most important to your organization. Regardless of their priority, the following should all be considered when you are evaluating a SOAR.
1. Flexible and Open Integrations
The number of security solutions, whether commercial, open-source, or developed in-house, means that any viable SOAR solution must be flexible enough to support a multitude of security products. Any SOAR solution will support many security products out of the box, however, the likelihood that all the organization’s security products will be supported by default is low. For that reason, it is crucial that the SOAR solution is flexible and open, allowing customers to easily create bidirectional integrations with security products that are not supported by default. The methods used to support this type of flexible integration may vary but could include scripting languages such as Perl or Python, APIs, or proprietary methods. Whatever the chosen method, it should be easy to implement and should not involve a steep learning curve on the part of the user.
Bidirectional integrations are crucial in supporting full automation and orchestration, however, in some cases, full bidirectional functionality may not be required by the customer. For some security products, it may only be necessary to support the ingestion data from the security product to the SOAR platform. These unidirectional integrations are generally much easier for the customer to create in cases where full bidirectional integration is not required. For this reason, a SOAR platform should support common methods of data ingestion, such as Syslog, database connections, APIs, email, and online forms, as well as common data standards such as CEF, OpenIOC, and STIX/TAXII.
One of the key benefits of a SOAR solution are the playbooks which allow you to orchestrate actions and automate time-consuming tasks in streamlined processes. They help generate force multiplication and replace analysts by taking care of repetitive tasks via automation. To produce these benefits, a SOAR solution must be flexible in implementing workflow processes without any limitations.
There is one fundamental way to codify process workflows within a SOAR solution, and that’s via Playbooks. The implementation of these workflows must be flexible enough to support almost any process which may need to be enhanced. Workflows should support the use of both built-in and custom integrations, as well as the creation of manual tasks that need to be completed by an analyst. Allowing control to be passed between the automation engine and an analyst, SOAR provides a much greater level of flexibility and enables the automation to continue beyond the first point at which human decision is required. Building workflows should not require programming knowledge. Given that workflows are at the heart of the automation and orchestration activities of a SOAR solution, extra focus should be placed on both flexibility and ease of use. Workflows that are difficult to build or complex to understand by a wide range of users will cause confusion and sub-optimal performance during an incident.
3. Incident Management
Incident response is a complex process. Orchestration and automation of security products provide obvious value to any security program, but to maximize the time and monetary investment in a SOAR solution, a comprehensive SOAR solution should include additional features to manage the entire incident response lifecycle. This should include basic case management functionality, such as tracking cases, recording actions taken during the incident, and providing reporting on critical metrics and KPIs.
However, a SOAR solution’s incident management capabilities should not consist solely of case management functionality. To properly manage the entire incident response lifecycle, a SOAR solution should also provide the following incident management features:
- Phase and objective tracking
- Detailed task tracking, including assignment, time spent, and status
- Asset management, tracking all physical and virtual assets involved in the incident
- Evidence and chain of custody management
- Indicator and sample tracking, correlation, and sharing
- Document and report management
- Time and monetary effort tracking
4. Threat Intelligence
Actionable threat intelligence is a critical component in effective and efficient incident response. While simple threat intelligence feeds still provide some value and should be supported by a SOAR solution, to be truly effective in today’s threat landscape, threat intelligence must go above and beyond simple feeds. As discussed in the previous section, tracking indicators and samples, such as IP addresses, URLs, malware samples, and TTPs is a critical component of incident management. However, to become actionable threat intelligence, these indicators must be surrounded with further context. Because a SOAR solution has access to not only the indicators but also the rest of the incident information which can provide additional context, it is in a unique position to gather actionable threat intelligence.
To provide true value, a SOAR solution must go beyond simply gathering threat intelligence. A proactive security program requires threat intelligence to be properly correlated to discover attack patterns, potential vulnerabilities, and other ongoing risks to the organization. This correlation should be done automatically, and it should be immediately clear if an ongoing incident may share common factors with any previous incidents.
Although automated correlation is critical for analysts to make informed decisions during the incident response process, visual correlation is also an important factor when assessing threat intelligence capabilities. Many proactive security programs now include various forms of threat hunting; actively looking for attacks and patterns that may not have been detected through automated methods. To facilitate this process, threat intelligence and correlated events should be able to be displayed in an easy-to-understand visual manner to allow analysts to most effectively analyze the information.
A SOAR solution should be considered a long-term investment. Objectively evaluating which vendor has the best solution is a process that should be tailored to each organization’s individual requirements. Once a SOAR solution is deployed and integrated into the security process, the rip-and replace cost will be high. For this reason, it is important to evaluate the vendor of the SOAR solution, along with the solution itself. The vendor chosen should be one that can continue to provide both a leading SOAR solution, that is flexible and supports open integrations with responsive customer service for the foreseeable future.