SOAR: Not Just a Buzzword, the Key to MSSP Success


At this point, every company must be concerned for the security of their data. Cyber criminals are constantly coming up with new ways to exploit networks, leveraging advanced technology and systems to do so. In fact, cyber criminals have begun to use automation to carry out attacks at machine speeds that are more effective at circumventing security controls.

Even as organizations become more aware of cyber risks, many do not have the infrastructure in place in terms of team members, processes, and tools required to combat these advanced threats. As such, organizations are turning to managed security service providers (MSSPs) to help them fill in the gaps and protect their networks.

This presents a large opportunity for MSSPs to provide value to their customers and grow their business. However, they must go beyond the traditional expectations of a managed service provider that offers onboarding, asset management, and incident monitoring.

Rather, successful visionary MSSPs must leverage SOAR (security orchestration, automation, and response) to keep pace with modern attacks throughout deployment, mitigation, and triage.

What is SOAR?

Security orchestration, automation, and response (SOAR) refers to the use of various compatible solutions to enable automated incident response with minimized false positives. Effective SOAR allows IT teams to reduce the resources and level of human intervention required to respond to security incidents by first building a comprehensive picture of how the network behaves under normal conditions. With this understanding of normal baseline behavior, security tools leverage artificial intelligence to determine when there is anomalous behavior on the network and automatically respond to the threat – reducing dwell time and breach potential.

While some think of SOAR as overhyped and too similar to SIEM platforms, for MSSPs, SOAR will be an integral part of creating value for customers. With SOAR, MSSPs will assist customers by reducing security complexity, assimilating massive amounts of network and threat data, and developing and managing people, processes, and services.

Your Customers Have a Big Data Problem

The first key step to SOAR is security orchestration, the goal of which is to aggregate and correlate data from various sources to establish a baseline for secure network behavior. However, this is easier said than done. In order to establish a baseline, your customers’ IT teams and analysts must sort through massive quantities of information.

Analytics engines are collecting an ever-growing library of threat intelligence, from every device, individual, and action performed across the network. Unstructured data surrounding events then needs to be linked from across disparate systems and processed in near-real time in order to minimize threat efficacy.

Furthermore, as threats evolve, data science teams will have to update the algorithms used to correlate and classify all of this data to determine what is normal behavior, and what is potentially threatening.

Overall, this demands too many resources in terms of time and manpower, and neglecting to act quickly can leave your customers vulnerable.

Enabling Rapid Response with Security Automation

The solution to the challenge posed by having too much data to analyze and answer threats in real-time is to leverage AI and automation to enable rapid response.

AI is a key element to SOAR success. Once data is normalized, AI can be used to evaluate the information, searching for trends and historical insights. This distills large datasets, making them actionable. The analysis enables security solutions to redefine the baseline of normal operations, and better understand what an unwelcome or threatening presence looks like. With this baseline established, AI-driven security playbooks for detection and response can be defined. AI solutions automatically carry out checks on network behavior, acting to isolate legitimate threats once detected. Because actions are informed by an in-depth analysis of threat trends and network behavior, false positives are reduced, so authorized personnel on the network are not disrupted by unnecessary containment.

Rapid response capabilities are essential to the security of modern networks. Cyberattacks now move at machine speed, with cyber criminals leveraging machine learning and agile development to more effectively target security weaknesses and evade detection. Your customers do not have the resources to monitor events and respond to each incident in real-time to reduce dwell time and breach impact. By assisting in implementing SOAR methodology, MSSPs create immense value for their customers that will continue to serve their networks as threats become more advanced.

Integrated Security Controls

Essential to the success of SOAR tactics in your customers’ networks is the ability to connect various security controls to facilitate the sharing of data and threat intelligence. This allows separate tools, such as endpoint protections or segmentation tools to act in conjunction when a threat is detected.

For example, each tool within the Fortinet solution set can be woven into a Security Fabric via API, supporting automation and rapid response functionality. As many organizations have strained or limited resources when it comes to security, having a partner that can facilitate the collaboration and sharing of intelligence between these tools is key to SOAR success.
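As an added illustration that is not from the original post or from Fortinet, the following Python sketch walks through the flow the orchestration, automation, and integration sections describe: normalizing alerts from two differently formatted tools, correlating them per host, comparing the result against a stored baseline, and letting a playbook either isolate the host through a connector or hand it to an analyst. The event schemas, baseline figures, thresholds, and the `Connector` class are all constructed assumptions, not any vendor's API.

```python
from collections import defaultdict
# Constructed alerts from two hypothetical tools with different schemas (EDR agent, firewall).
RAW_EVENTS = [
    {"src": "edr", "hostname": "ws-17", "severity": "high", "kind": "process"},
    {"src": "fw", "host": "ws-17", "sev": 7, "type": "c2-beacon"},
    {"src": "edr", "hostname": "ws-17", "severity": "medium", "kind": "process"},
    {"src": "fw", "host": "ws-02", "sev": 3, "type": "dns"},
    {"src": "edr", "hostname": "ws-09", "severity": "high", "kind": "process"},
]
# Constructed baseline: (mean, stdev) of each host's daily alert score when healthy.
BASELINE = {"ws-17": (2.0, 1.0), "ws-02": (3.0, 1.5), "ws-09": (2.0, 1.0)}
SEV_MAP = {"low": 2, "medium": 5, "high": 8}

def normalize(event):
    """Orchestration: map each tool's own schema onto one common record."""
    if event["src"] == "edr":
        return {"src": "edr", "host": event["hostname"], "score": SEV_MAP[event["severity"]]}
    if event["src"] == "fw":
        return {"src": "fw", "host": event["host"], "score": event["sev"]}
    raise ValueError(f"unknown source {event['src']!r}")

def correlate(events):
    """Orchestration: group normalized records by host so the tools can be compared."""
    per_host = defaultdict(list)
    for rec in map(normalize, events):
        per_host[rec["host"]].append(rec)
    return per_host

class Connector:  # stand-in for a tool integration: records actions, calls no real API
    def __init__(self): self.actions = []
    def isolate(self, host): self.actions.append(("isolate", host))
    def ticket(self, host, note): self.actions.append(("ticket", host, note))

def run_playbook(events, connector, isolate_z=4.0, review_z=2.0, min_sources=2):
    """Automation: isolate only when the deviation from baseline is large AND at
    least two independent tools agree; otherwise hand the host to an analyst."""
    decisions = {}
    for host, recs in correlate(events).items():
        mean, stdev = BASELINE[host]
        z = (sum(r["score"] for r in recs) - mean) / stdev  # std devs above normal
        sources = {r["src"] for r in recs}
        if z >= isolate_z and len(sources) >= min_sources:
            connector.isolate(host)
            decisions[host] = "isolated"
        elif z >= review_z:
            connector.ticket(host, f"z={z:.1f} from {sorted(sources)}")
            decisions[host] = "review"
        else:
            decisions[host] = "normal"
    return decisions
```

Requiring corroboration from more than one tool before automated isolation fires is the concrete mechanism behind the false-positive reduction the automation section claims: the single high-scoring EDR alert on ws-09 is routed to analyst review rather than acted on.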

Final Thoughts

As cyberattacks become more sophisticated, immediate incident response is crucial. This is where MSSPs can offer real value to customers, and why SOAR will be an essential offering for MSSPs moving forward. Organizations now seek MSSPs that can go beyond traditional offerings with greater security expertise and acumen. With SOAR, MSSPs enable customers to keep pace with advanced attacks, while minimizing strain on IT and security resources through the use of AI and automation.

Blog courtesy of Fortinet.