Over the past few years, Security Orchestration, Automation, and Response (SOAR) tools have emerged as multi-faceted and ever-present components in a Security Operations Center (SOC), enabling security teams to centralize incident management, standardize processes, and reduce response times through automation and artificial intelligence (AI).
The security orchestration, automation and response (SOAR) market, as defined by Gartner in 2017, evolved from three previously distinct technologies: security orchestration and automation (SOA) tools, security incident response platforms (SIRPs) and threat intelligence platforms (TIPs).
In 2019, Gartner released its latest and most comprehensive research on the SOAR market to date: the Market Guide for Security Orchestration, Automation and Response Solutions. In it, Gartner tracks the growth of the market over the past few years, provides a representative list of SOAR vendors, and delivers advice that security practitioners should keep in mind while procuring SOAR tools.
Moreover, AI security is one of Gartner's Top 10 Strategic Technology Trends for 2020, which states:
“AI and ML will continue to be applied to augment human decision making across a broad set of use cases. While this creates great opportunities to enable hyperautomation and leverage autonomous things to deliver business transformation, it creates significant new challenges for the security team and risk leaders with a massive increase in potential points of attack with IoT, cloud computing, microservices and highly connected systems in smart spaces. Security and risk leaders should focus on three key areas — protecting AI-powered systems, leveraging AI to enhance security defense, and anticipating nefarious use of AI by attackers.”
Gartner states that SOAR tool deployment is now more use-case driven than ever. The use cases depend on the maturity of the organization, the capabilities of the SOAR tool, and the processes most ripe for automation, among other things. According to Gartner:
“SOAR selection in 2019 and beyond is being driven by use cases such as:
- SOC optimization
- Threat monitoring and response
- Threat investigation and response
- Threat intelligence management”
SOAR Doesn’t Know What It Doesn’t Know.
The problem we see with deploying security automation is the quality of the information fed into it. How do you deploy a SOAR tool if you cannot be sure the data it acts on is accurate? Is "good enough" really good enough?
Automation-based security solutions also have blind spots. How do they know they can see everything? They don't: they don't know what they don't know, and a playbook that fires on incomplete data will either miss a real intrusion or contain the wrong thing.
RedSeal data can refine how a SOAR solution decides whether or not to take an action in the above use cases. RedSeal gives a SOAR tool a deep understanding of the network environment it operates in. It is not enough to identify and react to an indicator of compromise; we need to understand what an intruder can reach from there.
Does the device have access to a high value asset (HVA) or to the key cyber terrain of your environment?
- If not, carry on with the automated processes.
- If yes, that is an indication to investigate further and to look at how this access could have happened in the first place.
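The decision rule above (proceed automatically unless the compromised host can reach a high-value asset, in which case escalate with the offending path) can be expressed as a reachability query over a network model. The following is an added illustration, not RedSeal's data model or API and not part of the original post: the subnets, hosts, allow rules and HVA list are constructed, and the model deliberately uses the conservative assumption that an attacker who can send any allowed flow into a subnet may compromise a host there and pivot onward, so reach is computed transitively rather than one hop at a time.

```python
"""Reachability-gated SOAR triage (constructed example).

Given a simplified network model (hosts on subnets, stateless allow rules
between subnets) and a list of high-value assets, decide whether an IOC on
a host should follow the automated playbook or be escalated because the
host can reach an HVA. All data below is invented for illustration.
"""
from collections import deque

# Constructed topology: subnet -> hosts in that segment.
SUBNETS = {
    "user-lan": {"ws-17", "ws-22"},
    "guest": {"kiosk-1"},
    "dmz": {"web-1"},
    "app": {"app-1"},
    "db": {"db-1"},
}

# Constructed allow rules as (src_subnet, dst_subnet, dst_port).
# Anything not listed is denied; "any" matches every port.
ALLOW_RULES = [
    ("user-lan", "dmz", 443),
    ("user-lan", "app", 22),     # forgotten jump rule: the interesting path
    ("app", "db", 5432),
    ("guest", "dmz", 443),
]

# Constructed HVAs: host -> service ports that matter.
HVAS = {"db-1": {5432}}


def subnet_of(host):
    """Return the subnet containing host; raise on unknown hosts."""
    for subnet, hosts in SUBNETS.items():
        if host in hosts:
            return subnet
    raise KeyError(f"unknown host {host!r}")


def reachable_hvas(start_host):
    """Map each HVA reachable from start_host to the subnet path used.

    Assumption (conservative): any allowed flow into a subnet lets the
    intruder pivot from that subnet, so reachability is transitive.  The
    final hop must additionally permit one of the HVA's service ports.
    """
    start = subnet_of(start_host)
    paths = {start: [start]}            # subnet -> path of subnets to it
    queue = deque([start])
    while queue:                         # BFS over the allow-rule graph
        cur = queue.popleft()
        for src, dst, _port in ALLOW_RULES:
            if src == cur and dst not in paths:
                paths[dst] = paths[cur] + [dst]
                queue.append(dst)

    hits = {}
    for hva, service_ports in HVAS.items():
        hva_subnet = subnet_of(hva)
        if hva_subnet == start:
            # Same segment, no filtering device in between (assumption).
            hits[hva] = [start, hva]
            continue
        for src, dst, port in ALLOW_RULES:
            if (dst == hva_subnet and src in paths
                    and (port == "any" or port in service_ports)):
                hits[hva] = paths[src] + [hva_subnet, hva]
                break
    return hits


def triage(ioc_host):
    """SOAR playbook gate: auto-contain unless an HVA is within reach."""
    hits = reachable_hvas(ioc_host)
    if not hits:
        return {"action": "auto-contain", "host": ioc_host,
                "reason": "no path to any HVA"}
    return {"action": "escalate", "host": ioc_host, "paths": hits,
            "reason": "host can reach HVA(s): " + ", ".join(sorted(hits))}


if __name__ == "__main__":
    for host in ("ws-17", "web-1", "kiosk-1", "db-1"):
        print(triage(host))
```

Run against the constructed model, an IOC on `ws-17` escalates with the path `user-lan -> app -> db -> db-1` (the forgotten port 22 rule makes the difference), while `web-1` and `kiosk-1` have no onward rules and stay on the automated path. Swapping the constructed tables for a real path-analysis source is what turns this from a toy into the enrichment step the text describes.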
Then, during a follow-on after-action review, you can dig into the important questions, such as how the intrusion happened in the first place and which access path made it possible. Only RedSeal shows you what is on your network, how it is connected and the associated risk, so you can better prepare for and contain problems within minutes rather than days.
What if RedSeal could improve your understanding? Would that interest you?
If yes, click here to set up a time to speak with a RedSeal representative about how to integrate RedSeal with your preferred SOAR tool.