The evolution of security operations, automation and orchestration

The basic functionality of SOAR products is being supplemented with strong integration, canned runbooks, and case management.


The market for security operations, automation and orchestration products is rapidly maturing. The most recent proof point of this maturation was Splunk’s acquisition of Phantom in February, but other vendors, such as FireEye (acquired Invotas), IBM (acquired Resilient), Microsoft (acquired Hexadite), and Rapid7 (acquired Komand), saw the light and bought into this market over the past few years.

I first discovered this market several years ago. In a 2015 blog post, I introduced the concept of integrated cybersecurity orchestration platforms (ICOPs). I stated that ICOPs would be used to integrate inputs (i.e. alerts and data from different security tools), correlate, enrich, and manage security data, and initiate outputs (i.e. trigger remediation actions and workflows). 

In retrospect, the acronym ICOP never caught on. (Most people use the Gartner acronym SOAR for security orchestration, automation, and response, so, alas, I will too.) That said, enterprise organizations are embracing security operations automation and orchestration technologies. According to ESG research, 19 percent of enterprise organizations have adopted security operations automation and orchestration technologies "extensively," 39 percent have done so on a limited basis, and 26 percent are currently engaged in a project to automate/orchestrate security operations. (Note: I am an ESG employee.)

Given the growth in interest and demand, it’s not surprising to see so many SOAR offerings in the market. In addition to the M&A activities detailed above, there are several others, including D3 Security, DFLabs, Demisto, Resolve Systems, ServiceNow, Siemplify, and Swimlane. Others, such as Exabeam, LogRhythm, and ThreatConnect, offer SOAR capabilities that are tightly coupled to their core security operations offerings.

CISOs want SOAR products to do these things

Since my 2015 blog post, the SOAR market has certainly matured. Beyond basic connectivity, data flow, and automated outputs, enterprise CISOs now demand additional functionality, including:

  • Advanced automation. Rather than simply trigger a discrete remediation action, SOC teams want to automate their standard operating procedures (SOPs) to the fullest extent possible. This means aligning automated actions with runbooks in an easy and intuitive way. Some vendors provide for scripting and GUI-based configurations, while others take care of this through templates and canned runbooks. Advanced automation also includes the ability to help automate analysts' activities (i.e. triage, prioritization, investigations, etc.).
  • Process orchestration across heterogeneous tools. The key word here is "process." For example, a phishing investigation process requires fetching data, analyzing the data, determining phishing incidents, communicating the results, and then taking some type of action. Doing this right means nailing the process and integrating with the right technology elements to make it happen. This means that leading products must have open APIs, developer support, and cybersec technology ecosystem partners. Once again, some vendors make it easy for organizations to roll their own orchestration, while others supply runbooks based upon best practices.
  • Case management. Large organizations need central management capabilities to initiate, monitor, and communicate SOC activities throughout event lifecycles. For cybersecurity, case management should also include strong communications functionality to allow for processes that require multiple SOC team members or shared processes between cybersecurity and IT operations. Note that many organizations try to use generic case management and ticketing systems, but I'm often told that these tools are inadequate for cybersecurity needs.
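The three capabilities above (runbook-aligned automation, a phishing investigation run as a process across tools, and a case record that carries the work between people) are easier to see in code than in prose. The following is an added illustration written for this page, not code from the article or from any SOAR vendor it names. It is a deliberately small runbook engine: each step is a function that reads and writes one shared case record, the phishing runbook is just an ordered list of those steps, and the engine escalates the case to a person when a step fails instead of letting the alert fall on the floor. The alert format, the threat-intelligence sets, and the `notify:`/`quarantine_message:`/`block_domain:` action strings are all constructed stand-ins for whatever integrations a real platform would call.

```python
"""Minimal SOAR-style runbook engine: ordered steps that act on one shared case record."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List

# Constructed threat-intelligence sets standing in for a real enrichment integration.
KNOWN_BAD_DOMAINS = {"login-verify-example.test"}
KNOWN_GOOD_DOMAINS = {"corp.example"}


@dataclass
class Case:
    """Case record: one ticket per alert with an append-only timeline for audit."""
    case_id: str
    alert: dict
    findings: Dict[str, object] = field(default_factory=dict)
    actions: List[str] = field(default_factory=list)
    timeline: List[str] = field(default_factory=list)
    status: str = "open"

    def note(self, who: str, text: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.timeline.append(f"{stamp} [{who}] {text}")


def fetch(case: Case) -> None:
    """Pull the artefacts later steps need out of the raw alert."""
    msg = case.alert["message"]
    case.findings["sender_domain"] = msg["from"].split("@", 1)[1].lower()
    case.findings["urls"] = [u.lower() for u in re.findall(r"https?://([^/\s]+)", msg["body"])]
    case.note("fetch", f"sender={case.findings['sender_domain']} urls={case.findings['urls']}")


def enrich(case: Case) -> None:
    """Tag every observed domain against the (constructed) intel set."""
    seen = {case.findings["sender_domain"], *case.findings["urls"]}
    case.findings["bad_domains"] = sorted(seen & KNOWN_BAD_DOMAINS)
    case.note("enrich", f"bad={case.findings['bad_domains']}")


def decide(case: Case) -> None:
    """Reach a verdict; anything ambiguous goes to an analyst rather than being auto-closed."""
    f = case.findings
    if f["bad_domains"]:
        f["verdict"] = "phishing"
    elif f["sender_domain"] in KNOWN_GOOD_DOMAINS and not f["urls"]:
        f["verdict"] = "benign"
    else:
        f["verdict"] = "needs_review"
    case.note("decide", f"verdict={f['verdict']}")


def communicate(case: Case) -> None:
    """Queue notifications; a real integration would post to chat or ticketing here."""
    case.actions.append(f"notify:soc-channel:{case.case_id}:{case.findings['verdict']}")
    if case.findings["verdict"] == "needs_review":
        case.actions.append(f"assign:tier1-analyst:{case.case_id}")


def act(case: Case) -> None:
    """Containment only on a confirmed verdict; otherwise the case stays open for a human."""
    verdict = case.findings["verdict"]
    if verdict == "phishing":
        case.actions.append(f"quarantine_message:{case.alert['message']['id']}")
        case.actions.extend(f"block_domain:{d}" for d in case.findings["bad_domains"])
        case.status = "contained"
    elif verdict == "benign":
        case.status = "closed"
    else:
        case.status = "pending_analyst"


# The runbook is the SOP made executable: the same five stages the text describes, in order.
PHISHING_RUNBOOK: List[Callable[[Case], None]] = [fetch, enrich, decide, communicate, act]


def run(case: Case, runbook) -> Case:
    """Execute steps in order; a failing step escalates the case instead of crashing the run."""
    for step in runbook:
        try:
            step(case)
        except Exception as exc:  # a broken integration must not silently drop the alert
            case.note(step.__name__, f"FAILED: {exc!r}")
            case.actions.append(f"escalate:soc-lead:{case.case_id}")
            case.status = "error"
            break
    return case


# Constructed alert in the shape a mail-gateway integration might hand over.
SAMPLE_ALERT = {"message": {
    "id": "msg-0001",
    "from": "helpdesk@login-verify-example.test",
    "body": "Your password expires today: https://login-verify-example.test/reset",
}}

if __name__ == "__main__":
    done = run(Case("CASE-1", SAMPLE_ALERT), PHISHING_RUNBOOK)
    print(done.status, done.actions, *done.timeline, sep="\n")
```

Two design points carry over to real platforms. First, the case object is the only thing steps share, so the timeline doubles as the audit trail case management needs and the runbook can be replayed or reviewed step by step. Second, only a confirmed verdict triggers containment; an ambiguous result assigns the case to an analyst, and an exception in any integration records the failure and escalates rather than leaving a half-processed alert, which is the difference between orchestrating a process and orchestrating a broken one.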

A few other market observations:

  • Vendors are gaining a lot of experience as they work with large enterprises, driving the enterprise functionality advances described above.
  • Scalability is key.
  • There is a blurring of the lines between security operations automation and orchestration and advanced analytics. In other words, many vendors are adding machine learning capabilities to help correlate and prioritize heterogeneous security alerts.
  • Bridging the gap between SOC and IT operations is critical. Resolve Systems and ServiceNow have a bit of a market advantage since they address both constituencies.
  • Before deploying SOAR technologies, many organizations turn to professional services organizations that can help them define process gaps and help them establish best practices. In other words, they’d prefer to fix SOC processes rather than orchestrate broken processes.
  • Some SOAR vendors are staffed with employees who have deep security operations experience. Many of these are focused on coding this institutional knowledge into their products. This may be especially useful for organizations that have immature SOC processes.
  • There is a burgeoning MSSP market, but it remains fairly immature to date.

When I first wrote about ICOPs, I believed that this technology would be something akin to a "helper app." In retrospect, I underestimated the market potential here. ICOPs (SOAR) are evolving into security operations platforms — a manager of managers for security operations. This is why SOAR is the top layer of ESG's security operations and analytics platform architecture (SOAPA). Given this lofty role, CISOs should cast a wide net and choose a SOAR technology that aligns with their staff, skills, processes, maturity levels, and future strategies.
