How To Select Security Orchestration Vendor - PowerPoint PPT Presentation


1
How To Select Security Orchestration Vendor
2
Introduction
  • Security orchestration, automation and response
    (SOAR) vendors offer SOCs the best solution
    against the burgeoning problem of having too many
    security tools but not enough in-house talent to
    use them effectively. They enable security
    operations teams to integrate disparate
    cybersecurity technologies and processes into a
    more cohesive security ecosystem, in turn
    allowing these teams to work more efficiently
    against the growing onslaught of cyber threats.

3
What Is SOAR
  • According to Gartner, security orchestration,
    automation and response (SOAR) equate to
    technologies that enable organizations to collect
    security data and alerts from different sources.
    SOAR helps to combine machine-driven and
    human-led security operations activities in a way
    that drives better, more efficient incident
    analysis and triage according to a standardized
    set of processes and workflows.

4
Security Orchestration Vendors
  • Based on the interplay between security
    orchestration, automation and incident response,
    it is easy to see why these elements fit together
    to form a category of solutions. They encompass
    what ultimately ladders up to equal security
    operations: the management of people, processes
    and technology.
  • Security orchestration vendors seek to empower
    analysts and improve incident response through a
    variety of features. Below we cover six core
    pieces of functionality you should explore when
    selecting a security orchestration vendor,
    features to look for and questions to ask.

5
Vendor Criterion 1: Integration
  • In a 2017 ESG report on security operations
    challenges, priorities, and strategies, 29% of
    the respondents identified poor integration of
    security tools among the top challenges in
    security operations. That's where a security
    orchestration solution can come in handy. The
    ability to integrate disparate security solutions
    is a basic characteristic of security
    orchestration.

6
Vendor Criterion 2: SOC Workbench
  • One of the seemingly trivial, but actually
    time-consuming (and often confusion-inducing)
    activities in security operations, is having to
    switch from one console to another. Console
    switching is unavoidable in security operations,
    especially because you typically must run
    different tools and handle different cases at the
    same time.
  • Look for a security orchestration vendor with an
    interface that minimizes the amount of switching
    required AND bubbles up the most critical cases
    so your team can improve its focus and
    prioritization to bring down response and
    resolution times.

7
Vendor Criterion 3: Alert Grouping and Case Management
  • Where a security orchestration vendor can provide
    tangible value is in giving your team the ability
    to work with grouped or clustered alerts. This
    must go beyond simply filtering out false
    positives (which most security orchestration
    vendors do) to actually grouping related alerts
    into manageable cases.
  • If each alert becomes its own case to be worked
    by an analyst, think about the management impact
    and collaboration required to effectively handle
    those cases vs. analysts working cases containing
    multiple related alerts that can be managed,
    triaged and closed as a single effort.
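To make the "one case per alert" versus "related alerts in one case" contrast concrete, here is an added example (not code from the presentation or from any vendor) that first drops alerts tagged as false positives and then links the rest into cases whenever they share an entity (user, host, IP, file), transitively, so a phishing email, the macro it dropped and the beacon from the same host land in a single case. The alert records are constructed sample data.

```python
from collections import defaultdict

# Constructed sample alerts (not real telemetry). "fp" marks alerts already
# judged to be false positives; "entities" are the IPs, users, hosts and files
# the alert touches, which is the context used to decide relatedness here.
ALERTS = [
    {"id": "A1", "rule": "phishing-email", "fp": False, "entities": {"user:alice", "file:invoice.docm"}},
    {"id": "A2", "rule": "macro-exec",     "fp": False, "entities": {"host:ws-17", "file:invoice.docm"}},
    {"id": "A3", "rule": "c2-beacon",      "fp": False, "entities": {"host:ws-17", "ip:203.0.113.9"}},
    {"id": "A4", "rule": "port-scan",      "fp": True,  "entities": {"ip:198.51.100.4"}},
    {"id": "A5", "rule": "brute-force",    "fp": False, "entities": {"user:bob", "ip:192.0.2.77"}},
    {"id": "A6", "rule": "new-admin",      "fp": False, "entities": {"user:bob", "host:dc-01"}},
]


def group_alerts(alerts):
    """Return cases as sorted lists of alert ids; alerts that share an entity
    (directly or through a chain of other alerts) end up in the same case."""
    live = [a for a in alerts if not a["fp"]]  # filtering false positives is step one
    parent = {a["id"]: a["id"] for a in live}  # union-find over alert ids

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups cheap
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    first_seen = {}  # entity -> first alert that referenced it
    for a in live:
        for ent in a["entities"]:
            if ent in first_seen:
                union(a["id"], first_seen[ent])  # shared entity links the two alerts
            else:
                first_seen[ent] = a["id"]

    cases = defaultdict(list)
    for a in live:
        cases[find(a["id"])].append(a["id"])
    return sorted(sorted(ids) for ids in cases.values())


if __name__ == "__main__":
    # Six alerts collapse into two cases; the false positive A4 is not a case at all.
    for n, case in enumerate(group_alerts(ALERTS), 1):
        print(f"case {n}: {case}")
```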

8
Virus Found
9
Vendor Criterion 4: Visual Investigation
  • A security orchestration vendor's solution that
    mirrors an analyst's visual investigation process
    in an interactive interface reinforced with
    graphs, timelines, flows, and representations of
    relevant entities can significantly speed up
    investigation and response times.
  • Be sure to get a look at how a vendor's platform
    represents not only the threat storyline but the
    relationships between the entities (IPs, users,
    files) affected. Ensure your team has the
    ability to quickly identify relationships and
    timelines and dig deeper into each entity within
    a single snapshot.

10
Vendor Criterion 5: Playbooks
  • The beauty of creating and maintaining playbooks
    via security orchestration and automation
    platforms is that it forces the documentation and
    codifying of existing manual processes and allows
    for the automation of several tasks. But bear in
    mind that playbook functionality in a security
    orchestration solution should be more than just
    putting tools into automated processes.
  • Look for vendors that provide a breadth of
    features for playbook creation and customization.
    Some security orchestration vendors include
    standard playbooks to help teams get started that
    can be customized to your organization's needs
    and desired levels of automation.

11
Standard Playbook
12
Vendor Criterion 6: Reporting
  • A security orchestration vendor should be able to
    help managers and executives understand how their
    SOC is performing to then make informed decisions
    about everything from processes and tooling to
    caseloads and staffing. Not only that, because
    different stakeholders will want to look at
    different metrics and KPIs depending on their
    role, your chosen solution should be able to
    provide the information they need without adding
    more burden to your analysts.
  • Explore vendors that support turnkey and
    automated reporting, customizable dashboards,
    templates, and other capabilities that can speed
    up and simplify reporting.

13
Questions To Ask The Vendor
  • Does your platform group related alerts?
  • What context is used to determine whether alerts
    are related?
  • How are cases created from alerts? Does each
    alert become its own case?
  • What are your solution's visual investigation
    capabilities?
  • How are relationships between entities
    represented?
  • How many integrations do you currently support
    and across which categories?
  • If you don't already have an integration I
    require, how quickly can you build one?

14
More Questions To Ask
  • Do you provide an IDE so I can create my own
    integrations?
  • What level of detail is provided about each
    entity and how?
  • How would my analysts build the timeline of a
    security event?
  • Do you provide built-in playbooks to help my team
    get started?
  • How do you enable my team to create new
    playbooks?
  • Is there an IDE?
  • Does your platform support tests and simulations?
  • What are your dashboarding capabilities?

15
Conclusion
  • There's no question security orchestration
    solutions can elevate your SOC's capabilities,
    efficiency and effectiveness tremendously.
    However, you need to exercise due diligence in
    selecting a security orchestration vendor in
    order to get maximum value from your investment.
    At the end of the day, look for a vendor that
    will streamline your security operations, reduce
    missed/uninvestigated alerts, speed up response,
    enable the creation of consistent/predictable
    processes, allow better transparency of metrics,
    and increase your SOC's ability to improve over
    time.