As cybercrime grows, no security team can keep up with every threat by hand, and teams are under pressure to do more with fewer people. In this never-ending race to stay ahead of attackers, an increasing number of companies are turning to a relatively new category of security tooling: security orchestration and automation platforms.
SOAR (Security Orchestration, Automation and Response) is designed to help security teams manage and respond to an endless stream of alerts at machine speed. SOAR platforms vary widely in what they do and what they can handle, but broadly they fill gaps in SOC workflow automation, replace manual incident response steps with playbooks, and feed vulnerability management programs. SOAR platforms should augment a well-tuned SIEM, and I see the two disciplines merging into a single broader offering.
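To make concrete what “responding to alerts at machine speed” looks like, here is a small playbook in Python. It is an added example, not code from this article or from any SOAR vendor: the alert, the threat-intel table and the asset inventory are constructed stand-ins for the lookups a real platform would make through its integrations, and every hostname, address and action name in it is hypothetical. It also keeps an audit trail of each external lookup, which is the kind of visibility into data flows that the transparency point later in this article asks for.

```python
"""Minimal SOAR-style playbook: enrich a SIEM alert, decide, and act.

Added example, not code from the article or any vendor product. The
threat-intel table, asset inventory and sample alerts are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional

# Constructed threat-intel feed; stands in for a reputation API.
THREAT_INTEL: Dict[str, dict] = {
    "198.51.100.23": {"category": "c2", "confidence": 90},
    "203.0.113.7": {"category": "scanner", "confidence": 40},
}

# Constructed asset inventory; stands in for a CMDB lookup.
ASSETS: Dict[str, dict] = {
    "10.0.5.12": {"hostname": "fin-db-01", "criticality": "high"},
    "10.0.9.40": {"hostname": "dev-vm-07", "criticality": "low"},
}


@dataclass
class Alert:
    alert_id: str
    src_ip: str       # internal host that triggered the alert
    dst_ip: str       # external peer it talked to
    signature: str
    bytes_out: int


@dataclass
class Decision:
    severity: str = "informational"
    actions: List[str] = field(default_factory=list)
    enrichment: Dict[str, Optional[dict]] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)  # every lookup we made


def enrich(alert: Alert, decision: Decision) -> None:
    """Pull context for both IPs and record each lookup in the audit trail."""
    for label, ip in (("src", alert.src_ip), ("dst", alert.dst_ip)):
        ip_address(ip)  # fail closed on malformed input rather than act on it
        decision.enrichment[f"{label}_intel"] = THREAT_INTEL.get(ip)
        decision.audit.append(f"threat_intel lookup {ip}")
        decision.enrichment[f"{label}_asset"] = ASSETS.get(ip)
        decision.audit.append(f"asset lookup {ip}")


def decide(alert: Alert, decision: Decision) -> None:
    """Rule table: severity from intel confidence, actions from severity and asset value."""
    dst = decision.enrichment.get("dst_intel")
    src_asset = decision.enrichment.get("src_asset") or {}
    if dst and dst["category"] == "c2" and dst["confidence"] >= 80:
        decision.severity = "critical"
        decision.actions += [f"firewall: block {alert.dst_ip}",
                             f"edr: isolate {alert.src_ip}"]
        if alert.bytes_out > 1_000_000:  # possible exfil, keep volatile evidence
            decision.actions.append(f"edr: capture memory {alert.src_ip}")
        decision.actions.append("ticket: open P1 for analyst")
    elif dst and dst["confidence"] < 50:
        decision.severity = "low"
        decision.actions += [f"watchlist: add {alert.dst_ip}", "ticket: auto-close"]
    else:
        decision.severity = "medium"
        decision.actions.append("ticket: open P3 for analyst")
    if src_asset.get("criticality") == "high" and decision.severity != "low":
        decision.actions.append(f"notify: owner of {src_asset['hostname']}")


def triage(alert: Alert) -> Decision:
    """Run the playbook end to end and return what an operator would execute."""
    decision = Decision()
    enrich(alert, decision)
    decide(alert, decision)
    return decision


if __name__ == "__main__":
    # Constructed sample alerts: a beacon from a high-value host, and a noisy scanner.
    for sample in (Alert("A-1", "10.0.5.12", "198.51.100.23", "beacon", 5_000_000),
                   Alert("A-2", "10.0.9.40", "203.0.113.7", "portscan", 10)):
        d = triage(sample)
        print(sample.alert_id, d.severity, d.actions, d.audit)
```

The design choice worth noting is that the playbook never calls an action directly: it returns a list of actions and a list of lookups it performed. In a real deployment the action list is handed to adapters for your firewall, EDR and ticketing system, which is also what keeps the playbook portable when those products change, and the audit list is what you show an auditor who asks where the alert data went.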
The advent of the cloud, and the dissolving of the perimeter around traditional networks that came with it, has increased the complexity both of security operations and of the security controls themselves; that alone makes the need for security orchestration clear. Extending the perimeter out to roaming endpoints, SaaS applications and the cloud itself, where entire workloads are shifted to infrastructure-as-a-service providers, has added further layers of complexity. It has also multiplied the number of things that must be examined, and the tasks that must be carried out, just to keep an enterprise running securely.
People are excited about running SOAR tools in the cloud, and it certainly has advantages, but it’s important to weigh them against your business needs. Security and business objectives have to be balanced.
So what should you weigh to determine whether your organization should consider the cloud for SOAR? First, the advantages:
1. Agility: Developers get a “playground” where they can spin up a server in seconds, deploy their application and start testing within minutes or hours, depending on complexity. They are no longer constrained by the rigid request-and-approval processes of the older models they had to go through to get access to a compute environment.
2. Lower costs: The finance team sees what it costs to maintain a data center, including the ever-growing list of on-prem solutions required to keep onsite infrastructure running properly. There is a natural inclination to cut those expenses and move to the “pay by the sip” model offered by infrastructure-as-a-service providers. Consider a retailer whose busy season runs from Halloween through January and who is relatively quiet the rest of the year. Why maintain all that computing power for the seven or eight months they don’t need it? It doesn’t make sense.
3. Trust model: Cloud platforms have gone through certification and, where there used to be doubt about their security levels, they now must meet and adhere to regulations. The US federal government has instituted a certification process (FedRAMP) to vet these platforms, and compliance audits ensure that the standards continue to be met. Keep in mind what that certification covers: the provider’s own controls, not the configuration of whatever you deploy on top of them.
4. Easy to add on services: Cloud providers like Amazon make it easy to add on services, so everything you need is at your fingertips inside their environment. That ease is certainly appealing, especially since it’s very quick and cost-effective to get started.
Against those advantages, weigh the drawbacks:
1. Lack of mobility: It can be difficult to switch providers once you are entrenched in a cloud platform. A lot of times, frankly, that is exactly what large software vendors are counting on. Ripping out your system and replacing it with something else gets extremely hard, especially once you have added a lot of provider-specific services, as mentioned above.
2. Legacy applications: The freedom of the internet and the availability of applications 24/7 around the world is alluring to corporations, and we can see why. However, there are always some legacy or critical applications that make more sense to run on-prem or in a hybrid model, and a cloud-hosted SOAR platform still needs a path back into that environment to act on them.
3. Lack of transparency: If you don’t understand how your information flows and how your cloud product works at a technical level, then the technology is controlling you rather than the other way round. Your understanding of a cloud-deployed product or service has to go beyond the glossy brochure. You need to know exactly how your information flows: where it is stored, what formats it is in, and how it moves. Remember the trust model above? Cloud providers must meet federal regulatory standards, but it is on you and your company to make sure security concerns are covered at every step. If you don’t understand every detail of the process, you will almost inevitably run into problems. For a SOAR platform this matters doubly, because the data it handles includes alerts, case notes and the credentials it uses to take action across your environment.
While these drawbacks can be daunting, many corporations use a hybrid deployment to combine the best of both worlds. After all, putting all your eggs in one basket can be disastrous for your business. Before you go looking for a SOAR platform, make sure you have a clear understanding of what gaps exist in your current workflows.
That’s where an objective outside opinion can help. For example, if you haven’t designed the system so it can be moved to a new provider if necessary, the cloud’s cost-effectiveness isn’t saving you any money. Get some fresh eyes on your project before you commit and run into avoidable problems.