Every Type of SOC Needs a SOAR

 

Many organizations have a Security Operations Center (SOC). It may not be one that has a large room full of analysts, engineers, threat hunters, and incident responders, with a wall of monitors providing a heads-up display for the staff. It may be a couple of staff working remotely augmented by a SOC as a services provider. I like to characterize SOCs as snowflakes, and not with a negative connotation. Rather, that snowflakes look the same from far away, but look closely and they are all unique. SOCs are like this too if you look closely at the goals, responsibilities, people, processes, and technologies that define them and their mission.

SOC       Versus         SOC

 

We believe that the Gartner SOC Model Guide does a great job of laying out the challenges and decision points when choosing and operating the right type of SOC, and also the evolution of the SOC over time. There is also an interesting strategic planning assumption (SPA) where they say “By 2025, 33% of organizations that currently have internal security functions will attempt and fail to build an effective internal SOC due to resource constraints, such as lack of budget, expertise and staffing.”

So how does an organization avoid failure whether their SOC is fully insourced, fully outsourced (e.g., SOC as a service or managed detection and response), or somewhere in between?

The answer lies with making sure the SOC is properly instrumented for success, and a SOAR platform should be viewed as a critical, foundational technology for a SOC. A unified SOAR platform like ThreatConnect provides the ability for an organization to manage threat intelligence, track incidents and their details in a single repository, document workflows and processes and align those to incidents, and leverage orchestration and automation to augment human analysts with “machine power.”

 

Let’s look at the ways a SOAR solution (Gartner defines security orchestration, automation and response (SOAR) as solutions that combine incident response, orchestration and automation, and threat intelligence (TI) management capabilities in a single platform.)) would support the different SOC models defined by Gartner in their SOC HIT (hybrid, internal and tiered) Model.

Regardless of the SOC model being implemented, a SOAR solution can play a critical role insuring:

  1. Threat intelligence is integrated into SOC processes and tools from the start. Low maturity SOCs might start with integrating some premium threat feeds as contextual information used when triaging and prioritizing potential incidents, especially if they have automated a triage process. As the SOC matures, they can start to expand their use of threat intelligence into other areas like pushing intel into other security tools for protection and detection, integrating with partners and communities (ISACs for example), or creating new and actionable threat awareness from the learnings of incidents and investigations. If they have a cyber threat intelligence function within or adjacent to the SOC they may also fuse internally gleaned learnings and external intelligence to create a dynamic and relevant view of their threat landscape immediately available for various operations and leadership roles to inform decisions and actions.

If a services provider is supporting the SOC, then when a customer owns a SOAR platform it helps solve the concerns of how sensitive or restricted threat intel could be leveraged by the services provider without getting into the acrobatics of whether their delivery platform or SIEM can keep that intel isolated away from other customers.

  1. A common incident management capability within a SOAR platform is used where anyone in, or interfacing with, the SOC have access to incidents and their details, and the knowledge captured over time. In a hybrid model, it ensures there is a single-source of incident truth with the services provider. In a tiered SOC model, a SOAR allows individual companies or lines of business to have a common incident management environment that also rolls up to a command SOC for organization-wide incident visibility, monitoring and reporting.
  2. Documenting and enabling common workflows (sometimes called runbooks) that need to be followed ensures that regardless of who is responding to an incident, that a common process is being followed. This is a quick way to help mature a SOC through capturing knowledge and driving process improvements. It is also a way to identify candidate processes that should be automated.
  3. The SOC team is able to do more, with less resources. Back to the SPA that predicted about 1/3 of SOCs will fail because they are not properly resourced. While SOAR platforms can help a ton with this problem, they are not magic. They are not set and forget solutions. They require investment and ongoing operation, but the payback to the organization achieved through operational efficiency, knowledge capture and re-use, and even the speed of response to minimize the blast radius of a threat is enormous. The time saved in capturing metrics on SOC and analyst performance is a huge win for SOC leaders. And not only are processes more efficient, they become more consistent as processes are moved from manual workflows to automated processes.

 

There is the broader question of whether the SOC mission is aligned to, and helping to mitigate, business risks. How so? Leveraging a cyber risk quantification (CRQ) product like ThreatConnect RQ should also be used to align the priorities of the SOC with business-level risks. CRQ helps leaders prioritize the risks to the organization in financial terms, giving CISOs, Cyber Threat Intelligence teams, and SOC leaders clear guidance on which threats create the greatest financial risk to the organization, which the SOC can integrate into their use cases to help lower business risks. 

Want to learn more? Download the 2021 Gartner®  SOC Model Guide today and reach out to us to discuss how ThreatConnect’s SOAR and RQ solutions can make your SOC a business risk-aligned, high-performing operation.

 

Gartner, SOC Model Guide, John Collins, Mitchell Schneider, Pete Shoard, 19 October 2021

Gartner is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved

Toby Bussa
About the Author
Toby Bussa

Toby Bussa is VP of Product Marketing at ThreatConnect. He has over 20 years of experience in cybersecurity as a practitioner and leader. He recently was a VP Analyst at Gartner where he covered security operations topics, including SIEM, SOAR, MDR, DFIR and SOCs. He previously led IT security operations, data protection, security architecture and engineering, and 3rd party risk management for a FTSE100 enterprise, and the EMEA SOC threat detection team for a global MSSP.