#Soar.. huh… what is it gooood for?#

#Absolutely… quite a lot.#

Whilst I’m not new to SOC/API/Coding/Integrations, I am slightly new to the concept of SOAR.

So in my first few weeks and months what what potential VALUE have I identified? (I will talk about specific detailed use cases in future posts, today I’m just looking at high level concepts).

In no specific order:

  1. Reduce alert volume – automation closing trivial tasks
  2. Reduce alert overhead – automated manual labour of more complex tasks
  3. Quicker to act – With fewer alerts in the first place, and with the remaining alerts having the donkey work done analysts can get to the meat of an incident quicker.
  4. Standardise your workflow – same work process fires every time, no deviation by junior/tired analysts
  5. Standardise approvals – An incident can mandate direct formal involvement and sign off from HR, business owners etc (non repudiation)
  6. Standardise your playbook – use a playbook that maps to a framework (e.g. NIST)
  7. Coach new tier 1 analysts – An interactive log of all tickets, and a playbook helping hand for them to get up to speed.
  8. Automation of boring/simple/repetitive – reduce eye and brain strain by removing the tasks that you have to do every day
  9. Revitalise legacy/simple tools – Things you can’t afford to replace (mission critical, expenseive..), and hook them into your modern security stack using SOAR
  10. Aid Incident Response – Have your IR team review your playbooks so that the right information is collected for post breach analysis.
  11. Reduce risk – Some remote selling services have moved to DTFM Payments to remove risk and scope of internal abuse. I see SOAR having a similar benifit to SOCs.

I have no doubt I will revise and restructure this list as time goes on, and add specific real world use cases.


Leave a Reply