But just a few of the realities are:

There simply aren’t enough professionals in our career. The vast majority of SOC teams ALWAYS have open head count, and that isn’t going to change in the coming months/years.

Applications increase, traffic increases, network complexity increases, and so the alerts also increase (on top of that, your security team is currently POCing even more tools. More tools, each trying to validate their investment by raising their profile with alert volume; oh, the irony).

And SLAs don’t care; they expect a ticket to be opened, responded to, and closed. I’ve talked with analysts who had less than 3 minutes per ticket; I can’t imagine the quality of work, or even job satisfaction, here.


If these weren’t the reality in IT security, I might agree with Raj. But for us, a more appropriate line is:

“this means that when I arrive in the morning I can actually do my job (the cool stuff), and not have to instead simply copy/paste IOC or rinse/repeat the same task 200 times before lunch?”


I honestly believe SOAR is more like having a Personal Assistant for all the mundane fluff.



