Does Homebrew SOAR scale?

I don’t believe it does.

Short answer

“A lazy sysadmin is a good sysadmin”.

For 30 years people have been writing scripts to do our job for us, and it’s still a mess.

  • Different scripts, with different standards/styles
  • Hardcoded cleartext passwords
  • Running on different servers
  • Maintained by different teams
  • With no documentation
  • No error handling
  • No RBAC
  • No reporting/visibility
  • And when that employee leaves the organisation? All knowledge is lost

We’ve had the ability to script for 30 years and we are still in this mess.

Long answer

Engineers typically design and build “bottom up” (rather than project owners who design “top down”).

“It took only 20 minutes to get product A talking to product B”? High five!!!


But as you add more technologies, the permutations (not just combinations) of integrations go exponential. 2 technologies is 2 pieces of code (one each way); 5 platforms becomes 20. You have 20 technologies to integrate? Now get ready for RESTful, SOAP, JSON, XML, OAuth, etc.

As you start processing lots of incidents you realise you have lost overall visibility, so you need to engineer in dashboards, reports and alerting, and all of them need to be both engineer friendly and CISO friendly.

Then you realise that to investigate and manage specific incidents you need full case management, with chat, attachments, SLA timers, ownership, team members, etc.

Then you realise the platform holds API keys (aka keys to the kingdom) so it needs encryption and hardening. Does this now require pentests and code reviews?

You then discover that repeatable playbook design requires UI friendly building and debugging for tasks, conditions, loops, subplaybooks, etc

As the platform grows you realise that integrating a workflow with people is equally crucial (questions over Slack, email, questionnaires), so you need to bake in communication tasks, data collection, non-repudiation, etc.

Then you realise that Threat Intel is a huge part of incident enrichment and decision making in SOAR, so you need to double up your case management to also represent each Indicator type.

The business then wants to realise this huge investment by opening it to more than just SOC, but the interface isn’t overly user friendly. So you have to redesign it.

Now that everyone has access, you need to retrospectively add RBAC to everything.

On a random Sunday night someone updates a key piece of technology without informing you; the vendor API has changed from version 6 to version 7, your playbooks don’t work, and you have to start programming very quickly.

Then, to really annoy you, management strategically changes vendor alliances, so all your API calls need rewriting.

…and so much more, starting to get the idea?

None of that is considered when the engineer first puts pen to paper and says “give me 20 minutes to get the basics working”.

We recently won a POC. They had been managing a home brew for years (compared to full SOAR it was tiny) and they simply got exhausted maintaining it. Every time they wanted to tweak anything they had to essentially rewrite huge parts from scratch… when I showed them how SOAR has done all the basics, they realised they were fighting a losing battle.

Andy