2025-01-15 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Automation and orchestration have developed into indispensable security tools.
In 2017, Gartner coined the term "Security Orchestration, Automation and Response" (SOAR) to describe a range of emerging platforms that grew out of incident response, security automation, case management, and other security tools.
Two recent articles by Jon Oltsik, chief analyst of Enterprise Strategy Group (ESG), "The evolution of security operations, automation and orchestration" and "The rise of analyst-centric security operations technology", point to the significant growth of SOAR platforms. SOAR tools are becoming more effective at dealing with today's most pressing security issues, and demand for them keeps growing. As Oltsik points out, a series of acquisitions of SOAR vendors by tech giants in recent years reflects the prospects for such platforms.
The rapid rise of SOAR is driven by some key improvements in current solutions, including lower barriers to implementation, which make these platforms more likely to be adopted by more security teams and by industries such as retail, healthcare, and government that are slow to adopt new technologies.
Expansion of native functions
Initially, many SOAR platforms on the market had very limited capabilities, and automation and orchestration were only suitable for handling a small number of events. Although these products offer some time-saving possibilities for security teams, their effectiveness is limited by narrow scope and lack of depth.
Part of the current evolution of SOAR is the increasing maturity of the functions it provides. With increasingly sophisticated automation playbooks and a surge of integrations with other security tools, automation and orchestration capabilities have matured, extending analysts' ability to use SOAR to filter out large amounts of noise and identify real threats.
SOAR platforms now also offer a deeper feature set that makes it easier to deal with large investigations and major incidents. This includes a case management module, as well as a series of tools that facilitate communication, collaboration and task management inside and outside the SOC. Today's incidents are too complex for response teams to afford the cost of manually coordinating workflows and reporting processes, especially in companies with strict compliance requirements. As its functions have deepened, SOAR has become a tool for long-term, systematic improvement, not just a short-term alert triage tool.
No need for more experience
The evolution of SOAR platforms reduces the level of experience users need. Vendors have built security expertise into their products in the form of pre-built playbooks, guided investigation workflows, and automated alert scoring.
Automation and orchestration capabilities have also evolved to the point where users do not need to know what to automate in order to integrate it with their existing security frameworks. The SOAR platform still seeks approval from analysts for major actions, but analysts no longer need to be experts in automation and orchestration.
In addition, the ability of SOAR platforms to collect threat intelligence and enrich it with context makes it easier for junior analysts to make the right decisions during incident response. Technology is developing so fast that companies are often eager to buy new technologies but neglect to train and recruit the people needed to integrate and apply them in their own environments. SOAR's growing ability to help junior analysts make correct decisions compensates for this shortcoming.
"Single pane of glass"
The term "single pane of glass", which refers to a unified console that holds all the information analysts need, is regarded as a miracle in the world of security operations. Unfortunately, vendors tend to exaggerate their ability to deliver such interfaces. However, the evolution of SOAR platforms is bringing them closer to the prospect of a centralized dashboard.
The main advantage of SOAR platforms in pursuing a single pane of glass is orchestration, a concept that has the potential to integrate the entire security technology stack. A SOAR platform can use integrations with partner products to exchange details in real time, analyze data from threat intelligence sources, and even let analysts take action directly from the SOAR interface. The complexity of current security incidents requires this seamless collaboration across people, technologies, and processes; otherwise, every second wasted switching between interfaces increases risk.
Where will SOAR go?
Although great progress has been made, SOAR is still a relatively new field, and many innovations are still to come. Automation and orchestration have evolved into indispensable tools, and on many platforms they will soon be complemented by machine learning, artificial intelligence and other emerging technologies.
It is easy to worry about the future of cyber security because of the increasing complexity of attack methods, the proliferation of state-backed hacking operations and the growing shortage of security personnel. However, the multiplier effect of SOAR on SOC capabilities should bring some comfort to the security team.
This article is reproduced from "Safety cattle", original author: nana