Every year new products and technologies emerge as solutions to the most pressing problem companies have in the cyber realm – the lack of resources. In cyber, like in many other areas of life, introducing techniques well above your current skillset is a waste of time.
It’s human nature to look for a new tool to solve a problem. The advertising industry knows this. From 1990s shady TV-shop commercials to present-day cyber security marketing material, new tools are commonly pitched as solutions to old problems.
New tools are not necessarily a bad idea. Often, they make you more productive. But there is a problem: You might not be ready for them.
In a way, SOAR is like SIEM a decade ago. Many bought into the concept, and have implemented it. Most are disappointed, because it did not deliver on the promise of more security out of the box. Truth be told, they would have gotten more value out of focusing on the elementary stuff instead.
When it comes to SIEM and SOCs, the elementary stuff is collecting the right telemetry. For Windows, this means Sysmon. For Linux, this means auditd. Next is configuring the proper detections and making sure you know how to react when the incidents start coming in.
Some vendors are pushing SOAR platforms as “the next big thing”. They are selling to the fact that you don’t have enough resources to protect your infrastructure, with the promise that SOAR is a shortcut by way of out-of-the-box “automated responses”. It’s not. SOAR is a lot of work. And very little of that is provided out of the box.
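To make the “telemetry first, detections second” point concrete, here is an added example (not from the original post) of what the elementary layer looks like on Linux: raw auditd records for process execution, parsed and run through two simple detections. The records are constructed sample data; the audit rule key `priv_mgmt` is an assumed name for a rule such as `-a always,exit -F arch=b64 -S execve -F euid=0 -k priv_mgmt`, and the rule names in the script are illustrative. The script joins the SYSCALL and EXECVE records of one event by their audit id, decodes the hex-encoded argument auditd emits for values containing whitespace, and flags account creation and setuid-bit changes so an analyst has something concrete to react to.

```python
"""Minimal auditd execve detector: parse raw records, join by audit id, apply rules.
Added illustration with constructed sample data; not code from the original post."""
import re

# Constructed sample records in auditd's raw log format. Not from any real host.
# The key "priv_mgmt" is an assumed name for an execve audit rule on euid=0.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1301 auid=1000 uid=1000 gid=1000 euid=1000 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1700000000.101:201): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1700000000.250:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1302 auid=1000 uid=0 gid=0 euid=0 comm="useradd" exe="/usr/sbin/useradd" key="priv_mgmt"
type=EXECVE msg=audit(1700000000.250:202): argc=3 a0="useradd" a1="-m" a2="svc_backup"
type=SYSCALL msg=audit(1700000000.300:203): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1303 auid=1000 uid=0 gid=0 euid=0 comm="chmod" exe="/usr/bin/chmod" key="priv_mgmt"
type=EXECVE msg=audit(1700000000.300:203): argc=3 a0="chmod" a1="4755" a2=2F6F70742F6261636B7570206A6F62
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<id>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_value(raw, hex_ok=False):
    """Strip quotes; for EXECVE args, an unquoted value is auditd's hex encoding
    (used when the argument contains whitespace or non-printable bytes)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if hex_ok and len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    return raw


def parse_audit_records(text):
    """Group raw lines into events keyed by audit id, merging SYSCALL fields
    with the decoded argv from the matching EXECVE record."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a well-formed audit record
        ev = events.setdefault(m['id'], {'ts': m['ts'], 'types': set(), 'argv': []})
        ev['types'].add(m['type'])
        fields = dict(FIELD_RE.findall(m['body']))
        if m['type'] == 'EXECVE':
            argc = int(fields.get('argc', '0'))
            ev['argv'] = [decode_value(fields.get(f'a{i}', ''), hex_ok=True) for i in range(argc)]
        else:
            for key, value in fields.items():
                ev[key] = decode_value(value)
    return events


def is_setuid_mode(mode):
    """True for a numeric mode that sets setuid/setgid (4xxx, 2xxx, 6xxx) or a symbolic +s."""
    if re.fullmatch(r'[0-7]{4}', mode):
        return mode[0] in '246'
    return '+s' in mode


# Illustrative detection rules over the decoded command line (argv).
RULES = {
    'account_created': lambda argv: argv[:1] == ['useradd'],
    'setuid_bit_set': lambda argv: argv[:1] == ['chmod'] and len(argv) > 1 and is_setuid_mode(argv[1]),
}


def detect(events):
    """Apply every rule to every merged event, oldest first; return alerts carrying
    the fields an analyst needs to react (who, which binary, full command line)."""
    alerts = []
    for eid, ev in sorted(events.items(), key=lambda kv: float(kv[1]['ts'])):
        for name, rule in RULES.items():
            if ev['argv'] and rule(ev['argv']):
                alerts.append({
                    'rule': name,
                    'event_id': eid,
                    'auid': ev.get('auid'),        # login uid survives su/sudo
                    'exe': ev.get('exe'),
                    'cmdline': ' '.join(ev['argv']),
                })
    return alerts


if __name__ == '__main__':
    for alert in detect(parse_audit_records(SAMPLE_LOG)):
        print(alert)
```

Two details matter more than the rules themselves: the join on the audit id (a SYSCALL record without its EXECVE record tells you nothing about arguments), and the `auid` field, which keeps pointing at the original login even when the command ran as root via sudo. Getting those right is the kind of groundwork that has to exist before any automation layer on top of it can be trusted.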
Don’t get me wrong: SOAR is a great concept. It can augment and automate what you already have in place in your SOC. The “already have” part is the important part here. Unless you already have mature processes and procedures, it’s not worth considering.
For more info on SOC and SIEM, please read Improsec’s “How to build excellent detection”.