Now that we know how SOAR can benefit an organization, it’s time to go over some common pitfalls that can keep security teams from using a SOAR solution to its full potential.
1. Choosing a solution with a steep learning curve:
As with other threat hunting technologies on the market, every SOAR solution has a slightly different approach to implementing automation within a cybersecurity pipeline. Some are better suited to highly skilled security analysts, while others are designed for ease of use at all skill levels.
For example, when it comes to integrating security tools, adding plugins and building automation playbooks, some solutions depend heavily on users’ coding skills. Before analysts can start integrating or creating playbooks in these solutions, they need to be comfortable with scripting languages like Python or Perl.
To promote a smooth implementation process and avoid delays in adopting and using the chosen solution, security teams should choose a SOAR solution that is aligned with the resources available to them. For example, teams may need to ask SOAR vendors whether a particular product offers both GUI- and code-based script creation tools. An intuitive graphical interface can enable analysts who are not well-versed in coding to leverage the power of the SOAR solution from the start. Meanwhile, analysts who are comfortable writing scripts themselves can handle the creation of more sophisticated scripts.
2. Not knowing which processes to automate:
As the cybersecurity talent shortage continues to widen, it can be tempting for SOC managers to go all-out with automation. However, there are two problems associated with this approach.
First, when processes themselves have not been tested for efficiency, trying to automate everything at once can make it hard for teams to understand the effect playbooks have on the processes being automated. Under these circumstances, it’s easy to blame automation in the event of a failure.
Second, security teams must know that they can’t automate everything. The most complex attack vectors still demand hands-on investigation and critical thinking that only a security analyst is capable of. Thus, any SOAR implementation needs to strike a balance between manual, analyst-led processes and automated, machine-led processes.
For teams that are just starting out with SOAR, identifying processes that are suitable for automation should be the first step. Using this as a foundation, teams can move forward in determining what should and should not be automated.
3. Taking a set-and-forget approach:
As the saying goes, “You can’t get everything right the first time.”
Even if a team of devoted and skilled security analysts has dedicated a lot of time and energy to designing a series of response playbooks, there is still a good chance that at least one won’t work as expected. Besides, in light of the fact that the cybersecurity landscape is constantly evolving, it should come as no surprise that playbooks will need frequent updates to remain useful.
To assist teams in keeping these playbooks updated, some SOAR solutions offer a sandbox feature for testing playbooks against simulations. Using such a feature can help analysts continually improve automated response processes.
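The two points above (deciding what to automate and what to leave to an analyst, and testing playbooks in a sandbox before relying on them) can be illustrated with a small playbook model. The following is an added example written for this post, not code from the original article or from any SOAR vendor; the alert fields, the threat-intel lookup table, the confidence threshold and the asset-tier rule are all assumptions chosen to show the automate-versus-escalate boundary and a dry run over constructed alerts.

```python
"""Added example (not from the original post): a minimal SOAR-style playbook
with an explicit "automate vs. escalate" decision step, plus a sandbox run over
constructed alerts. All names, thresholds and indicator values are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed threat-intel feed: indicator -> (verdict, confidence 0..1). Assumption.
THREAT_INTEL = {
    "203.0.113.10": ("malicious", 0.95),   # TEST-NET-3 address, constructed
    "198.51.100.7": ("suspicious", 0.55),  # TEST-NET-2 address, constructed
}

AUTO_CONTAIN_CONFIDENCE = 0.9   # assumed policy threshold for hands-off containment


@dataclass
class Alert:
    alert_id: str
    source: str            # e.g. "edr", "proxy"; constructed values below
    indicator: str         # IP address observed in the alert
    host: str
    asset_tier: str        # "standard" or "critical"; critical assets always escalate


@dataclass
class PlaybookResult:
    alert_id: str
    verdict: str
    confidence: float
    action: str            # "close", "contain" or "escalate"
    steps: list = field(default_factory=list)  # audit trail of what ran


def enrich(alert: Alert) -> tuple[str, float]:
    """Step 1: look up the indicator. Unknown indicators get a neutral verdict."""
    return THREAT_INTEL.get(alert.indicator, ("unknown", 0.0))


def decide(alert: Alert, verdict: str, confidence: float) -> str:
    """Step 2: the automate-vs-analyst boundary.
    Only high-confidence, standard-tier cases are contained without a human."""
    if alert.asset_tier == "critical":
        return "escalate"               # high-impact: analyst judgement required
    if verdict == "malicious" and confidence >= AUTO_CONTAIN_CONFIDENCE:
        return "contain"                # routine, well-understood: automate
    if verdict == "unknown":
        return "close"                  # nothing actionable; still logged
    return "escalate"                   # suspicious or low confidence


def run_playbook(alert: Alert) -> PlaybookResult:
    """Run the playbook steps and record each one for later review."""
    result = PlaybookResult(alert.alert_id, "unknown", 0.0, "escalate")
    verdict, confidence = enrich(alert)
    result.verdict, result.confidence = verdict, confidence
    result.steps.append(f"enrich:{verdict}:{confidence}")
    result.action = decide(alert, verdict, confidence)
    result.steps.append(f"decide:{result.action}")
    return result


def sandbox_run(alerts: list[Alert]) -> dict[str, int]:
    """Sandbox: replay constructed alerts and count outcomes without touching
    any real system. Run this before deploying a changed playbook."""
    counts = {"close": 0, "contain": 0, "escalate": 0}
    for alert in alerts:
        counts[run_playbook(alert).action] += 1
    return counts


# Constructed simulation fixtures (not real incidents).
SAMPLE_ALERTS = [
    Alert("A-1", "edr", "203.0.113.10", "ws-0142", "standard"),    # contain
    Alert("A-2", "edr", "203.0.113.10", "db-prod-01", "critical"),  # escalate
    Alert("A-3", "proxy", "198.51.100.7", "ws-0077", "standard"),   # escalate
    Alert("A-4", "proxy", "192.0.2.44", "ws-0099", "standard"),     # close
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        r = run_playbook(a)
        print(a.alert_id, r.action, r.steps)
    print(sandbox_run(SAMPLE_ALERTS))
```

The `steps` list is the part worth keeping in a real deployment: when a playbook misbehaves, the per-step trail shows whether enrichment or the decision rule was at fault, which is exactly the visibility the post says teams lose when they automate everything at once. Changing `AUTO_CONTAIN_CONFIDENCE` or the tier rule and re-running `sandbox_run` over the fixtures shows how the outcome mix shifts before any live system is affected.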
4. Not taking collaboration into account:
When each team in an organization works with a different set of software tools, the resulting lack of interoperability creates barriers to collaboration between teams. For example, when security teams identify an incident that needs handling, the most they can do in many environments is to send the incident handling team an email. This is inefficient, since the incident handling team is forced to manually transfer the relevant information into their own software. If the incident handling team needs to work with a third team, that team will have to repeat the process yet again.
A single, centralized platform that supports users beyond the security team eliminates this issue. Automated notifications, reporting, and task assignments from a central SOAR platform make collaboration part of the everyday process. Case management features and task management dashboards let users easily track and share incident details between teams.
5. Treating SOAR like magic:
There is no one feature in the market that can instantly solve all the challenges facing a security operations center. The major benefits are related to operational metrics (like reduced threat response times), standard investigation procedures and
Before beginning a SOAR implementation project, evaluate how SOAR can best empower your team (not replace it) to leverage the existing technology stack and add structure to your processes and techniques.
Want to read more about how SOAR can help your business? Learn more in our blog post about how SOAR can transform your security operations.