We are currently seeing a trend toward the adoption of security orchestration, automation, and response (SOAR) tools that shouldn’t waver in the coming years. Research firm Gartner who coined the term has predicted that by the end of 2022 30% of organizations with security teams larger than five people will make SOAR tools part of their operations.

SOAR is said to be a combination of three types of technology—a security orchestration and automation (SOA) tool, a security incident response platform (SIRP), and a threat intelligence platform (TIP). These three distinct technologies make SOAR tools valuable in the eyes of security teams. Their primary purpose? Improving the efficiency of an organization’s cybersecurity processes.

However, not every organization may be ready for successful adoption. According to Gartner, organizational and process maturity is a crucial factor in successful SOAR implementation. Without this, organizations may not be able to maximize the promised benefits.

3 Questions to Determine SOAR Readiness

Are There Well-Defined Internal Processes That Should Be Automated?

Before the automation and response component of SOAR can be set up, organizations need to orchestrate event types and define well-structured internal processes. More specifically, they have to identify specific events to incorporate into the SOAR tool implementation.

After determining event types, companies need to define the appropriate responses to each, taking into account their capabilities and risk tolerance levels. Only then can they start developing specific internal processes to address each event type. They may need to observe and test the outcomes of the different responses before coming up with an efficient process.

Afterward, organizations can determine repetitive processes for automation so they can be sped up. Only security operations centers (SOCs) that have undergone these steps can be deemed genuinely ready for SOAR implementation since it is meant to analyze events they expect to crop up. This step is commonly called “creating a playbook.”

Do You Have the Development Skill Set Needed to Implement SOAR Tools?

Perhaps the most eye-opening statement about SOAR implementation is “SOAR by itself is not a substitute for humans.”

Event orchestration, outcome observation, and process identification as discussed in the previous section are not possible without well-trained and highly skilled security operations staff. The same staff members are also needed to maintain the playbooks that run behind SOAR tools. And so while it may be tempting to choose products that forego the need for skilled human intervention, organizations need to keep in mind that most tools require different levels of customization.

Security operations team members must have coding and scripting skills if their companies want to use SOAR tools effectively.

Do Your Tools Already Have SOAR Capabilities?

SOAR tools require reliable threat intelligence to function. Without threat data to compare internal traffic logs, they may not be able to contextualize information to block malicious events and respond to incidents effectively.

That said, before even considering SOAR use, companies may need to obtain access to actionable threat data from third parties. This approach lessens the amount of time and effort that limited security staff would spend on gathering data on their own.

Also, depending on current cybersecurity solutions in place, companies that already have access to third-party threat intelligence APIs for indicator of compromise (IoC) gathering and analysis may not even require designated SOAR tools. Maybe all that’s left for them to do is to automate threat detection and response as part of their existing systems.

* * *

There is no doubt that SOAR tools can help security operations teams improve efficiency. Before jumping on the bandwagon, however, it’s crucial for organizations to determine first if they are ready to adopt the technology so they won’t waste valuable time, money, and effort. They should also assess their existing toolsets as the functionalities they may be looking for in SOAR tools may already be there just waiting to be harnessed.