Detection cannot be outSOARced
After integrating so many tools and data sources into all sorts of security monitoring workflows and processes, let me share a few thoughts regarding SOAR and how it actually helps (or hinders) the challenge of threat detection based on log telemetry, usually tackled via a SIEM.
Why SOAR?
Before exploring this question, let me share a quick definition I found on a website after picking one of the first search hits:
SOAR: technology that enables organizations to take inputs from a variety of sources (mostly from security information and event management [SIEM] systems) and apply workflows aligned to processes and procedures.
I believe the first thing to address here is the actual need to acquire and integrate a SOAR into your process.
Besides the licence cost, the energy employed to make a SOAR work and generate value is ultimately what defines its true cost. That applies to any new product you need to deploy or integrate.
Note that I'm not anti-automation but the opposite (more below). I'm afraid most buyers have little understanding of what they are attempting to solve by adding a SOAR to their technology stack.
Actually, there's an expectation that it solves the infamous Alert Fatigue problem. That is, with a properly configured SOAR, analysts will no longer need to triage noisy, recurrent alerts.
Is that really the case?
Is that the way to tackle the problem of bad detection signals?
A Case or an Incident management system first?
Terminology aside, Detection Controls basically generate signals widely known as security alerts, which can later become cases or incidents.
Once there's a clear issue that needs deeper attention or investigation, many challenges arise, for instance:
How to…
- … work collaboratively?
- … document the solution for recurrent issues (KB)?
- … make sure the analyst/handler follows a process?
- … link/group/aggregate similar issues?
Now, picking a general term, how do those issues come to exist? Where do they come from? When is a management system demanded?