Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

What Are the Pros and Cons of SOAR?

Security Orchestration, Automation and Response (SOAR) is an oft-discussed term in discussions about cybersecurity. It’s commonly positioned as a solution that can help organizations streamline their security programs, relieve workload from their existing security teams,  and increase the speed to eradicate threats - especially as more organizations are adopting remote work postures while accelerating adoptions of cloud applications.      

But are there also drawbacks to SOAR? What kind of organizations would benefit most from its implementation, and under what kinds of scenarios? To find out, we spoke with Kory Daniels, Global Director, Threat Detection & Response Consulting at Trustwave.

What is SOAR – and What Are Its Benefits?

“SOAR is a critical element of an organizations cyber threat detection and response program maturity,” Kory said. “SOAR combines functionality that cyber teams would need to historically seek out as point-solutions, or homegrown effort, for ticketing/case management, threat intelligence, and scripting automation with other tooling in the infrastructure. The problems that SOAR is used to address are helping to alleviate time sinks, so that staff can focus on higher-value activities.”

Organizations will typically use SOAR to automate many of the processes and tasks that their cybersecurity teams had done historically — especially tasks that were inefficient, reactive, or manually intensive. It helps free up capacity as you become more time-efficient by empowering your skilled security staff to focus on what really matters.  

Additionally, SOAR can help you maximize the value of your internal threat intelligence, with better quality data to help contextualize incidents, make better informed decisions and accelerate threat detection and response.  Aggregating data from all of the wide range of sources – both internal and external – can help your security operations center (SOC) become more intelligence driven, as well as more effective with their time. 

The History of SOAR  

While SOAR is a relatively new acronym in the cybersecurity world, the concept has actually been around for quite some time.

Prior to use of the term SOAR, organizations would have been seeking for whatever tools they could find to try to make case management and investigations more efficient. If you go back far enough, you find organizations using ad hoc solutions, like shifting logs that were kept in documents and spreadsheets on a local computer, to knowledge shares kept on SharePoint.

From that basic principle, purpose-built cyber-automation tools and companies began to be created, especially ticketing systems. The challenge for organizations became trying to integrate and apply automation to all the disparate tools they would be engaged with, from a security information and event management (SIEM) system to intrusion detection and prevention systems (IDPS)  and beyond.

Faced with a hodgepodge of systems, organizations attempted to use ticketing systems to create foundational automation of their process workflows and case management, with varying degrees of success. Of course, as time went on and organizations began to realize that there was room for improvement, the concept of SOAR was developed.

Today, cybersecurity providers have created powerful solutions that integrate SOAR capabilities to combine the best aspects of a ticketing system, the best of threat intelligence, the best playbook automation practices for workflows and threat response and more – giving organizations a true security advantage. In a sense, SOAR technology is essentially making good on the original promise of security information and event management (SIEM) systems from the early 2000’s. 

What Type of Organizations Will Typically Benefit from SOAR?

Almost every organization that needs to detect and responds to threats can benefit from SOAR capabilities, depending on where they are at in their security maturity journey. 

"It really comes down to what your security maturity is, and what your goals are, that will determine what use cases are most valuable for you, and when you need to implement SOAR functionality,” Kory said.  

For organizations that are just starting with cybersecurity and are beginning to put basic procedures and processes in place, implementing native SOAR solutions will probably be a step too far. The best step would be engaging a service provider who has out-of-the-box SOAR capabilities that can easily leveraged within your security environment.

Are There Any Common Pitfalls With SOAR?

While SOAR offers powerful benefits, there can also be potential pitfalls.

“Where organizations typically fall down when trying to implement automation technologies is in not having clearly defined use cases, underestimating skills, and operating model requirements ,” Kory said. “For example, who in the operating model is going to be responsible for the ongoing plan, build and running of SOAR for the threat detection and response program?”

Another common pitfall is a misalignment of expectations. Lot of organizations buy technologies with SOAR capabilities not fully understanding what they’re trying to automate, or whether the breadth of the solution they’re picking actually matches the scope of the problem. Many organizations think they’re getting a security operations center (SOC) in a box. Or, they buy SOAR technology to help defend against phishing, instead of dealing with phishing at its source. These common misunderstandings will wind up simply re-creating some of the problems, or the bad internal processes, that organizations bought the technology to help try and solve.

How SOAR Fits into The Framework of Managed Threat Detection and Response

When it comes to managed threat detection and response services (MTDR), providers such as Trustwave built automation into the very core of the service. Leveraging native SOAR capabilities in the cybersecurity platform and rich APIs and bi-directional integrations with a client’s existing security tools and SOAR capabilities, Trustwave provides extended threat detection and response services across the ecosystem.


DATA SHEET

Trustwave Fusion

Trustwave Fusion connects organizations' digital footprint to a robust security cloud comprised of the Trustwave data lake, advanced analytics, actionable threat intelligence and a wide range of Trustwave services, including Trustwave SpiderLabs, an elite team of security specialists.

Latest Trustwave Blogs

Why Vulnerability Scanning is an Offensive Security Program’s Secret Weapon

Knowing what you don’t know is the key to keeping an organization safe and the best method of doing so is with an offensive security approach that includes vulnerability scanning. By being proactive...

Read More

Upcoming Trustwave Webinar: Maximizing the Value of Microsoft E5

Many organizations license Microsoft 365 E5 to obtain its productivity features, which makes perfect sense because that is what the tool is known for. However, E5 also shines in the security realm...

Read More

Comparably Honors Trustwave with Leadership and Career Growth Awards

Comparably, the leading workplace culture and compensation monitoring employee review platform has recognized Trustwave with two major awards: 2024 Best Companies for Career Growth and 2024 Best...

Read More