What are the biggest hurdles to integrating security automation platforms like SOAR?

Anonymous Author
Each event normally takes a good analyst 30 minutes to go through and write the whole ticket. 30 minutes per event, per day, in an eight hour day: that means do nothing but work and that is a whopping total of 16 events a day. So if you have 1000 events a day, and ideally get 16 per person, you need to have so much manpower, which you can't find, you can't hire, and you can't pay for. So you have to automate. But if you can't automate correctly, to make that decision process, analysis process faster, that's a problem. Automating analyst actions is what makes it really hard for automation platforms. So, I know I need to isolate a machine, that's pretty easy. I need to remove an identity or stop an identity or enact the network lock or take these preventative engaging actions that would stop business but also stop threats. The business owns the infrastructure. So, in my company I do not have the authority or ability to reach into an infrastructure device myself and make change. I have to work through a third party, the network group, to enact that change. And that's where that SOAR platform difficulty gets really hard because to pay for a SOAR platform, it will cost you a million dollars. You have to say, "I'm going to pay a million dollars for a SOAR platform, I have to offset $2 million worth of manpower value, or risk." And to get that value, I have to step into that enact/protect state. And the group that owns that, being the network group or the desktop group or the AD group, they don't necessarily want to share their cake. They want to keep you out of their business and keep you from messing up their processes. Because if a step that you take impacts them, they're the ones that are going to be called in front of the boss who's asking, "Hey, why did email go down?" And if they try to explain it was security the boss says, "Security nothing. It's your thing." And that to me is the biggest stop: How do I justify the cost when the best value to response comes in implementing into a toolset that does not natively belong to security?
1 upvotes
Anonymous Author
I came up from an IT background before I moved into IT security. One of the things we learned in IT was, with a SOAR platform, you need integration of multiple platforms coming in to get your telemetry and your information, and you need integration of the outbound, in other words, in order to react. That integration traditionally over the history of IT has not been easy. As a matter of fact, it's been a stumbling block for a lot of different types of integration or, I should say, applications or solutions that run like this. The premise of a SOAR, if it actually works and is functional, is that it automates the OODA loop: the observe, orient, decide, and act, as we all know it. It is great as long as the solution that we put in place is able to integrate with your input and integrate with the actions that need to be taken. And when you look at some companies, integrating even on the output with different types of firewalls, ACLs and so on may be problematic. I'm not negative against SOARs, it's just because of my IT background, those are the things I look out for.
1 upvotes
Anonymous Author
When you look specifically at different industries, and the age of the infrastructure or the infrastructure that they have to rely on, it makes it even more challenging. There was no intention for anybody to ever be able to programmatically control some of these things. They were always designed to be manual input. And on a lot of that, the juice is just not worth the squeeze. So, for some of these things you look at it and you go, "Of the percentage of events that I get in, that I can automate, that I can automatically remediate, what can I get out of that?" So, I can take a simple example and I can look at, "Well, how much noise do I get generated just out of phishing attempts? And how many tickets are those doing? And is there automation there I can go through and I can then take care of those automatically? How can I go through and search for it to go through and auto remediate some of those things." I think the key, if you're going to do one, is you have to figure out if there is enough low hanging fruit that you can put in that's going to pay for itself. Because some of those big hairy problems are probably going to be big hairy problems for a long time, they're institutionalized. So, you're not going to get a one year or a two year ROI on those things.
1 upvotes
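The three replies above make the same two points from different angles: the first reply's manpower arithmetic (30 analyst-minutes per event, 16 events per analyst-day, 1000 events a day) and the ownership problem (security cannot touch network or AD systems without another team), and the third reply's test of whether the low-hanging fruit, such as phishing-report noise, covers enough volume to pay for the platform. The following is an added illustration, not code from any of the posters or from any SOAR product: a minimal playbook that runs the "decide" step over a handful of constructed events, lets an action run automatically only when every system it touches is security-owned, routes anything else to the owning team for approval, and then turns the automation coverage back into the analyst-headcount figure the first reply reasons about. The ownership map, the event schema and the decision table are all hypothetical.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Figures quoted in the first reply: 30 analyst-minutes per event, eight-hour day.
MINUTES_PER_MANUAL_EVENT = 30
EVENTS_PER_ANALYST_DAY = (8 * 60) // MINUTES_PER_MANUAL_EVENT  # 16

# Hypothetical ownership map: which team controls the system each action touches.
# Only actions on security-owned systems may run without a human approval step;
# anything else goes to the owning team, as the first reply describes.
ACTION_OWNER: Dict[str, str] = {
    "close_false_positive": "security",
    "quarantine_message": "security",
    "open_analyst_ticket": "security",
    "isolate_host": "network",
    "disable_account": "ad",
}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[dict] = [
    {"id": "E1", "type": "phishing_report", "url_verdict": "known_bad", "clicked": False},
    {"id": "E2", "type": "phishing_report", "url_verdict": "unknown", "clicked": False},
    {"id": "E3", "type": "phishing_report", "url_verdict": "known_bad", "clicked": True},
    {"id": "E4", "type": "malware_alert", "severity": "high", "host": "WS-042"},
    {"id": "E5", "type": "phishing_report", "url_verdict": "benign", "clicked": False},
]


@dataclass
class Decision:
    event_id: str
    actions: List[str]
    automated: bool       # closed by the playbook with no analyst time spent
    approvals: List[str]  # teams that must approve before an action runs
    reason: str


def decide_actions(event: dict) -> Tuple[List[str], str]:
    """Hypothetical decision table: the 'decide' step of the OODA loop."""
    kind = event["type"]
    if kind == "phishing_report":
        verdict, clicked = event["url_verdict"], event["clicked"]
        if verdict == "benign" and not clicked:
            return ["close_false_positive"], "reported link is benign and was not clicked"
        if verdict == "known_bad" and not clicked:
            return ["quarantine_message"], "known-bad link, no click: pull the message"
        if verdict == "known_bad" and clicked:
            return (["quarantine_message", "isolate_host", "disable_account"],
                    "user clicked a known-bad link")
        return ["open_analyst_ticket"], "URL verdict unknown, needs analyst review"
    if kind == "malware_alert" and event.get("severity") == "high":
        return ["isolate_host"], "high-severity malware detection"
    return ["open_analyst_ticket"], "no playbook rule matched"


def triage(event: dict) -> Decision:
    """Apply the decision table, then gate actions on who owns the target system."""
    actions, reason = decide_actions(event)
    owners = {ACTION_OWNER[a] for a in actions}
    approvals = sorted(owners - {"security"})
    # An event only counts as automated if no other team must approve and
    # it is not simply being handed to an analyst as a ticket.
    automated = not approvals and "open_analyst_ticket" not in actions
    return Decision(event["id"], actions, automated, approvals, reason)


def run_playbook(events: List[dict]) -> List[Decision]:
    return [triage(e) for e in events]


def summarize(decisions: List[Decision]) -> dict:
    """How much of the manual load the playbook removes on this sample."""
    total = len(decisions)
    automated = sum(1 for d in decisions if d.automated)
    minutes_saved = automated * MINUTES_PER_MANUAL_EVENT
    return {
        "events": total,
        "automated": automated,
        "coverage": automated / total if total else 0.0,
        "analyst_minutes_saved": minutes_saved,
    }


def analysts_needed(daily_events: int, coverage: float) -> int:
    """Headcount for the events the playbook does not close, at 16 per analyst-day."""
    remaining = daily_events * (1.0 - coverage)
    return math.ceil(remaining / EVENTS_PER_ANALYST_DAY)


if __name__ == "__main__":
    decisions = run_playbook(SAMPLE_EVENTS)
    for d in decisions:
        status = "AUTO" if d.automated else f"approval: {', '.join(d.approvals) or 'analyst'}"
        print(f"{d.event_id}: {d.actions} [{status}] - {d.reason}")
    stats = summarize(decisions)
    print(stats)
    print("analysts at 1000 events/day, no automation:", analysts_needed(1000, 0.0))
    print("analysts at 1000 events/day, this coverage:", analysts_needed(1000, stats["coverage"]))
```

On the constructed sample, two of five events close without an analyst (the benign report and the known-bad-but-unclicked report), the clicked phishing case needs both the network and AD teams, and the high-severity host alert needs the network team. Scaling that 40 percent coverage to the first reply's 1000 events a day cuts the required headcount from 63 analysts to 38, which is the kind of number the third reply says you need before the platform pays for itself; note that the two events needing cross-team approval are exactly the ones where the highest-value response lives, and the playbook does nothing for them beyond routing the request.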