Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.
Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of approach can maximize investments by bringing new and existing security tools together, make SOC analysts more productive by moving their workflow into one place, and provide flexibility for organizations as their IT and security programs change. Our vision for a next-generation, open and integrated security platform is built around three key tenets:
- Open architecture: With the growing number of different tools and cloud platforms that organizations are using today, a next-gen security platform must be open enough to easily work with different tools from different vendors. Consolidating existing tools or moving data is often too expensive and complex to undertake, but adopting a platform that is based on open-source technology and backed by an open standards body allows teams to maximize existing investments by bringing all tools together in a standardized way.
- Centralized hub: SOC analysts can improve their productivity with one primary system of record to manage their workflows. A centralized hub on top of an open architecture provides a way to fuse people, process and technology. This enables analysts to move out of the individual tools they use and streamline their work into one place while still providing the valuable data from the existing tools and decreasing the need to train the entire SOC on all of the tools deployed. The goal is to automatically put the right information in front of the right person at the right time to drive effective and decisive resolution.
- Flexible deployment: Most organizations are using multiple clouds and on-premises solutions to manage their security and IT environments. And each is typically in the midst of their own unique journey to the cloud. A next-gen security platform that can deploy anywhere gives businesses the flexibility to choose what’s best now, and in the future, while avoiding lock-in to a particular deployment model.
SOAR is at the core of a next-gen security platform
Security orchestration, automation and response (SOAR) solutions are built on four engines as defined by Gartner: workflow and collaboration, ticket and case management, orchestration and automation, and threat intelligence management. The fusion of these capabilities improves SOC productivity and incident response (IR) times by bringing together people, process and technology. As such, these engines also provide an ideal basis for a robust security stack. Indeed, SOAR capabilities based on an open architecture and with a flexible, hybrid cloud deployment is the ideal approach for a security platform that fulfills this vision.
Placing SOAR at the heart of a security platform helps teams extend and maximize value across the ecosystem and to any security process while working in a centralized, coordinated manner. Incorporating SOAR capabilities into a next-gen security platform provides a foundation that will deliver several benefits.
Better communication within and outside the security team
Any SOC, especially a virtual one, requires seamless collaboration to guide responses and organize tasks — this is a key capability of a SOAR platform. Rather than starting from scratch, teams can work intelligently by following workflows embedded within dynamic playbooks. Furthermore, security teams can leverage the workflow and collaboration engine of SOAR to communicate with key players in different functions, such as IT, legal, HR or PR, helping to facilitate a coordinated and efficient response.
Improved efficiency with centralized case management
SOC analysts gain efficiencies from case management capabilities that can be managed from the centralized hub of a SOAR solution, eliminating the need to switch between multiple tools and dashboards. When case management is extended beyond the SOAR solution and into a broader security platform, it provides analysts with a common format to use across all connected capabilities. A strong case management function will also include dashboard and reporting capabilities to track metrics and KPIs, highlight trends and gaps, and elevate the business value of the SOC.
Maximum depth and breadth of the ecosystem
Security teams can maximize the depth and breadth of their ecosystems through an open architecture. An open, standards-based approach allows SOC teams to leverage the capabilities of a diverse ecosystem through integrations across a wide variety of data sources and tools and to capitalize on existing investments. The orchestration of these technologies extends SOAR capabilities while providing security analysts greater visibility into the ecosystem.
Placing SOAR at the heart of a next-gen platform allows customers to extend SOAR benefits beyond the incident response process for which SOAR was created to include any security process, such as vulnerability management, identity management, DevSecOps and more. This not only logically extends this investment to generate additional ROI but also yields KPIs about these processes, which can be used to drive continuous improvement and transform security’s relationship to the rest of the organization.
Learn about QRadar SOAR
VP Product Management and Co-Founder of Resilient, IBM
VP, Product Management, IBM Security