Security teams today are facing increased challenges due to the “new normal” created by the recent global health crisis. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees must move to a virtual security operations center (SOC) model while addressing an increasing number of threats and devoting more time to family needs and home demands.

Disconnected teams accelerate the need for an open and connected platform approach to security. Adopting this type of approach can maximize investments by bringing new and existing security tools together, make SOC analysts more productive by moving their workflow into one place, and provide flexibility for organizations as their IT and security programs change. Our vision for a next-generation, open and integrated security platform is built around three key tenets:

  1. Open architecture: With the growing number of different tools and cloud platforms that organizations are using today, a next-gen security platform must be open enough to easily work with different tools from different vendors. Consolidating existing tools or moving data is often too expensive and complex to undertake, but adopting a platform that is based on open-source technology and backed by an open standards body allows teams to maximize existing investments by bringing all tools together in a standardized way.
  2. Centralized hub: SOC analysts can improve their productivity with one primary system of record to manage their workflows. A centralized hub on top of an open architecture provides a way to fuse people, process and technology. This enables analysts to move out of the individual tools they use and streamline their work into one place while still providing the valuable data from the existing tools and decreasing the need to train the entire SOC on all of the tools deployed. The goal is to automatically put the right information in front of the right person at the right time to drive effective and decisive resolution.
  3. Flexible deployment: Most organizations are using multiple clouds and on-premises solutions to manage their security and IT environments. And each is typically in the midst of their own unique journey to the cloud. A next-gen security platform that can deploy anywhere gives businesses the flexibility to choose what’s best now, and in the future, while avoiding lock-in to a particular deployment model.

SOAR Is at the Core of a Next-Gen Security Platform

Security orchestration, automation and response (SOAR) solutions are built on four engines as defined by Gartner: workflow and collaboration, ticket and case management, orchestration and automation, and threat intelligence management. The fusion of these capabilities improves SOC productivity and incident response (IR) times by bringing together people, process and technology. As such, these engines also provide an ideal basis for a robust security stack. Indeed, SOAR capabilities based on an open architecture and with a flexible, hybrid cloud deployment is the ideal approach for a security platform that fulfills this vision.

Placing SOAR at the heart of a security platform helps teams extend and maximize value across the ecosystem and to any security process while working in a centralized, coordinated manner. Incorporating SOAR capabilities into a next-gen security platform provides a foundation that will deliver several benefits.

Better Communication Within and Outside the Security Team

Any SOC, especially a virtual one, requires seamless collaboration to guide responses and organize tasks — this is a key capability of a SOAR platform. Rather than starting from scratch, teams can work intelligently by following workflows embedded within dynamic playbooks. Furthermore, security teams can leverage the workflow and collaboration engine of SOAR to communicate with key players in different functions, such as IT, legal, HR or PR, helping to facilitate a coordinated and efficient response.

Improved Efficiency With Centralized Case Management

SOC analysts gain efficiencies from case management capabilities that can be managed from the centralized hub of a SOAR solution, eliminating the need to switch between multiple tools and dashboards. When case management is extended beyond the SOAR solution and into a broader security platform, it provides analysts with a common format to use across all connected capabilities. A strong case management function will also include dashboard and reporting capabilities to track metrics and KPIs, highlight trends and gaps, and elevate the business value of the SOC.

Maximum Depth and Breadth of the Ecosystem

Security teams can maximize the depth and breadth of their ecosystems through an open architecture. An open, standards-based approach allows SOC teams to leverage the capabilities of a diverse ecosystem through integrations across a wide variety of data sources and tools and to capitalize on existing investments. The orchestration of these technologies extends SOAR capabilities while providing security analysts greater visibility into the ecosystem.

Placing SOAR at the heart of a next-gen platform allows customers to extend SOAR benefits beyond the IR process for which SOAR was created to include any security process, such as vulnerability management, identity management, DevSecOps and more. This not only logically extends this investment to generate additional ROI but also yields KPIs about these processes, which can be used to drive continuous improvement and transform security’s relationship to the rest of the organization.

SOAR on IBM Cloud Pak for Security

IBM Cloud Pak for Security is an open, integrated security platform with SOAR capabilities that allows you to connect to your existing data sources to generate deeper insights and quickly orchestrate actions and responses to those threats — all while leaving your data where it is.

To learn more about how IBM Cloud Pak for Security provides a platform approach with SOAR as a foundational and core component, join us for our upcoming webinar. Product leaders from IBM Security will provide an overview of how security teams can leverage the IBM Cloud Pak for Security platform with proven, mature SOAR capabilities from IBM Security Resilient to improve collaboration and management of security incidents across disparate data, tools and teams.

Register for the webinar

More from CISO

Do You Really Need a CISO?

2 min read - Cybersecurity has never been more challenging or vital. Every organization needs strong leadership on cybersecurity policy, procurement and execution — such as a CISO, or chief information security officer. A CISO is a senior executive in charge of an organization’s information, cyber and technology security. CISOs need a complete understanding of cybersecurity as well as the business, the board, the C-suite and how to speak in the language of senior leadership. It’s a changing role in a changing world. But…

2 min read

What “Beginner” Skills do Security Leaders Need to Refresh?

4 min read - The chief information security officer (CISO) was once a highly technical role primarily focused on security. But now, the role is evolving. Modern security leaders must work across divisions to secure technology and help meet business objectives. To stay relevant, the CISO must have a broad range of skills to maintain adequate security and collaborate with teams of varying technical expertise. Learning is essential to simply keep pace in security. In a CISO Series podcast, Skillsoft CISO Okey Obudulu recently said,…

4 min read

The Needs of a Modernized SOC for Hybrid Cloud

5 min read - Cybersecurity has made a lot of progress over the last ten years. Improved standards (e.g., MITRE), threat intelligence, processes and technology have significantly helped improve visibility, automate information gathering (SOAR) and many manual tasks. Additionally, new analytics (UEBA/SIEM) and endpoint (EDR) technologies can detect and often stop entire classes of threats. Now we are seeing the emergence of technologies such as attack surface management (ASM), which are starting to help organisations get more proactive and focus their efforts for maximum…

5 min read

How the Talent Shortage Impacts Cybersecurity Leadership

4 min read - The lack of a skilled cybersecurity workforce stalls the effectiveness of any organization’s security program. Yes, automated tools and technologies like artificial intelligence (AI) and machine learning (ML) offer a layer of support, and bringing in a managed security service provider (MSSP) provides expertise that isn’t available in-house. But it isn’t enough, especially for the medium-sized businesses that would most benefit from an internal security team. However, the talent shortage doesn’t just impact present-day security concerns. The lack of a…

4 min read