Hackers and analysts do battle with tools and techniques that are constantly evolving. Cybersecurity is an arms race, but it's not a fair one: the bad guys get endless "do overs" during the attack, yet a single InfoSec mistake could invite a breach. This burden of consistency is probably why the good guys are losing. However, something new is coming over the horizon that could even the score.
If there was ever a day when software automatically stopped breaches, that era is gone. Attackers continually alter malware, so complete certainty in threat detection is only possible for simple attacks. Advanced detection technologies are far more sensitive, and they require a partnership with humans: their job is to quickly alert analysts with "Take a look at this."
These human practitioners examining alerts represent a weakness. Outlier Security founder and CTO Greg Hoglund compares them to weary-eyed night watchmen. "Analysts are tired of doing the same repetitious task," he explains. "They have too much data bombarding them. It doesn't mean you can remove the human from the loop, but it does mean you can make the humans you have more productive."
Today, everyone uses Security Information and Event Management (SIEM) technology to consolidate alerts from their detection products into a single list of priority actions. Yet no aggregation technologies have arisen to organize the response to these alerts. These response activities are most of the work within a SOC, and employ myriad products including antivirus, sandboxes, and forensic tools like Volatility and EnCase.
Introducing Security Orchestration, Automation and Response (SOAR)
SOAR solutions really represent the first effort to act as a quarterback, guiding response activities across many products. Orchestration and automation vendors accomplish this by building connectors against each security product's APIs. Take Phantom, for example. The SOAR vendor boasts third-party apps for "over 670+ APIs across more than 135 security technologies," according to Chris Simmons, the company's director of product marketing.
SOAR orchestrates your many products inside a platform that encompasses:
- Alert Ingestion & Management -- SOAR products ship with connectors to ingest all the SIEM alerts requiring response. Case Management dashboards monitor ongoing activities and alerts that have become real incidents. Analysts can view daily dashboards to see what they're supposed to prioritize and work on.
- Automating Tasks in Playbooks -- Displayed within these platforms are an organization's arsenal of owned security products, along with any tasks that can be performed through those products' API calls. These tasks can be dragged into visual playbooks to orchestrate and automate response: for instance, cross-checking alert information against threat intelligence feeds, using endpoint response products to collect telemetry, sandboxing files, or preserving forensic evidence.
- Collaboration and Learning -- Most of InfoSec personnel's work is in chasing down alerts. SOAR products enable multiple incident responders -- "Threat Hunters" or people from the IT help desk -- to coordinate their logistics.
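To make the playbook idea concrete, here is a small orchestration runner written for this article (not any vendor's code): a SIEM alert is ingested, a threat-intelligence connector enriches it, and the playbook branches into telemetry collection and evidence preservation or analyst review, recording every step in a case. The feed contents, the alert and the telemetry pull are all constructed stand-ins using RFC 5737 documentation addresses.

```python
"""Illustrative SOAR-style playbook runner; constructed example, not a product API."""
from dataclasses import dataclass, field

# Constructed threat-intel feed: indicator -> verdict (stands in for a real TI connector).
THREAT_INTEL = {"198.51.100.23": "malicious", "203.0.113.9": "suspicious"}


@dataclass
class Case:
    """Case-management record: what the playbook decided and every action it took."""
    alert_id: str
    severity: str = "low"
    actions: list = field(default_factory=list)  # audit trail, one entry per step


def enrich_with_intel(alert):
    """Connector step: cross-check the alert's source IP against the intel feed."""
    return THREAT_INTEL.get(alert.get("src_ip"), "unknown")


def collect_telemetry(host):
    """Connector step: stand-in for an endpoint-response telemetry pull (constructed data)."""
    return {"host": host, "processes": ["svchost.exe", "powershell.exe"]}


def run_playbook(alert):
    """Playbook: ingest -> enrich -> branch on verdict -> open a case with an audit trail."""
    case = Case(alert_id=alert["id"])
    verdict = enrich_with_intel(alert)
    case.actions.append(f"intel:{verdict}")
    if verdict == "malicious":
        # Confirmed hit: escalate, pull endpoint telemetry, preserve evidence for forensics.
        case.severity = "high"
        telemetry = collect_telemetry(alert["host"])
        case.actions.append(f"telemetry:{len(telemetry['processes'])} processes")
        case.actions.append("evidence:preserved")
    elif verdict == "suspicious":
        # Ambiguous: keep the human in the loop rather than auto-contain.
        case.severity = "medium"
        case.actions.append("analyst:review")
    else:
        case.actions.append("closed:no-intel-match")
    return case


if __name__ == "__main__":
    # Constructed SIEM alert fed into the playbook.
    print(run_playbook({"id": "ALERT-1", "src_ip": "198.51.100.23", "host": "ws01"}))
```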
To this final point, Rishi Bhargava, CEO of Demisto, describes his company's product as a collaboration platform for "enhanced learning among analysts." The vision is to replicate what your most skilled practitioners do, and walk junior analysts through these effective playbooks. Yet some take it a step further than humans working together. Bhargava adds that Demisto's machine learning "enables analysts to escalate their knowledge levels."
SOAR market growth expected
Big industry players are banking on SOAR to be a big deal, with few naysayers. Gartner predicts, "A large percentage of the security budget will shift to SOAR." FireEye, Rapid7 and IBM have all purchased SOAR products. Mega IT ticketing company ServiceNow has released an orchestration and automation offering. SIEM giant Splunk has also stepped into the arena. Across the industry, momentum is swelling.
Meet the new players
Innovation usually arrives at the hands of startups, which often operate better autonomously than when pushing against an acquiring company's inertia. Despite the entry of large vendors, history shows that at least one new brand typically survives in the category its founders created. These four US-based startups focus exclusively on SOAR, and most of them date back to the birth of this category in 2014 or 2015:
- Demisto was founded by former McAfee execs and has major venture capital (VC) backing. The company delivers more than the typical SOAR features. CEO Rishi Bhargava describes the company as a "social platform to collaborate." They were also one of the first to ship a solution with machine learning capabilities.
- Phantom also has an impressive list of VCs backing them. In addition to numerous connectors, Phantom's solution boasts an AI capability dubbed "Phantom Mission Guidance." It's designed to support analysts, Chris Simmons says, "by suggesting possible steps to investigate, contain, eradicate, and recover."
- Swimlane focuses on a complete platform, going beyond response, compliance and automation to add "the ability to bring these capabilities together where security teams are first class citizens," according to Founder and CEO Cody Cornell. Cornell believes automation "will become a cornerstone capability of the SOC in the not too distant future."
- CyberSponse is building its future with open technologies and a traditional business model. Founder and CEO Joe Loomis says CyberSponse is the only platform with open source playbooks. He's also thinking out of the box with funding: "We are not VC based and happy customers are more important than revenue."
How much will automation impact the SOC?
SIEMs have been the main product that SOCs keep on the big screen to monitor overall security health -- they get more of InfoSec's "eyeball time" than any other product. Yet in the end they only produce a "To Do" list. Responses to these alerts encompass most of the SOC's activities. This begs the question: could SOAR products be the first category to steal the SIEM's eyeball time?
Bhargava believes so. "That is absolutely happening," he argues. "The real investigation work is starting to happen in the automation platforms, and I absolutely agree that we will get more." Not everyone is optimistic about slaying the goliaths. Certainly acquisition is in store for some of SOAR's founding startups. Loomis comments: "I think the future is that SIEMs will acquire a SOAR capability or build such an offering within five years."
No matter who brings automation to the people, it will fundamentally change the way SOCs operate.
— Paul Shomo is the Sr. Technical Manager, 3rd Party Technologies at OpenText.