Insider Insights: A CISO Perspective on the value of SOAR

Gartner’s latest report on Security Orchestration, Automation, and Response (SOAR) has ignited a heated discussion within the cyber security community. The report critiques how SOAR has not lived up to its initial hype, revealing significant shortcomings and overstated promises. It highlights how it often falls short due to the complex threat landscape and operational challenges. As a result, many organisations are struggling with high costs and disappointing returns on their SOAR investments.

Our Chief Information Security Officer (CISO), Darren Humphries, shares how Acora handles these challenges. He talks about how Acora’s approach not only addresses the shortcomings identified in Gartner’s report but also optimises SOAR effectively from both a technology and partner standpoint, all whilst making sure that it complies with realistic security needs.

Handling Initial Setup Costs

Initial setup costs are addressed by defining which alert is most critical. This is done through integrated workflow intelligence and automated threat hunting built to efficiently identify attack, compromise, and phishing attempts. Analysts have all information at their fingertips as a package of data to work on, allowing them to handle multiple cases as one and focus senior roles on high-priority issues. We have our goals, methodologies of how we want to achieve and as end users, we have that knowledge as things evolve. All lessons learned are incorporated into the playbook data, saving analysts time and money when they check out credentials and enter into systems and metricate them.

Mitigating Ongoing Maintenance and Support Costs

To lower continuous maintenance and support expenses, Acora employs a well-structured team of analysts and detection engineers. For every 100 L2 in the world, there is one good detection engineer, which guarantees the support and expertise required to enhance detection capabilities. This setup is similar to that of a racing car driver and technician, where a thorough knowledge of the system enhances overall performance.

Specialised Personnel and Coding Skills

As an outsourced provider, Acora offers a flexible service model that incorporates SIEM and SOAR platforms. With this setup, we cater to 84 clients with up-to-date threat intelligence. By utilising crowdsourced intelligence from our partners and customers, we have the ability to enhance our SOAR and SentinelOne platforms without the need for specialised personnel or analysts with extensive coding skills.

Integration and Interoperability

Acora excels at integrating third-party connections and customised tools to improve and integrate primary security processes. Whilst SOAR systems are central to the workflow, additional tools like Tenable NESSUS are used for specific tasks, ensuring that the best resources are available for each need thus, avoiding disillusionment with unrealistic expectations of SOAR as a standalone solution. Rather than replacing the current systems, we concentrate on improving the main use cases.

Managing Expectations of SOAR

SOAR systems are tools meant to support human decision-making not a replacement for existing security solutions. Acora’s service architecture is centred on improving these tools to support human intervention and decision-making processes as opposed to resolving every security issue on its own.

Staying Up-to-Date with Evolving Threats

Acora ensures that its SOAR system stays current with changes in hacker tactics, techniques, and procedures (TTPs) by using it as a central workflow system to guide analyst activities and priorities. Whilst SOAR enhances security operations, it does not replace essential tools like SIEM or cloud systems. Rather, it complements them, similar to how a Swiss Army knife has various tools for different tasks. The key is understanding and using each tool for its intended purpose, avoiding misconceptions about SOAR’s purpose in the broader security ecosystem.

Innovative Approaches and Future Outlook

Despite Gartner’s concerns about the decline of SIEM and SOAR, we actively maintain and make use of these tools by rigorously testing them, engaging with customers, and innovative approaches from Picus and detection engineering to ensure they remain relevant and up-to-date. We collaborate with our ecosystem partners and utilise top-tier tools and training to support our hybrid models, including SOCaaS. Acora’s proactive strategies and innovative models address the evolving challenges of SOAR systems, ensuring that they provide top-tier security services and maintain resilience against emerging threats.