Event Recording

Panel: Best Practices to Get Started on Your SOAR Journey


Perfect. So maybe we start with a really, really short introduction round. Maybe we start with Richard, in 20 seconds: who are you?
Yeah, welcome everybody. Great having the session. I'm Richard Cassidy, senior director for security strategy for Exabeam. I've been working in the security industry for the past 21 years, including incident response, threat management, building SOCs, managing SOCs, being the analyst. So I'm hopefully going to bring some of that to the discussion today.
Thank you. Harrison?
Hey guys, great to be here. My name's Harrison Parker. I'm the solutions architect for Siemplify. I've got quite a few years of cybersecurity experience, around four or so, Harvard graduate, and I'm really happy to be speaking with you.
Perfect. And Annette, for those who joined this session, a few words about you.
Yes, thank you. Hello everyone. My daily job is at Cyber Services, a cybersecurity service provider, a knowledge-based service provider, where I'm responsible for strategic business development and operations. And my non-paid job is being the president of the Women4Cyber Foundation Europe, which works in collaboration with the European Cyber Security Organisation. What I didn't have time for in my presentation was to highlight how the EU should actually approach this SOAR arena. So I'm very happy to share my thoughts on this in the panel discussion.
You're welcome. Yes, we can do that. John, a few words about you.
John Tolbert, I'm a lead analyst here at KuppingerCole, covering cybersecurity and identity topics. Last year I wrote a Leadership Compass, that's our comparative report, on SOAR platforms, and I'm working on other cybersecurity topics right now.
Very cool, thank you. So maybe just to give you an idea how we will do this: I have several questions for you, and some of them I will ask one of you, and for some, all of you give your opinion about that. That's the idea of how we do this panel. But as we realize, we have a lot of people, a lot of cool speakers, so let's start quickly. First question: why should organizations transition to a SOAR model now? And the focus is now, not in 10 years. Why really now? Maybe we start with Harrison.
Sure thing, great question. So it really has to do with the technological landscape that we're dealing with. You can simply walk into any RSA or Black Hat convention to understand that the technology is increasing at an incredibly fast speed. As a result, you're going to be getting all sorts of new types of alerts, new sorts of ways to detect anomalies and breaches and that sort of thing. So it's important to lay down the groundwork to automate as many of those low-level alerts as possible. Once you have a good SOAR platform in place, it's easy to develop and continue to increase and expand upon your automated capabilities for the future and keep up with the technology curve.
Great. Richard, what do you think? Why should organizations start now with a transition?
You know, look, essentially I'll tackle it from two sides of the coin, right? One is as practitioners. If you're the analyst and you are working in security operations, you know that you are fighting a losing battle against the automation that you are seeing in the attacker space. So you are having to respond to more data sets; your companies are on this hybrid digital transformation journey due to the world that we now exist in. So you're getting into a lot of small SaaS environments, a lot more data sets that you have to combine and analyze. So doing that in the old manual styles isn't scaling, essentially. So you need security orchestration, automation and response to help you bring computing power and capability to the manual tasks that you previously did. And so that's one main reason. If you're a CSO, if you're an executive in a business, you're going to have to show how you're going to be able to improve and enhance your business's capability around risk management, and SOAR brings that capability to you. There are more layers behind it though; how you do SOAR is important, what comes before SOAR. But if you're a CSO, you've got to be thinking about how to enhance what your current workforce can achieve and how you can cover risk much more effectively with your existing data. And those are the two reasons, in my opinion.
Hmm, thank you. Annette, next question for you: what are the basic questions corporates need to ask before automating their security approaches?
Hmm, that's a very good question. I believe they have to ask themselves, and they have to investigate in-house, internally, whether they are really capable of doing that, because automation needs to be done in a very, very cautious way. It needs to be prepared properly, and then it needs to be implemented properly, so as not to fall into the trap that, you know, this whole automation implementation is rushed and they don't have the in-house capability to run it. Because what I wanted to mention, slightly related to the previous question, is that it's quite fine that we are rushing this automation thing. It's a must, actually, because the volume of data is just growing extensively from day to day. And what we don't have growing at that speed is the available human resource to actually manage it somehow. So on one hand, automation is a must because of the volume of data that we have to deal with. On the other hand, automation is a must because we don't have the necessary human resource to manage that. But automation needs to be done in a very cautious way, because the number of humans who can actually strategically manage that is limited. So it's a kind of controversial issue, I believe.
Great. John, you nodded your head, anything to add from your end?
Yeah, I think Annette is right. You know, it's both the volume of data and the sophistication and frequency of attacks. I think SOAR tools can help automate a lot of these repetitive analyst tasks, but at the same time, you know, no organization should go out and buy a SOAR platform thinking that somehow they can get rid of analysts. You know, these are tools to help analysts deal with the ever-increasing amounts of data and work to do. And really, without it, I think it's difficult for them to keep up with the levels of attacks and the amount of data that has to be sifted through. So there's lots of opportunity to automate, let's say, just the initial investigation piece: collecting information from different parts of your ecosystem, putting that together, running that against, you know, CTI sources, seeing if it's been seen elsewhere, and then kicking off an exercise to look for that across your entire environment. Those are things that with SOAR you can do very quickly; without SOAR, you can spend days just on that initial evidence collection phase.
Great, thank you. So my first question was why to start now, and maybe another very important question for Richard is: how can we start implementing SOAR initiatives when we have nothing?
Yeah, and it's a tough question, especially if you have a business that is kind of used to doing things the way they always did them. And so as a leader, and even as a manager of a practitioner group, SOAR is a benefit. And it's a benefit when it allows the analyst more time to do more mission-critical tasks for the business, and when it allows the decision making of the executive leadership team to show better outcomes and benefit to the business. So when you're thinking about how to implement SOAR, you should be looking at the tasks that are really a blocker to getting the outcomes you require, or are taking too much time, or that you could do much, much more efficiently by implementing SOAR correctly. And if you take that story to your practitioners, to your leadership team, and you show where this continuous improvement model can be kind of underpinned by SOAR, then you're not going to get much pushback or fight from those that are going to be affected by it. And it should always be seen as a positive outcome. But it all comes back to my final point here, which is making sure you have the right data in your SOAR strategy that protects the assets that you're looking to protect in the way that you want to protect them. That's the key gap you have to bridge when looking at SOAR implementation.
Definitely. Annette, what's your opinion about that? How to start with a SOAR initiative in an enterprise organization?
In that part of the world where I live, let's say in the Eastern part, what is absolutely beneficial is tackling the shadow IT issue. So that's a kind of added value that IT managers realize only after implementing the very first steps in SOAR: how much they can gain from implementing small measures, tackling this issue and figuring out what they have in their systems. On the other hand, the very first steps are really useful for what was already mentioned by Harrison, which is that you can spare a lot of human effort, a lot of resources, which can be channeled into more specific, more targeted issues. On the other hand, or I could even say additionally, implementing the very first steps of SOAR can actually provide a much stronger situational awareness to the organizations or the enterprises. So that would be my two cents on it: to concentrate on shadow IT and to implement those very first steps of SOAR that can give you even a first-stage situational awareness.
Definitely. Harrison, implementing SOAR is really a challenging thing. There's a lot to do and a lot to prepare and a lot to take care of, but there are also new business applications that can be enabled by SOAR. So what do you think is the most beneficial thing here?
Yeah, that's a really good question. So SOAR is so open-ended; there are a million different ways you can take it. So the previous company I worked at was actually a threat intelligence company, and one of my favorite ways, or sort of business applications of SOAR technologies, is actually to use your operations to confirm the discovery of new indicators of compromise. You can then take those indicators of compromise, republish them into some sort of threat intelligence platform or repository, and have that automatically be distributed to your firewalls, to your network security tools, anything like that. So that's definitely one of my favorites, but like I said before, there are just a million different ways you can take it.
Definitely. John, what about you? What do you think are new beneficial business applications that implementing SOAR can give a new organization, or any organization?
Well, I think one of the newer benefits is around being able to collect information about how analysts work, you know, the ability to not only collaborate on tickets and remediate security incidents in a more timely fashion, but to be able to, after the fact, go in and look at who's spending what time on which tasks, and then to be able to take that and think about: okay, next time we have to face something like this, what are the areas for improvement? How can we get even quicker? What are the other things that we can potentially automate to make the next event less impacting and go more smoothly?
Thank you. We have a question from the audience. I'm not 100% sure if one of you can answer it sufficiently, but it goes in the direction of new business applications, or maybe threats. The question is: how is quantum computing going to affect or impact SOAR? Does anyone have an idea how to answer this? Harrison, you are laughing a little bit, maybe.
Well, I mean, first of all, it's going to break all of security. But if you have a quantum-fueled SOAR, I mean, it would be really interesting. I would hook it up to something really big, like BigQuery, like Chronicle, and just abuse the heck out of predefined searching, or excuse me, playbooks, to do large-scale threat hunting and have it automatically remediate. I mean, it's hard to even imagine. It's like asking a question about releasing a nuclear bomb: what's going to happen? Well, you're just going to have a bunch of nukes go off, and I don't know who's going to be more ahead, the adversaries or us. But it's a really fun thought question.
Yeah, and that's a good one in general, because there are various opinions about how critical quantum computing is to cybersecurity in general. And you mentioned this: maybe you can break encryptions in seconds instead of 10,000 years, or you can build quantum-stable algorithms which protect things. And I think this is something which comes into play here too, but this is just a very future-oriented question from the audience. Maybe, talking about the future, what future developments do you expect in general in that space, besides quantum computing? Richard?
Yeah, I'm glad this isn't a quantum computing discussion, because this could go on a long time, but well said, Harrison. So look, again, to Harrison's point, SOAR is many things to many people, and I think that's part of the problem. So the development has to be in the frameworks and the implementation of SOAR technology to be effective, because I always look at this from: why should you care as a business about SOAR, how do you implement it, how do you get the best out of it? And there are kind of four key layers to it, to me, that need to be better defined. The first is kind of that common data service layer: what do you bring in? I've said it earlier. Why is what you're bringing in important? How do you do that? And then how do you integrate all of the platforms that can work in that
ecosystem effectively? And then probably one of the most underappreciated layers, for me at least, is the analytics layer. How do you analyze all this data that you're getting, and how do you work with your tools in a kind of structured fashion to provide the business outcomes you're looking for? Don't just look at SOAR technology as another thing that you can do; look at how it aligns to business outcomes. And the kind of final advancement that I think we're going to see in the SOAR ecosystem is it becoming a security operations platform, so it becomes just part of the security operations, SecOps, DevSecOps ecosystem, and that's going to allow organizations to get to cloud-based services much more effectively than they used to, to get more visibility points. We talked about integration with CTI. So when SOAR gets implemented effectively, we think about a CTI-led approach. We're able to do a lot more, a lot more quickly, and be far more agile, and most importantly, as a business, remain very competitive. And I think that's where we're going to see some massive advancements in the SOAR space over the next 2, 3, 5 years.
Cool, thank you. John, you wrote the latest Leadership Compass about SOAR. What do you expect from future development?
You know, I think it'll be evolutionary rather than revolutionary. But, you know, for SOAR, integrations are kind of the lifeblood of it; you need integrations to all the tools that you have in your environment. Without that, SOAR is not nearly as useful as it could be. So there are still plenty of other security tools that need integrations written for them for most of the major SOAR vendors that are out there. I think there's a couple of years' worth of work there. But I also see that there's always a trend toward reducing the number of different applications that a business or an enterprise has. So I think we'll continue to see, even though SOAR is kind of an outgrowth of SIEM, I think we're going to see that start to fold back together, where you have more SIEM or combination platforms in the future.
Definitely. Annette, anything to add from your end about the
future? Yes, definitely two things. I believe I can jump on what was said by Richard about the analytics and analysts. I believe where quantum computing or SOAR could grow quite a lot is security big data analysis. So if we can integrate security big data analysis output into the SOAR systems on one hand, and from another direction, if we can integrate automated CTI inputs, we create such a massive situational awareness that it will be absolutely useful for preventive security, let's say. And this is the point I also wanted to highlight in my previous presentation: that we need to move away from responsive approaches, and implementing SOAR takes a huge step in that direction, that we are just making a huge step towards preventive security. And this is what would be an absolute advantage, I believe, because the number and the volume of attacks is just growing exponentially. I don't need to explain that; all of you know that, so it's not a question. And somehow we have to give an answer to that. I don't know if quantum computing is a good answer to that. I really don't know that. But if you combine the potential in quantum computing with security big data analysis, that may be interesting.
Definitely. Okay, so it's incredible, we've almost talked 20 minutes already. It felt like two minutes. Very interesting session. So maybe a closing round with all of you, with a short statement. Maybe one of you saw it, I did a LinkedIn poll where I asked: what is the most important thing for you when thinking about starting the journey to SOAR? Maybe from all of you a final sentence about that, starting with Harrison.
Make sure you have good tool coverage. I mean, you need an alert source. You probably need something to contextualize the basic entities or indicators inside of your case or your alert, and just make sure you have a couple of pieces: an EDR tool would be good as a way to respond, a network security tool would be good, an email protection system. It's an integrations product, so you need to have enough integrations to make sure that it makes sense for you. So that would be my two cents.
Richard?
Quite simply, align your SOAR requirements to business outcomes and needs. Don't look at it as a standalone technology. We've fallen into that trap far too much, and, hand on heart, I've done the same in making decisions for businesses in the past two decades. Know what we need to solve, know where our risks are, where our assets sit, what we're trying to protect, what represents a very bad day for our business if we don't detect or triage effectively or get it right, and align your SOAR outcomes to the business needs. That's really critical for any decision-making process, not just in SOAR.
Annette, your opinion?
Make sure you have the right people, the right experts. Your SOAR is brilliant, but you need to handle it properly. It's like a very powerful sports car or something. It's brilliant as it is, but you need to have a good driver to gain the most from it.
Thank you. And John, a final statement from your end about what is important to think about when deciding where to start with SOAR.
I would say understand your current security architecture, the tools that you have in place, where you want to go with that, and, kind of aligning with what Richard was saying, you know, what business outcome do you want to achieve. Before you go out and start looking to do RFPs for SOAR, you really need to know what you've already got, where your gaps are and where you want to be.
Cool, thank you. And maybe just to give you an insight, the winner in my poll on LinkedIn was "close potential security gaps". So honestly, I think that's the best answer. The other one was about money and the other one about architecture, just to give you an insight here. So thank you very much for this really, really interesting session. Thank you to Richard, Harrison, Annette and John. Have a good day. It was great having you, and talk to you soon. Thank you very much.
Bye.