Integration is key for organizations today across pretty much every technology stack they own, which is probably why it’s a major factor in Gartner’s Top Strategic Technology Trends for 2022. But, there is a risk that integration has become a feature rather than an outcome we work toward, a checkbox if you will, rather than a primary goal that delivers significant and measurable value. This is especially true in security, where ‘integration’ questions have been included in every enterprise and service provider product and service RFP for the past decade or more—yet many security stacks are still poorly integrated.
When selecting a security product, a fully-featured API is crucial, but that is just the start of the integration journey. An API only tells us what we can do, not how to do it; we need the right tools and people to get from one to the other. Some organizations are resourced for this—service providers, for example, tend to have teams of people who are skilled at developing integrations, so they can use an API to integrate products and build value. This is also true in many larger enterprises, such as at banks, and insurance and technology companies. These categories of enterprises can work with APIs to build genuinely interesting things from the ground up, but there is a long tail of other organizations that don’t have the engineering resources for this.
However, every organization wants to see the value of its investments in security multiplied as new capabilities are added and integrated. And, more importantly, the risk to a business is materially reduced with an integrated security stack, as there are fewer gaps for bad actors to exploit, and the potential for a more streamlined operational process allows resources to focus more time in the right places. Integration is key; it’s about maximizing the value of things that can be used and re-used—such as pervasive broad and deep visibility—which can fuel both investigative and hunting processes.
THE SHIFT IN ENTERPRISE SECURITY PROCUREMENT TO FOCUS ON ‘ECOSYSTEMS’
Multiplying investment value and seeing how measurable risk can be reduced are priorities now as security becomes more aligned with other business risk management processes. Increasingly, organizations are selecting products that will work together without the need for significant engineering effort. This is where ‘ecosystems’ come into play, where sets of solutions from one or more vendors can work together in a much more plug-and-play manner. Many SOAR and SIEM vendors have ecosystems, but how open they are depends on their customer base, the vendor’s broader product portfolio and whether the platform was developed or acquired.
THE ROLE OF THE MODERN SOAR PLATFORM AND THE BENEFITS FOR ORGANIZATIONS
SOARs are all about multiplying security capability and decreasing risk. They orchestrate activities across the stack, providing automation for repetitive tasks. And, finally, they coordinate response, optimizing the use of technology and people to deliver better security outcomes. The SOAR should be the glue between different elements of technology, data, and process. With SOAR, playbooks can be configured to automate actions, enriching individual events, so that analysts can make better, faster, and more consistent decisions.
Fundamentally, SOARs are about maximizing the effectiveness of security resources by delivering the right information to the right people—in the right way—so that security outcomes are improved. For example, a SOAR can enrich an event detected by one vendor’s solution with intelligence and context from multiple sources, and could even extract session and packet forensics data from another platform that may have organization-wide visibility, saving time for the analyst and making sure that the best sources of data are used consistently.
GETTING THE MOST OUT OF YOUR SOAR
Out of the box, a SOAR won’t be as valuable as it could be—customization is essential. As with many things, the value you get from a SOAR is dependent on the effort put in when configuring it. The playbooks you utilize within a SOAR must maximize the value of your stack, using your data, to defend your business. You don’t use a SOAR to replace security operations resources; you use it as a tool to improve the effectiveness of both the security operations and technology resources within your organization. For instance, if we have a platform that can deliver consistent deep visibility across the office, home-working, data-center, and multi-cloud environments, then that is the best place to go when an analyst needs context around an event, regardless of how it was detected.
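The enrichment playbook described in the last two sections (one detector’s event enriched from intelligence, asset and packet-visibility sources, then prioritized consistently) as a small added example; this is illustrative code written for this article, not a NETSCOUT or SOAR-vendor implementation, and the intel, asset and packet sources are constructed in-memory stubs standing in for real APIs.

```python
"""Minimal SOAR-style enrichment playbook (added example, not vendor code).
The three lookup sources below are constructed stubs standing in for real
threat-intel, asset-inventory and packet-visibility APIs."""
from dataclasses import dataclass, field

# Constructed sample data (documentation ranges, not real indicators).
THREAT_INTEL = {"203.0.113.7": {"malicious": True, "family": "example-family"}}
ASSET_DB = {"10.0.0.5": {"owner": "finance", "criticality": "high"}}
PACKET_STORE = {"10.0.0.5": ["10:01 TLS session to 203.0.113.7:443, 1.2 MB out"]}

@dataclass
class Event:
    src: str
    dst: str
    detector: str            # which product raised it (e.g. "edr", "ids")
    context: dict = field(default_factory=dict)
    priority: str = "low"

# Each enrichment step takes the event and returns a dict merged into context.
def intel_lookup(ev): return {"intel": THREAT_INTEL.get(ev.dst, {"malicious": False})}
def asset_lookup(ev): return {"asset": ASSET_DB.get(ev.src, {"criticality": "unknown"})}
def packet_lookup(ev): return {"sessions": PACKET_STORE.get(ev.src, [])}
def broken_source(ev): raise ConnectionError("simulated source outage")

def prioritize(ev):
    """Consistent scoring: known-bad destination plus critical asset = high."""
    bad = ev.context.get("intel", {}).get("malicious", False)
    crit = ev.context.get("asset", {}).get("criticality") == "high"
    if bad and crit:
        return "high"
    if bad or crit:
        return "medium"
    return "low"

def run_playbook(ev, steps):
    """Run every step; a failing source is recorded in context, never fatal,
    so the analyst still gets whatever enrichment the other sources provide."""
    for step in steps:
        try:
            ev.context.update(step(ev))
        except Exception as exc:
            ev.context.setdefault("errors", []).append(f"{step.__name__}: {exc}")
    ev.priority = prioritize(ev)
    return ev

if __name__ == "__main__":
    e = run_playbook(Event("10.0.0.5", "203.0.113.7", "edr"),
                     [intel_lookup, asset_lookup, packet_lookup, broken_source])
    print(e.priority, e.context)
```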
WHY IS INTEGRATION ESSENTIAL IN 2022?
We all know that threats are getting more complex, and as organizations continue with iterative investment in new security technologies to address new threats and improve security, our security stacks are also getting more complex. Having lots of disparate datasets and views into what is going on doesn’t help us better secure our businesses, and this problem is exacerbated as organizations adopt new cloud and virtualization or containerization platforms, with their own platform-specific visibility and security add-ons. We need to maximize the value of security capability (and investment) from a business perspective, and that means driving our processes from consistent visibility and orchestrating those processes with SIEM or SOAR.
If we can streamline how our operations teams interact with the different elements of our security stack, so that events are better prioritized and pre-enriched, and we use the best data sources for investigation and remediation, then we can close gaps and focus our security on reducing risk.
Darren is CTO for Security at NETSCOUT, which helps assure digital business services against disruptions.