My security team is feeling burnt out by the vast amount of security threats coming in.
Swivel-chair security is no fun. It takes more time to investigate and respond to a threat because I need to go on 5-10 different platforms.
We need to find a way to work smarter, not harder.
Does any of this sound familiar?
Security Orchestration, Automation, and Response (SOAR) solutions are becoming increasingly valuable for security teams as they combat the reality of the growing IT security skills gap, alongside a mountain of daily security alerts. Many teams have used SOAR to lower mean time to respond, lower security team burnout and turnover, and streamline security operations. But what are some considerations you should think about when implementing a SOAR technology?
For good reason, new SOAR customers will look for guidelines and certified architectures to ensure that their initial deployment is built on a solid foundation. When deciding how to implement SOAR, you’ll want to consider availability, performance, scalability, security, and total cost to manage.
Before you get started, here are five key questions for you and your security operations team to consider:
When preparing for SOAR implementation, you’ll also want to review the main use cases your security team wants to automate to decide whether you need SOAR deployed as a “headless” operation or a case management operation.
If your team will be using the SOAR tool for straightforward playbook execution, where automation runs in the backend and few interactive users are needed, a headless operation may be your best solution. But if your team will be running automation in the backend while also using the other user interface functionality of the SOAR tool to make sense of incoming security events, consider a case management deployment instead.
For security use cases, we generally recommend a case management deployment, but because SOAR can be used for use cases outside of security, some may prefer headless operation.
To learn more about what you might need to successfully implement SOAR, register for our "Splunk Phantom Deployment Models and Use Cases" webinar by Rob Gresham, a global security architect at Splunk. The webinar will air on December 17, 2020. Hope to see you there!
----------------------------------------------------
Thanks!
Kelly Huang