The document discusses the importance of selecting a security orchestration, automation, and response (SOAR) vendor to enhance the efficiency of security operations centers (SOCs) by integrating disparate cybersecurity tools. Key criteria for evaluating vendors include integration capabilities, alert grouping, visual investigation, customizable playbooks, and reporting features. It emphasizes the significance of due diligence in choosing a vendor that can streamline security processes and improve overall SOC performance.

1. How To Select Security
Orchestration Vendor

2. Introduction
Security orchestration, automation and response (SOAR)
vendors offer SOCs the best solution against the burgeoning
problem of having too many security tools but not enough in-
house talent to use them effectively. They enable security
operations teams to integrate disparate cybersecurity
technologies and processes into a more cohesive security
ecosystem, in turn allowing these teams to work more
efficiently against the growing onslaught of cyber threats.

3. According to Gartner, security orchestration, automation and
response (SOAR) equate to technologies that enable organizations to
collect security data and alerts from different sources. SOAR helps
to combine machine-driven and human-led security operations
activities in a way that drives better, more efficient incident analysis
and triage according to a standardized set of processes and
workflows.
What Is SOAR

4. Based on the interplay between security orchestration, automation and
incident response, it is easy to see why these elements fit together to
form a category of solutions. They encompass what ultimately ladders
up to equal security operations – the management of people, processes
and technology.
Security orchestration vendors seek to empower analysts and
improve incident response through a variety of features. Below we
cover six core pieces of functionality you should explore when
selecting a security orchestration vendor, features to look for and
questions to ask.
Security Orchestration Vendors

5. In a 2017 ESG report on security operations challenges, priorities, and
strategies, 29% of the respondents identified poor integration of
security tools among the top challenges in security operations. That’s
where a security orchestration solution can come in handy. The ability
to integrate disparate security solutions is a basic characteristic of
security orchestration.
Vendors Criterion #1 : Integration

6. One of the seemingly trivial, but actually time-consuming (and often
confusion-inducing) activities in security operations, is having to
switch from one console to another. Console switching is unavoidable
in security operations, especially because you typically must run
different tools and handle different cases at the same time.
Look for a security orchestration vendor with an interface that
minimizes the amount of switching required AND bubbles up the
most critical cases so your team can improve its focus and
prioritization to bring down response and resolution times.
Vendors Criterion #2: SOC Workbench

7. Where a security orchestration vendor can provide tangible value is in
giving your team the ability to work with grouped or clustered alerts.
This must go beyond simply filtering out false positives – which most
security orchestration vendors do – to actually grouping related alerts
into manageable cases.
If each alert becomes its own case to be worked by an analyst, think about
the management impact and collaboration required to effectively handle
those cases vs. analysts working cases containing multiple related alerts
that can be managed, triaged and closed as a single effort.
#3: Alert Grouping & Case Management

8. Virus Found

9. A security orchestration vendor’s solution that mirrors an analyst’s visual
investigation process in an interactive interface – reinforced with graphs,
timelines, flows, and representations of relevant entities – can
significantly speed up investigation and response times.
Be sure to get a look at how a vendor’s platform represents not only the
threat story line but the relationship between the entities – IPs, users,
files – affected. Ensure your team has the ability to quickly identify
relationships, timelines and dig deeper into each entity within a single
snapshot.
Criterion #4: Visual Investigation

10. The beauty of creating and maintaining playbooks via security
orchestration and automation platforms is that it forces the
documentation and codifying of existing manual processes and allows for
the automation of several tasks. But bear in mind that playbook
functionality in a security orchestration solution should be more than
just putting tools into automated processes.
Look for vendors that provide a breadth of features for playbook creation
and customization. Some security orchestration vendors include standard
playbooks to help teams get started that can be customized to your
organization’s needs and desired levels of automation.
Vendor Criterion #5: Playbooks

11. Standard Playbook

12. A security orchestration vendor should be able to help managers and
executives understand how their SOC is performing to then make
informed decisions about everything from processes and tooling to
caseloads and staffing. Not only that, because different stakeholders will
want to look at different metrics and KPIs depending on their role, your
chosen solution should be able to provide the information they need
without adding more burden to your analysts.
Explore vendors that support turnkey and automated reporting,
customizable dashboards, templates, and other capabilities that can speed
up and simplify reporting.
Vendor Criterion #6: Reporting

13. Does your platform group related alerts?
What context is used to determine whether alerts are related?
How are cases created from alerts? Does each alert become its own case?
What are your solution’s visual investigation capabilities?
How are relationships between entities represented?
How many integrations do you currently support and across which
categories?
If you don’t already have an integration I require, how quickly can you
build one?
Questions To Ask To The Vendor

14. Do you provide an IDE so I can create my own integrations?
What level of detail is provided about each entity and how?
How would my analysts build the timeline of a security event?
Do you provide built-in playbooks to help my team get started?
How do you enable my team to create new playbooks?
Is there an IDE?
Does your platform support tests and simulations?
What are your dashboarding capabilities?
More Questions To Ask

15. There’s no question security orchestration solutions can elevate your
SOC’s capabilities, efficiency and effectiveness tremendously. However,
you need to exercise due diligence in selecting a security orchestration
vendor in order to get maximum value from your investment. At the end
of the day, look for a vendor that will streamline your security
operations, reduce missed/uninvestigated alerts, speed up response,
enable the creation of consistent/predictable processes, allow better
transparency of metrics, and increase your SOCs ability to improve over
time.
Conclusion