The SOAR Buyer's Guide
The who, what, where, when and why of buying a security orchestration, automation and response solution

Table of Contents
What Is SOAR?
  What is security orchestration?
  What is security automation?
  What is security response?
Top SOAR use cases
SOAR Essentials
  Evaluation criteria
  Core capabilities
  Platform attributes
  Business considerations
Enter Splunk
More ways to integrate

The SOAR Buyer's Guide | Splunk

There's never been a better time to invest in a security orchestration, automation and response (SOAR) solution. Gone are the days when security teams had to respond to incidents manually; now they can work smarter, not harder, by automating repetitive tasks, increasing analyst productivity and accuracy, and better protecting the business.

All too often, security teams find themselves plagued by analyst grunt work. Security operations work is rife with monotonous, routine and repetitive tasks, especially at the Tier-1 analyst level. There is also a shortage of over one million cybersecurity professionals with the knowledge and expertise needed to staff security operations centers (SOCs) around the world. Other common challenges include (but are certainly not limited to):

Too many alerts: Analysts are overwhelmed by hundreds (if not thousands) of security alerts. The sheer volume can quickly swamp a security team, growing the incident backlog and leading to the much-dreaded "alert fatigue."

Too many siloed point products: Teams are expected to juggle disconnected security tools consisting of static, independent controls with zero interoperability. When tools don't work together, security gaps are inevitable, and attackers can (and will) exploit them.

The skills gap: Staffing a SOC is no easy task. Qualified analysts are in short supply, and turnover is extremely high because of an increasingly competitive marketplace. Unsurprisingly, the time and resources spent on analyst training and building institutional knowledge are often lost in the shuffle.

Lack of process: Most security teams fail to establish workflows and standard operating procedures (SOPs) for different types of security events. Without this operational rigor, analysts are unable to act quickly and decisively when responding to an attack.

Lack of speed: Attackers have ample opportunity to breach systems and exfiltrate data when the mean time to detect (MTTD) is too long. A typical human response to an alert can take anywhere from minutes (best case) to weeks or months (sometimes even longer). The latter, and sometimes even the former, is usually too long a dwell time for serious threats.

In the face of all this, security teams have an increasingly hard time identifying and responding to threats. Organizations need a solution that is powerful, flexible and fast: a solution powered by automation. With the help of SOAR, analysts can respond to any threat that comes their way, no matter how big or small. A robust SOAR solution can execute a series of actions, from detonating files to quarantining devices, across an organization's security infrastructure in seconds (versus hours or days if performed manually) by codifying workflows into automated playbooks.

Bottom line? You too can reap the rewards of SOAR. "The SOAR Buyer's Guide" will help you make sense of the key criteria for evaluating your options, so you can make the choice that is best for you and your organization's security operations, freeing up your analysts for more worthy causes (and a longer lunch break).

What Is SOAR?

A SOAR solution clears out the mundane tasks that would normally tie up a security team's time and resources. Thanks to SOAR, security teams can field more incidents, investigate issues more closely, save time on critical security tasks, and improve an organization's overall security posture.

While automation is standard practice across most industries, cybersecurity is arguably late to the game. But in recent years there has been a distinct shift, with practitioner interest continuing to grow along with the number of vendors entering the SOAR category, often by reimagining existing security offerings from adjacent market segments. However, because of how newer vendors have positioned themselves, market definitions around SOAR have become blurred, making comparisons difficult. To lend some much-needed clarity, here is our breakdown of the following categories:

Security response: the policy-based coordination of human and machine-based activities for event, case and incident workflows.
Security orchestration: the machine-based coordination of a series of interdependent security actions across a complex infrastructure.
Security automation: the machine-based execution of security actions.

What is security orchestration?
Security orchestration is the machine-based coordination of a series of security actions across a complex IT ecosystem. It helps everything (i.e., a wide range of independent security tools) work in concert, while automating tasks across products and workflows. Basically, orchestration allows security teams to automate complex processes across disparate point products, maximizing the value of security staff, processes and tools.

Security orchestration can:
- Collectively and automatically coordinate workflows across tools.
- Provide context around security incidents by aggregating data from different sources.
- Allow for deeper, more meaningful investigations.

What is security automation?
Security automation is the machine-based execution of security actions, with the power to programmatically investigate, respond to and remediate threats without human intervention. Security automation does most of the work for analysts, so they no longer have to wade through and manually address every alert as it comes in, or manually process every security action or task.

Security automation can:
- Investigate threats in your environment.
- Triage potential threats by following the steps, instructions and decision-making workflows that security analysts use to investigate an event and determine whether it is a legitimate incident.
- Decide whether to take action on the incident.
- Contain and resolve the issue.
- Automate vulnerability investigation and patching.

What is security response?
Security response is the policy-based coordination of machine-based automated actions and human input for event, case and incident workflows. The technical details of a security event or alert should be organized so that an analyst can quickly digest the information at hand, understand the full scope of the scenario and respond accordingly. In short, a security analyst should be able to seamlessly issue investigative, containment or response actions against the data provided. Once alerts or events are confirmed and escalated, a case management component should take over and drive a broader, cross-functional lifecycle from creation to resolution.

Security response can:
- Confirm multiple events and escalate them into a single case.
- Seamlessly map incidents to an organization's existing processes.
- Issue investigative, containment or response actions against specific technical data.
- Provide an activity log that records all actions executed against an event or alert.
- Drive a broader, cross-functional security lifecycle from creation to resolution.

Top SOAR security scenarios
The following use cases are modeled after existing manual workflows and highlight common operational pain points. These workflows usually contain countless manual tasks that require coordination across different point products. Before beginning your evaluation, you will need to map out the potential use cases specific to your organization. Ideally, this includes input from stakeholders across your security operations as well as leadership. Identifying these key use cases, even if they aren't implemented right away, is critical to a successful security strategy. Below is a selection of security use cases spanning investigation, enrichment, containment and remediation:

Alert triage: Alert triage validates and prioritizes inbound alerts and contextualizes events. This includes methodologies and models to eliminate false-positive alerts from further processing.

Incident response: Incident response varies with the type of incident. For example, responding to a phishing attempt is a completely different effort from responding to a successful ransomware attack.

Indicator of compromise (IOC) hunting: By automating IOC hunting, teams can tap into the latest threat intelligence without exhausting their resources. They can also implement intelligence scoring to determine which threat intelligence sources they should be looking at.

Vulnerability management: Automating (and subsequently standardizing) the cycle of identifying, classifying, remediating and mitigating vulnerabilities yields greater efficiency and consistency.

Network access control (NAC): SOAR can augment dynamic access control strategies. One example is integrating a detection system that wasn't previously included in NAC decision-making.

User management: User management ensures that specific accounts are enabled and disabled quickly and systematically to counter insider threats, account takeovers or credential abuse.

Penetration testing: Activities like asset discovery, classification and target prioritization are automated, increasing the productivity of the pentesting team.

Intelligence sharing: Organizations with intelligence-sharing initiatives can benefit from an automation-assisted playbook. Automation can also increase an analyst's productivity and deliver time-sensitive information much faster than manual processes.

Additional SOAR-specific use cases can stem from a host of other challenges, wherever security teams codify criteria for detection and automation. Be sure to check out our e-book, "Five Automation Use Cases for Splunk SOAR," for additional examples.

SOAR Essentials

Evaluation criteria
Our evaluation criteria for a SOAR solution are organized into three essential categories: core capabilities, platform attributes and business considerations.

Core capabilities
Core capabilities are the fundamentals (or basic parts) of a SOAR solution. We cover each capability and component, as well as key considerations for evaluating your options.

Orchestrator

Data ingestion
Security data needs to be ingested. An orchestrator can ingest and compile data from any source, in any format, while keeping it logically separated. If the data is unstructured, the user should be able to apply a data handler to interpret the data and make it accessible.

Decision-making
Users should be able to apply automation playbooks to their data sources. For example, an email phishing playbook can be applied to an email-based ingestion source, while a malware investigation playbook can be applied to a security information and event management (SIEM) alert source.

Task execution
Dispatch automated tasks at the appropriate and optimal time, passing them on to the automation engine for execution.

Human supervision
Balance machine-based automation with the necessary human supervision. There are usually three scenarios where an analyst is required:
1. When approval by the asset's owner is required to execute a security action on a target.
2. When review by an analyst is required to ensure that security is balanced with business continuity.
3. When an analyst needs to augment codified decision-making logic (e.g., when an error occurs).

Data management
Ensure that the output of one action is properly parsed, normalized and structured so that future actions can make use of it. The orchestrator should also support caching relevant data to avoid taxing other resources.

Fault tolerance
SOAR regularly interacts with many discrete products and services, but their availability isn't always guaranteed. Access to external services can be interrupted or broken, in which case an orchestrator should perform predictably, recovering and resuming operation seamlessly as configured.

Automation engine
The automation engine is the workhorse of most SOAR solutions, receiving actions (or tasks) from the orchestrator and carrying them out. Because automation runs independently of human interaction, criteria like platform scalability and extensibility are important to consider.

Scalability
Additional use cases are added and automated over time. To account for the growing processing load, the automation engine should be able to scale vertically and horizontally.

Extensibility
Security evolves quickly, and new functions should be supported without major re-engineering. The automation engine should have the flexibility to adapt to the unique capabilities of its environment.

Alert management
After your data is ingested, inbound alerts are queued up and prioritized. Investigations are then performed using manual or automated actions to yield the highest level of productivity and accuracy. To surface the right information at the right time, the interface should arrange and triage alerts in an easily digestible format. That way, analysts can avoid extensive searches or context switching, and can quickly make sense of notable events.

Alert details
The details of a security alert should be organized so that an analyst can quickly digest and understand the security event. This includes an organized view of relevant technical data, including IP addresses, domain names, file hashes, usernames, email addresses and other data fields. Use of a standard format like the Common Event Format (CEF), or an equivalent, is highly beneficial for data exchange.

Issuing actions
A security analyst should be able to issue manual actions when investigating, containing or correcting an alert, and the interface should allow a user to execute an action by selecting the data to operate on. An analyst should also be able to issue an automated collection of actions against an alert, which can be referred to as a "playbook."

Action results
Action results should be available in a summary format (e.g., a table view) as well as in a more comprehensive format (e.g., JavaScript Object Notation, or JSON, a common data format), so that they are readily available and easy to view.

Activity log
A comprehensive activity log displays a record of all actions executed against an alert, whether they were initiated manually or via an automation playbook. Each action should display its results, including an indicator of success or failure, making it clear whether the action was fully executed.

Alert status, severity and sensitivity
Alerts should have a status indicator (e.g., "new," "open" or "closed"), a severity indicator and a sensitivity indicator (e.g., Traffic Light Protocol, or TLP, designations). Each indicator should be modifiable within the alert management interface as well as from within a playbook.

Alert collaboration
The interface should provide an area where analysts can collaborate, comment and provide information about an alert and all its relevant or miscellaneous data.

Case management
Case management takes a broader, cross-functional view of an incident's life cycle from creation to resolution. Multiple alerts and/or events can be confirmed, aggregated and escalated as a single case. While alert management is usually technical and singular in its focus, case management can also incorporate non-technical steps into the process. Also, overall case volume is usually much lower than alert volume, with numbers typically in the single digits.

Case data organization
All data relating to a specific case should be aggregated by the case management component. Displaying this information in a single location helps users digest everything without context switching.

Adding data to a case
Relevant technical data should be attached to the case in question (e.g., source data, action results). Relevant non-technical data (e.g., notes, memos, emails, screenshots, recordings or any other relevant file) should also be included.

Linking cases to alerts
Ideally, the case management interface should link to the alert management interface for each respective alert. This is especially handy when an analyst determines that a piece of data requires further investigation or a containment action needs to be taken.

Mapping to existing processes
Most organizations have standard operating procedures for incident response, emergency, disaster and other critical situations. Case management should let the user define their processes and workflows as multiple stages, where each stage has one or more tasks and each task can be assigned an owner, and then save them as a template.

Activity auditing
New or updated information, including status updates, should be logged in an audit trail and be easily exportable. Changes to a case might include:
- Adding files or notes
- Modifying files or notes
- Completing a task
- Adding data
- Modifying data
- Modifying a stage or task

Playbook management
Playbook management helps with the implementation and maintenance of standard operating procedures across an organization (and sometimes beyond). Ideally, this component has revision/version control and syndication management.

Playbook organization
Analysts should be able to customize categories around different playbook groups. Groupings would be based on what works best or is most applicable to the organization (e.g., sensitivity, organizational segments, asset types, themes).
58、Custom functions Beyond whats available out-of-the-box(OOTB),users should be able to write custom code and/or functions.These functions should be shareable across multiple playbooks,while providing centralized code management and version control.Revision control and distribution Integration with a v
59、ersion control system(VCS)is highly recommended for successful playbook management.At the deployment level,a VCS helps with the systematic distribution of playbooks.At the development level,a VCS is important for tracking changes and having the option to roll back updates if necessary.Bulk edits to
60、playbooks The inner workings of each playbook are likely to be unique.However,there are commonalities between many playbooks at the administrative level.A playbook management system should allow for the bulk editing of playbooks,including:Ingestion sourcesEnabling/disabling automatic execution enabl
61、ing/disabling safe mode operationEnabling/disabling enhanced loggingSetting playbook category groupingThe SOAR Buyers Guide|Splunk9Automation editorAnalysts can codify processes into a playbook via an automation editor.Basic source code editors make this a difficult task;however,a visual automation
62、editor allows all security experts regardless of their programming experience to write playbooks at the source code level,and to construct comprehensive and sophisticated playbooks.The visual editor should adhere to Business Process Modeling Notation(BPMN)standards a graphical notation for specifyin
63、g business processes.BPMN supports intuitive symbols for business users,while providing technical users with different ways to represent highly complex processes.User interface elements The user interface should start with a canvas where visual playbooks can be constructed.This part of the interface
64、 should provide an area where a desired actioncanbespecified(forexampleblock_ip or file_reputation).Onceanactionisselected,parameterswillberequiredtoconfiguretheaction(which can be manually entered or selected from a list).The interface should also have a place for testing and debugging,with a seaml
65、ess transition between edit and test mode,along with a source code view.Block-based representation of code Usingblockstorepresentmeaningfulstepswithinanautomationplatformallows users to write comprehensive,complex playbooks without touching the underlying source code.Blocks should be connected in a
66、one-to-one,one-to-many or many-to-one fashion to dictate an order of execution.Inserting humans into the decision process Supervised automation is a common requirement.This is where a human can be inserted into an automation sequence to approve,review or augment continued playbook execution.A playbo
67、ok author should have the ability to specifywhoshouldbeloopedin,alongwiththetypeofnotificationorlevelof approval desired,as well as the type of error to be alerted on in the event that one or more services are unavailable.Information exchange of action results The interface for the automation editor
68、 should allow for new information to be available as inputs,parameters,downstream actions,decision blocks,etc.The results of preceding actions should be accessible visually and selectable from a drop-down menu when populating the parameters of an upstream action.Access to playbook source code While
69、constructing the playbook in a visual editor,the playbook source code should be generated in real time and accessible to the author.Some users mayprefertodraftall(orpart)oftheplaybookviaatraditionalsourcecodemethod,which can be viewed in place of a visual editor.Switching between visual and source c
70、ode modes should be seamless.Simultaneous visual and non-visual playbook construction When working with a playbooks source code,the automation editor should allow the author to modify the playbook at the source code level and have the ability to modify the playbook at the visual block level.At times
71、,the author may require individual blocks(like actions and decision blocks)to be modifiedatthesourcecodelevelforcustomizationsbeyondthescopeofthevisualeditor.Whenthesemodificationsaremade,ausershouldstillbeable to modify the playbook visually.Built-in testing and debugging and runtime logging Itsthe
72、industrystandardforintegrateddevelopmentenvironments(IDEs)toprovide execution and debug capabilities.When it comes to an automation editor,a user should be able to execute playbooks against a security alert,and then observe the execution activity and results.The goal is to enable the author to quick
73、ly edit,test and debug playbooks within one interface.Safe mode An automation editor should also provide a safe mode for new playbooks that need pre-production testing.This mode simulates the execution of automation targets without exacting change on them.The SOAR Buyers Guide|Splunk10App frameworkT
74、he app framework offers an extensible interface for new integrations,connecting the platform to any of the thousands of point products available on the market today.Open ecosystem A SOAR solution can lose its value over time if it fails to integrate with new orpopularofferingsonthemarket.Tosupportth
75、esetypesofintegrations,a SOAR solution should adopt an open ecosystem to promote app development.New technologies must also be quickly integrated without requiringanymodificationtothecoresolution.App development App development is a key component to an open ecosystem,since it allows users to integra
76、te with multiple technologies in support of their playbooks.A SOAR solution should be able to streamline app development within the product itself,so that users can view,test,extend and edit existing apps,as well as create entirely new apps,all from the user interface.Metrics and reportingMetrics an
77、d reporting are necessary for understanding and quantifying pretty much anything,and a SOAR solution is no exception.While automation promises increased performance and productivity,metrics are the way to gauge its respective effectiveness,and to also identify where improvements can be made.Flexible
78、 dashboards Themetricsforsuccessvary;theyreusuallyspecifictotheorganizationortheindividual,and can rely on many factors.Thats why users need to be able to organize their key performance indicators(KPIs)in a way that makes the most sense to their organization.A SOAR solution should allow for this dat
79、a to be customized and organized accordingly.Performance reporting Efficiencyisusuallythemaindriverbehindautomation.Understandingthequantitative performance gain and resource savings is key to justifying your investment.Examples of these metrics that should be reported on:Mean time to resolve(MTTR).
80、Meandwelltime(MDT),whichisdefinedastheperiodoftimebetweenacompromise by a threat actor and taking an appropriate response.Analyst hours saved through automated execution.Number of full time equivalents(FTEs)gained through automated execution.Average time saved per playbook run.Money saved(FTE-cost x
81、 FTEs-gained).The SOAR Buyers Guide|Splunk11 Security effectiveness reporting Automationshouldalsoincreasesecurityeffectivenessandtheoverallsecurity posture of the organization.Understanding the total number of security alerts managed,along with the rate at which theyre being managed,isanotherimport
82、antjustification.Examples of these metrics that should be reported on:MTTRandMDT.Total number of open alerts.Alerts opened daily/hourly/weekly/monthly.Alerts closed daily/hourly/weekly/monthly.Performance against service level agreements(SLAs).App integration and playbook performance Understanding t
83、he most frequently invoked playbooks can help shed light on where further investments can be made.Ideally,playbook design should strivefortheautomatedclosureoffalsepositivesorhigh-confidencetruepositive alerts.Toidentifygapsinautomation,aswellastheeffectivenessoftoolintegrations,the following metric
84、s should be reported on:Alerts closed through automation(per hour,day,week,month or other timeframe).Most active app integrations.Most active actions(manual and automated).Most active automated playbooks.Playbook execution time.Action execution time.Human workload While automation is intended to clo
85、se the human resource gap,there are still plenty of situations where an analyst needs to be involved in the day-to-day operations of a SOAR solution.These cases include manual triage and when other actions are required on an alert,or when human approvals are inserted into the playbook to achieve“sup
86、ervised automation.”The following example metrics should be provided to understand the human workload involved in the automation process:Alerts assigned to an individual.Alerts closed by an individual.Average approval time.Number of outstanding approvals.Approvals required(per hour,day,week,month,or
87、 other time window).The SOAR Buyers Guide|Splunk12Platform attributesPlatformattributesmaybemorequalitativeinnature.Consideringthis,thefollowingcriteriaareevaluatedmoreoftenthroughobservationandinteractionwiththeplatform.Deployment optionsA SOAR solution should support on-premises,cloud or hybrid de
88、ployments.While organizations may prefer on-prem,others will invariably prefer a cloud-based solution.The type of delivery or deployment you decide on will largely depend on the needs of your organization like budget,storage and security requirements,as well as how to best streamline security operat
89、ions,and facilitate digital transformation within the scope of your existing framework.Community-poweredIdeally,a SOAR solution should support a community model by adopting an open ecosystem for app development.This helps promote long-term success by avoiding vendor lock-in,and technologies can easi
90、ly transition without negatively impacting automated playbooks.The ever-evolving nature of security also fuels the need for professionals to work together to share playbooks,best practices and strategies for dealing with the latest threats.A large and active communityMost users prefer to draw on the
91、 experiences of other like-minded users.A large-and-active user community provides the opportunity to share playbooks and apps,or brainstorm ideas for new automation use cases.To facilitate an exchange of ideas,connecting users within the community iscrucial.Messaging/communicationtoolsinparticulara
92、reaneffectivemeans for technical and design support,providing answers to questions and brainstorming on automation use cases.CollaborativeCollaboration improves feature completeness,application integration and automated playbooks that address an evolving range of scenarios.Collaboration across the c
93、ommunity From a content perspective,user and vendor content should be accessible from a centrally located repository.This includes technical contributions,such as playbooks and app integrations,as well as non-technical contributions such as presentations,tech notes,blogs and other documentation meth
94、ods.Collaboration across the platform A SOAR solution should help users collaborate across varying circles of trust.The solution should support collaboration of sensitive information across privileged groups across the organizations security team.The SOAR Buyers Guide|Splunk13CognitiveA cognitive SO
95、AR solution applies knowledge from humans along with previousobservationstoguidefuturedecisions.Thisiscodifiedintoasystemin the form of playbooks.This methodology is based on execution statistics,characteristics of ingested data and action results.This information can be used to recommend individual
96、 actions,playbooks or a set of actions in a sequence that would form a playbook.Its important to understand the current cognitive abilities of a SOAR solution,as well as the cognitive strategy and roadmap for future iterations.Dialable automationTeams usually adopt automation use cases one at a time
97、,slowly building up trust in the system.To help this along,a SOAR solution should support a set of features that allow selective human interaction with the automated playbook.Inserting humans into a workflow should be possible on a per-asset(point security tool or technology)or per-action basis.The
98、former(per-asset)should notify the asset administrator each time an action is executed on that asset.The latter(per-action)should insert a prompt at any point in an automated playbook.The prompt gives gives the user an option to continue,pause or abort the request.This level of supervision allows us
99、erstogainconfidencewiththeprogrammedsteps.SecureUnsurprisingly,one of the most important aspects of a security automation and orchestration solution is security.A SOAR solution holds authentication credentials and other highly-sensitive information encrypting sensitive information and supporting a r
obust role-based access control facility. Security best practices of a SOAR solution include:

- Support for authentication management systems
- Support for multi-factor authentication
- Encrypted security credentials
- Make sure credentials are not stored in memory

Scalable

A SOAR solution needs to be able to scale vertically and horizontally. As an organization adds use cases over time, there will be an even greater processing load to consider. The solution should be designed in a way that allows for vertical scaling by increasing hardware resources (for example, CPU and RAM) as well as horizontal scaling by increasing the number of server instances supporting the deployment.

Open and extensible

Security is always evolving, as evidenced by the multitude of point products available today. A SOAR solution should be designed for openness and extensibility. It should easily support new security scenarios, new products, new actions and new playbooks.

Open integration framework

The net effect of an open integration framework is that technologies should be able to transition in and out of the platform without negatively impacting automated operations. Users should also have the option to develop additional integrations without relying on the SOAR vendor. Good examples of where this applies are homegrown applications, a custom or early-access API from a vendor, or cases where users choose to extend the functionality of the automation platform. This open framework should follow a common standard and programming model. There should also be an abundance of documentation and examples available.

No interface restrictions

Some technologies expose interfaces using REST APIs, SSH, syslog, a custom API, or some other protocol or method. An extensible integration framework should not enforce restrictions on interface types. If there is connectivity to the point product or application from the automation platform, the method of interface should not impact the app integration, allowing any interface method to be used.

Mobile

A SOAR solution is designed to accelerate response times, in other words, to reduce dwell time and mean time to resolve. Rapid response means security analysts need to be reachable when a case or security prompt requires human intervention. But analysts are not always sitting at their desk with their laptop open, ready to answer prompts at a moment's notice. That's why it's important for a SOAR solution to offer access, interactivity and control of the platform from the convenience of the analyst's mobile device. This way, analysts can run playbooks on the go, review security artifacts and triage events without opening a laptop, respond to prompts from the palm of their hand, and always be reachable whether they're sitting at their desk or on the go.

Ease-of-use

Though enterprise software is very rarely simple, it's possible to reduce the friction in deploying and using a SOAR solution.

Installation and setup: A virtual appliance form factor makes deployment simple, as most organizations already leverage virtualization with other infrastructure.

Onboarding: A SOAR solution can greatly help overcome an initial learning curve by using an onboarding process to help a user configure system settings, connect to a data source and activate their first few playbooks.

Accelerate the time-to-automate: A SOAR solution should help users get started with automation quickly. This is achieved by supplying a robust set of automated playbooks out of the box. Empowering users to quickly draft, test and deploy automated playbooks is another significant accelerator.

Business considerations

No matter how great a company's core technology is, there are considerations outside of what is traditionally thought of as the product which can heavily influence a buyer's decision-making. One major consideration is the attributes of the company marketing the offer. Another consideration is the set of services offered by the company that augment the core technology to form the whole product that the buyer ultimately experiences.
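Before turning to the company-level criteria, the two platform attributes above that are hardest to judge from a datasheet, an open integration framework with a common programming model and no restriction on interface types, can be made concrete. The following Python sketch is an added example for this guide, not Splunk SOAR's app model or any vendor's code. Its app names, action names, the fake REST endpoint and the list-backed syslog sender are all constructed; the point it demonstrates is that a playbook calls every app through the same (app, action, parameters) contract, so a REST-backed app and a syslog-backed app are interchangeable from the platform's point of view, and an app that is removed or lacks an action fails cleanly instead of breaking automated operations.

```python
import json
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

@dataclass
class ActionResult:
    """Uniform result every action returns, whatever transport the app uses."""
    success: bool
    data: Dict[str, Any] = field(default_factory=dict)
    message: str = ""

class App:
    """Common programming model: a name plus named actions. How the app reaches
    its endpoint (REST, SSH, syslog, ...) is the app's business, not the platform's."""
    name = "base"

    def __init__(self) -> None:
        self.actions: Dict[str, Callable[[Dict[str, Any]], ActionResult]] = {}

class FirewallRestApp(App):
    """Hypothetical firewall behind a REST-style API; the HTTP call is injected so
    the example runs offline (a real app would use an HTTP client here)."""
    name = "firewall"

    def __init__(self, http: Callable[[str, str, Dict[str, Any]], Tuple[int, str]]) -> None:
        super().__init__()
        self._http = http
        self.actions["block_ip"] = self.block_ip

    def block_ip(self, params: Dict[str, Any]) -> ActionResult:
        ip = params.get("ip")
        if not ip:
            return ActionResult(False, message="missing parameter: ip")
        status, body = self._http("POST", "/api/v1/blocklist", {"ip": ip})
        if status != 200:
            return ActionResult(False, message=f"HTTP {status}")
        return ActionResult(True, data=json.loads(body))

class SyslogNotifyApp(App):
    """Hypothetical notifier that needs only a 'send one line' callable (syslog,
    not HTTP); the platform treats it exactly like the REST app above."""
    name = "syslog"

    def __init__(self, send: Callable[[str], None]) -> None:
        super().__init__()
        self._send = send
        self.actions["notify"] = self.notify

    def notify(self, params: Dict[str, Any]) -> ActionResult:
        msg = params.get("message", "")
        if not msg:
            return ActionResult(False, message="missing parameter: message")
        self._send(f"<14>soar-playbook: {msg}")  # PRI 14 = facility user, severity info
        return ActionResult(True, data={"sent": len(msg)})

class Platform:
    """Registry plus a minimal playbook runner: dispatch is by (app, action) and
    the platform never inspects an app's transport."""

    def __init__(self) -> None:
        self._apps: Dict[str, App] = {}

    def install(self, app: App) -> None:
        self._apps[app.name] = app

    def run_action(self, app_name: str, action: str, params: Dict[str, Any]) -> ActionResult:
        app = self._apps.get(app_name)
        if app is None:
            return ActionResult(False, message=f"no app named {app_name!r}")
        fn = app.actions.get(action)
        if fn is None:
            return ActionResult(False, message=f"{app_name} has no action {action!r}")
        return fn(params)

    def run_playbook(self, steps: List[Tuple[str, str, Dict[str, Any]]]) -> List[ActionResult]:
        """Run steps in order and stop at the first failure, so a later step never
        assumes a precondition an earlier step failed to establish."""
        results: List[ActionResult] = []
        for app_name, action, params in steps:
            results.append(self.run_action(app_name, action, params))
            if not results[-1].success:
                break
        return results

# Constructed, offline stand-ins for the two transports (not real services).
BLOCKLIST: List[str] = []
SYSLOG_LINES: List[str] = []

def fake_http(method: str, path: str, body: Dict[str, Any]) -> Tuple[int, str]:
    if method == "POST" and path == "/api/v1/blocklist":
        BLOCKLIST.append(body["ip"])
        return 200, json.dumps({"blocked": body["ip"]})
    return 404, "{}"

def demo() -> List[ActionResult]:
    """One playbook drives a REST app and a syslog app with identical calls."""
    platform = Platform()
    platform.install(FirewallRestApp(fake_http))
    platform.install(SyslogNotifyApp(SYSLOG_LINES.append))
    return platform.run_playbook([
        ("firewall", "block_ip", {"ip": "203.0.113.7"}),  # constructed TEST-NET-3 address
        ("syslog", "notify", {"message": "blocked 203.0.113.7"}),
        ("firewall", "get_logs", {}),  # not implemented here: the run stops cleanly
    ])
```

When evaluating a real platform against the "open integration framework" criterion, the questions this sketch raises are the useful ones: is there a documented base contract that third-party and homegrown apps implement, can an app be written against any transport the target product exposes, and does a missing app or action surface as a contained failure that the playbook can branch on rather than an exception that halts automation.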
Company attributes

When making a decision about procurement, it's important to consider the profile, quality and future potential of the company you choose. The reality is that many new vendors with new solutions will fail. You should choose a company that has the strength to deliver on the promises they make.

Company history

The vendor you select should have plenty of experience in developing security solutions. While security orchestration, automation and response is a relatively new segment of the market, its origins can be traced back many years. It's important to understand how the company was formed and how they decided to pursue the SOAR segment.

Ability to execute

You should look for a company that is supported by a seasoned team of experienced professionals. Predicting a company's ability to execute is often directly linked to the track record of team members.

Customer base

The quality and profile of a company's customer base is a reflection on the company itself. Sophisticated enterprise customers perform rigorous diligence on a potential vendor in several areas prior to making a purchase.

Awards and recognition

Look at the company's awards and other types of recognition they've received. These are endorsements that prove the vendor and its products live up to their claims. Like the companies themselves, the quality of the awards varies as well.

Ancillary services

The auxiliary services that a company offers for their technology can greatly influence an organization's deployment and the success of a project.

Professional services

Maturity levels across security operations can vary greatly from one organization to the next. It's important to consider whether the company provides professional services that increase the chances of a successful deployment. It's also important for subject matter experts to be available for service engagement to help build processes (if lacking) and help convert manual workflows into automation playbooks.

Post-sales support

Many startups provide excellent technology and presales support, only to stumble when it comes to post-sales support. Examine the range of support options and determine whether the company provides the type of support you'll need.

Enter Splunk

Splunk can take your team from overwhelmed to in control. Splunk SOAR lets your team work smarter, respond faster and strengthen your organization's security defenses. You'll be able to automate repetitive tasks; triage security incidents faster with automated detection, investigation and response; increase productivity, efficiency and accuracy; and strengthen your defenses by connecting and coordinating complex workflows across your team and tools. Splunk SOAR also supports a broad range of security functions including event and case management, integrated threat intelligence, collaboration tools and reporting, as well as integrating your existing security infrastructure so that each part actively participates in the defense strategy, while all working in concert.

More ways to integrate

For more ways to integrate, Splunkbase offers thousands of third-party security apps to connect and integrate with Splunk SOAR. Thanks to these integrations, Splunk SOAR can direct your security tools to perform a wide array of actions, whether it's asking VirusTotal to check file reputation or Cisco Firewall to block an IP. Splunk SOAR's app model supports integration with over 350 tools and over 2,100 different actions, all available on Splunkbase. These ready-to-use apps, utilities and add-ons can help your team with security monitoring, next-generation firewall, advanced threat management and a whole lot more.

Splunk, Splunk and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names or trademarks belong to their respective owners. 2022 Splunk Inc. All rights reserved. 22-23828-Splunk-SOAR Buyers Guide-EB-101

To learn more about Splunk SOAR, download the free Splunk SOAR Community Edition or ask sales for more information. Get Started.