Splunk: The SOAR Buyer's Guide (English edition, 19 pages, PDF)


The SOAR Buyer's Guide
The who, what, where, when and why of buying a security orchestration, automation and response solution

Table of Contents
What Is SOAR? ... 3
  What is security orchestration? ... 3
  What is security automation? ... 4
  What is security response? ... 4
Top SOAR use cases ... 5
SOAR Essentials ... 6
  Evaluation criteria ... 6
  Core capabilities ... 6
  Platform attributes ... 13
  Business considerations ... 16
Enter Splunk ... 17
  More ways to integrate ... 17

The SOAR Buyer's Guide | Splunk

There has never been a better time to invest in a security orchestration, automation and response (SOAR) solution. Gone are the days when security teams had to respond to incidents by hand; now security teams can work smarter, not harder, by automating repetitive tasks, increasing analyst productivity and accuracy, and better protecting the business.

All too often, security teams find themselves plagued by analyst grunt work. Security operations work is rife with monotonous, routine and repetitive tasks, especially at the Tier-1 analyst level. There is also a shortage of over one million cybersecurity professionals with the knowledge and expertise needed to staff security operations centers (SOCs) around the world. Other common challenges include (but are certainly not limited to):

- Too many alerts: Analysts are overwhelmed by hundreds (if not thousands) of security alerts. The sheer volume can quickly overwhelm a security team, increasing incident backlogs and leading to the much-dreaded "alert fatigue."
- Too many siloed point products: Teams are expected to juggle disconnected security tools made up of static, independent controls with zero interoperability. When tools do not work together, security gaps are inevitable, and attackers can (and will) exploit them.
- The skills gap: Staffing a SOC is no easy task. Qualified analysts are in short supply, and turnover is extremely high because of an increasingly competitive marketplace. Unsurprisingly, the time and resources spent on analyst training and on building institutional knowledge are often lost in the shuffle.
- Lack of process: Most security teams fail to establish workflows and standard operating procedures (SOPs) for the different types of security events. Without this operational rigor, analysts are unable to act quickly and decisively when responding to an attack.
- Lack of speed: Attackers have ample opportunity to breach and exfiltrate data when the mean time to detect (MTTD) is too long. A typical human response to an alert can take anywhere from minutes (best case) to weeks or months (sometimes even longer). The latter, and sometimes even the former, is too long a dwell time for serious threats.

In the face of all this, security teams have an increasingly hard time identifying and responding to threats. Organizations need a solution that is powerful, flexible and fast: a solution powered by automation. With the help of SOAR, analysts can respond to any threat that comes their way, no matter how big or small. A robust SOAR solution can execute a series of actions, from detonating files to quarantining devices, across an organization's security infrastructure in mere seconds (versus hours or days if performed manually) by codifying workflows into automated playbooks.

Bottom line? You too can reap the rewards of SOAR. "The SOAR Buyer's Guide" will help you make sense of the key criteria for evaluating your options, so that you can make the choice that is best for you and your organization's security operations, freeing up your analysts for more worthy causes (and a longer lunch break).

What Is SOAR?

A SOAR solution clears out the mundane tasks that would normally tie up a security team's time and resources. Thanks to SOAR, security teams can field more incidents, investigate issues more closely, save time on critical security tasks, and improve an organization's overall security posture.

While automation is standard practice across most industries, cybersecurity is arguably late to the game. But in recent years there has been a distinct shift, with practitioner interest continuing to grow, along with the number of vendors entering the SOAR category or reimagining their existing security offerings from adjacent market segments. However, because of how newer vendors have positioned themselves, market definitions around SOAR have become blurred, making comparisons difficult. To lend some much-needed clarity, here is our breakdown of the following categories:

- Security response: the policy-based coordination of human and machine-based activities for event, case and incident workflows.
- Security orchestration: the machine-based coordination of a series of interdependent security actions across a complex infrastructure.
- Security automation: the machine-based execution of security actions.

What is security orchestration?

Security orchestration is the machine-based coordination of a series of security actions across a complex IT ecosystem. It helps everything (i.e., a wide range of independent security tools) work in concert, while automating tasks across products and workflows. Basically, orchestration allows security teams to automate complex processes across disparate point products, maximizing the value of security staff, processes and tools.

Security orchestration can:
- Collectively and automatically coordinate workflows across tools.
- Provide context around security incidents by aggregating data from different sources.
- Allow for deeper, more meaningful investigations.

What is security automation?

Security automation is the machine-based execution of security actions, with the power to programmatically investigate, respond to and remediate threats without the need for human intervention. Security automation does most of the work for analysts, so they no longer have to weed through and manually address every alert as it comes in, or manually process every security action or task.

Security automation can:
- Investigate threats in your environment.
- Triage potential threats by following the steps, instructions and decision-making workflows a security analyst would use to investigate the event and determine whether it is a legitimate incident.
- Decide whether to take action on the incident.
- Contain and resolve the issue.
- Automate vulnerability investigation and patching.

What is security response?

Security response is the policy-based coordination of machine-based automated actions and human input for event, case and incident workflows. The technical details of a security event or alert should be organized so that an analyst can quickly digest the information at hand, understand the entire scope of the security scenario and respond accordingly. In short, a security analyst should be able to seamlessly issue investigative, containment or response actions against the data provided. Once alerts or events are confirmed and escalated, a case management component should take over and drive a broader, cross-functional lifecycle from creation to resolution.

Security response can:
- Confirm multiple events and escalate them into a single case.
- Seamlessly map incidents to an organization's existing processes.
- Issue investigative, containment or response actions against specific technical data.
- Provide an activity log that records all actions executed against an event or alert.
- Drive a broader, cross-functional security lifecycle from creation to resolution.

Top SOAR security scenarios

The following use cases are modeled after existing manual workflows and highlight common operational pain points. These workflows usually contain countless manual tasks that require coordination across different point products. Before beginning your evaluation, you will need to map out the potential use cases specific to your organization. Ideally, this would include input from stakeholders across your security operations, as well as leadership. Identifying these key use cases, even if they are not implemented right away, is critical to a successful security strategy. Below is a selection of security use cases spanning investigation, enrichment, containment and remediation:

- Alert triage: Alert triage validates and prioritizes inbound alerts and contextualizes events. This includes methodologies and models for eliminating false-positive alerts from further processing.
- Incident response: Incident response varies with the type of incident involved. For example, responding to a phishing attempt is a completely different effort from responding to a successful ransomware attack.
- Indicator of compromise (IOC) hunting: By automating IOC hunting, teams can tap into the latest threat intelligence without exhausting their resources. They can also implement intelligence scoring to determine which threat intelligence sources they should be looking at.
- Vulnerability management: Automating (and subsequently standardizing) the cycle of identifying, classifying, remediating and mitigating vulnerabilities yields greater efficiency and consistency.
- Network access control (NAC): SOAR can augment dynamic access control strategies. One example is integrating a detection system that was not previously included in NAC decision-making.
- User management: User management ensures that specific accounts are enabled and disabled quickly and systematically to eliminate insider threats, account takeovers or credential abuse.
- Penetration testing: Activities like asset discovery, classification and target prioritization are automated, increasing the productivity of the pentesting team.
- Intelligence sharing: Organizations with intelligence-sharing initiatives can benefit from an automation-assisted playbook. Automation can also increase an analyst's productivity and provide time-sensitive information much faster than manual processes.

Additional SOAR-specific use cases can stem from a host of other challenges where security teams codify criteria for detection and automation. Be sure to check out our e-book, "Five Automation Use Cases for Splunk SOAR", for additional examples.

Evaluation criteria

Our evaluation criteria for a SOAR solution are organized into three essential categories: core capabilities, platform attributes and business considerations.

Core capabilities

Core capabilities are the fundamentals (or basic parts) of a SOAR solution. We will cover each capability and component, as well as key considerations for evaluating your options.

Orchestrator

- Data ingestion: Security data needs to be ingested. An orchestrator can ingest and compile data from any source, in any format, while keeping it logically separated. If the data is unstructured, the user should be able to apply a data handler to interpret the data and make it accessible.
- Decision-making: Users should be able to apply automation playbooks to their data sources. For example, an email phishing playbook can be applied to an email-based ingestion source, while a malware investigation playbook can be applied to a security information and event management (SIEM) alert source.
- Task execution: Dispatch automated tasks at the appropriate and optimal time, passing them on to the automation engine for execution.
- Human supervision: Balance machine-based automation with the necessary human supervision. There are usually three scenarios where an analyst is required: 1) when approval by the asset's owner is required to execute a security action on a target; 2) when review by an analyst is required to ensure that security is balanced with business continuity; and 3) when an analyst needs to augment codified decision-making logic (e.g., when an error occurs).
- Data management: Ensure that the output of one action is properly parsed, normalized and structured so that future actions can make use of it. The orchestrator should also support caching relevant data to avoid taxing other resources.
- Fault tolerance: SOAR regularly interacts with many discrete products and services; however, their availability is not always guaranteed. Access to external services can be interrupted and broken, in which case an orchestrator should perform predictably, recovering and resuming operation seamlessly as configured.

Automation engine

The automation engine is the workhorse of most SOAR solutions, receiving actions (or tasks) from the orchestrator and then responding to them accordingly. Because automation runs independently of human interaction, criteria like platform scalability and extensibility are important to consider.

- Scalability: Additional use cases are added and automated over time. To account for the growing processing load, the automation engine should be able to scale vertically and horizontally.
- Extensibility: Security evolves quickly, and new functions should be supported without major re-engineering. The automation engine should have the flexibility to adapt to the unique capabilities of its environment.

SOAR Essentials

Alert management

After your data is ingested, inbound alerts will be queued up and prioritized. Investigations are then performed using manual or automated actions to yield the highest level of productivity and accuracy. To surface the right information at the right time, the interface should arrange and triage alerts in an easily digestible format. That way, analysts can avoid extensive searches or switching between contexts, and can quickly make sense of notable events.

- Alert details: The details of a security alert should be organized so that an analyst can quickly digest and understand the security event. This includes an organized view of relevant technical data, including IP addresses, domain names, file hashes, usernames, email addresses and other data fields. Use of a standard format like Common Event Format (CEF) or an equivalent is highly beneficial for data exchange.
- Issuing actions: A security analyst should be able to issue manual actions when investigating, containing or correcting an alert, and the interface should allow a user to execute an action by selecting the data to operate on. An analyst should also be able to issue an automated collection of actions against an alert, which can be referred to as a "playbook."
- Action results: Action results should be available in a summary format (e.g., a table view) as well as in a more comprehensive format (e.g., JavaScript Object Notation, or JSON, a common data format), so that they are readily available and easy to view.
- Activity log: A comprehensive activity log displays a record of all actions executed against an alert, whether they were initiated manually or via an automation playbook. Each action should display its results, including an indicator of success or failure, making it clear whether the action was fully executed.
- Alert status, severity and sensitivity: Alerts should have a status indicator (e.g., "new," "open" or "closed"), a severity indicator and a sensitivity indicator (e.g., Traffic Light Protocol, or TLP, designations). Each indicator should be modifiable within the alert management interface, as well as from within a playbook.
- Alert collaboration: The interface should provide an area where analysts can collaborate, comment and provide information about an alert and all its relevant or miscellaneous data.

Case management

Case management takes a broader, cross-functional view of an incident's life cycle, from creation to resolution. Multiple alerts and/or events can be confirmed, aggregated and escalated as a single case. While alert management is usually technical and singular in its focus, case management can also incorporate non-technical steps into the process. Also, overall case volume is usually much lower than alert volume, with numbers typically in the single digits.

- Case data organization: All data relating to a specific case should be aggregated by the case management component. Displaying this information in a single location helps users digest everything without context switching.
- Adding data to a case: Relevant technical data should be attached to the case in question (e.g., source data, action results). Relevant non-technical data (e.g., notes, memos, emails, screenshots, recordings or any other arbitrary file with relevance) should also be included.
- Linking cases to alerts: Ideally, the case management interface should link to the alert management interface for each respective alert. This is especially handy if and when an analyst determines that a piece of data requires further investigation or a containment action needs to be taken.
- Mapping to existing processes: Most organizations have standard operating procedures for incident response, emergency, disaster and other critical situations. Case management should let the user define their processes and workflows (multiple stages, where each stage has one or more tasks and each task can be assigned an owner) and then save them as a template.
- Activity auditing: New or updated information, including status updates, should be logged in an audit trail and be easily exportable. Changes to a case might include: adding files or notes; modifying files or notes; completing a task; adding data; modifying data; modifying a stage or task.

Playbook management

Playbook management helps with the implementation and maintenance of standard operating procedures across an organization (and sometimes beyond). Ideally, this component has revision/version control and syndication management.

- Playbook organization: Analysts should be able to customize categories around different playbook groups. Groupings would be based on what works best or what is most applicable to the organization (e.g., sensitivity, organizational segments, asset types, themes).
- Custom functions: Beyond what is available out of the box (OOTB), users should be able to write custom code and/or functions. These functions should be shareable across multiple playbooks, with centralized code management and version control.
- Revision control and distribution: Integration with a version control system (VCS) is highly recommended for successful playbook management. At the deployment level, a VCS helps with the systematic distribution of playbooks. At the development level, a VCS is important for tracking changes and having the option to roll back updates if necessary.
- Bulk edits to playbooks: The inner workings of each playbook are likely to be unique. However, there are commonalities between many playbooks at the administrative level. A playbook management system should allow for bulk editing of playbooks, including: ingestion sources; enabling/disabling automatic execution; enabling/disabling safe mode operation; enabling/disabling enhanced logging; setting the playbook category grouping.

Automation editor

Analysts can codify processes into a playbook via an automation editor. Basic source code editors make this a difficult task; a visual automation editor, however, allows all security experts, regardless of their programming experience, to write playbooks at the source code level and to construct comprehensive and sophisticated playbooks. The visual editor should adhere to the Business Process Model and Notation (BPMN) standard, a graphical notation for specifying business processes. BPMN supports intuitive symbols for business users, while providing technical users with different ways to represent highly complex processes.

- User interface elements: The user interface should start with a canvas where visual playbooks can be constructed. This part of the interface should provide an area where a desired action can be specified (for example block_ip or file_reputation). Once an action is selected, parameters will be required to configure the action (which can be entered manually or selected from a list). The interface should also have a place for testing and debugging, with a seamless transition between edit and test modes, along with a source code view.
- Block-based representation of code: Using blocks to represent meaningful steps within an automation platform allows users to write comprehensive, complex playbooks without touching the underlying source code. Blocks should be connectable in a one-to-one, one-to-many or many-to-one fashion to dictate the order of execution.
- Inserting humans into the decision process: Supervised automation is a common requirement. This is where a human is inserted into an automation sequence to approve, review or augment continued playbook execution. A playbook author should be able to specify who should be looped in, along with the type of notification or level of approval desired, as well as the type of error to be alerted on in the event that one or more services are unavailable.
- Information exchange of action results: The automation editor's interface should make new information available as inputs, parameters, downstream actions, decision blocks, etc. The results of preceding actions should be accessible visually and selectable from a drop-down menu when populating the parameters of a downstream action.
- Access to playbook source code: While the playbook is constructed in the visual editor, its source code should be generated in real time and be accessible to the author. Some users may prefer to draft all (or part) of the playbook via a traditional source code method, which can be viewed in place of the visual editor. Switching between visual and source code modes should be seamless.
- Simultaneous visual and non-visual playbook construction: When working with a playbook's source code, the automation editor should allow the author to modify the playbook at the source code level and still be able to modify it at the visual block level. At times, the author may need individual blocks (like actions and decision blocks) to be modified at the source code level for customizations beyond the scope of the visual editor. When these modifications are made, a user should still be able to modify the playbook visually.
- Built-in testing, debugging and runtime logging: It is the industry standard for integrated development environments (IDEs) to provide execution and debug capabilities. When it comes to an automation editor, a user should be able to execute playbooks against a security alert and then observe the execution activity and results. The goal is to enable the author to quickly edit, test and debug playbooks within one interface.
- Safe mode: An automation editor should also provide a safe mode for new playbooks that need pre-production testing. This mode simulates the execution of actions against automation targets without making changes to them.
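The orchestrator requirements above (a data handler for incoming records, results normalized for downstream actions, fault tolerance when an app is unreachable, human supervision) and the automation-editor requirements (action and decision blocks passing results downstream, an approval prompt before a change-making action, safe mode, an activity log with a success/failure indicator) can all be exercised in a few dozen lines. The Python below is an added example written for this page; it is not Splunk SOAR code and does not use the Splunk SOAR playbook API. The CEF alert, the ReputationApp and FirewallApp stand-ins, the reputation threshold, the retry count and the continue/pause/abort approver are all constructed assumptions.

```python
"""Mini playbook runner: CEF data handler, action/decision blocks that pass results
downstream, an approval prompt before a destructive action, retry when an app is
unavailable, a safe mode that only simulates change-making actions, and an
activity log. All names, verdicts and the alert below are constructed examples."""
import json
import re

# Constructed CEF alert (not a real event); the hash value is illustrative only.
SAMPLE_CEF = ("CEF:0|ExampleVendor|ExampleSIEM|1.0|100|Malware download observed|8|"
              "src=10.0.0.5 dst=203.0.113.7 fileHash=44d88612fea8a8f36de82e1278abb02f suser=jdoe")


def parse_cef(line):
    """Data handler: normalize one CEF record into an artifact dict."""
    parts = line.split("|", 7)
    if not line.startswith("CEF:") or len(parts) != 8:
        raise ValueError("not a well-formed CEF record")
    artifact = dict(zip(["version", "vendor", "product", "device_version",
                         "signature_id", "name", "severity"], parts[:7]))
    artifact["version"] = artifact["version"][len("CEF:"):]
    artifact["severity"] = int(artifact["severity"])
    # The extension is "key=value" pairs; values may contain spaces, keys may not.
    artifact["fields"] = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]))
    return artifact


class AppUnavailable(Exception):
    """An integration could not reach its external service."""


class ReputationApp:
    """Stand-in for a file-reputation app; verdicts are constructed, not a real feed."""
    def __init__(self, fail_first=0):
        self.calls, self.fail_first = 0, fail_first   # fail_first simulates an outage

    def file_reputation(self, file_hash):
        self.calls += 1
        if self.calls <= self.fail_first:
            raise AppUnavailable("reputation service timed out")
        score = 95 if file_hash == "44d88612fea8a8f36de82e1278abb02f" else 0
        return {"hash": file_hash, "score": score}


class FirewallApp:
    """Stand-in for a firewall app whose block_ip action changes a target."""
    def __init__(self):
        self.blocked = []

    def block_ip(self, ip):
        self.blocked.append(ip)
        return {"ip": ip, "blocked": True}


class PlaybookRunner:
    def __init__(self, apps, safe_mode=False, approver=None, retries=2):
        self.apps, self.safe_mode, self.retries = apps, safe_mode, retries
        self.approver = approver or (lambda action, params: "continue")
        self.activity_log = []   # every action, its parameters, outcome and result

    def run_action(self, app, action, params, mutates=False, needs_approval=False):
        entry = {"action": action, "params": params, "status": "pending",
                 "attempts": 0, "result": None}
        self.activity_log.append(entry)
        if needs_approval:   # supervised automation: prompt returns continue/pause/abort
            decision = self.approver(action, params)
            if decision != "continue":
                entry["status"] = decision
                return None
        if self.safe_mode and mutates:   # safe mode: record it, do not touch the target
            entry["status"] = "simulated"
            return None
        for _ in range(self.retries + 1):   # fault tolerance: retry an unavailable app
            entry["attempts"] += 1
            try:
                entry["result"] = getattr(self.apps[app], action)(**params)
                entry["status"] = "success"
                return entry["result"]
            except AppUnavailable as exc:
                entry["status"] = f"failed: {exc}"
        return None


def malware_playbook(runner, cef_line, block_threshold=80):
    """Action -> decision -> action; each block's output feeds the next one."""
    artifact = parse_cef(cef_line)
    rep = runner.run_action("reputation", "file_reputation",
                            {"file_hash": artifact["fields"]["fileHash"]})
    if rep is None:   # lookup never succeeded: leave the decision to an analyst
        return {"verdict": "undetermined", "contained": False}
    if rep["score"] < block_threshold:
        return {"verdict": "benign", "contained": False}
    block = runner.run_action("firewall", "block_ip", {"ip": artifact["fields"]["dst"]},
                              mutates=True, needs_approval=True)
    return {"verdict": "malicious", "contained": bool(block and block["blocked"])}


def run_scenario(safe_mode=False, outages=1, approver=None):
    """Run the playbook once; return (verdict dict, firewall app, activity log)."""
    apps = {"reputation": ReputationApp(fail_first=outages), "firewall": FirewallApp()}
    runner = PlaybookRunner(apps, safe_mode=safe_mode, approver=approver)
    result = malware_playbook(runner, SAMPLE_CEF)
    return result, apps["firewall"], runner.activity_log


if __name__ == "__main__":
    verdict, fw, log = run_scenario()
    print(json.dumps({"verdict": verdict, "blocked": fw.blocked, "log": log}, indent=2))
```

Running the script prints the activity log as JSON (the "comprehensive format" the guide asks for): the first reputation lookup fails once and succeeds on the retry, the block is approved and executed, and each entry carries its attempt count and status. Running `run_scenario(safe_mode=True)` leaves the firewall untouched and logs the block as "simulated", and an approver that returns "abort" stops the playbook before the block while still logging the decision.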

App framework

The app framework offers an extensible interface for new integrations, connecting the platform to any of the thousands of point products available on the market today.

- Open ecosystem: A SOAR solution can lose its value over time if it fails to integrate with new or popular offerings on the market. To support these types of integrations, a SOAR solution should adopt an open ecosystem to promote app development. New technologies must also be quickly integrated without requiring any modification to the core solution.
- App development: App development is a key component of an open ecosystem, since it allows users to integrate with multiple technologies in support of their playbooks. A SOAR solution should streamline app development within the product itself, so that users can view, test, extend and edit existing apps, as well as create entirely new apps, all from the user interface.

Metrics and reporting

Metrics and reporting are necessary for understanding and quantifying pretty much anything, and a SOAR solution is no exception. While automation promises increased performance and productivity, metrics are the way to gauge its effectiveness and to identify where improvements can be made.

- Flexible dashboards: The metrics for success vary; they are usually specific to the organization or the individual, and can rely on many factors. That is why users need to be able to organize their key performance indicators (KPIs) in the way that makes the most sense to their organization. A SOAR solution should allow this data to be customized and organized accordingly.
- Performance reporting: Efficiency is usually the main driver behind automation. Understanding the quantitative performance gain and resource savings is key to justifying your investment. Examples of metrics that should be reported:
  - Mean time to resolve (MTTR).
  - Mean dwell time (MDT), defined as the period between a compromise by a threat actor and an appropriate response.
  - Analyst hours saved through automated execution.
  - Number of full-time equivalents (FTEs) gained through automated execution.
  - Average time saved per playbook run.
  - Money saved (FTE cost x FTEs gained).
- Security effectiveness reporting: Automation should also increase security effectiveness and the overall security posture of the organization. Understanding the total number of security alerts managed, along with the rate at which they are being managed, is another important justification. Examples of metrics that should be reported:
  - MTTR and MDT.
  - Total number of open alerts.
  - Alerts opened daily/hourly/weekly/monthly.
  - Alerts closed daily/hourly/weekly/monthly.
  - Performance against service level agreements (SLAs).
- App integration and playbook performance: Understanding the most frequently invoked playbooks can help shed light on where further investments can be made. Ideally, playbook design should strive for the automated closure of false positives or high-confidence true-positive alerts. To identify gaps in automation, as well as the effectiveness of tool integrations, the following metrics should be reported:
  - Alerts closed through automation (per hour, day, week, month or other timeframe).
  - Most active app integrations.
  - Most active actions (manual and automated).
  - Most active automated playbooks.
  - Playbook execution time.
  - Action execution time.
- Human workload: While automation is intended to close the human resource gap, there are still plenty of situations where an analyst needs to be involved in the day-to-day operations of a SOAR solution. These include manual triage and other actions required on an alert, or human approvals inserted into a playbook to achieve "supervised automation." The following example metrics should be provided to understand the human workload involved in the automation process:
  - Alerts assigned to an individual.
  - Alerts closed by an individual.
  - Average approval time.
  - Number of outstanding approvals.
  - Approvals required (per hour, day, week, month or other time window).
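As an added example (not from the guide, and not Splunk reporting code), the Python below computes the performance, effectiveness and playbook metrics listed above from a small set of constructed alert records, so that a buyer can see exactly what each number needs as input. The records, the assumed manual effort per playbook, the hours in an FTE-month and the FTE cost are all assumptions; dwell time is measured from the recorded compromise time to the alert's closure, following the guide's definition, and is only computed for alerts where a compromise time is known.

```python
"""Compute the performance, effectiveness and playbook metrics listed above from
a SOAR activity record. Added example: the alert records, the manual-effort
baseline per playbook, the hours per FTE-month and the FTE cost are all
constructed assumptions, not figures from the guide."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean


def _t(s):
    return datetime.fromisoformat(s)


# Constructed alert records: when opened/closed, who closed them, which playbook
# closed them, and (where known) when the underlying compromise happened.
ALERTS = [
    {"id": 1, "opened": _t("2024-03-04T08:00"), "closed": _t("2024-03-04T08:05"),
     "closed_by": "automation", "playbook": "phishing_triage", "compromise": None},
    {"id": 2, "opened": _t("2024-03-04T09:00"), "closed": _t("2024-03-04T10:30"),
     "closed_by": "analyst_a", "playbook": None, "compromise": _t("2024-03-03T22:00")},
    {"id": 3, "opened": _t("2024-03-05T11:00"), "closed": _t("2024-03-05T11:02"),
     "closed_by": "automation", "playbook": "malware_block", "compromise": _t("2024-03-05T10:40")},
    {"id": 4, "opened": _t("2024-03-05T12:00"), "closed": None,
     "closed_by": None, "playbook": None, "compromise": None},
]
MANUAL_BASELINE_MIN = {"phishing_triage": 20, "malware_block": 45}  # assumed manual minutes
FTE_HOURS_PER_MONTH = 160      # assumption: one analyst-month
FTE_MONTHLY_COST = 10_000.0    # assumption: fully loaded monthly cost, arbitrary currency
SLA = timedelta(hours=1)       # assumption: resolve within one hour


def closed(alerts):
    return [a for a in alerts if a["closed"] is not None]


def minutes(start, end):
    return (end - start).total_seconds() / 60


def mttr(alerts):
    """Mean time to resolve, in minutes, over closed alerts."""
    return mean(minutes(a["opened"], a["closed"]) for a in closed(alerts))


def mean_dwell_time(alerts):
    """Mean dwell time in minutes: compromise to response, where the compromise time is known."""
    return mean(minutes(a["compromise"], a["closed"]) for a in closed(alerts) if a["compromise"])


def open_alert_count(alerts):
    return sum(1 for a in alerts if a["closed"] is None)


def alerts_per_day(alerts, field):
    """Alerts opened or closed per calendar day as {date: count}; field is 'opened' or 'closed'."""
    return dict(Counter(a[field].date().isoformat() for a in alerts if a[field]))


def sla_performance(alerts, sla=SLA):
    """Fraction of closed alerts resolved within the SLA."""
    done = closed(alerts)
    return sum((a["closed"] - a["opened"]) <= sla for a in done) / len(done)


def alerts_closed_by(alerts):
    """Closures per closer: 'automation' versus individual analysts."""
    return dict(Counter(a["closed_by"] for a in closed(alerts)))


def automated_closures(alerts):
    return [a for a in closed(alerts) if a["closed_by"] == "automation"]


def most_active_playbooks(alerts):
    return Counter(a["playbook"] for a in automated_closures(alerts)).most_common()


def analyst_hours_saved(alerts, baseline=MANUAL_BASELINE_MIN):
    """Hours saved = assumed manual effort minus actual playbook time, over automated closures."""
    saved_min = sum(max(baseline[a["playbook"]] - minutes(a["opened"], a["closed"]), 0)
                    for a in automated_closures(alerts))
    return saved_min / 60


def average_minutes_saved_per_run(alerts):
    runs = automated_closures(alerts)
    return analyst_hours_saved(alerts) * 60 / len(runs) if runs else 0.0


def ftes_gained(alerts, hours_per_fte=FTE_HOURS_PER_MONTH):
    return analyst_hours_saved(alerts) / hours_per_fte


def money_saved(alerts, fte_cost=FTE_MONTHLY_COST):
    """The guide's formula: FTE cost x FTEs gained."""
    return fte_cost * ftes_gained(alerts)


def report(alerts=ALERTS):
    return {
        "mttr_min": mttr(alerts), "mean_dwell_min": mean_dwell_time(alerts),
        "open_alerts": open_alert_count(alerts),
        "opened_per_day": alerts_per_day(alerts, "opened"),
        "closed_per_day": alerts_per_day(alerts, "closed"),
        "sla_performance": sla_performance(alerts),
        "closed_by": alerts_closed_by(alerts),
        "most_active_playbooks": most_active_playbooks(alerts),
        "analyst_hours_saved": analyst_hours_saved(alerts),
        "avg_min_saved_per_run": average_minutes_saved_per_run(alerts),
        "ftes_gained": ftes_gained(alerts), "money_saved": money_saved(alerts),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Two points the numbers make visible: the open alert (id 4) is excluded from MTTR and SLA figures but counted in the backlog, and "hours saved" depends entirely on the manual baseline you assume per playbook, so that baseline should be measured from your own pre-automation workflow before the FTE and cost figures are used to justify a purchase.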

Platform attributes

Platform attributes may be more qualitative in nature. Considering this, the following criteria are evaluated more often through observation of and interaction with the platform.

Deployment options

A SOAR solution should support on-premises, cloud or hybrid deployments. While some organizations may prefer on-prem, others will invariably prefer a cloud-based solution. The type of delivery or deployment you decide on will largely depend on the needs of your organization, like budget, storage and security requirements, as well as how best to streamline security operations and facilitate digital transformation within the scope of your existing framework.

Community-powered

Ideally, a SOAR solution should support a community model by adopting an open ecosystem for app development. This helps promote long-term success by avoiding vendor lock-in, and technologies can easily transition in and out without negatively impacting automated playbooks. The ever-evolving nature of security also fuels the need for professionals to work together to share playbooks, best practices and strategies for dealing with the latest threats.

- A large and active community: Most users prefer to draw on the experiences of other like-minded users. A large and active user community provides the opportunity to share playbooks and apps, or to brainstorm ideas for new automation use cases. To facilitate an exchange of ideas, connecting users within the community is crucial. Messaging/communication tools in particular are an effective means of technical and design support, providing answers to questions and brainstorming on automation use cases.

Collaborative

Collaboration improves feature completeness, application integration and automated playbooks that address an evolving range of scenarios.

- Collaboration across the community: From a content perspective, user and vendor content should be accessible from a centrally located repository. This includes technical contributions, such as playbooks and app integrations, as well as non-technical contributions such as presentations, tech notes, blogs and other documentation.
- Collaboration across the platform: A SOAR solution should help users collaborate across varying circles of trust. The solution should support collaboration on sensitive information across privileged groups within the organization's security team.

Cognitive

A cognitive SOAR solution applies knowledge from humans, along with previous observations, to guide future decisions. This is codified into the system in the form of playbooks. The methodology is based on execution statistics, characteristics of ingested data and action results. This information can be used to recommend individual actions, playbooks, or a set of actions in a sequence that would form a playbook. It is important to understand the current cognitive abilities of a SOAR solution, as well as the cognitive strategy and roadmap for future iterations.

Dialable automation

Teams usually adopt automation use cases one at a time, slowly building up trust in the system. To help this along, a SOAR solution should support a set of features that allow selective human interaction with the automated playbook. Inserting humans into a workflow should be possible on a per-asset (point security tool or technology) or per-action basis. The former (per-asset) should notify the asset administrator each time an action is executed on that asset. The latter (per-action) should insert a prompt at any point in an automated playbook. The prompt gives the user the option to continue, pause or abort the request. This level of supervision allows users to gain confidence in the programmed steps.

Secure

Unsurprisingly, one of the most important aspects of a security automation and orchestration solution is security. A SOAR solution holds authentication credentials and other highly sensitive information, so it must encrypt that information and support a robust role-based access control facility. Security best practices of a SOAR solution include:
- Support for authentication management systems.
- Support for multi-factor authentication.
- Encrypted security credentials.
- Credentials that are not stored in memory.

Scalable

A SOAR solution needs to be able to scale vertically and horizontally. As an organization adds use cases over time, there will be an even greater processing load to consider. The solution should be designed to allow vertical scaling by increasing hardware resources (for example CPU and RAM), as well as horizontal scaling by increasing the number of server instances supporting the deployment.

Open and extensible

Security is always evolving, as evidenced by the multitude of point products available today. A SOAR solution should be designed for openness and extensibility. It should easily support new security scenarios, new products, new actions and new playbooks.

- Open integration framework: The net effect of an open integration framework is that technologies should be able to transition in and out of the platform without negatively impacting automated operations. Users should also have the option to develop additional integrations without relying on the SOAR vendor. Good examples of where this applies are homegrown applications, a custom or early-access API from a vendor, or a user choosing to extend the functionality of the automation platform. This open framework should follow a common standard and programming model. There should also be an abundance of documentation and examples available.
- No interface restrictions: Some technologies expose interfaces using REST APIs, SSH, syslog, custom APIs, or other protocols or methods. An extensible integration framework should not enforce restrictions on interface types. If there is connectivity to the point product or application from the automation platform, the method of interface should not affect the app integration, allowing any interface method to be used.

Mobile

A SOAR solution is designed to accelerate response times; in other words, to reduce dwell time and mean time to resolve. Rapid response means security analysts need to be reachable when a case or security prompt requires human intervention. But analysts are not always sitting at their desk with their laptop open, ready to answer prompts at a moment's notice. That is why it is important for a SOAR solution to offer access to, interactivity with and control of the platform from the convenience of the analyst's mobile device. This way, analysts can run playbooks on the go, review security artifacts and triage events without opening a laptop, respond to prompts from the palm of their hand, and always be reachable, whether they are sitting at their desk or on the go.

Ease of use

Though enterprise software is very rarely simple, it is possible to reduce the friction in deploying and using a SOAR solution.

- Installation and setup: A virtual appliance form factor makes deployment simple, as most organizations already use virtualization for other infrastructure.
- Onboarding: A SOAR solution can greatly help overcome the initial learning curve by using an onboarding process to help a user configure system settings, connect to a data source and activate their first few playbooks.
- Accelerate the time-to-automate: A SOAR solution should help users get started with automation quickly. This is achieved by supplying a robust set of automated playbooks out of the box. Empowering users to quickly draft, test and deploy automated playbooks is another significant accelerator.

Business considerations

No matter how great a company's core technology is, there are considerations outside of what is traditionally thought of as the product that can heavily influence a buyer's decision-making. One major consideration is the attributes of the company marketing the offering. Another consideration is the set of services offered by the company that augment the core technology to form the whole product that the buyer ultimately experiences.

Company

113、 attributesWhen making a decision about procurement,its important to consider the profile,qualityandfuturepotentialofthecompanyyouchoose.Therealityis that many new vendors with new solutions will fail.You should choose a company that has the strength to deliver on the promises they make.Company hist

114、oryThe vendor you select should have plenty of experience in developing security solutions.While security orchestration,automation and response is a relatively new segment of the market,its origins can be traced back many years.Its important to understand how the company was formed and how they deci

115、ded to pursue the SOAR segment.Ability to executeYou should look for a company that is supported by a seasoned team of experiencedprofessionals.Predictingacompanysabilitytoexecuteisoftendirectly linked to the track record of team members.Customer baseThequalityandprofileofacompanyscustomerbaseisaref

116、lectiononthecompany itself.Sophisticated enterprise customers perform rigorous diligence on a potential vendor in several areas prior to making a purchase.Awards and recognitionLook at the companys awards and other types of recognition theyve received.These are endorsements that prove the vendor and

117、 its products live up to their claims.Like the companies themselves,the quality of the awards vary as well.Ancillary servicesTheauxiliaryservicesthatacompanyoffersfortheirtechnologycangreatlyinfluence an organizations deployment and the success of a project.Professional servicesMaturity levels acros

118、s security operations can vary greatly from one organization to the next.Its important to consider whether the company provides professional services that increase the chances of a successful deployment.Its also important for subject matter experts to be available for service engagement to help buil

119、d processes(if lacking)and help convert manual workflows into automation playbooks.Post-sales supportMany startups provide excellent technology and presales support,only to stumble when it comes to post-sales support.Examine the range of support options and determine whether the company provides the

120、 type of support youll need.The SOAR Buyers Guide|Splunk16Splunk can take your team from overwhelmed,to in control.Spunk SOAR lets your team work smarter,respond faster and strengthen your organizations security defenses.Youll be able to automate repetitive tasks;triage security incidents faster wit

121、h automated detection,investigation and response;increase productivity,efficiency and accuracy;and strengthen your defenses by connecting and coordinating complex workflows across your team and tools.Splunk SOAR also supports a broad range of security functions including event and case management,in

122、tegrated threat intelligence,collaboration tools and reporting,as well as integrating your existing security infrastructure so that each part actively participates in the defense strategy,while all working in concert.More ways to integrateFor more ways to integrate,Splunkbase offers thousands of thi

123、rd-party security apps to connect and integrate with Splunk SOAR.Thanks to these integrations,Splunk SOAR can direct your security tools to perform a wide array of actions whether its asking VirusTotal to check file reputation or Cisco Firewall to block an IP.Splunk SOARs app model supports integrat

124、ion with over 350 tools and over 2,100 different actions,all available on Splunkbase.These ready-to-use apps,utilities and add-ons can help your team with security monitoring,next-generation firewall,advanced threat management and a whole lot more.The SOAR Buyers Guide|Splunk17Enter SplunkSplunk,Spl

125、unkandTurnDataIntoDoingaretrademarksandregisteredtrademarksofSplunkInc.intheUnitedStatesandothercountries.All other brand names,product names or trademarks belong to their respective owners.2022 Splunk Inc.All rights reserved.22-23828-Splunk-SOAR Buyers Guide-EB-101The SIEM Buyers Guide|Splunk 18To learn more about the Splunk SOAR,download the free Splunk SOAR Community Edition or ask sales for more information.Get Started.
