Since the adoption of robotic process automation, there has been a subtle expectation that automation is the future for many things that involve human processes. After all, if we can automate how we process payments or troubleshoot a problem, we should be able to save time, allowing us to do other things.
Abhishek Narula, chief technology officer at Fortinet’s SOAR business unit, describes how cybersecurity works:
In the detection phase, big data and analytics are used to understand what could be going wrong. Alerts are sent to analysts, who follow a step-by-step process (a workflow or playbook) to understand what is happening and eventually decide whether an incident is benign or a threat.
According to Narula, SOAR, or security orchestration, automation and response, follows this recipe and converts the event into a flow chart, or an automation playbook. He clarifies that for SOAR to work there must be a process: no process in place, forget SOAR.
He opines that for SOAR to be applicable, there needs to be some level of maturity in how an organisation processes cybersecurity events. “A threat is never a single alert,” asserts Narula. “The ability to put events together as a threat chain forming an adversarial action is the capability that SOAR brings.”
In cyber warfare, AI is fair game
Narula concedes that artificial intelligence (AI) is not exclusive to either party – defenders or adversaries. Both sides have access to the same services and resources. He acknowledges that adversaries are already using AI to widen their range of attack vectors by identifying new opportunities.
Defenders, in his view, should use the same technology.
Automation is not the end-all
Narula commented that when SOAR first came to market, the automation piece of the solution drew negative attention. “People saw the word automation and assumed it would take away their jobs. People resisted, failing to see the overall value of the solution,” he added.
He pointed out that many SOAR products in the market cover threat and vulnerability management, incident response, and security operations automation. As a technology, SOAR pulls data from different sources, processes it and provides incident response.
It starts to deliver value as the number of Security Operations Centres (SOCs) from which it pulls data increases. It is this pooling of data, expertise and experience that gives SOAR its value to CISOs and the SOC team.
SOAR adoption
Narula acknowledged that SOAR is widely used by managed security service providers (MSSPs). He pins adoption among MSSPs at 100% and at over 90% among enterprises in the region. He posits that even among MSSPs some will likely have realised that whichever SOAR solution they picked up initially is no longer helping them today, and that they are heading towards more customisable, platform-play SOAR approaches.
“I have seen some competition being replaced recently in Asia, even in cases where they have been using one of our competitors for three years. There is even a case of a premium platinum partner of a competitor using their SOAR, selecting FortiSOAR because of its platform-play,” revealed Narula.
A better approach to SOAR
Narula argues that while some SOAR tools do attempt to provide modules for incident response, that is still just one aspect of SOC work. He proposed a better definition for SOAR – streamlined operations and accelerated response.
To achieve this streamlined operations objective, he opined, it is essential to have one console to see and analyse everything, and from there to drive a consistent response.
How SOAR connects with SIEM
SOAR products consume alerts (threat detections) from SIEM, EDR, NDR and many other sources, so SOAR necessarily sits above these products.
Small organisations that use only, for example, EDR (or SIEM) may choose the automation capabilities integrated in those products, but automation is just one third of SOAR.
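The playbook flow described above (alerts from several detection products assembled into a threat chain before an analyst decides benign or threat) and the point that SOAR sits above SIEM, EDR and NDR, as one added example. This is illustrative code, not FortiSOAR or any Fortinet code; the stage names, the one-hour window and the three-stage threshold are assumptions, and the alerts are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Stages of one adversarial action, in the order the playbook expects (assumed).
CHAIN = ("initial_access", "execution", "c2", "exfiltration")
WINDOW = 3600    # max seconds between consecutive chained alerts (assumed)
THREAT_MIN = 3   # chained stages needed before escalating (assumed)

@dataclass(frozen=True)
class Alert:
    source: str  # detection product that raised it: SIEM, EDR, NDR ...
    host: str
    stage: str   # chain stage the detection maps to
    ts: int      # epoch seconds

def build_chains(alerts, window=WINDOW):
    """Per host, keep the longest run of alerts whose stages advance along CHAIN, each within `window` s of the last."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    chains = {}
    for host, items in by_host.items():
        best, run = [], []
        for a in sorted(items, key=lambda x: x.ts):
            if a.stage not in CHAIN:
                continue  # not part of the modelled action
            idx = CHAIN.index(a.stage)
            if not run or (idx > CHAIN.index(run[-1].stage) and a.ts - run[-1].ts <= window):
                run.append(a)  # extends the current chain
            elif idx == 0:
                run = [a]  # a fresh chain starts here
            best = max(best, run, key=len)
        chains[host] = best
    return chains

def triage(alerts):
    """Decision step: verdict plus the products that contributed, per host."""
    return {host: ("threat" if len(chain) >= THREAT_MIN else "benign",
                   sorted({a.source for a in chain}))
            for host, chain in build_chains(alerts).items()}

# Constructed alerts: host-a shows a three-stage chain seen by three products; host-b's two alerts are too far apart to link.
SAMPLE = [
    Alert("SIEM", "host-a", "initial_access", 1000),
    Alert("EDR", "host-a", "execution", 1300),
    Alert("NDR", "host-a", "c2", 2500),
    Alert("EDR", "host-b", "execution", 1000),
    Alert("NDR", "host-b", "c2", 9000),
]
```

No single alert here is a threat on its own; the verdict comes from the chain, which is the point Narula makes.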
Partnership
For some time now, governments and regulators have been prompting industry players and the consumers of their solutions to form partnerships. This is to counter the seemingly organised way in which criminal elements have banded together to take advantage not only of economies of scale but, more importantly, of community expertise – cybercrime-as-a-service.
Narula opined that there is a clear recognition that if you do not partner and only play an exclusive game, the runway is limited. “I am a firm believer in partnership. From my perspective, go ahead and go far. And that is reflected in the product as well.”
One last thing
Asked to offer one piece of advice for those looking at securing the enterprise, he opined that SaaS and convergence are the themes happening right now.
“The C-suite’s main responsibility is security, not the infrastructure. They shouldn’t be getting into the problem of ‘here I need to upgrade my software or add more RAM’. SaaS providers are the way forward,” says Abhishek Narula.
He sees convergence as a second theme and elaborates with a query: “Why should I have 8 or 9 different technologies from 10 different people? Who should I go to if something goes wrong?”
“These are the trends that are going to happen. Look out for those things,” he concluded.