Zac Abbott: Hello and welcome to Explain IT brought to you by Softcat, the show for IT professionals, by IT professionals, that aims to simplify the complex and often overcomplicated bits of Enterprise IT without compromising on the detail. Welcome back to another episode of Explain IT, I'm your host Zac Abbott and over the next 30-ish minutes I'll be challenging our panel of experts to take a different area of the IT ecosystem and, of course, explain it. In this episode we’re talking about SOAR technology; what it is, why an organisation should care about it and what its future is. Joining me today to discuss this are Adam Louca, Softcat’s chief technologist for cybersecurity, and Matt Rhodes, senior channel manager for Demisto at Palo Alto Networks. Matt, Adam, welcome to the show, thank you very much for joining us today. Now before we get into the techy bit it is time for the most important question you'll be asked today. I have one free space on my playlist for a song, what song should I add and why? Adam?
Adam Louca: So for me, hopeless romantic, Sweet Disposition by The Temper Trap, because it was my first dance song at my wedding to my wife.
Zac Abbott: Cute, cute winning some points there as well.
Adam Louca: 100%
Zac Abbott: I hope she’ll be able to listen to that, nice. And Matt?
Matt Rhodes: So for me it's got to be the staple song, Good as Gold by Beautiful South, with the lyrics “got enough money for one more beer, so carry on regardless.”
Zac Abbott: Nice. Ok I'm going to add, purely because I love it as well, Sweet Disposition. One point to Adam. Thanks for playing guys. Now let's take a look at SOAR technology. So Adam, what are SOAR technologies?
Adam Louca: So SOAR itself stands for security orchestration, automation and response, so it's any group of technologies that allows you to take the vast multitude of IT security solutions that you'll have in your environment, take certain inputs from them and, based upon a script, based upon a set of actions, perform some sort of outcome. So typically what these tools are used for is to automate certain repeatable tasks within your IT security infrastructure.
Zac Abbott: Alright, and why does it exist?
Adam Louca: So when we think about the vast number of IT security products that we've got out there, the reality of it is that most of them don't integrate together, even the ones by the same vendors typically don't even integrate together, they’re built on different platforms, they have different data architectures, they have different control layers and really what the SOAR platforms attempt to do is bridge the gap between all these different parts of your technology to allow them to work towards a single common goal and I think that's what makes the technology area so interesting and so unique is that unlike a lot of areas that are trying to do one particular part of the ecosystem, what this is really about is about bringing everything together and about gluing it together so that stuff works in harmony rather than works against each other.
Matt Rhodes: I think as well, and one thing we’re absolutely seeing from a customer landscape perspective with SOAR is that we're not talking about the most complicated tasks out there that security operations or operations teams are doing today, we're actually looking at the very basic tasks that are very time consuming and we’re automating that part which is probably 90% of what an operations team’s doing today is the small manual repetitive tasks rather than looking at those complicated tasks in the first instance.
Zac Abbott: Right, so Matt, I guess it's all about driving those high value activities versus that run-rate stuff that doesn't have a lot of value but still needs to be done, really.
Matt Rhodes: Absolutely, it's moving your humans, your security analysts that you've paid probably very good money for to do the jobs that they're not getting around to doing today, the threat hunting of this world, the really serious and proactive based security and we’re moving them away from the reactive nature of security which is generally what they're having to do today because of the volume.
Zac Abbott: And Matt, I guess one of the things we see very regularly is the key challenges to retention and attraction of cybersecurity talent. I guess by using these types of technologies it takes those boring tasks away from them, gives them more time to train, gives them more time to actually work on the interesting end of it?
Matt Rhodes: Absolutely, so the turnover within the security analyst world is around two years and, bearing in mind that it takes around six months to get people up to speed through training, the actual return that you get from those security analysts can be limited at times. And then they move on because they start a job, or they come into the security analyst world, because they want to do things like threat hunting, the cool stuff that comes as part of that job, but actually they’re doing repetitive manual boring work, so they're moving on to the big banks or some other organisations that can offer them that. As well as retention, it also means that if you have a SOAR technology, or if you’ve invested in a SOAR technology, recruitment becomes a lot easier as well because you don't need as many security analysts out there. It is a very small market, it’s a very small pool of people, but if you're automating a lot of your tasks, then your recruitment need becomes less, because you've now probably got the right number of people to do what you need to do just by automating a lot of the processes.
Zac Abbott: Does that mean that I should only look at SOAR if I've already got a SOC?
Matt Rhodes: Not necessarily. So if you’ve got a SOC already then obviously the benefits and the processes that you can automate are going to be very clear and ROI is going to be very quick, however all types of organisations, no matter what size, will have problems when it comes to security alerts. So if they have current processes around phishing, or current processes around how they deal with alerts coming out of the SIEM, they don't have to be a large organisation, they don’t have to have a SOC to have those processes in place, but they’ll still be having the same challenges as some of the larger companies, larger organisations, because they are having that alert fatigue, and they may have only one or two members of staff rather than 10 or 20 members of staff.
Zac Abbott: Do you want to quickly just explain what a SOC is for people that might not necessarily know?
Adam Louca: So a SOC is a Security Operations Centre and it's where, typically, your security staff would work; they’re also known as the blue team. So they’re there to defend the organisation. They will typically deliver a number of key functions: they'll deliver the log management, so looking for threats; they’ll deliver threat hunting; they’ll also deliver incident response, so managing when something goes wrong, making sure that triaging and working through security incidents takes place; and they’ll also often be dealing with things like vulnerability management, so both the detection of vulnerabilities in systems but also managing that patching process and holding the operations teams to account. So they're a really key part of delivering your cyber security strategy, or at least delivering some of those functions of a SOC. Interestingly, depending on the size of the organisation, you might choose to have that internally, run it as a hybrid, so that's where you would keep certain tasks in house and others outsourced, or you might choose to go to a fully outsourced model. But for me, as an organisation grows its cyber security capabilities, it's a real sign of maturity when they reach that point where they feel that actually we need a SOC because we need that full-time management of this problem.
Zac Abbott: Sure. And with the SOAR technologies themselves, is this a recent development or is it an amalgamation of technologies that we've had for a while, how has it evolved, that sort of thing?
Adam Louca: I think it's quite interesting, my personal view on this is it's something that's really grown out of the RPA and automation realms. I think RPA - robotic process automation - is something we’ve talked about for a little while now, but essentially it's that idea that automation is for everyone, so everyone, if we’re doing something more than once we should probably automate it. But this is the application of those technologies with the security slant on it. So for me it's an evolution of an existing technology, I'm not sure, Matt, whether you've got an opinion on that?
Matt Rhodes: Yeah absolutely, I think the process element of SOAR, automating certain security actions, is not new. People have been scripting, people have been doing homebrew stuff for many years now, but obviously that takes time, that takes certain types of people, that takes certain types of expertise. We've now got to a point within cybersecurity where we need a lot of that work to be done for us, because of the amount of alerts, the amount of events; we need to do much more than just single processes when it comes to automation. So the whole SOAR market has exploded over the last couple of years because we've reached a tipping point where we need more of a platform-led approach across a number of different use cases rather than just singular ones. But also, from a technology perspective, there are now technology partners out there that are delivering this in a very manageable way, so before, like I say, it was homebrew, it was down to coding, whereas now you’re getting vendors that will deliver all of that coding as a service, so you can take those technologies and you can deploy and deliver that how you wish within your own environment.
Adam Louca: For me it feels like that evolution of, do you remember a couple of years back, everyone was like, “Hey, it's got an API,” as if somehow that would magically fix all your problems. It's like, “Oh it's got an API, it’ll do whatever you want,” which was basically the answer, “Hey, you probably need to finish programming this because we couldn't be bothered.” Whereas SOAR kind of bridges that gap because it allows you to not be an expert coder, but build if-this-then-thats to say, “If this thing does that thing, then do this other action,” which is something you could do as an IT generalist to get that result, versus the very specialised skills you were talking about, actually writing your own scripts and really understanding it at a much deeper level.
Zac Abbott: Would you say SOAR tech eliminates the need for solutions like SIEM solutions and things like that, or does it work alongside them?
Adam Louca: So it 100 percent works alongside SIEM. SOAR doesn't work on its own, it is only the gluey bit, so without any good inputs from a SIEM, from a firewall, from anti-virus, from whatever, and without anywhere to send the output to, it’s pretty useless. It doesn't have a lot of intrinsic value on its own; its value is really to bring your products together.
Matt Rhodes: Yeah, and probably to add to that is, we come across that question a lot as Demisto: will this replace my SIEM? Is SOAR, long term, going to replace SIEM? And the answer is no. And it very much also depends on the customer, because a lot of people will buy a SIEM technology as that big data log dump for compliance reasons, however you then need to add a hell of a lot of context to that type of data in order to get out of it what you need to get out of it, so that's exactly where SOAR comes in. As Adam says, it sits over the top, it takes that information, it takes that data, it takes the events coming out of that technology and it starts actioning that, it starts responding to those events, because at the minute that is being left to security analysts that, first of all, won't understand what's going on, and then, second of all, hopefully have the time and the ability to be able to respond to it.
Zac Abbott: Ok so we've talked a little bit about what SOAR is, but for an organisation, why would they consider it, or why should they consider SOAR?
Adam Louca: Probably two key reasons - one, you're looking to increase the number of actions that your SOC or your analysts can perform, so that’s increasing the rate of flow, so every day there's only so many hours in the day, let's make sure the analysts are working on the high value activities, so that's the obvious one, or the first bit. The second bit for me is actually, I think the more powerful end of this is the standardisation of approach that you can perform. So one of the great things about robots is they do the same thing again and again and again. One of the great things about humans is that they are creative and they do things differently and it allows us to grow and do all this interesting stuff. We’re really bad at following process. Even the most process-oriented of us will, at some point, not follow it to the letter. So by having a SOAR technology, it allows us to define exactly how we want the machine to act every time so we capture the same information, we gather the same details, react in the same way, so as an IT professional, it means that I can come back at the end of the year knowing that every single incident that I've had of that single type has been managed in exactly the same way, that the data has been captured in the same way, so that when I do my analysis, I know that no mistakes have been made, that the process has been followed every time and it also means that if I want to change how I respond to something, I make one change centrally knowing that that new approach, that new technique, that new pathway or that new procedure will be instantly performed and it will be performed that way every time. Whereas you think about trying to train a team to change the way they work, you're not going to just do one training session and everyone's going to suddenly change how they do it. So it's that instantaneous response to the way you approach a problem.
Matt Rhodes: I think, as well as that, as well as the structure, as well as the process that Adam spoke about then, the actual speed of the response is very key as well. What we're seeing is more and more alerts hitting security operations on a daily, weekly basis, up to thousands of alerts a week that the security analysts are having to deal with. Now first of all you need to automate a lot of that out, because probably 99% of those alerts don't really need too much investigation; there may be a false positive, there may be a duplicate, it may be phishing, it may be something similar to that, that can be completely automated out. So first of all you're getting your security analyst working on the alerts that are probably the most important, or potentially the ones that could lead to a breach, so it's kind of narrowing down the focus, and second of all, if we're able to remove the manual processes from those investigations, then suddenly a response of 4 to 5 hours may turn into a response of 4 to 5 minutes. Which suddenly means that if there is a breach active within your environment and you’re responding to it and removing that threat within 4 to 5 minutes rather than 4 to 5 hours, then the risk to the business is considerably reduced.
Zac Abbott: You have your security solutions in place, how easy is it to integrate SOAR technology into that?
Adam Louca: The standard consultant answer is, it depends. But the truth of it is, relatively easy in most scenarios. So if your solution is common, if it's widely deployed, if it has an API already, it's likely that an integration will already exist, and one of the key things at Softcat we would tell customers to look at when they're assessing this market is to look at the integrations that exist for the technology you're looking at. One of the things that makes this technology a lot easier is if you buy a solution that's already got all your solutions integrated into it: you've not got to write any of your own code, you've not got to do any of that integration yourself. So when you are assessing this market, make sure you bring a list of all the tech you've got and say, “Hey Mr SOAR vendor, do you do all of these different pieces of tech?”. If they say yes, then brilliant, that's going to make your integration a lot easier. That being said though, if you're not on the list it doesn't mean you’re out of the party, it just means there is going to be some additional work required to integrate that technology.
Matt Rhodes: Yeah, Adam’s absolutely correct. The good SOAR vendors out there have hundreds of vendor integrations, from all the popular ones down to probably some of the bespoke ones that organisations have as well. However, outside of how easy the integration is, there is how easy the operationalisation of it actually is, and that comes down to understanding the use cases. So we get a lot of customers come to us and ask what they should integrate into their SOAR technologies, and the simple answer is, well, you can integrate a lot of things into it, it depends what you want out of the back of it. Are you trying to automate your phishing process? Are you trying to automate what's coming out of your EDR solution? The use case that we're trying to automate will very much determine what it is that we need to integrate with it, because not every system needs to be integrated with a SOAR if that's not part of the use cases that you're trying to automate.
Adam Louca: Yeah, and I think that's the thing isn't it, getting people to take it back up a level, get it out of the tech into, “What are you actually trying to do?”. And it's amazing how quickly that question becomes very difficult to answer, so I think we've often spent a lot of time investing in new tech without actually looking at the threat models, without actually looking at your incidents. One of the things you could try doing is looking back over the last 12 months and doing a bit of a meta-analysis on all your incidents to say, “Well, what am I actually seeing happen? What's happening repeatedly?” and that might start to lead you towards some good use cases out of the box.
Matt Rhodes: And that's absolutely the way we should be speaking with customers and the way customers should be looking at it, so they can understand the benefits that they're going to get out of it, because if we can go there and understand their processes and we can understand what's taking their security analysts’ time and we can remove that, or at least reduce that, then suddenly you're saving them cold hard security analyst hours, which is very easy to justify then as how that's going to be a benefit to the business.
Adam Louca: Which is a nice change for security.
Matt Rhodes: Exactly - ROI, who would have thought it?!
Adam Louca: ROI and security, you heard it here first! Rather than, it's just better.
Zac Abbott: Ok so we've talked a lot about the advantages of SOAR technologies, are there any disadvantages we should be aware of?
Adam Louca: One of the things you do have to be careful with, as with all automation technologies, is that if the automation is either incorrectly set up or for some reason receives a parameter that nobody anticipated, actually you could have your SOAR technology go rogue. So it could start to take actions that maybe you hadn't anticipated, that could have a large impact on the environment. So make sure that you manage the boundaries within which your SOAR can act: that could be the number of machines it can impact in a single action without some human interaction, it might be keeping some activities locked out without some human approval, so you might be happy for it to lock a machine off the network but you're not happy for it to wipe a machine without a human interacting with that. You might be happy for it to take an action on one machine but not 1000 machines, or it might be allowed to do it on all these low-level systems, but not on this gold-tier application that needs to run 24/7.
Zac Abbott: Ok, so would you say there are specific markets or organisations that SOAR is extremely applicable to, or is it something that is generally a good idea for everyone?
Matt Rhodes: So if we’re going to look at this from a security landscape, then obviously the biggest security teams will see a quicker and a bigger ROI from a SOAR technology, so if they have SOC-type environments or if they have security operations teams then absolutely they’re going to see an ROI from that, because they have those processes, they have those people, they are dealing with the challenges day in, day out. So I wouldn't say there’s a specific market in terms of verticals, because if you are at a size where you are having an alert problem, you are having a people problem, you are having an efficiency problem, it doesn't matter what sector you're working in, this will go across the board. Like I say, moving forward, I think there’ll absolutely be a play for that smaller end, and some of our managed service providers like Softcat can help us explore how we can target that smaller end of the market, the 100, 200 seats, but right now the focus is mid-Enterprise onwards.
Adam Louca: I think, interestingly, the market segment really depends on how you get your money signed off. So as Matt said, the obvious choice for these technologies is people who are going to save people costs. Now I think what might be interesting as this market develops is that we will see organisations that actually struggle to hire people choose to spend that money investing in technology like a SOAR platform, because I see a lot of organisations who seemingly can spend relatively large amounts of money on licences, hardware, software, but the idea of putting a £40,000 or £50,000 person on the payroll is much more difficult to get signed off. So actually I can see an environment whereby we see people starting to invest in technology where they potentially can't invest in people, and they use that to start to scale out and build out their security automation and security processes.
Zac Abbott: Ok, so do you have any real-world examples of a SOAR solution benefiting an organisation in any way?
Matt Rhodes: So we have a number of use cases that we consistently use across all of our customers. Probably the top one for Demisto, and most SOAR solutions out there, is phishing. In the very early days we built an automated phishing playbook that is out of the box and that a lot of our customers use quite extensively. And if you think about what happens when a phishing attack is investigated, it’s generally sent through to a help desk inbox, and that inbox is being managed by some security analyst. They have to then, first of all, enrich that, they have to add context to that, they have to understand who it's come from, is it high priority, is it low priority, they will need to check whether that phishing email is a singular attack or whether it's elsewhere across the estate, they’ll probably check threat feeds, they’ll probably use EDR-type technologies or sandboxing-type technologies in order to be able to investigate that thoroughly, and that takes time. That's a number of different technology sets that the security analyst has to go to and has to use in order to be able to enrich and understand exactly what's happening within that investigation, and then finally respond to it and close it out in the appropriate way. A SOAR technology like Demisto can absolutely automate that entire process, and, because phishing is still probably the most widely used attack when it comes to trying to penetrate an organisation because of how simple it is, we had one organisation that was getting hundreds, if not thousands, of phishing emails every week, and if it takes on average 2 hours to investigate a phishing email then you can do some very quick, simple maths to see how much time was being wasted by a security team on a simple task like phishing.
You put a Demisto-type or a SOAR-type solution in there and suddenly you can automate that entire process, so you’re taking away that 2 hours per phishing email for the organisation, for those security analysts to be able to go and do some other work. So the ROI, the time saving, is very simple to understand and to grasp, and, as I mentioned, the response time to that, rather than having to do all those manual processes that take time, you can automate that entire thing and do it within 4 to 5 minutes, so you’re actually responding to the attack in a lot more structured and a lot quicker way, as well as making your team a lot more efficient.
Zac Abbott: So we've had a look at what SOAR technology is, and we have a better understanding of that now and also why organisations should consider SOAR, so if SOAR solutions are available now, what does the future hold and how do you see that technology evolving?
Adam Louca: As this is a relatively new and emerging area of technology, I think we've probably got a few years before it becomes embedded and a standard part of most organisations’ toolkits. So I would say in the short to medium term that's really going to be the key development for SOAR. I expect to see it drop out of the Enterprise market into the mid-market and become a generally applied technology. I wouldn't be surprised if we see most security vendors coming out with their own flavours of SOAR, and people starting to use SOAR as a way to lock people in, or potentially encourage people to buy into a platform ecosystem. So lots of different vendors integrating their products together with SOAR-like technologies. I think when we’re looking out to the far future I would expect to see things like AI and machine learning being used to detect anomalies and to classify different data that is input into the system, and allow the technology to be more clever when taking certain pathways, so the technology will become even more automated so it can run on its own without human interaction.
Matt Rhodes: Yeah, I think what SOAR’s given us today is very much the platform to build from. So as we mentioned, it is very widely used across security operations centres and within security teams, and it has all the use cases, the playbooks, built in there. I think that gives us the platform to now start understanding how else it can be used. I mentioned that it could be used in a non-security instance, so there'll be non-security use cases and non-security operations teams that will start embedding this type of technology into their working lives, but as we evolve as organisations, as we go into new paths of doing business, then what I'd expect to see immediately, from a security point of view, but more from an operations point of view moving forward, is SOAR underpinning all of that and allowing that automation of process to happen.
Adam Louca: It's interesting Matt, do you see that... obviously that's great from a SOAR perspective developing into other use cases, do you think there is a risk for the SOAR industry that actually it may be consumed by robotic process automation or other areas that may be ops tools today coming into the security ecosystem, so almost in reverse?
Matt Rhodes: Absolutely, and as we see that industry grow and develop then we'll need to understand how it crosses barriers, if you like, but there's always going to have to be some sort of human decision, some sort of human element that has to go into this, and those humans are going to have to work off some sort of platform that they trust, that they understand, that can give them the capability that they need. Whether it be robotics, whether it be other types of automation or AI that comes into the workplace, I still believe that you’re going to have to have that platform that sits behind everything, that integrates things together, in order for human beings to actually understand and see what's going off. Even if it's fully automated, you’ll still need visibility of that process and what's happening.
Zac Abbott: Follow-up question; do you think there are, or are there any, alternative technologies available that provide similar solutions to SOAR?
Adam Louca: Fundamentally SOAR technology is part of a group of automation technologies, so as Matt was saying before, there are lots of different parts of your infrastructure that you could choose to deliver this automation from. I think what makes SOAR different, and what makes it stand out as a technology area, is that it comes out of the box ready programmed with security use cases, whereas I think if you took another, non-security-focused automation platform you’re going to have to put a lot more work into it to get it to look right, to get it to function in the same way your SOAR technology does, which means you’ve got a longer time before you start to realise the value of your investment, and which means that you’ve potentially not got a tool that is designed and specifically built for security use cases. But the honest truth is, if you've got nothing today and you've got a bit of automation sitting in your ServiceNow or you’ve got a bit of automation sitting in your Microsoft stack, I would say to you, go and work out how you can use that, because ignoring these technologies that you've got because they're not for security isn't worth it. Actually start getting some of that value, start getting some of those processes automated and see the value of that, and that's really going to help you write the business case to buy a specific tool like a SOAR tool that’s going to increase the number of use cases that you can deliver.
Zac Abbott: Ok, fast forward five to ten years, is this just the start of something much bigger or will SOAR be the standard?
Adam Louca: I think SOAR will be in everything. I think everything will have an element of SOAR and it will be expected that the technology will integrate together. I think we're going through a market consolidation period and I think if vendors of single solutions, so single function solutions want to survive, they're going to have to integrate with the rest of the ecosystem to stay alive. I think platform vendors, vendors who provide the whole gamut of solutions are going to have to get their technologies to integrate to stay relevant and get customers to want to spend with just that single vendor. So I really think a SOAR is the glue that brings that all together, so I can't see it going away, but I do see it dropping out of the specialist and becoming more general.
Matt Rhodes: I think, to add to that as well, automation is obviously going to be increasing year over year; over the next five to 10 years who knows where it's going to go with automation. SOAR specifically, we're seeing a huge adoption rate within the security teams of end users. Once they are trialling and testing and understanding the technology much more, we’re seeing that people are investing and wanting this platform within their infrastructure as quickly as possible, and I think organisations like Gartner absolutely back this up by stating that in two to three years’ time north of 20% of organisations could have a SOAR, for what is generally still a new type of technology. So that gives you an idea of the adoption rate that we’re seeing in the short term, but from a long-term perspective automation’s going to be everywhere; we’re seeing it in all walks of life.
Zac Abbott: Cool well that is about it for the episode actually. So Adam before we go - 10 second summary - what's SOAR, why is it important and what's the future?
Adam Louca: So SOAR is security orchestration, automation and response; it's the technology that allows you to take lots of disparate security tools and plug them all together to deliver a single security outcome. It allows your analysts to work on high value activities rather than low value repetitive tasks, and it’s what's going to enable you to focus on the stuff that really matters and retain your staff doing interesting pieces. And the future for this technology is that it's only going to get more integrated; we’re going to see more products being brought into the SOAR ecosystem, and we're going to see the playbooks and the different functions that the SOAR technology provides get more intelligent and make better decisions without humans.
Zac Abbott: Perfect. Well that is it for this episode of Explain IT, Adam, Matt, it's been great talking with you, thank you very much for your time. If anything in the show has piqued your interest and you’d like to talk about it more with someone at Softcat, do get in touch [email protected], and please do check out the rest of our shows, you can subscribe to our podcast at Apple podcasts or wherever you get your podcast from. Thank you very much for listening to Explain IT from Softcat.