Gartner's Security Orchestration, Automation and Response (SOAR) market category was announced in November 2017, and since then we've seen numerous acquisitions and rebrands from threat intelligence players catering to this new vision of intelligence management and convergence.
Many CISOs we talk to understand the virtues of SOAR, but when it comes to implementation things get tricky. Gartner Research VP Anton Chuvakin penned a new blog post that identified the crux of this issue: there are only two routes to SOAR success.
To quote Chuvakin:

Automation / Orchestration First: "This path leads most to ruin, but did lead some enlightened elite organizations to success."

Workflow / Case Management First: "This path is unglamorous, but is the one where we see more success for most mainstream organizations that are seeking to adopt SOAR."
Chuvakin goes on to explain that the Automation and Orchestration path is the right one for only a few organizations, and in fact wrong and painful for most others.
At TruSTAR, we agree that a "Workflow First" focus leads to success. In TruSTAR's recent white paper, Intelligence Management and Fusion: The Reformation of Cybersecurity, we focus on the importance of workflow and of integrating internal data sources first, before turning to external source integration. Our five principles call out the importance of not disrupting existing workflows.
Enabling SOAR depends on a firm foundation of intelligence management and fusion, which in turn rests on the seamless integration of internal tools such as the SIEM and case management solutions. TruSTAR is turning enterprises into believers that they must manage cyber intelligence covering security, fraud, and abuse from the inside out. Intelligence management is manageable.
Over the past four years we have been able to identify the essential tactics that work across many different organizations.
Eight Steps For a Successful Intelligence Management Workflow
1. Define your organization's priorities.
2. Identify supporting internal technology systems.
3. Identify external threat feeds that maximize the context used in decision making.
4. Adopt a notifications framework.
5. Adopt a tagging system to facilitate search and machine learning functions.
6. Ensure privacy and security.
7. Determine opportunities to collaborate with other organizations.
8. Designate an Enterprise Intelligence Officer.
To learn more about TruSTAR's approach to intelligence management and fusion, download the full white paper here.