Intelligence Management and Gartner's SOAR: Thinking About Workflow First

Gartner's Security Orchestration Automation and Response (SOAR) market category was announced in November 2017, and since then we've seen numerous acquisitions and rebrands from threat intelligence players catering to this new vision of intelligence management and convergence.

Many CISOs we talk to understand the virtues of SOAR, but when it comes to implementation, things get tricky. Gartner's lead Research VP Anton Chuvakin penned a new blog post that identified the crux of this issue: there are only two routes to SOAR success.

To quote Chuvakin:

Automation / Orchestration First

This path leads most to ruin, but did lead some enlightened elite organizations to success.

Workflow / Case Management First

This path is unglamorous, but is the one where we see more success for most mainstream organizations that are seeking to adopt SOAR.

Chuvakin goes on to explain that the Automation and Orchestration path is only right for a few organizations, and in fact wrong and painful for most others.

At TruSTAR, we agree that a focus on “Workflow First” leads to success. In TruSTAR’s recent white paper Intelligence and Management and Fusion: The Reformation of Cybersecurity, we focus on the importance of workflow and integrating internal data sources first, before turning to external source integration. Our five principles call out the importance of not disrupting existing workflows.

Enabling SOAR depends on a firm foundation of intelligence management and fusion resting on the seamless integration of internal tools like SIEM and Case Management solutions. TruSTAR is turning enterprises into believers that they must manage cyber intelligence addressing security, fraud, and abuse starting from the inside out. Intelligence management is manageable.

Over the past four years we have been able to identify the essential tactics that work across many different organizations.

Eight Steps For a Successful Intelligence Management Workflow

  1. Define your organization’s priorities.

  2. Identify supporting internal technology systems.

  3. Identify external threat feeds that maximize context used in decision making.

  4. Adopt a notifications framework.

  5. Adopt a tagging system to facilitate search and machine learning functions.

  6. Ensure privacy and security.

  7. Determine opportunities to collaborate with other organizations.

  8. Designate an Enterprise Intelligence Officer.


To learn more about TruSTAR’s approach to intelligence management and fusion, download the full whitepaper here.
