Intelligence Management and Gartner's SOAR: Thinking About Workflow First

Gartner's Security Orchestration, Automation and Response (SOAR) market category was announced in November 2017, and since then we've seen numerous acquisitions and rebrands from threat intelligence players catering to this new vision of intelligence management and convergence.

Many CISOs we talk to understand the virtues of SOAR, but when it comes to implementation, things get tricky. Gartner's lead Research VP Anton Chuvakin penned a new blog post that identified the crux of this issue: there are only two routes to SOAR success.

To quote Chuvakin:

Automation / Orchestration First

This path leads most to ruin, but did lead some enlightened elite organizations to success.

Workflow / Case Management First

This path is unglamorous, but is the one where we see more success for most mainstream organizations that are seeking to adopt SOAR.

Chuvakin goes on to explain that the Automation and Orchestration path is only right for few organizations, and in fact wrong and painful for most others.

At TruSTAR, we agree that a focus on “Workflow First” leads to success. In TruSTAR’s recent white paper Intelligence and Management and Fusion: The Reformation of Cybersecurity, we focus on the importance of workflow and integrating internal data sources first, before turning to external source integration. Our five principles call out the importance of not disrupting existing workflows.

Enabling SOAR depends on a firm foundation of intelligence management and fusion resting on the seamless integration of internal tools like SIEM and Case Management solutions. TruSTAR is turning enterprises into believers that they must manage cyber intelligence addressing security, fraud, and abuse starting from the inside out. Intelligence management is manageable.

Over the past four years we have been able to identify the essential tactics that work across many different organizations.

Eight Steps For a Successful Intelligence Management Workflow

  1. Define your organization’s priorities.

  2. Identify supporting internal technology systems.

  3. Identify external threat feeds that maximize context used in decision making.

  4. Adopt a notifications framework.

  5. Adopt a tagging system to facilitate search and machine learning functions.

  6. Ensure privacy and security.

  7. Determine opportunities to collaborate with other organizations.

  8. Designate an Enterprise Intelligence Officer.


To learn more about TruSTAR’s approach to intelligence management and fusion, download the full whitepaper here.
