Intelligence Management and Gartner's SOAR: Thinking About Workflow First

Gartner's Security Orchestration, Automation and Response (SOAR) market category was announced in November 2017, and since then we've seen numerous acquisitions and rebrands from threat intelligence players catering to this new vision of intelligence management and convergence.

Many CISOs we talk to understand the virtues of SOAR, but when it comes to implementation, things get tricky. Gartner's lead Research VP Anton Chuvakin penned a new blog post that identified the crux of this issue: there are only two routes to SOAR success.

To quote Chuvakin:

Automation / Orchestration First

This path leads most to ruin, but did lead some enlightened elite organizations to success.

Workflow / Case Management First

This path is unglamorous, but is the one where we see more success for most mainstream organizations that are seeking to adopt SOAR.

Chuvakin goes on to explain that the Automation and Orchestration path is right for only a few organizations, and in fact wrong and painful for most others.

At TruSTAR, we agree that a focus on “Workflow First” leads to success. In TruSTAR’s recent white paper, Intelligence Management and Fusion: The Reformation of Cybersecurity, we focus on the importance of workflow and of integrating internal data sources first, before turning to external source integration. Our five principles call out the importance of not disrupting existing workflows.

Enabling SOAR depends on a firm foundation of intelligence management and fusion resting on the seamless integration of internal tools like SIEM and Case Management solutions. TruSTAR is turning enterprises into believers that they must manage cyber intelligence addressing security, fraud, and abuse starting from the inside out. Intelligence management is manageable.

Over the past four years we have been able to identify the essential tactics that work across many different organizations.

Eight Steps For a Successful Intelligence Management Workflow

  1. Define your organization’s priorities.

  2. Identify supporting internal technology systems.

  3. Identify external threat feeds that maximize context used in decision making.

  4. Adopt a notifications framework.

  5. Adopt a tagging system to facilitate search and machine learning functions.

  6. Ensure privacy and security.

  7. Determine opportunities to collaborate with other organizations.

  8. Designate an Enterprise Intelligence Officer.


To learn more about TruSTAR’s approach to intelligence management and fusion, download the full whitepaper here.
