SOARing in The Networks


SOARING THROUGH THE NETWORK
From processes to technology, SOAR modernizes network security

Sponsored by

SOAR platforms put network and security on steroids

SOAR takes the concept of “If it looks like a duck and it quacks like a duck” then you process it as a possible data breach to new levels. Alan Earls reports.

There are few who would claim that cybersecurity is easy. Far from it. Thus, the impulse to automate and improve cybersecurity operations is being actualized with the growing adoption of SOAR — security orchestration, automation and response — platforms to help organizations ensure good cybersecurity practices and optimal results.

The promise of SOAR is that it will help automate the tasks or functions central to cybersecurity threat detection with little or no human intervention, while orchestrating the disparate products and response tasks via workflows. And it is catching on. In Accenture Security’s recently released State of Cyber Resilience Report, a poll of more than 4,600 enterprise security practitioners found SOAR is currently ranked solidly in the top three cybersecurity technologies.

“From my perspective, SOAR represents an evolution and alignment with the other types of security automation such as configuration management,” says Doug Barbin, principal and cybersecurity and emerging technologies practice leader at Tampa-based Schellman & Company, LLC, a global independent security and privacy compliance assessor.

While incident response can never be accomplished without human intervention, most SOAR platforms are not promoted on that basis, he says. Instead, vendors have recognized that all the potential evidence needed to assess cyberthreats has broadened in type and scope and “all needs to be pulled immediately when an incident occurs,” he explains.

SOAR information targets can include logs, network connections, files and drive images, all of which need to be preserved in a forensically sound manner. “So,” Barbin says, “in that respect, it is imperative the SOAR platforms integrate with as many existing security and operating technologies as possible.”

More importantly, says Barbin, incident response is about communication and coordination. Response teams need a secure and trusted means to collaborate utilizing channels that are not at risk of compromise during an incident.

“I actually hate the term SOAR,” says John Oltsik, senior principal analyst at Enterprise Strategy Group in Milford, Mass., noting that the term originally came from competitor Gartner. “Really, what we are talking about here starts with the process, not the technology. The technology is what you can use to modernize your processes,” he explains.

OUR EXPERTS: SOAR
• Doug Barbin, principal, Schellman & Company
• Tim Callahan, CISO, Aflac
• Terry Jost, managing director, Protiviti
• Lena Licata, director, EisnerAmper
• John Oltsik, senior principal analyst, Enterprise Strategy Group
• Kimberly Verska, CIO and managing partner, Culhane Meadows
• Shanchieh “Jay” Yang, professor, Rochester Institute of Technology
• Umesh Yerram, vice president, chief data protection officer, AmerisourceBergen

$6T: By 2021 it is estimated that it could cost up to $6 trillion to fight cybercrime. – Cybersecurity Ventures

www.scmagazine.com | © 2020 CyberRisk Alliance


Oltsik says the goal, however, is worthy in that it is aiming to achieve results that are more usable and comprehensive than could otherwise be obtained. He says vendors have experimented with these tools for a few years and are now focused more on end-to-end process automation and orchestration. “So, while it is still [the] early days, I think we will see a big ROI (return on investment) on this for customers,” he adds.

A core problem that SOAR targets, Oltsik opines, is that most cybersecurity tools have been the domain of people with considerable expertise, some of whom built the tools for their own organizations. But the overarching approach remained manual and informal and was “driven by a few cowboys in the organization,” says Oltsik. It is time “to overcome that process immaturity and move to a higher level.”

SOAR Versus SIEM

According to Oltsik, the key difference between SOAR and security information and event management (SIEM) is that SOAR is less focused on analytics and more on operations.

“SIEM [is] about getting data and then understanding it to a greater degree,” says Oltsik. That is still important but once you have data you have to make decisions. If you detect a threat, do you investigate more thoroughly or decide it is so threatening that you need to take immediate action? “That was always done outside of the scope of SIEM except occasionally; most of that decision making was based on manual processing,” leaving a gap in the market.

Lena Licata, a director specializing in process, risk, and technology at the New York City-based accounting and consulting firm EisnerAmper, says SOAR can be considered as the next generation of SIEM. “Back in the stone age you would have logs and that was when you threw people at problems,” says Licata. Then SIEM came along as a way to relieve “fun, geeky people” from having to comb through alerts all day. “People then started writing play books to better define alerts so that ‘if it looks like a duck and quacks like a duck,’ then you process it.”

SOAR takes all that to the next level. If you can coordinate with many different security tools with an orchestration and automation component, “you can reduce the responses needed and respond more appropriately,” she adds.

The benefit of SOAR is that it frees up staff time but it can also be expensive, Licata says. That is why, in her view, “it is probably a better fit for larger organizations that are strapped for people and have to deal with hundreds of alerts each day.”

$3.5B: The estimated profits from cybercrime in 2019. – FBI

However, it is not just the raw facts of the cybersecurity environment that can drive adoption. Licata points out there is a continued expansion of privacy-related laws and regulations, such as the European Union’s General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and the New York Stop Hacks and Improve Electronic Data Security Act, generally just called the SHIELD Act. “These regulations require effective programs to detect and report privacy breaches,” she says.

Licata notes that the Verizon Data Breach Report generally shows that breaches often take from six to nine months to identify. “You can no longer afford that with these breach notification rules,” says Licata. In fact, you want to be able to process and find possible breaches and at least do the breach notification as soon as possible.

No Ducking Cyberthreats at Aflac

The insurance company Aflac is known for its TV commercials with a loud, quacking duck. However, while the company’s mascot rarely flies in commercials, the company has been implementing a SOAR (security orchestration, automation, and response) platform for five years.

“We actually implemented a SOAR technology stack back in 2015,” says Tim Callahan, CISO at Aflac. The guts of SOAR are all about ingesting massive amounts of information and doing very good automated analytics and then automating the responses, he explains.

Aflac’s SOAR was built on a security information and event management (SIEM)-like protocol, initially using a SIEM tool that eventually became primarily a log aggregator, Callahan explains. Then, Aflac added an analytics engine and gradually started feeding more information into that engine, including some intelligence acquired from outside sources, particularly dark web information, feeds from the Department of Homeland Security, and from the Financial Services Information Sharing and Analysis Center (FS-ISAC). It is an iterative process that has demonstrated its value, Callahan says.

“SOAR is highly dependent on what you feed it, supplemented by using machine learning protocols,” says Callahan. At Aflac, based in Columbus, Ga., a combination of information from outside and the knowledge of what the organization has inside — including data from its IT asset management database — helps set the ground rules.

“We may get intel on a threat but knowing whether it applies to us is a product of automation, which is based on having an accurate knowledge of our environment,” he says. For instance, if Aflac gets information about a threat related to an operating system it does not use, the company can shed that immediately because the security team knows that does not apply. “Not every company has that ability to know what they have, so it makes it harder to automate,” says Callahan.

But you cannot automate until you have good processes, notes Callahan. Smaller companies often do not realize what assets they have and are getting badly hit because everything is done manually.

For Aflac, SOAR implementation took a lot of “socialization” with IT partners, such as networking partners. “Obviously, when you start talking about blocking things, they get nervous. Traditionally, you would have to go through a whole change-control process,” says Callahan. So, initially, his team had to start slow and gain trust.

“As we went through the process, our IT partners got more confident and at this point we have blocked 50-60 million actions since 2015 and only a very small number — around a dozen — had to be undone,” says Callahan.

“It is easy to get overwhelmed by the enormity of the task so I recommend that companies start small and focus on sensible things,” he says. Then, automate and grow the process over time. However, Callahan warns, “this isn’t the silver bullet. You will still need to tune SOAR to your business risk tolerance and decide how aggressive you want to be in reaching that.” — AE

$100: Victims of the Yahoo class-action lawsuit are expected to receive $100 each, while attorneys are expected to earn a $30 million payday. – IT Governance Ltd.

SOAR in Practice

In terms of implementation, Licata notes, it is important to follow a good systems development life cycle and have a solid plan employing professional services to make sure you are installing it properly. “One of the biggest pitfalls of SOAR is that people assume they can automate everything, but you should start small with the proof of concept and then iterate,” says Licata. “You must clearly know what you want to achieve; don’t try to boil the ocean,” she adds.

“If you don’t know what you want, you will get something you don’t want,” she says. For example, she adds, organizations think they must decide whether to implement SOAR without thinking through whether they have people skilled at writing the Python scripts that can help SOAR deliver its best results.

But, those specifics aside, SOAR can help with headcount shortage. “One of my clients recently started a new company in the consumer payments space, and they were able to take advantage of a SOAR product to decrease their security personnel needs, which was fortunate, as the market for security talent in Atlanta is extremely tight,” says Kimberly Verska, CIO and the Atlanta office managing partner at the law firm Culhane Meadows.

Advice on SOAR

“If I were undertaking this, I would identify the top risks in terms of security for my organization, and then solicit bids from the SOAR vendors whose offerings addressed those specific needs and matched my company’s size,” says Verska. “The industry leader or best-in-class vendor may not be a good match for a new company without the financial resources to afford a comprehensive implementation,” Verska adds.

Considering whether to adopt SOAR or selecting among options starts with clarifying what you hope to accomplish, says ESG’s Oltsik. Some organizations just want to boost automation and reduce staff burdens, but it is important to look at security operations goals at the same time. Very possibly, the ability to automate and get information more quickly will have concrete benefits. Others might want “everything,” including case management, life cycle management, collaboration tools, notes, and run books. “What we are seeing in the market is that all those areas are coming together and products are starting to really reflect all that functionality,” Oltsik says.

$3.5B: Biometrics-as-a-Service is expected to reach $3.5 billion in U.S. revenues by 2025. – ABI Research

“SOAR is a good value addition for organizations that have achieved a certain level of maturity — at least CMM (Capability Maturity Model) Level 3 — for cyber incident response capabilities,” says Umesh Yerram, vice president, chief data protection officer at AmerisourceBergen, ranked Number 10 on the Fortune 500.



“Our experience [with SOAR] has been good so far,” says Yerram. AmerisourceBergen is automating its mature incident response processes where the impact of business disruption is low and is continuously evaluating incident response playbooks that can be automated. The goal, he explains, is to “continue to make our cyber command center (CCC) analysts more productive and provide them with more challenging career opportunities.”

The SOAR Horizon

Who really needs SOAR? According to Oltsik, virtually any enterprise should strive to have these capabilities, but smaller ones might not yet be able to afford SOAR. That is where managed service providers offering SOAR capabilities may come into the picture.

“Our research backs up the contention that there is too much work for any one security team to do,” says Oltsik. It can be very risky if a company cherry picks what it chooses to focus on and what to ignore, however. “That’s what happened with the big Target breach. They got all their alerts, but they were too short-staffed to follow up,” Oltsik says. In reality, “everyone needs to be involved, and capabilities like SOAR need to get easier and more turnkey,” he adds.

“My understanding on a high level is that one of the bigger challenges for security and operations analysts is to go through a lot of information and data, whether they are observing for threat intelligence or to deal with a customer complaint,” says Shanchieh “Jay” Yang, a professor at the Rochester Institute of Technology’s Department of Computer Engineering. That is why the future of SOAR needs to be with machine learning and artificial intelligence, so that people can be relieved of tedious and redundant tasks, he notes.

For now, though, the challenges involved with SOAR add up to uncertainty in the middle market, as far as Licata is concerned. “I think that group will tend to move toward automation more with bots targeted at specific tasks,” she says. “That can go a long way toward addressing their needs without a six-figure investment in SOAR,” she adds. On the other hand, as larger enterprises – the Fortune 500 – adopt SOAR in greater numbers, the platforms will probably begin to get a little less expensive. “You will probably see the next generations of SOAR getting a little easier to implement and new competitors will come, perhaps with more plug and play or cloud-based approaches,” she adds.

There should be a clear vision for how to use SOAR within the enterprise, she says. “SOAR should not be used to automate bad incident response playbooks or create and automate playbooks for certain incidents without testing them thoroughly as it has potential to cause significant business disruption,” Licata adds.

80%: Percentage of data breaches caused by compromised privileged credentials. – Forrester

For more information about ebooks from SC Media, please contact Stephen Lawton, special projects editorial director, at stephen.lawton@cyberriskalliance.com. If your company is interested in sponsoring an ebook, please contact David Steifman, VP, publisher, at (347) 480-1749, or via email at david.steifman@cyberriskalliance.com.

The SOAR Primer

Terry Jost, managing director in the Security and Privacy Practice of global consulting firm Protiviti, says in choosing a SOAR approach, companies should begin with the following:
• Consider the tools and technologies that currently exist in your security operations center
• Flexibility and easy-access user interfaces are critically important
• Out-of-the-box integration and APIs save time and effort while increasing sustainability
• Threat intelligence ingestion and capabilities will be required within the SOAR tool
• Knowledge-based storage and retrieval is helpful so that you can reference similar threat experiences from the past quickly
• Out-of-the-box playbooks can support quicker implementation
• Cloud-based architectures can increase security, disaster recovery and cyber-resiliency while reducing complexity because these days it is easier to keep tools updated and secure in the cloud
• Share streaming and information during incident and case management

In addition, Jost suggests five aspects of implementation that should be considered with SOAR:
1. Consider focusing on the most critical cyberthreats and protection of the most critical assets.
2. Creating top-down governance structures assures consistent operations.
3. In order to avoid over-investing and over-developing integration scenarios, it is important to reach an agreement on the target maturity levels of your operations. In general, the more mature your organization, the greater the benefit you will receive from SOAR.
4. Do not forget to construct governance layers, as most tools will require administrator privileges, and plan for changing approval levels. In other words, don’t simply provide unlimited access to everyone. Adjust as roles change.
5. It is important to create a comprehensive set of use cases to test the resulting function of the overall SOAR. — AE

$2.5M: Maximum estimated costs of unplanned application downtime per year. – IDC
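Callahan’s account of checking incoming intel against the IT asset inventory (shedding a threat for an operating system the company does not run), his note that a dozen of the automated blocks had to be undone, and Jost’s point about governance layers and approval levels can be shown together in one small triage playbook. The Python below is an added illustration written for this page, not Aflac’s, Swimlane’s or any vendor’s code; the inventory, intel entries, role thresholds and function names are all constructed assumptions.

```python
"""Toy SOAR-style triage playbook (added illustration, not Aflac's or any vendor's code).

It applies threat intel only where the asset inventory says it applies, gates
automatic blocking behind a per-role approval level, and keeps an audit log so
an analyst can undo a block.  Every value below is constructed for the example.
"""
from dataclasses import dataclass

# Constructed asset inventory (stand-in for an IT asset management database):
# hostname -> operating system.
INVENTORY = {
    "web-01": "linux",
    "web-02": "linux",
    "fin-db": "windows",
}

# Constructed intel feed entries: an indicator, the platforms it affects and
# the feed's confidence score (0-100).
ADVISORIES = [
    {"indicator": "198.51.100.7", "platforms": ["windows"], "confidence": 90},
    {"indicator": "203.0.113.9", "platforms": ["macos"], "confidence": 95},
    {"indicator": "192.0.2.44", "platforms": ["linux"], "confidence": 40},
]

# Approval levels (assumed): the minimum confidence each role may block on
# without a human ticket.  Roles not listed here can never auto-block.
AUTO_BLOCK_THRESHOLD = {"automation": 80, "analyst": 50}


@dataclass
class Action:
    """One audit-log entry; 'undone' lets a block be reversed later."""
    indicator: str
    decision: str  # "block", "escalate" or "discard"
    reason: str
    undone: bool = False


def applicable_hosts(advisory, inventory):
    """Hosts whose operating system is among the advisory's affected platforms."""
    affected = set(advisory["platforms"])
    return sorted(h for h, os_name in inventory.items() if os_name in affected)


def triage(advisory, inventory, role="automation"):
    """Discard intel that does not apply; block or escalate the rest by approval level."""
    hosts = applicable_hosts(advisory, inventory)
    if not hosts:
        return Action(advisory["indicator"], "discard", "no matching assets in inventory")
    threshold = AUTO_BLOCK_THRESHOLD.get(role, 101)  # 101 is unreachable: never auto-block
    if advisory["confidence"] >= threshold:
        return Action(advisory["indicator"], "block", f"applies to {hosts}")
    return Action(advisory["indicator"], "escalate", f"confidence below {threshold} for {role}")


def run_playbook(advisories, inventory, role="automation"):
    """Triage a batch of advisories and return the audit log of actions taken."""
    return [triage(a, inventory, role) for a in advisories]


def undo(log, indicator):
    """Reverse an active block for the indicator; True if one was found and undone."""
    for action in log:
        if action.indicator == indicator and action.decision == "block" and not action.undone:
            action.undone = True
            return True
    return False
```

With the constructed data, the Windows indicator is blocked, the macOS one is discarded because nothing in the inventory runs macOS, and the low-confidence Linux one is escalated to a human rather than blocked.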



Sponsor

Swimlane is at the forefront of the security orchestration, automation and response (SOAR) solution market and was founded to deliver scalable security solutions to organizations struggling with alert fatigue, vendor proliferation and chronic staffing shortages.

More information is available at swimlane.com


Masthead

EDITORIAL
VP, EDITORIAL: Illena Armstrong, illena.armstrong@cyberriskalliance.com
SPECIAL PROJECTS EDITORIAL DIRECTOR: Stephen Lawton, stephen.lawton@cyberriskalliance.com
SPECIAL PROJECTS COORDINATOR: Victor Thomas, victor.thomas@cyberriskalliance.com

DESIGN AND PRODUCTION
ART DIRECTOR: Michael Strong, michael.strong@cyberriskalliance.com

SALES
VP, PUBLISHER: David Steifman, (347) 480-1749, david.steifman@cyberriskalliance.com
VP, SALES: Matthew Allington, (707) 651-9367, matthew.allington@cyberriskalliance.com



ADVERTORIAL

SOARing in the Cloud

When security teams first deploy security orchestration, automation and response (SOAR), they typically focus on common use cases, such as phishing attacks or security information and event management (SIEM) alert triage. By automating these critical but time-consuming tasks, security operations centers (SOCs) are enabled to focus on higher-value investigations and analyses while reducing the organization’s overall mean time to detect and respond (MTTD/MTTR).

But it is not enough to orchestrate and automate critical processes. The SOC must be able to adapt to an evolving threat landscape and security marketplace.

Every day, organizations are moving their on-premises applications and services to *aaS and cloud-based service providers, requiring their SOC teams to adapt accordingly. This means the SOAR platform your team has or plans to deploy must also be able to change and scale with your organization’s evolving needs—a SOAR solution that doesn’t care where it’s implemented.

As you consider your organization’s current needs and attempt to anticipate what’s to come, you should ensure the SOAR solutions you are evaluating offer:
1. Customizable case management capabilities that can fit your organization’s operational and business processes and procedures, both now and in the future.
2. A robust catalog of integrations that work with your on-premises and cloud-based services while helping you avoid vendor lock-in.
3. The ability to be deployed in a high availability environment—including a microservices architecture. A container-based deployment, including Kubernetes, means it can be deployed to fit your current and growing needs.
4. Built-in automation and security, including two-factor authentication, encryption in transit and at rest, and robust role-based access controls (RBAC).
5. A predictable, straightforward licensing and cost structure to avoid undue overhead and stress.

The cyber threat landscape isn’t static, so your SOC shouldn’t be either. Your organization will evolve, and your business processes will change, as will the tools you currently have and plan to deploy in your security stack. To deploy a SOAR platform successfully, it is crucial you choose a solution that is primed to scale with your organization, whether it is on-premises, in the cloud or a combination of both.

1-844-SWIMLANE | swimlane.com
