Enrich Your Solutions Portfolio with SOAR
… these up as singular incidents. These alerts are likely to be mixed in with other unrelated notifications, so each analyst would need to disregard the noise and only later find the crucial connections between them. Meanwhile, multiple responders might discover they have been losing valuable cycles chasing the same root incident.
However, SOAR receives alerts through SIEM and can correlate multiple alerts related to the same incident through techniques such as matching file hashes. Many solutions also automatically query external resources, which aggregate antivirus products and scan engines to check for viruses that the user’s own antivirus may have missed, as well as security vendor websites to gather pertinent information about identified threats. Finally, the compiled intelligence is presented to analysts in a dashboard that first correlates the disparate system alerts into a single case, then summarizes and showcases what is known about the incident and provides a clear plan for response.
The SOAR response process is built around playbooks: collections of workflows and best practices that give responders specific, actionable steps to follow when faced with different kinds of security incidents. Most SOAR platforms ship with a set of sample playbooks that customers can adapt and extend to create action plans tailored to the needs and resources of the organization. Rather than having to develop a plan on the spot, responders can act quickly based on the accumulated experience and wisdom of everyone on the team. A workflow tracker enables responders to keep tabs on their progress and make appropriate choices given the specifics of the incident. Playbooks are usually constructed using a scripting language, although some vendors offer drag-and-drop functionality so that playbooks can be built without scripting knowledge.
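The two preceding paragraphs describe the core SOAR loop: correlate alerts from different sources into one case (here by matching file hashes), enrich the case from an external reputation service, and hand responders a playbook of concrete steps. The following is an added illustration written for this page, not Siemplify's code or any vendor's product; the alert records, the reputation table that stands in for a multi-engine scanning service, the five-engine threshold and the playbook names are all constructed for the demo.

```python
"""Toy SOAR pipeline: correlate -> enrich -> select playbook.

Constructed example. Alerts that share a SHA-256 are merged into a single
case, the case is enriched from a local stand-in for an external reputation
lookup, and a playbook (an ordered list of response steps) is chosen by verdict.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample alerts (placeholder hashes, not real IoCs).
# Three different sensors report the same file on two hosts.
SAMPLE_ALERTS = [
    {"id": "A1", "source": "EDR", "host": "ws-101", "sha256": "aa" * 32},
    {"id": "A2", "source": "email-gateway", "host": "ws-101", "sha256": "aa" * 32},
    {"id": "A3", "source": "proxy", "host": "ws-207", "sha256": "aa" * 32},
    {"id": "A4", "source": "EDR", "host": "ws-300", "sha256": "bb" * 32},
    {"id": "A5", "source": "IDS", "host": "srv-9", "sha256": None},  # no file involved
]

# Constructed stand-in for the external service that aggregates many AV engines.
REPUTATION_DB: Dict[str, dict] = {
    "aa" * 32: {"engines_flagging": 41, "engines_total": 70, "family": "placeholder-dropper"},
    "bb" * 32: {"engines_flagging": 0, "engines_total": 70, "family": None},
}

# Constructed playbooks: verdict -> ordered, actionable response steps.
PLAYBOOKS: Dict[str, List[str]] = {
    "malicious": ["isolate affected hosts", "block hash at EDR and proxy",
                  "collect triage image", "notify incident lead"],
    "suspicious": ["detonate sample in sandbox", "review process tree",
                   "escalate to tier 2"],
    "clean": ["document false positive", "close case"],
    "unknown": ["manual triage by on-call analyst"],
}


@dataclass
class Case:
    sha256: Optional[str]
    alert_ids: List[str] = field(default_factory=list)
    hosts: Set[str] = field(default_factory=set)
    sources: Set[str] = field(default_factory=set)
    verdict: str = "unknown"
    steps: List[str] = field(default_factory=list)


def correlate(alerts: List[dict]) -> List[Case]:
    """Merge alerts that share a file hash into one case; hash-less alerts stay separate."""
    by_hash: Dict[str, List[dict]] = defaultdict(list)
    singletons: List[List[dict]] = []
    for a in alerts:
        if a["sha256"]:
            by_hash[a["sha256"]].append(a)
        else:
            singletons.append([a])
    cases = []
    for group in list(by_hash.values()) + singletons:
        c = Case(sha256=group[0]["sha256"])
        for a in group:
            c.alert_ids.append(a["id"])
            c.hosts.add(a["host"])
            c.sources.add(a["source"])
        cases.append(c)
    return cases


def enrich(case: Case, reputation: Dict[str, dict] = REPUTATION_DB) -> Case:
    """Attach a verdict from the (stand-in) reputation lookup. Threshold is an assumption."""
    hit = reputation.get(case.sha256) if case.sha256 else None
    if hit is None:
        case.verdict = "unknown"
    elif hit["engines_flagging"] >= 5:
        case.verdict = "malicious"
    elif hit["engines_flagging"] == 0:
        case.verdict = "clean"
    else:
        case.verdict = "suspicious"
    return case


def assign_playbook(case: Case) -> Case:
    """Copy the verdict's steps onto the case so the workflow tracker can tick them off."""
    case.steps = list(PLAYBOOKS[case.verdict])
    return case


def run(alerts: List[dict]) -> List[Case]:
    """Full pipeline: one case per correlated group, enriched and with a playbook."""
    return [assign_playbook(enrich(c)) for c in correlate(alerts)]


if __name__ == "__main__":
    for c in run(SAMPLE_ALERTS):
        print(f"{c.alert_ids} on {sorted(c.hosts)} -> {c.verdict}: {c.steps[0]}")
```

Five raw alerts collapse to three cases, and the three alerts about the same file on two hosts become one case with one owner, which is the de-duplication the article credits SOAR with. A real deployment would key correlation on more than file hashes (host, user, time window) and would call the actual reputation API instead of the table above.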
What’s In It for You
“This is all very nice,” you might say, “but how does this translate to sales?” In fact, there are several compelling arguments for channel partners to sell SOAR and for customers to buy it:
- Hot market: Partners that adopt SOAR now are getting in on the ground floor. Gartner estimates 30% of enterprise organizations with a dedicated SOC will include SOAR by 2021, up from 5% in 2018.
- High margins: SOAR isn’t a commodity product, nor is it plug and play. We generally find that each sale of our SOAR solutions brings with it between 30 and 90 days of professional services for training, configuration and related functions. Overall, partners can expect to see healthy margins of 20 to 25% on SOAR software.
- Desirable ROI: The expected return on investment (ROI) makes SOAR a tempting purchase for just about any customer. Many are likely to see immediate improvements in the area of labor, considering good security analysts are hard to find, and SOAR acts as a force multiplier. And, by eliminating tedious drudge work, SOAR makes the jobs of customers’ existing analysts easier and thereby reduces turnover and the associated expense of hiring and training new staff. As a result, customers often see large ROI gains within four to 10 months of adopting SOAR.
Whether you’re convinced or still need convincing, there are more than a dozen SOAR vendors happy to answer any questions.
Roger Egan is executive vice president of sales at Siemplify with more than 20 years of experience managing hardware, software and services sales across North America and Latin America. Follow him on LinkedIn or @Siemplify on Twitter.