Taking on SOAR: The Challenges and OpportunitiesExperts Say the Technologies Won't Mean Fewer SOC Analyst Jobs
How are security orchestration, automation and response technologies, or SOAR, affecting the organizations that adopt them?
SOAR is a broad term for technologies that aim to streamline management of the detection of threats and automate responses. Automation is seen as the solution to cope with an ever-increasing number of alerts, which will continue to rise as more IoT devices are deployed.
Can organizations with less mature security programs adopt SOAR? And will the technologies eliminate jobs? An expert panel at the AusCERT security conference in Australia last week addressed these questions and more.
It's absolutely possible for organizations with lower base levels of security maturity to take a dip into SOAR, says Jess Dodson, a customer engineer in Microsoft's Security & Identity Modernization program in Brisbane.
"I think you're better off doing something than nothing," Dodson says. "You're not going to get it perfect to start with SOAR - and any of the automation pieces. They're not going to be 'set and forget.'"
James Young, staff security strategist with Splunk for APAC, says he encounters organizations that believe they're not mature enough to adopt the technologies, but he says that's usually an incorrect assumption. "It [SOAR] could be a tool that can help you build maturity faster," he says.
Young says organizations need to first understand the process behind automating a particular function. That can involve creating a mind map of what the process may look like and then building that into an automation capability with SOAR tools, he says.
SOAR + Humans = Perfect Team
How will SOAR affect the jobs of analysts? Anthony Kitzelmann, CISO at Airservices Australia, says automation addresses the problem of having a high volume of the alerts. But to be effective, the tooling and orchestration need to be delivered in a consolidated system so analysts aren't jumping from one environment to another, he says.
What's left after automation are the difficult problems that require the specialized skills of analysts. Those include sorting out competing adversaries that are, for example, using two distinct sets of tradecraft against an organization. Good analysts are needed to build out a profile of the attackers to prepare for future attacks, he says.
Not using orchestration and automation could also pose staff retention problems. "You run the bigger risk of losing good people because they're having to deal with rubbish [alerts] day in and day out," Kitzelmann says.
Casey Ellis, CEO and founder of Bugcrowd, says the industry has realized it needs to shift to capability-based programs, including the use of automation for classification.
He notes, however: "There's this element of human creativity that you can never fully remove from what we're doing in our work."
Talented SOC operators and analysts are still very much needed, Dodson says. They fill the gap by spotting things that the computers do not, she says.
"Your organizational knowledge, your knowledge of the infrastructure - AI and machine learning can help with that, but it can't replace you," Dodson says. "It can't replace knowledge you have about your users and your systems."