The Case Management Dilemma of SOC: Making the Choice Between SOAR and Ticketing Tools
Avkash Kathiriya
Cyber Security Leader, Research and Innovation at Cyware, Ex- HDFC Bank, Ex- Symantec, Startup Advisor
Are you finding it hard to choose between SOAR and ticketing tools for case management in your Security Operations Center? You're not alone - it's a question many folks in cybersecurity are asking today.
SOAR, which stands for Security Orchestration and Automated Response, is an integrated system that blends orchestration and automation functions with the processes involved in incident response. In other words, it's the fusion of SOA (Orchestration and Automation) with R (Response) capabilities.
While SOA (orchestration and automation) is the focus for most organisations most of the time, the R (response) piece always pushes people to make hard decisions about their incident response process.
But when it comes to using SOAR for case management [Incident Response], there are three approaches you can consider.
So, which approach is right for your organization? The answer depends on a number of factors, including the size and complexity of your organization, your budget, and your specific IR needs.
Some organizations start with an orchestration-only approach to avoid disturbing their existing case management flow. Others prefer to replace traditional ticketing tools with complete SOAR, while some take a hybrid approach.
Here's a closer look at each of these approaches:
1. Approach I: Leveraging SOAR only for Orchestration and Traditional Ticketing Tools for Case Management
In this approach, the SOC team uses SOAR to automate and streamline incident response workflows without changing their existing case management process. They continue to use traditional ticketing tools like ServiceNow or Jira to manage cases and track response action items. This approach can be a good starting point for organizations that are new to SOAR or have an existing case management flow that they don't want to disrupt.
2. Approach II: Leveraging SOAR for Orchestration and Case Management, with No Use of Traditional Ticketing Tools
In this approach, the SOC team uses SOAR for both incident response orchestration and case management. They do not use traditional ticketing tools at all. This approach can be beneficial for organizations that want to fully leverage the capabilities of SOAR and streamline their incident response process. However, it may require more upfront investment and effort to implement.
3. Approach III: Leveraging SOAR for Orchestration and Case Management, Along with Traditional Ticketing Tools
In this approach, the SOC team uses SOAR for both incident response orchestration and case management, but also continues to use traditional ticketing tools to track and manage response action items. This hybrid approach combines the benefits of both SOAR and ticketing tools, providing flexibility and customization for incident response workflows. It can be a good fit for organizations that want to modernize their incident response process while still using their existing ticketing tools.
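To make the hybrid split concrete, here is an added illustration (not code from the article or from any SOAR or ticketing product) of a SOAR case that stays the system of record for the incident while each response action item is mirrored into a ticketing tool; `SoarCase`, `FakeTicketing` and the `SEC-n` ticket id scheme are assumptions standing in for a real Jira/ServiceNow integration.

```python
"""Hybrid case management (Approach III): the SOAR case owns the incident,
each action item becomes a ticket. Added example with an in-memory
stand-in for the ticketing tool; names and id formats are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ActionItem:
    title: str
    owner: str
    ticket_id: Optional[str] = None   # set once mirrored to the ticketing tool

@dataclass
class SoarCase:
    case_id: str
    severity: str
    actions: list = field(default_factory=list)

class FakeTicketing:
    """Stand-in for Jira/ServiceNow; a real integration would call the REST API."""
    def __init__(self):
        self.tickets = {}
    def create(self, summary, assignee, labels):
        tid = f"SEC-{len(self.tickets) + 1}"
        self.tickets[tid] = {"summary": summary, "assignee": assignee,
                             "labels": labels, "status": "Open"}
        return tid
    def status(self, tid):
        return self.tickets[tid]["status"]
    def close(self, tid):
        self.tickets[tid]["status"] = "Done"

def sync_action_items(case, ticketing):
    """Open one ticket per action item that has none yet. Idempotent: re-running
    the playbook must not create duplicates. Tickets carry the SOAR case id as a
    label so analysts can cross-reference the two systems."""
    created = []
    for item in case.actions:
        if item.ticket_id is None:
            item.ticket_id = ticketing.create(
                f"[{case.case_id}] {item.title}", item.owner,
                [f"soar-case:{case.case_id}", f"sev:{case.severity}"])
            created.append(item.ticket_id)
    return created

def case_status(case, ticketing):
    """The SOAR case may only close once every mirrored ticket is resolved."""
    pending = [i.title for i in case.actions
               if i.ticket_id is None or ticketing.status(i.ticket_id) != "Done"]
    return "Closed" if not pending else f"Open ({len(pending)} pending)"
```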
Summary:
Regardless of the approach you choose, your SOAR tool should be flexible enough to allow your security team to curate their own automation and incident response journey and scale as per requirements. SOAR can be an effective solution for automating and streamlining incident response workflows and case management, but it's important to evaluate your requirements first and then select the approach that best aligns with your goals.
What approach have you used for SOAR in your organization? Share your thoughts and experiences in the comments below.
Informative and insightful article Avkash, thanks for sharing. As you rightly mentioned, one size may not fit all; however, putting SOAR to optimal use would help enterprises to have a mature incident response program, and they will have better-measured outcomes of these security metrics - mean time to detect (MTTD) and mean time to respond (MTTR).