The well-documented shortage of experienced cybersecurity practitioners is hindering organizations’ ability to achieve an acceptable risk level. To control expenses and employee turnover due to the shortage, many organizations look to augment security teams with security orchestration, automation and response (SOAR) platforms and managed detection and response (MDR) services. (Full disclosure: My company offers the latter.)
While differences in delivery and capability exist between SOAR and MDR, the value proposition of the two is similar: increase the efficiency of alert analysis and response. Selecting the proper solution requires understanding the difference in the value each provides and the requirements of the business.
SOAR platforms allow organizations to develop playbooks that automate common actions taken by analysts. A playbook acts as an API interpreter between numerous applications, executing if-then logic statements once a trigger fires. SOAR platforms also provide features that promote analyst collaboration and centralized access to incidents.
For organizations with the resources to establish security operations centers (SOCs), a properly implemented SOAR can act as a force multiplier. Much like security information and event management (SIEM) software, a SOAR requires resources to implement, operationalize and maintain its value. While a SOAR product can automatically close alerts, it excels at enriching alerts that allow analysts to make faster triage decisions. This means an organization will still require analysts if the goal is to detect attacks in order to stop a breach.
Although the approach to service delivery varies, the core value of MDR is that it supplies the necessary headcount to investigate and respond to alerts 24/7. MDR provides a turnkey solution where the service provider takes ownership of the delivery platform, alert investigation, and response. This provides true security as a service, although it usually comes with a limited menu of product integrations.
For organizations that lack the resources to build and maintain a SOC, MDR represents an opportunity to transfer the risk of both headcount churn and alert investigation. However, many MDR providers leverage their own platforms and analytics, and they may lack transparency or force organizations to accept the provider’s level of risk investigation by default rather than determine their own, as they would with an in-house SOC.
Why Not Both?
The value of SOAR and MDR may be similar, but it’s not the same. For those with the budget for products and services but not headcount, there are ways to utilize both.
While SOAR has “security” in the definition, organizations can use it to add value in other areas. As the senior director of product management at one of my company’s partners discussed in a recent presentation, nonsecurity use cases include certificate management and new employee onboarding.
Organizations can also leverage SOAR to act on alerts escalated from the MDR service. By parsing alert escalation emails, many SOAR platforms have the flexibility to integrate with systems outside the scope of MDR providers, including ticketing, Active Directory, HR and payroll, which allows analysts to respond faster to alerts that an MDR provider has already triaged.
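The pattern just described, as an added illustration that is not code from the article or from any SOAR or MDR vendor: a minimal playbook takes an MDR escalation email as its trigger, parses it into structured fields, and applies if-then rules against simulated ticketing and directory connectors. The email format, the `Connectors` class and the rule set are all constructed for this example.

```python
import re
from email import message_from_string

# Constructed sample escalation email (hypothetical format, not any provider's real template).
ESCALATION_EMAIL = """\
From: soc@mdr-provider.example
Subject: [MDR ESCALATION] Severity: High | Host: WS-1042 | User: jdoe

Alert ID: MDR-000123
Summary: Suspicious LSASS memory access on WS-1042 by user jdoe.
"""

SUBJECT_RE = re.compile(
    r"Severity:\s*(?P<severity>\w+)\s*\|\s*Host:\s*(?P<host>[\w-]+)\s*\|\s*User:\s*(?P<user>[\w.-]+)")

def parse_escalation(raw: str) -> dict:
    """Trigger stage: turn the email into structured fields; reject anything that is not an escalation."""
    msg = message_from_string(raw)
    m = SUBJECT_RE.search(msg.get("Subject", ""))
    if not m:
        raise ValueError("not an MDR escalation email")
    ids = re.search(r"Alert ID:\s*(\S+)", msg.get_payload())
    return {**m.groupdict(), "severity": m["severity"].lower(),
            "alert_id": ids.group(1) if ids else "unknown"}

class Connectors:
    """Simulated ticketing and directory APIs the playbook orchestrates (in-memory, constructed)."""
    def __init__(self):
        self.tickets, self.accounts_enabled, self.audit = {}, {"jdoe": True}, []

    def open_ticket(self, t):
        tid = f"INC-{len(self.tickets) + 1:04d}"
        self.tickets[tid] = {"alert": t["alert_id"], "host": t["host"], "severity": t["severity"]}
        self.audit.append(f"ticket {tid} opened for {t['alert_id']}")
        return tid

    def disable_account(self, t):
        self.accounts_enabled[t["user"]] = False
        self.audit.append(f"account {t['user']} disabled pending analyst review")

def run_playbook(raw_email: str, api: Connectors) -> list:
    """If-then playbook: every escalation gets a ticket; high/critical also disables the user."""
    t = parse_escalation(raw_email)
    rules = [
        (lambda t: True, api.open_ticket),
        (lambda t: t["severity"] in ("high", "critical"), api.disable_account),
    ]
    for condition, action in rules:
        if condition(t):
            action(t)
    return api.audit
```

Each action writes to an audit list so an analyst can see what the playbook did on their behalf; a real deployment would call the ticketing and directory APIs in place of the simulated connectors.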
Qualifying SOAR Or MDR
Once you understand the benefits and fit of each technology, the following questions can guide your discovery of the correct solution, though additional criteria will be necessary to qualify the correct SOAR or MDR provider:
- Does the organization have the resources to implement and maintain a SOAR? If not, it may be better to leverage an MDR that doesn’t require the implementation of a separate product (outside of those necessary to monitor).
- Can the organization maintain the resources necessary to keep up the SOAR platform? After the implementation, the platform will still require care and feeding, or it risks becoming unused shelfware. MDR providers are responsible for maintaining the trained personnel necessary to deliver the MDR service.
- Does the organization have the resources to provide 24/7 monitoring if needed? An MDR typically provides 24/7 coverage to investigate and respond to security alerts.
- Is there a potential for automation outside of security to get additional use from a SOAR? A SOAR can provide value to parts of the organization by acting as an API interpreter between platforms.
- Will the organization be able to act on the alerts generated from the SOAR? Some organizations have the staff necessary to respond to alerts already reduced by the SOAR.
- Does the organization have products supported by the preferred MDR provider? MDR providers rely on technical and procedural integrations to deliver service and may only support a limited number of technologies that provide the necessary capabilities.
With the expanded capabilities of SOAR and the headcount provided by MDR, there is a play for both to be used in some organizations without realizing substantial overlap. MDR mitigates the risk of shelfware and unused products by providing a turnkey service. SOAR automates tasks beyond security that aren’t handled by MDR services. The current headcount shortage is more acute for security personnel but may soon encompass networking and infrastructure. Identifying creative ways to leverage multiple orchestration and automation solutions can enable businesses to provide IT services at scale.
By Randy Watkins | CTO, CRITICALSTART
Featured in Forbes | January 28, 2020