SOAR an essential part for security operations

October 2019 Editor's Choice, Information Security, Security Services & Risk Management

According to Gartner[1] security orchestration, automation and response (SOAR) incident management solutions are gaining visibility and real-world use. Early adoption is said to be driven by the need to improve security operations centres. What security teams need to work out is how these solutions can support and optimise their broader operations.

A 2018[2] study commissioned by Demisto delved deep into the most serious issues facing security teams: the rise in alert volumes, a serious skills gap and the use of siloed tools, all combining to make security a tough sector in which to operate.

The corresponding 2019[3] study of 552 respondents focused on disclosing the specific challenges at each stage of the incident response lifecycle, how current product capabilities help overcome these challenges, and what capabilities are missing within security products today. This report served to broaden the perspective of SOAR through to the security incident response lifecycle which is a continuous process of alert ingestion, enrichment, management, investigation, response, and measurement. It is meant to act as a vendor-neutral outlook of how security teams handle incidents today. It also provides an overview of the security incident response lifecycle and the findings from each stage of the lifecycle.

The report found that as more organisations leveraged SOAR for incident response, their use of automatable playbooks also increased. In 2019, approximately 52% of respondents cited using either automated playbooks or a combined manual and automated approach to implementing incident response processes. This is a stark contrast to the findings of the 2018 report, which showed that 50% of respondents either didn’t have set processes in place or that the processes were rarely updated after initial implementation.

Continued reliance on SIEM tools

75% of respondents confirmed the use of SIEM (Security Information and Event Management) tools for incident ingestion and enrichment, 66% leverage them for investigation, and 66% use them for tracking metrics and performance.

It is interesting to note that businesses continue to prefer to rely on a bouquet of security products as opposed to any shift towards one-stop-shop offerings, with 48% citing the use of six or more security tools for incident response. In excess of 68% of respondents stated a preference for ‘best-of-breed’ products across vendors rather than purchasing multiple solutions from the same vendor.

The need for automation

Within incident ingestion and enrichment, 56% of respondents included automated data enrichment as part of their preferred feature list, closely followed by automated prioritisation of alerts and correlation of alerts/indicators across products. It is apparent that security teams clearly require more high-fidelity data at their fingertips so that they have more time and information for decision-making.

In relation to the management of the incident lifecycle, more than 60% of respondents cited the need for tools that automatically capture information for post-incident review. 74% noted that a mobile application for incident management would be highly desirable. Only 25% of respondents reported having mobile support from their current products.

Other capabilities in demand included the ability to add notes and tags to individual artefacts so that incident timelines can be reconstructed.
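As an added illustration of the automation this section describes (enrichment, prioritisation, correlation of indicators across products, and automatic capture of a timeline for post-incident review), the following is example code written for this page, not code from the survey or from any SOAR vendor; the alerts and the threat-intel table are constructed sample data.

```python
from collections import defaultdict

# Constructed sample alerts from three different products (not survey data).
ALERTS = [
    {"id": "A1", "source": "edr", "host": "ws-17", "indicator": "203.0.113.9", "severity": 2},
    {"id": "A2", "source": "proxy", "host": "ws-17", "indicator": "203.0.113.9", "severity": 1},
    {"id": "A3", "source": "edr", "host": "ws-42", "indicator": "198.51.100.4", "severity": 3},
    {"id": "A4", "source": "email", "host": "ws-08", "indicator": "bad.example", "severity": 1},
]

# Constructed enrichment table standing in for a threat-intelligence lookup.
INTEL = {
    "203.0.113.9": {"malicious": True, "tag": "c2"},
    "198.51.100.4": {"malicious": False, "tag": "scanner"},
}


def enrich(alert):
    """Attach an intel verdict to the alert; unknown indicators get a neutral record."""
    verdict = INTEL.get(alert["indicator"], {"malicious": None, "tag": "unknown"})
    return {**alert, "intel": verdict}


def correlate(alerts):
    """Group alerts that share an indicator into one incident, regardless of product."""
    groups = defaultdict(list)
    for a in alerts:
        groups[a["indicator"]].append(a)
    incidents = []
    for indicator, members in groups.items():
        sources = sorted({m["source"] for m in members})
        malicious = members[0]["intel"]["malicious"]
        # Priority: highest raw severity, +2 if intel says malicious,
        # +1 for every additional product that independently saw the indicator.
        priority = max(m["severity"] for m in members) + (2 if malicious else 0) + (len(sources) - 1)
        # Timeline entries are captured automatically so the post-incident review has a record.
        timeline = [{"alert": m["id"], "source": m["source"], "action": "ingested"} for m in members]
        incidents.append({"indicator": indicator, "hosts": sorted({m["host"] for m in members}),
                          "sources": sources, "priority": priority, "timeline": timeline})
    return sorted(incidents, key=lambda i: i["priority"], reverse=True)


def add_note(incident, analyst, note):
    """Analyst annotation appended to the same timeline; returns the entry count."""
    incident["timeline"].append({"analyst": analyst, "action": "note", "text": note})
    return len(incident["timeline"])


def run_playbook(raw_alerts=ALERTS):
    """Ingest -> enrich -> correlate/prioritise, returning incidents highest priority first."""
    return correlate([enrich(a) for a in raw_alerts])
```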

Where’s the evidence?

60% of people surveyed highlighted the lack of ‘evidence boards’ and ‘attack reconstruction’ capabilities in their current products. Investigation is a time-consuming and tool-spanning process so it’s hardly surprising that 53.4% of respondents sought a common platform for cross-team investigation and automated remote execution of actions across security tools.

Again, automation, and the lack of it, raised its head: 60.5% of respondents confessed to manually updating point product policies, indicating that current security offerings still have a long way to go to fill that gap. Countering this, however, is the fact that 60.5% of respondents using SOAR confirmed they had no need to update policies manually.

It goes without saying that the roadmap would need to incorporate the request for industry-specific response templates with 54% of respondents saying this was big on their wish lists. Approximately 52% of respondents also wanted live run capabilities of playbooks for each incident. Moreover, the survey revealed that there is also a need for the inclusion of features capable of continued improvement and enhancing efficiencies through machine learning.

Where does SOAR fit into the SOC landscape?

SOAR products have become a critical part of the SOC (Security Operations Centre). This survey is testament to that: approximately 33% of respondents confirmed they have used SOAR for incident ingestion and enrichment, roughly 28% used it for case management and 28% for incident investigation, and 33% said they used SOAR for response and 33% for performance measurement.

With SOAR products championing so many of the features that respondents included in their wish lists, the data revealed in this survey confirms that SOAR solutions will continue to be an essential part of security teams’ ability to perform.

For more information, contact MJ Strydom, DRS, [email protected], www.drs.co.za

[1] https://www.gartner.com/en/documents/3942064

[2] The State of SOAR Report, 2018 – Demisto.

[3] https://blog.demisto.com/state-of-soar-report-2019

© Technews Publishing (Pty) Ltd. | All Rights Reserved.