As security orchestration, automation and response (SOAR) adoption continues at a rapid pace, security operations teams have a greater need for a structured planning approach.
My favorite approach has been a maturity model, vaguely modeled on the CMM approach. For example, in my analyst days, I built a maturity model for a SOC (2018), a SIEM deployment (2018) and vulnerability management (2017).
Guess which one is missing? The one for SOAR! Now, why was it missing? In my estimation, there are too many doors to SOAR to plot a coherent yet universally applicable SOAR maturity model.
But with many SecOps teams deploying and running SOAR for several years, I sense that a reasonably applicable adoption maturity model can be created. So here is a first attempt at it.
There are a few assumptions to keep in mind:
- The maturity climb starts with having a SOAR. Admittedly, many organizations don’t have a SOAR or comparable technology, so they fall outside of this visual.
  The starting point for SOAR may still differ dramatically (as the tweet below references), so this is at best an illustration rather than universal guidance. For example, some organizations start with case management and no playbooks, yet still find value in SOAR.
  > Teams that use SOAR -- how many playbooks do you use *regularly*? 🤖
  > — hackerxbella | Allie Mellen (@hackerxbella), May 24, 2022
- The dimensions may sit at mixed levels at many organizations, but each dimension individually follows an increasing maturity path.
How do you use this in your environment?
- Account for the assumptions above and identify where you are starting from. (Are you dealing with phishing? Too many SIEM alerts? Using SOAR as case management?)
- Use it as a very rough guide to judge where you are in your SOAR journey and where to go next.
- Don’t despair if your journey to SOAR does not fit. SOAR is a very flexible and programmable technology, so being atypical is typical.
Thanks to Google SOAR Solution Architecture Manager Oleg Siminel, and others from the Siemplify field team, for their support here.