New here. Looking for a product that provides me the same flexibility as Chef does for infrastructure but for security. Currently looking at SOAR solutions to replace traditional SIEM coupled with EDR. Work for an IT Cybersecurity company.
@pigram86 thanks for dropping by SecOps Hub and I think you are in the right place. While SOAR can help an organization immensely it is not a replacement for SIEM from a log management perspective or EDR from an endpoint perspective. That said, most SOAR platforms integrate with both and can help streamline a lot of the work that teams are responsible for.
Are there particular use cases you are trying to solve?
Should have said complement SIEM. Currently we are using LogRhythm and AlienVault (USM & OSSIM) for clients and Graylog in our 2 datacenters. We utilize SolarWinds N-central, which works with SentinelOne for EDR. Currently we are evaluating SOAR products to streamline the efficiency of our analysts.
Hello @pigram86, Swimlane has bundles/integrations for LogRhythm, AlienVault, and SentinelOne - and many more products/services. Are there any particular problems you are trying to solve?
Hey Josh, well as with any SOAR, we are looking to automate and remove duplicate alerts that come in, which will free up our analysts for more pressing investigations and incident response. The CTO of our SOC is evaluating Swimlane and another SOAR. With a SOAR, we can extend from SIEMaaS to more of SecurityaaS as we can automate the more mundane functions. If this all makes sense. I just want to Automate All Things.
@pigram86 Yeah, that totally makes sense.
The main benefit of SOAR (and Swimlane) is that you can automate triaging of alerts to help bubble up more urgent alerts and drive automation to take care of the routine/repeatable alerts.
For example, enrichment of potentially malicious activity is a very repeatable task (for the most part). SOAR can help automate this process by integrating several vendors/products (VT, Hybrid, etc.). This automation reduces noise and can either be fully automated to the point of isolating, capturing evidence, and kicking off notifications to your CIRT, or it can just tell you what is a false positive vs. an active/potential threat.
Have you seen this from Gartner? It may help: https://swimlane.com/resources/gartner-soar-market-guide/. I also recommend this: https://swimlane.com/resources/11-questions-ask-when-evaluating-soar/
I hope this helps. If you have any specific questions about SOAR, please let me know!
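The triage flow Josh describes (collapse duplicate alerts from SIEM and EDR into one case, enrich the indicator, score it, then either auto-respond, hand it to an analyst, or close it as a false positive) as a small added Python example. This is illustration code written for this thread, not Swimlane's or any vendor's playbook. The alerts, the reputation table that stands in for VT / Hybrid Analysis responses, the allowlist and the score weights are all constructed assumptions.

```python
"""Minimal SOAR-style triage playbook: dedupe, enrich, score, route.

Added illustration for the SecOps Hub thread above; not Swimlane's or any
vendor's code. The alerts and reputation table below are constructed
sample data, and REPUTATION stands in for calls to real enrichment
services such as VirusTotal or Hybrid Analysis.
"""
import hashlib
from collections import OrderedDict

# Constructed sample alerts: a SIEM alert and an EDR alert on the same host,
# indicator and rule (a duplicate), plus three unrelated alerts.
RAW_ALERTS = [
    {"source": "siem", "rule": "outbound-to-known-bad", "host": "ws-101",
     "indicator": "203.0.113.5", "kind": "ip"},
    {"source": "edr", "rule": "outbound-to-known-bad", "host": "ws-101",
     "indicator": "203.0.113.5", "kind": "ip"},
    {"source": "siem", "rule": "new-file-hash", "host": "ws-202",
     "indicator": "d41d8cd98f00b204e9800998ecf8427e", "kind": "hash"},
    {"source": "edr", "rule": "dns-to-new-domain", "host": "ws-303",
     "indicator": "updates.example.net", "kind": "domain"},
    {"source": "siem", "rule": "dns-to-new-domain", "host": "ws-404",
     "indicator": "cdn.internal.example", "kind": "domain"},
]

# Constructed reputation data standing in for VT / sandbox responses.
REPUTATION = {
    "203.0.113.5": {"detections": 12, "sandbox": "malicious"},
    "d41d8cd98f00b204e9800998ecf8427e": {"detections": 0, "sandbox": "clean"},
}

# Hypothetical allowlist maintained by the SOC (constructed).
ALLOWLIST = {"cdn.internal.example"}

THREAT_THRESHOLD = 50   # score at or above this is treated as an active threat


def dedup_key(alert):
    """Alerts from different tools about the same host+indicator+rule are one case."""
    raw = "|".join([alert["host"], alert["indicator"], alert["rule"]])
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def deduplicate(alerts):
    """Collapse duplicates; keep the first alert, record the count and all sources."""
    cases = OrderedDict()
    for alert in alerts:
        key = dedup_key(alert)
        if key in cases:
            cases[key]["count"] += 1
            cases[key]["sources"].append(alert["source"])
        else:
            cases[key] = dict(alert, count=1, sources=[alert["source"]], case_id=key)
    return list(cases.values())


def enrich(case, lookup):
    """Attach reputation data; indicators nobody has seen get a neutral record."""
    rep = lookup.get(case["indicator"], {"detections": None, "sandbox": "unknown"})
    return dict(case, reputation=rep)


def triage(case):
    """Score the enriched case and decide on a verdict and response actions."""
    if case["indicator"] in ALLOWLIST:
        return dict(case, score=0, verdict="false_positive", actions=["close"])
    rep = case["reputation"]
    score = 0
    if rep["detections"] and rep["detections"] >= 5:
        score += 40
    if rep["sandbox"] == "malicious":
        score += 30
    if case["count"] > 1:          # corroborated by a second tool
        score += 10
    if rep["sandbox"] == "unknown":
        score += 20                # unknowns get human eyes, never auto-close
    if score >= THREAT_THRESHOLD:
        return dict(case, score=score, verdict="active_threat",
                    actions=["isolate_host", "capture_evidence", "notify_cirt"])
    if score > 0:
        return dict(case, score=score, verdict="potential_threat",
                    actions=["assign_analyst"])
    return dict(case, score=0, verdict="false_positive", actions=["close"])


def run_playbook(alerts, lookup=REPUTATION):
    """Full pipeline; returns cases with the most urgent first (stable order for ties)."""
    cases = [triage(enrich(c, lookup)) for c in deduplicate(alerts)]
    return sorted(cases, key=lambda c: c["score"], reverse=True)


if __name__ == "__main__":
    for c in run_playbook(RAW_ALERTS):
        print(f"{c['verdict']:>16} score={c['score']:>3} host={c['host']} "
              f"indicator={c['indicator']} sources={c['sources']} -> {c['actions']}")
```

Running it prints the ws-101 case first (two sources, scored 80, routed to isolate/capture/notify), the unknown domain on ws-303 as a potential threat for an analyst, and the clean hash and allowlisted domain closed as false positives. The point of the "unknown" branch is that a missing enrichment result should never be treated the same as a clean one.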
@joshswimlane Thanks for the links. I will check them out. I will also check out the blog as well. Another benefit is that we host a LR instance, have some on-premise as well as AV in the cloud. A SOAR will give us one place to rule them all. (Insert LOTR reference.)