SOAR Workshop: Helping Optimize Your Security Tools Using Splunk's Platform

June 14, 2022 | 3 min read

Matthew Gonter

Global Technical Solutions Architect

Security Orchestration, Automation and Response (SOAR) is a set of technologies that lets organizations get more out of their SOC and their Splunk investment. Here is why BlueVoyant's SOAR workshop is different and how it can strengthen your organization's cyber defense posture.

The phrase I hear most often is "We should automate that." In today's ever-changing threat landscape, automation has become the default answer to every security operations center (SOC) problem. BlueVoyant helps make that task easy.

BlueVoyant specializes in implementing SOAR for our customers so that you get the most out of your Splunk Cloud subscription. A correctly implemented SOAR gives you the tools to tailor the technology to your organization and build a strong cyber defense posture.

We have had these conversations with many customers trying to incorporate SOAR into their technology stack, so you can trust that we know where to start. Our SOAR Workshop focuses on setting a strong strategy first and building playbooks second.

SOAR workshops are in many price lists — why trust ours?

  1. We understand your current processes. When implementing SOAR, there needs to be a clearly defined end state, and "work faster" is not one. We want to integrate SOAR into your process, and to do that we need to understand the process. That starts with the case management system: integrating SOAR there allows all enrichment, actions and executions to be documented and acknowledged in a single place.

  2. Actions and triggers formulate the response. It is critical to understand what triggers automation. Is it a correlation search firing? A user logging in? A notification from a separate system? These triggers drive the playbook design. Actions are just as critical. SOAR apps ship with most of the actions our customers want, but we still see demand for custom development of specific actions. Budget for this as you build out your SOAR technology.

  3. We stack playbooks. What does stacking playbooks look like for, say, a phishing email? It means taking a modular approach to playbook design: we create smaller, tactical playbooks (extract the indicators, check their reputation, look up the recipient's role) that can be stacked into an overarching sequence of events. This further ingrains SOAR in your processes and supports larger and more diverse use cases.

  4. We know when to start and stop. Knowing when to start and stop automating can be difficult. We see many clients trying to start automation before they are truly ready, which shows up as an unclear understanding of their processes and their intended goal. There is often an automate-first approach before the nuances behind everything are understood. Knowing when to stop is just as hard. Automation can lead some down a dark rabbit hole when trying to account for every aspect. At some point someone should be asking "Do we really want no analyst intervention here?" The day SOAR blocks a large business transaction is the day it is removed from the technology stack.

Our SOAR workshops start with an overall strategy discussion and how the SOC works. We need to fully understand processes and procedures to provide the best recommendations possible.

We have an implementation framework in which each automation is approached as a tactical module, and modules are stacked on top of each other to further enrich a case or activity until a decision is required.
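To make the "stacked playbooks" idea in item 3 and the framework paragraph above concrete, here is an added illustration of a stack of tactical playbooks that enrich a case until a decision point is reached, with the analyst-intervention guardrail from item 4 built into that decision. This is not BlueVoyant's framework or Splunk SOAR playbook code and it does not call the Splunk SOAR API; the playbooks are plain Python callables, the trigger name, the `BLOCK_THRESHOLD` policy and the reputation and CMDB tables are constructed assumptions for the example.

```python
"""Toy 'stacked playbook' runner with an analyst decision gate.

Added illustration only: not BlueVoyant's framework and not Splunk SOAR
playbook code. Playbooks are plain Python callables that enrich a shared
Case and may halt the stack; the lookup tables are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed stand-ins for a threat-intel feed and a CMDB lookup.
REPUTATION: Dict[str, int] = {"203.0.113.7": 95, "198.51.100.4": 12}
CMDB: Dict[str, str] = {"web-01": "standard", "pay-gw-01": "business-critical"}

BLOCK_THRESHOLD = 80  # assumed policy: a score >= 80 is containable


@dataclass
class Case:
    trigger: str                       # what fired the automation
    src_ip: str
    host: str
    enrichment: Dict[str, object] = field(default_factory=dict)
    actions: List[str] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)   # case-management audit trail
    status: str = "open"


# A tactical playbook returns a stop reason, or None to let the stack continue.
Playbook = Callable[[Case], Optional[str]]


def enrich_reputation(case: Case) -> Optional[str]:
    case.enrichment["ip_score"] = REPUTATION.get(case.src_ip, 0)
    return None


def enrich_asset(case: Case) -> Optional[str]:
    case.enrichment["criticality"] = CMDB.get(case.host, "unknown")
    return None


def decide_containment(case: Case) -> Optional[str]:
    """Decision point: auto-contain only when every guardrail is satisfied."""
    score = case.enrichment["ip_score"]
    if score < BLOCK_THRESHOLD:
        case.status = "closed-benign"
        return f"score {score} below threshold; no action"
    if case.enrichment["criticality"] != "standard":
        # Never let automation take a critical system off the network on its own.
        case.status = "pending-analyst"
        return "asset not standard-criticality; analyst approval required"
    case.actions.append(f"block_ip {case.src_ip}")
    case.status = "contained"
    return None


# The trigger selects which stack runs; the stack is not hard-wired into one playbook.
STACKS: Dict[str, List[Playbook]] = {
    "correlation_search": [enrich_reputation, enrich_asset, decide_containment],
}


def run_stack(case: Case) -> Case:
    """Run the tactical playbooks in order, stopping at the first decision."""
    stack = STACKS.get(case.trigger)
    if stack is None:
        case.status = "unhandled"
        case.notes.append(f"no stack registered for trigger {case.trigger!r}")
        return case
    for playbook in stack:
        reason = playbook(case)
        case.notes.append(f"{playbook.__name__}: {reason or 'continue'}")
        if reason is not None:
            break
    return case


if __name__ == "__main__":
    samples = [("203.0.113.7", "web-01"), ("203.0.113.7", "pay-gw-01"), ("198.51.100.4", "web-01")]
    for ip, host in samples:
        c = run_stack(Case("correlation_search", ip, host))
        print(host, ip, c.status, c.actions)
```

Each module writes what it did and why into `notes`, which is the hook into the case management system mentioned in item 1, and the only module that takes a disruptive action is the decision module, so a new enrichment can be added to the stack without touching the containment logic.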

Once the overall strategy is agreed upon, we work with your team to design and document two use cases based on this strategy. This provides customers with a clear path to success and identifies the inherent risks along the way.

We also provide leadership with the level of effort for implementation so they can plan their resources accordingly to maximize their investment in the technology.

Many of our SOAR advisors also provide guidance on how we built our Managed Detection and Response (MDR) service for Splunk Cloud. Even if you have not decided on co-managed SIEM (Security Information and Event Management), the enterprise-level automation design and implementation that Managed Security Service Providers (MSSPs) require is no small feat. We bring that level of SOAR knowledge and experience to every engagement.

If you would like to know more or start working on a SOAR strategy, contact us.

Matthew Gonter is vice president of technology for Concanon, a BlueVoyant company. Concanon is a global professional services and big data solutions consultancy that specializes in Splunk.