SOAR-ing into the US Market

Security information and event management (SIEM) systems first emerged in the early 2000s as a way for security operations teams to aggregate and correlate data from disparate deployed security solutions. The idea behind early SIEMs was to simplify log collection and analysis and reduce the noise of network security. However, SIEM 1.0, though limited in capability, was complex to operate, and organizations needed better ways to streamline the flood of alerts and reduce the amount of time SOC operators spent tuning systems for greater accuracy.

As organizations' needs evolved, SIEM functionality improved and moved beyond its reliance on relational databases to become a true analysis and analytics platform. At the same time, the number of security tools deployed in organizations’ environments grew exponentially, some of which integrated with the SIEM easily and others which did not. Though usability improved, more integration and better visibility—not just across technologies, but also across hybrid network environments—became the key focus. In addition, the dizzying pace and volume of data meant that more automation was necessary, and SOC teams needed the ability to respond rapidly, preferably from one centralized location.

As such, the concept of security orchestration, automation, and response (SOAR) came to be. SOAR can be thought of as a next-gen, or maybe even a next-next-gen, SIEM. Perhaps a SIEM on steroids. SOAR platforms must be able to collect, aggregate, and analyze data from an organization’s ecosystem of network and security tools. Further, the process must be highly automated and include prioritization so that SOC operators don’t have to sort through the noise of false positives and low-impact security events. Lastly, SOAR must inform decision making and facilitate remediation without requiring analysts to switch between disparate systems. Otherwise, what’s the point?

Purpose-built SOAR

This is precisely what Faiz Shuja and Omar Khan were thinking when they decided to start SIRP, a UK-based cyber security company offering a purpose-built SOAR platform. Having served as the CEO of the Honeynet Project since 2016, and a founding member of the Pakistan chapter since 2003, Shuja fully understood the importance of developing a technology that can cope with today’s threats and vast technology landscape. During a recent TAG Cyber briefing, Shuja said, “Companies are regularly dealing with 25 or more network and security tools with data feeds. The amount of data created is huge and security teams can’t handle it; they can’t properly leverage the information they’re getting and assess the external threat situation and determine risk. They’re asking, ‘How can we respond?’ What they need is context around that data, and the ability to respond in the best way possible. Right now, it’s exhausting to navigate through multiple security tools to identify, investigate, and respond to security incidents.”

SIRP’s SOAR platform, like all good technologies on the market, aggregates various data, such as security alerts, vulnerability information, and threat intelligence, from an organization’s technology deployments. Once the data is aggregated, SIRP sorts it into three buckets: incidents, vulnerabilities, and threat intelligence. From there, the platform has two engines working in parallel: the first determines a risk score based on 25 contextualized factors, and the second is the automation engine. The risk score, which they’ve dubbed “S3,” for “SIRP Security Score,” is determined based on organization-specific context, such as assets and risks, external threat/vulnerability information, and machine learning algorithms. The automation engine uses pre-loaded playbooks and workflows. Companies can configure their own playbooks and workflows, as well.
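To make the two-engine idea concrete, here is an added, illustrative triage pipeline written for this article; it is not SIRP's code, and the weights and factors are assumptions that stand in for S3's 25 contextualized factors, which the article does not disclose. It takes constructed alerts from the three buckets (incidents, vulnerabilities, threat intelligence), scores each with asset and threat context, and routes it to a playbook.

```python
# Illustrative SOAR triage pipeline (hypothetical; not SIRP's S3 algorithm).

# Constructed inputs standing in for three tool feeds that land in the three
# buckets: alerts (incidents), a vulnerability scanner export, and an
# indicator feed (threat intelligence). IPs are documentation-range values.
ASSETS = {"db-01": 5, "kiosk-07": 1}                     # asset criticality 1..5
VULNS = {"db-01": {"CVE-0000-0001"}, "kiosk-07": set()}  # placeholder CVE ids
THREAT_INTEL = {"198.51.100.7"}                           # known-bad IPs (constructed)
ALERTS = [
    {"id": "a1", "host": "db-01", "remote_ip": "198.51.100.7", "severity": 3},
    {"id": "a2", "host": "kiosk-07", "remote_ip": "203.0.113.9", "severity": 3},
    {"id": "a3", "host": "db-01", "remote_ip": "203.0.113.5", "severity": 1},
]

# Assumed weights for the contextual factors; tool severity is 1..3 here.
W_SEVERITY, W_ASSET, W_VULN, W_INTEL = 10, 8, 15, 25
MAX_SCORE = 3 * W_SEVERITY + 5 * W_ASSET + W_VULN + W_INTEL  # 110 at every maximum

def risk_score(alert):
    """Fold asset, vulnerability and threat-intel context into a 0..100 score."""
    crit = ASSETS.get(alert["host"], 1)             # unknown hosts get lowest criticality
    vulnerable = bool(VULNS.get(alert["host"]))     # any open CVE on the host
    intel_hit = alert["remote_ip"] in THREAT_INTEL  # peer matches an indicator
    raw = (alert["severity"] * W_SEVERITY + crit * W_ASSET
           + W_VULN * vulnerable + W_INTEL * intel_hit)
    return round(100 * raw / MAX_SCORE)

# Automation engine: (threshold, playbook) pairs, evaluated highest first.
PLAYBOOKS = [
    (70, "isolate-host-and-open-incident"),
    (40, "enrich-and-assign-analyst"),
    (0, "log-and-close"),
]

def triage(alerts):
    """Score every alert, attach a playbook, and return the prioritized queue."""
    queue = []
    for a in alerts:
        score = risk_score(a)
        playbook = next(name for threshold, name in PLAYBOOKS if score >= threshold)
        queue.append({"id": a["id"], "score": score, "playbook": playbook})
    return sorted(queue, key=lambda q: q["score"], reverse=True)

if __name__ == "__main__":
    for item in triage(ALERTS):
        print(item)
```

Note that the severity-3 alert on the kiosk ranks below the severity-1 alert on the vulnerable database: context, not raw tool severity, drives the queue.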

Next, the information is pushed to audience-based dashboards built for the CISO, SOC operators, security analysts, and the GRC team. The customization of the dashboards allows users to focus on their individual workflows and processes, without duplication of effort but with full visibility into case management.

Deployment options

SIRP can be deployed in any environment—on-premises, in the cloud, or in a hybrid environment—via a virtual appliance or as SaaS. Currently, SIRP integrates with 70+ technologies including some of the leading SIEMs, EDRs, firewalls, threat intelligence feeds, and third-party ticketing systems. Faiz says that customers, who are mostly located in Europe and the Middle East at present, appreciate the platform’s risk-based approach, ease of use, and comprehensive case management.

As SIRP enters the US market, the company has solid technology that should give better-known vendors a run for their money. That said, the challenge for SIRP will be breaking into an already crowded market, one dominated by companies that have grown from SIEM 1.0. Shuja and Khan certainly have the technical chops, though, and the product combines a lot of great features and functionality into one unified platform.