SOAR

Do not make mistakes when choosing a SOAR platform

Ask a group of security analysts about the challenges of working in cyber security, and you’ll likely hear some common themes, like a high volume of security alerts, too many security point-products to manage, and a shortage of skilled cyber security talent. Considering these challenges, it’s no surprise that security teams feel perpetually overwhelmed.

Many teams have turned to security orchestration, automation and response (SOAR) tools as a remedy. But not all SOAR solutions are created equal.

Choosing a SOAR platform can be a difficult task with so many in the marketplace.

The following outlines 10 essential capabilities that should be top-of-mind when evaluating SOAR technology:

  • Orchestration

    The machine-based coordination of complex workflows across disparate security tools should increase the efficiency and speed of your security operations.

  • Automation

    The machine-based execution of otherwise manual, interdependent security actions using “playbooks” should allow you to execute in seconds versus hours.

  • Event and Alert Management

    An event and alert management capability in a SOAR tool should queue and prioritize inbound security events and alerts to help analysts perform triage more efficiently.

  • Case Management

    A case management component should drive a broader, cross-functional lifecycle (from creation to resolution) of a security case.

  • Collaboration

    Built-in chat and notes can facilitate communication across the security team, and thereby accelerate the resolution of security events.

  • Metrics and Reporting

    Metrics and reporting are critical to understanding the effectiveness of the SOAR tool and identifying where improvements can be made to increase ROI.

  • Mobility

    Control of the SOAR tool from the convenience of the analyst’s mobile device will allow for faster response times and easy alert triage — all on-the-go.

  • Scalability

    A SOAR tool should grow with you as your organization grows. As an organization adds more use cases over time, there will be additional processing load placed on the platform.

  • Open and Extensible

    A SOAR tool should easily support incorporating new security scenarios, new products, new actions and new playbooks.

From our experience in evaluating and using SOAR technology, there are also some key areas for consideration, including:

  • Case management to drive holistic management of a security incident, from inception to resolution
  • Event and alert management capabilities to prioritize inbound security events
  • Machine-based execution of security actions using “playbooks” to increase speed and efficiency

There are lots of SOAR platforms on the market, all claiming to be best-of-breed and to offer the capabilities above, such as Cyberbit, Demisto, IBM Resilient, Rapid7, Siemplify, Splunk Phantom, Swimlane and ThreatConnect, to name some of the top 10, but in our experience one stands head and shoulders above the rest.

D3 Security's SOAR platform not only offers both case and incident modules covering the complete cyber security lifecycle, but it also has an embedded MITRE ATT&CK Matrix, which gives analysts the context they need to address advanced threats as they happen.

The intuitive user interface allows you to build codeless playbooks that enable easily adaptable workflows and integrations with minimal maintenance, and it doesn’t stop there. If you can’t find a pre-built integration to orchestrate your workflow tasks among the 360+ available, then you can simply build your own using the wealth of customisations the platform has to offer, the only limitation being your own imagination.

Establishing the right metrics and demonstrating performance through trend reporting are critical for SOC managers. D3 provides a report library, plus a slice-and-dice report builder that allows you to track any number of proactive and reactive metrics, which can be easily exported directly to Snowflake or Power BI datasets for all your data modelling needs.