Security orchestration, automation, and response (SOAR) is a tool category intended to maximize cybersecurity analyst efficiency by establishing workflows. Ironically, however, installing a tool authorized to take action often meets substantial resistance in the cybersecurity space by those who may not fully understand it. For the SOAR tool to excel, it needs to be flexible enough to synthesize data from many already installed systems. The SOAR tool must flexibly adapt its workflow to scenarios with subtle differences. It must also reflect the all-too-common reality that the ultimate conclusion in an investigation may differ from the initial conclusion.

Each organization has distinct deployments and many variations on specific organizational responses. Therefore, an excellent SOAR tool must help minimize the work needed to facilitate deployment and maintain extensive flexibility in its interactions with a multitude of systems. In this paper, we look at how the Siemplify SOAR platform performs in light of these criteria.

How We Tested

We performed this tool review on a Siemplify-provided Enterprise (version 5.6.1.89) portal instance via a Docker image (see Figure 1). We imported the image to Docker and had an operational instance immediately available to log in. We prepopulated this instance with accounts, an environment, cases, and playbooks. Siemplify generated the data and provided it to SANS. No further data ingestion or system configuration was performed.

The SANS version had all the listed system modules enabled. This paper covers only some of the modules listed here.

Unless otherwise noted in this report, SANS was logged in as the administrator user.

To read the full whitepaper, download it here:

End-to-End Security Operations Management in a SOAR Platform
