Danil Borodavkin, R-Vision: SOAR is a large construction kit in which literally everything is configurable
Danil Borodavkin, product manager of R-Vision SOAR, in an interview with TAdviser, spoke about the development of the Russian market for SOAR solutions and about the specifics of implementing and using such tools.
What are the key challenges customers can address with information security orchestration and incident response tools that belong to the SOAR class? Has the attitude towards this technology changed in the last couple of years?
Danil Borodavkin: As the level of maturity of the information security team grows, there is a need for automation and control of SOC performance metrics. At the same time, companies are increasingly moving to 24-hour information security services to continuously monitor infrastructure for suspicious activity and promptly respond to incidents.
As a result, on the one hand, interest in SOAR technologies is growing, and on the other hand, the requirements for the functionality and performance of such systems keep rising. However, the main tasks solved with SOAR remain the same: enriching incidents with Threat Intelligence (TI) data, automatic triage, automating data collection and response measures, coordinating the work of the various SOC lines, and tracking metrics.
To what extent is the SOAR concept generally consistent with the spirit and letter of legal requirements for information security, such as 187-FZ? What has changed in Russian legislation recently in terms of incident response?
Danil Borodavkin: In recent years, several large regulatory trends can be distinguished: legislative support for the adoption of modern information security systems, import substitution, and stronger state control over the state of information security. The functionality of SOAR systems correlates well with these legislative vectors: SOAR lets you bring together alerts from different SMTs, control the response to them, and establish a process of interaction with regulators such as GosSOPKA (the State System for Detecting, Preventing and Eliminating the Consequences of Computer Attacks) and FinCERT.
How is the process of import substitution of SOAR class solutions going now? What features of domestic solutions are most in demand?
Danil Borodavkin: Domestic SOAR-class systems had already taken a significant share of the information security market before the import substitution trend began to develop actively in Russia. This was made possible by a well-developed information security market, which was formed, among other things, under the influence of legislative requirements.
The success of Russian SOAR systems comes from being functionally competitive with foreign counterparts while also supporting the specific requirements of the local market, such as integration with domestic SIEM solutions and endpoint protection tools, and interaction with regulators.
How different are the global trends in the development of SOAR technology from Russian ones?
Danil Borodavkin: The basic needs of information security specialists using SOAR are quite "international." SOAR is a single window for a SOC analyst and a flexible tool for operational automation. The specifics of the Russian market include interaction with regulators, as well as the demand for low-code tools. Domestic SOC analysts not only use the content supplied by the vendor, but also actively adapt it to their needs.
How do you estimate the volume of the domestic SOAR market? How has it changed since the departure of foreign developers?
Danil Borodavkin: For the SOAR product class, the departure of foreign developers was not a turning point, unlike, for example, the SIEM market, where large foreign vendors held strong positions in Russia. The SOAR market, according to our estimates, is now almost at its peak. The technology has reached the level at which it is in demand by the mass consumer in the corporate segment.
Is it possible to implement SOAR in the form of cloud services or MSSP? How promising is it?
Danil Borodavkin: Today, many MSSPs actively use SOAR. In commercial services, SOAR features such as incident management and automation are mandatory. The only question is whether an MSSP develops its own solution or chooses an off-the-shelf one.
From a technical point of view, SOAR is completely ready to work in the cloud. However, there are several points that need to be taken into account.
First, content. In our experience, every SOAR installation accumulates playbooks adapted to the unique processes of our clients. Standard lifecycle settings and incident cards are always modified to suit customer needs. Customers often prefer to keep this "acquired" content close to home, in a local installation, rather than in the cloud.
The second aspect is orchestration. Technical response measures are executed from SOAR, and the system controls local security tools in the organization's infrastructure. Not everyone is ready to hand such control over to a cloud solution.
Finally, cost. The subscription model lets you save on equipment and manage resources quickly, but in the long term a local installation may be more profitable, especially if the organization already has data center capacity.
At the moment, we are not seeing much interest in a cloud SOAR service, but we will respond to such requests if they appear.
What is more effective for customers: deploying your own SOAR solution or using commercial SOC services?
Danil Borodavkin: I would suggest considering both approaches as available options that can and should be combined in order to achieve the best result. The need for SOAR functionality depends on the number of incidents being handled, the size of the infrastructure, the size of the team, and the defined response times.
Using commercial SOC services lets you bring in external expertise and reduce the cost of your own staff of information security specialists. However, this does not remove the need to manage and respond to incidents. For example, if an MSSP detects a breach of the organization's infrastructure, internal employees will still be required to change passwords, install patches and clean up endpoints.
Even the process of receiving and processing alerts from an MSSP requires attention and support. As our practice shows, handling such notifications only in e-mail or instant messengers is not effective.
Large organizations tend to prefer creating their own SOC. But among our customers we also see hybrid options, where MSSP services supplement an internal SOC and interaction with the MSSP goes through the SOAR system.
What product support infrastructure should the SOAR vendor have? What are the features of the sales channel for such solutions?
Danil Borodavkin: SOAR is a large construction kit in which literally everything is configurable. Organizing support for this class of solutions is not a trivial task. The problems users face often occur at the level of the content they design: playbooks, incident settings, and so on. A professional, technically savvy support team should work on the vendor's side to analyze such situations promptly. Given that SOAR-based SOCs often work 24/7, the same requirements apply to product maintenance. Our support team works around the clock and is divided into three lines. These are specialists with specialized education in the field of information security, many of whom have extensive experience in system administration. Thanks to this, the team can resolve complex client cases independently or escalate them to the next level in a timely manner, where the development teams are brought in. In addition, we rely on a partner sales channel and develop the necessary competencies for partners, including mandatory training for engineers.
How do you rate the Russian SOAR market? Name the key trends in its development.
Danil Borodavkin: In Russia, the SOAR market has already reached a high level of maturity. Today we are seeing a trend towards combining individual information security solutions into large platforms. This means that the mechanisms for detecting incidents, responding to them and automating processes are combined within one solution. Supporting this trend, we have released our own SIEM-class solution, R-Vision SIEM, which integrates closely with R-Vision SOAR.
In addition, artificial intelligence (AI) technologies are developing in SOAR systems, but their potential has not yet been fully realized.
Which industries are most promising for SOAR? How do legal requirements affect this?
Danil Borodavkin: SOAR is in demand in large organizations with a large IT infrastructure, a constant stream of incidents and high criticality of IT systems. Typical customers are resource and energy companies, large retail chains, banks and others. As for the influence of legislative requirements, the active work of regulators is a catalyst for the development of information security and the adoption of SOAR, in particular in the banking sector and among organizations that own critical information infrastructure (CII).
What specialists are needed to keep SOAR working on the customer's side? How would you assess the staffing needs for widespread adoption of these products?
Danil Borodavkin: The end user of SOAR is an information security analyst. The development and support of content in the system can be carried out both by the same employees and by separate system maintenance engineers.
In the booming IT/information security market, demand for such specialists currently exceeds supply. However, SOAR-class systems can compensate for the shortage of qualified personnel by providing tools to automate manual tasks, which helps optimize workflows.
What cybersecurity trends will determine the future development of SOAR in Russia over the next 3 years? How different are they from global trends?
Danil Borodavkin: The trends that SOAR systems will face in the coming years are increased loads and, as a result, the need to move to architectures that allow the system to scale. We can also note the general trend towards the use of AI and of large platforms that combine the functions of the entire line of key information security products. In Russia, given the import substitution situation, the need for content for integration with domestic solutions will increase.