Word Notes 7.20.21
Ep 59 | 7.20.21

security orchestration, automation, and response (SOAR) (noun)


Rick Howard: The word is: SOAR.

Rick Howard: Spelled: S for security, O for orchestration, A for automation, and R for response.

Rick Howard: Definition: SOAR platforms, or security orchestration, automation and response platforms, allow organizations to automatically process telemetry from various IT and security tools. 

Rick Howard: Example sentence: SOAR ingests and analyzes data, connects and integrates it, automates the low-level stuff, and then offers a single view into all of the terabytes of data that SOC analysts pore over every day.

Rick Howard: Origin and context: Around 2010, the IT community started thinking about DevOps, or infrastructure as code. By the 2013 publication of Gene Kim's Cybersecurity Canon Hall of Fame book about DevOps called "The Phoenix Project", most IT groups had some sort of DevOps project on the books.

Rick Howard: Big internet giants, like Google, Netflix, and LinkedIn, to name three, had completely embraced the model, but the security community lagged behind. In the early days, circa late 1990s, security operations center analysts, SOC analysts for short, manually managed monitoring of a small number of security devices like firewalls, intrusion detection systems, and antivirus systems. Fast forward to today, though, when the number of tools SOC analysts have to monitor can range anywhere from 15 to 300, depending on how big the organization is, and SOC analysts have become overwhelmed.

Rick Howard: In order to consume the telemetry of that many devices, the SOC requires automation, and practitioners started talking in terms of DevSecOps. Security pundits like John Oltsik, the principal analyst at Enterprise Security Group, started talking about the concept of security orchestration as early as 2015. In other words, automating the process and handling of security tool telemetry. Tools started to appear on the market designed specifically to automate SOC tasks, and Gartner coined the term SOAR in 2017.

Rick Howard: Nerd reference: At the 2015 Dynatrace Perform user conference, the author of "The Phoenix Project", Gene Kim, explained why DevOps is so important.

Gene Kim: I've had the privilege of studying high performing technology organizations since 1999. These were the organizations that had the best project due date, performance, and development. They had the best operational stability, reliability, and performance and operations. These were the organizations that had the best security and the best posture compliance.

Gene Kim: And so our mission was to study these organizations to figure out how did they make their good to great transformation so that the rest of us could replicate their journey. Uh, you know, there were many surprises on that journey, and perhaps the biggest one is that it led me straight into the heart of the DevOps movement, which I think is urgent and important because it is a solution to what I believe is the largest business problem of our generation, the likes of which we have not seen in 30 years when manufacturing was transformed by the lean principles.

Gene Kim: So in the next 44 minutes, what I would like to do as your self-appointed ambassador from the DevOps community is share with you two things. Why I think DevOps is so important. And two is more importantly, maybe the how of DevOps. How are organizations doing tens, hundreds, or maybe even thousands of deployments per day while preserving world-class reliability, stability, security, and performance? Something that we didn't even think possible five years ago.

Rick Howard: Credits: Word Notes is written by Nyla Gennaoui. Executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.