Greg Bammel, February 3 2023

Staffing & Operationalizing SOAR

Congratulations! You've just taken a big step forward and are now the proud owner of a SOAR. This post will help you evaluate, design, and scope your SOAR project so that you have the right team and resources in place to make it successful. It won't cover the specifics of how to design a successful SOAR, but it will give you a better understanding of the elements to consider when planning the project. If you are looking for more on automation goals and objectives, check out this post.

The following phases break down how we operationalize a SOAR deployment.

We start from the client's technology stack. We list the technologies in the environment, and for each one we estimate 4 hours to define the access the SOAR requires (ideally a dedicated service account with only the permissions the playbooks will exercise), request that access, and test it.

Every SOAR has a way of creating building blocks for different functions. These are basic security actions that take place in the tool, and we define playbooks or smaller pieces of code around them: for example, blocking an IP in a firewall, removing an email from an inbox, or searching for matches to a given YARA rule. Blocks can be reused across multiple playbooks. We estimate that a building block touches 2-3 integrations and takes approximately 20 hours to develop, configure and test.

Once the blocks and any required integrations are built, we build the playbooks. At a high level, we estimate about 30 hours to architect, design and build a small-to-average-sized use case. A basic use case is composed of 4-6 integrations or building blocks; additional complexity increases this scope. Depending on the use case, we add time for validation with SOC teams or QA testing.

Once the use cases are deployed and no further development is planned, we estimate day-to-day operation of a SOAR at 25-30% of an FTE in a medium-sized enterprise. This covers keeping the platform stable, making sure integrations are running, and minor tweaks to playbooks.

All of these assumptions vary significantly from one environment to the next, but they form the baseline we use to scope the level of effort for architecting, deploying, and operationalizing a SOAR.
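The estimates above can be turned into a simple scoping calculator. The script below is an added example written for this post, not SprwLabs' own tooling: it uses the post's hour figures and counts each technology and each building block only once, even when several use cases share them, which is where reuse pays off. The sample stack, blocks and use cases are constructed, and the 5-hour adder for blocks beyond a basic use case is an assumption of the example, not a figure from the post.

```python
"""Level-of-effort estimator for the SOAR scoping model described above.

Added example, not SprwLabs' tooling. Hour figures are the post's baseline
estimates; the stack, blocks and use cases below are a constructed sample.
"""
from __future__ import annotations

from dataclasses import dataclass

# Baseline estimates from the post.
HOURS_PER_TECHNOLOGY_ACCESS = 4   # define, request and test access
HOURS_PER_BUILDING_BLOCK = 20     # develop, configure, test (2-3 integrations)
HOURS_PER_BASIC_USE_CASE = 30     # architect, design, build (4-6 blocks)
BASIC_USE_CASE_MAX_BLOCKS = 6
ONGOING_FTE_RANGE = (0.25, 0.30)  # day-to-day operations, medium enterprise

# Assumption of this example: each block past a basic use case adds 5 hours.
HOURS_PER_EXTRA_BLOCK = 5


@dataclass(frozen=True)
class BuildingBlock:
    name: str
    technologies: frozenset[str]  # integrations the block relies on


@dataclass(frozen=True)
class UseCase:
    name: str
    blocks: frozenset[BuildingBlock]  # blocks the playbook chains together
    validation_hours: int = 0         # SOC validation / QA per use case


@dataclass
class Estimate:
    technologies: int
    access_hours: int
    blocks: int
    block_hours: int
    use_case_hours: int
    validation_hours: int

    @property
    def build_hours(self) -> int:
        """One-off effort to architect, deploy and validate the use cases."""
        return (self.access_hours + self.block_hours
                + self.use_case_hours + self.validation_hours)


def estimate(use_cases: list[UseCase]) -> Estimate:
    """Sum effort, counting each block and technology once even if reused."""
    blocks = {b for uc in use_cases for b in uc.blocks}
    technologies = {t for b in blocks for t in b.technologies}
    use_case_hours = 0
    for uc in use_cases:
        extra = max(0, len(uc.blocks) - BASIC_USE_CASE_MAX_BLOCKS)
        use_case_hours += HOURS_PER_BASIC_USE_CASE + extra * HOURS_PER_EXTRA_BLOCK
    return Estimate(
        technologies=len(technologies),
        access_hours=len(technologies) * HOURS_PER_TECHNOLOGY_ACCESS,
        blocks=len(blocks),
        block_hours=len(blocks) * HOURS_PER_BUILDING_BLOCK,
        use_case_hours=use_case_hours,
        validation_hours=sum(uc.validation_hours for uc in use_cases),
    )


def ongoing_hours_per_week(fte_hours: float = 40.0) -> tuple[float, float]:
    """Steady-state operations once development stops (25-30% of an FTE)."""
    low, high = ONGOING_FTE_RANGE
    return (round(fte_hours * low, 1), round(fte_hours * high, 1))


# Constructed sample: six blocks over seven technologies, two use cases that
# share four of the blocks.
ENRICH_IOC = BuildingBlock("enrich_ioc", frozenset({"threat_intel", "siem"}))
PURGE_EMAIL = BuildingBlock("purge_email", frozenset({"email_gateway"}))
BLOCK_IP = BuildingBlock("block_ip", frozenset({"firewall"}))
ISOLATE_HOST = BuildingBlock("isolate_host", frozenset({"edr"}))
OPEN_TICKET = BuildingBlock("open_ticket", frozenset({"ticketing"}))
NOTIFY = BuildingBlock("notify_analyst", frozenset({"chat"}))

SAMPLE_USE_CASES = [
    UseCase("phishing_triage",
            frozenset({ENRICH_IOC, PURGE_EMAIL, BLOCK_IP, OPEN_TICKET, NOTIFY}),
            validation_hours=8),
    UseCase("endpoint_malware",
            frozenset({ENRICH_IOC, ISOLATE_HOST, BLOCK_IP, OPEN_TICKET, NOTIFY}),
            validation_hours=8),
]

if __name__ == "__main__":
    e = estimate(SAMPLE_USE_CASES)
    print(f"{e.technologies} technologies, {e.blocks} blocks, "
          f"{e.build_hours} build hours")
    print("ongoing hours/week:", ongoing_hours_per_week())
```

For the sample, the two use cases would cost 324 hours if each were scoped in isolation (12 technology accesses and 10 blocks); counting shared blocks and technologies once brings the build to 224 hours, which is the number to put in front of the team when deciding how many playbooks to commit to in a first phase.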
