Skip to main content
 
 
Splunk Lantern

Stage 2 of the SOAR Adoption Maturity Model

 

clipboard_e9c3a0c72ac24e48189048b7157f4d4f6.png

Characteristics of an organization in the Reactive / Proactive stage

At stage 2, the organization realizes they need additional people and processes. Likely have started to create SOC procedures and structures. Just now starting deep investigations and needs to quickly evaluate risk to the environment, and to block and remove the risk. At various levels of team formation for security engineering, threat hunting, and threat intel team. May have outsourced forensic/malware analysis or full in-house purple teaming. Team starting to capture metrics like mean time to detection (MTTD) and mean time to response (MTTR).

The SOC at this stage might be described as distributed SOC, centralized SOC, or managed SOC. The CISO has separated security operations and security engineering. They might have a small intelligence or compliance team and are likely to have L1- L2 MSSP. A security architect or SOC manager has started to source a few tier-2 SOC analysts and hired a tier-3 SOC analyst to manage incidents and build security operations procedures. Analysts manage critical alerts on a daily basis but can’t keep up with medium and high alerts.

How to advance past this stage

The end goal of stage two is to reduce tribal knowledge and automate non-analysis tasks. The value of this stage is standardizing and introducing consistency to your operations, and conducting more accurate root cause analysis. The focus is on improving the following:

  • Triage/enrichment
  • Basic investigations
  • Basic response tasks
  • Email search and manual purge

Common use cases

  • Phased custom investigations
  • Advanced response tasks
  • Phishing response
  • Threat intelligence management
  • Vulnerability management
  • Zero Trust policy enforcement
  • Reverse malware analysis

For more Splunk SOAR use cases, see the Security Use Case Library.

Common SOAR applications

For more information on Splunk SOAR Connectors and to engage with the developers, see the GitHub repository.

Common SOAR playbooks

For more Splunk SOAR playbooks, see the GitHub repository.