The SOAR Adoption Maturity Model

People factors

The human element is usually the greatest source of frustration for security teams, largely due to lack of talent and personnel, as well as human error. Regardless,
security analysts are necessary for implementing, managing, and operating SOAR. Assess whether your analysts have the following:

• Skills to support security investigations
• Ability to evaluate risk to their environment
• Ability to block and remove identified risks

Do you have roles clearly defined across SOC functions, like security analysts, security engineers, threat hunters, forensic/malware analysts, threat intelligence analysts and purple teams? Assess whether these functions have the following:

• Ability to capture and report on SOC metrics
• Requirements for support and help with SOAR implementation
• Ability to find and use content within SOAR
• Awareness and use of existing security technologies
• Collaboration across IT
• High team morale and job satisfaction

Process factors

Automation is really about automating processes. Knowing the processes that your team uses — all the way from mundane tasks to advanced investigation — is a foundational step in successfully adopting SOAR. At a minimum, teams should address their most common processes or tasks, like URL or phishing alert enrichment, as a starting point for SOAR implementation. This sets a solid foundation for maturity in SOAR implementation. Assess whether you have processes for the following:

• Defining SOC workflows and the processes for alert triage
• Defining incident investigation at varying levels of severity
• Capturing critical metrics to measure SOC effectiveness
• Evaluating lessons learned after critical incidents
• Leveraging metrics for operational improvement
• Using standard incident response methodologies
• Integrating standard detection frameworks like MITRE ATT&CK

Technology factors

The processes for threat detection are a critical starting point for SOAR implementation. The capability to ingest data from many different sources and across technologies is what informs a fast and appropriate response. The integration of different SOAR apps is where orchestration comes into play. The orchestration of security incident and event management (SIEM) solutions, endpoint detection and response (EDR), network detection and response (NDR), identity access management (IAM), threat intelligence, vulnerability management, ticketing systems, and more is why SOAR is considered extremely valuable when done right.

Assess whether your organizations have the following technology factors:

• Proper configuration, use and maintenance of a stack of deployed detection technologies
• Ticketing system integrations (for example, Jira)
• SIEM integration (for example, Splunk Enterprise Security)
• Splunk Enterprise Security detections that use Risk-Based Alerting (RBA)
• Deployment of common detection technologies across common control points, including endpoint, network, email, and cloud
• Stream of sources identified for threat intelligence integration
• Identity and access management tool deployment
• API compatibility across existing technologies

Additional resources

After you have assessed the current state of your organization, click through to the rest of this guide to determine where you are on the maturity curve. Then, use the resources provided to take your Splunk SOAR implementation further.

You might find the following additional Splunk resources helpful:

• White Paper: The SOAR Adoption Maturity Model
• Splunk SOAR Slack Community: #soar channel (sign up here)
• Splunk Answers: Discussion area
• Splunk Docs: SOAR On-Prem and SOAR Cloud
• OnDemand Virtual Event: Automation for the Modern SOC
• Tech Talk: Ready, Set, SOAR: How utility apps can uplevel your playbooks!
• Education Courses: SOAR Courses
• GitHub: Splunk SOAR Playbooks
• GitHub: Splunk SOAR Connectors