Enable breadcrumbs token at /includes/pageheader.html.twig

SOAR Can Change the Game on Strengthening DoD Cybersecurity

Credit: Shutterstock/ArtemisDiana

Credit: Shutterstock/ArtemisDiana

The time is right for the Department of Defense (DoD) to leverage automation in elevating its security posture. The maturation and subsequent widespread adoption of Security Orchestration, Automation, and Response (SOAR) technology seen in recent years makes clear SOAR’s applicability for Department of Defense purposes. It is an ideal tool to enable robust capabilities sought by DoD leadership, like common operating picture telemetry, continuous compliance and zero trust.

There are several high-value use cases where SOAR can make a rapid impact and ease many of the challenges DoD security teams are struggling with.

Streamlining Security Data

SOAR starts by integrating into an existing IT environment. At its foundation, SOAR connects disparate tools, teams, and systems, taking inputs from a variety of sources and applying “playbooks” of workflows, prebuilt by the agency, aligned to security processes and procedures. One of its key qualifiers is the great number of integrations available. However, beyond simply having a multitude of random integrations, a SOAR implementation will be most successful when having the right types of integrations relative to the operating environment.

Once the best integrations are in place, SOAR solutions ingest data from all available sources, automatically reducing repetitive alerts while enriching and prioritizing alerts into incidents. Those alerts then provide the basis for triggering playbooks so that no critical security data ever gets missed.

Reducing the Number of Tools While Maintaining Comprehensive Cyber Operations

DoD programs typically take a Defense in Depth approach to security. By definition, that involves multiple layers of different security products focused on specific functions. SOAR sits above that breadth of tools and capabilities, providing analysts a consistent operating platform within which to conduct investigations and responses. That level of integration enables mission owners to focus on mission assurance.

For example, missions can combine individual functions like asset management and discovery, system logs and vulnerability assessments into a common operating picture that offers a complete window into the state of mission systems. Once the environment is fully understood, playbooks can actively monitor incoming alerts and triage incidents in real-time across the entire security eco-system.

These fully automated processes enable answers to multiple questions about the up-to-date state of the enterprise. The data provides leaders with the information necessary to make a valid risk assessment and determine the appropriate course of action.

Ensuring Continuity of Operations Across Deployments and Rotations

With the hundreds of individual network and security products agencies maintain, any given analyst simply can’t become highly proficient in all of them during the customary 1-to-3-year tour of duty. Instead, SOAR provides continuity through consistency. Playbooks are easily created, modified and shared, even into field-deployable packages. They persist across organizational rotations and deployments, becoming a true force multiplier for the long term.


One additional benefit of SOAR is its usefulness as a teaching tool for analysts at all levels of capability. Playbooks are excellent for training, providing a graphic view of incident response activities so new analysts can learn on the job. They are also useful for creating real-world training scenarios which can elevate analysts’ skills at all levels.

Credit: Shutterstock/Panchenko Vladimir
Credit: Shutterstock/Panchenko Vladimir

Practical Steps to Approaching SOAR Deployment

DoD organizations will be best served by starting with a comprehensive SOAR strategy. Security leaders can confront the challenges (i.e., the compartmentalized IT posture) of introducing game-changing technology into the DoD head-on by identifying the major roadblocks and developing a strategic approach to adoption. These steps will guide an effective approach:

1. Reach across silos.

Distinct groups within DoD IT have different areas of responsibility and are often unwilling to give access to their systems. Start by opening communication across organizational silos, establishing the value of the SOAR up front and ensuring key stakeholders of their continued ownership of their platforms. SOAR reaches across the silos to collect and present information to the teams that need it, when they need it, without impacting the mission of the other teams. It will, however, be necessary to identify a SOAR owner who will need access to the other departments’ systems.

2. Automate low-effort, menial tasks first.

Don’t attempt to boil the ocean. There is greater value in focusing on highly repetitive albeit trivial tasks first, such as gathering contextual information and applying it to events. This can be done by security information and event management (SIEM) systems, but by performing this action in the SOAR, analysts and operators are better equipped to develop and refine playbooks which will later be used to automate additional activities.

3. Develop Iteratively.

The previous development of simple playbooks now evolves toward larger, integrated playbooks that provide automation capabilities for more complex scenarios.

While SOAR technology is not new, DoD organizations have been reluctant to adopt it in earnest up until now. At this point, it’s apparent that many persistent DoD challenges stand to be overcome or greatly reduced by embracing this mature and well-proven technology. It’s time for agencies across DoD to tap into these rich benefits to increase their security posture and our national defense.

Get your WWT Security Orchestration and Automation Readiness Assessment at: https://www.wwt.com/assessment/security-orchestration-and-automation-readiness-assessment.


David Vasek is principal solutions architect, Security, at World Wide Technology.