SOAR connects disparate systems to orchestrate and automate response. Existing SOAR platforms have taken a process-driven approach to connect products within a workflow; however, for optimal detection and response a data-driven approach is needed to prioritize data and connect systems with that data. Automating and orchestrating noisy data just amplifies the noise.
A DIFFERENT APPROACH
The current approach to security automation and orchestration does not care what data is being processed. This is inefficient for detection and response needs for two key reasons:
1) Playbooks are run on irrelevant, low-priority data, wasting time and resources
2) If you put noisy data in, the result is amplified noise out
When applied to detection and response, process-focused playbooks require complexity that grows exponentially as the number of playbooks in use increases.
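To make the noise-amplification point concrete, here is an added example (not code from the page or from any SOAR product) that dispatches constructed alerts to constructed playbooks two ways: process-driven (every matching playbook runs on every alert) and data-driven (alerts are scored and prioritized first, and only those above a threshold are dispatched). The alert fields, scoring weights and the 0.6 threshold are assumptions chosen for illustration.

```python
"""Process-driven vs data-driven playbook dispatch (added example, constructed data)."""
from dataclasses import dataclass


@dataclass
class Alert:
    alert_id: str
    source: str             # detection source that produced the alert
    severity: int           # 1 (info) .. 5 (critical), as set by the source
    asset_criticality: int  # 1 .. 5, from an asset inventory (assumed field)
    confidence: float       # 0.0 .. 1.0, confidence in the signal (assumed field)


# Constructed sample alerts: mostly low-value noise, a couple worth acting on.
SAMPLE_ALERTS = [
    Alert("a1", "edr", 5, 5, 0.9),
    Alert("a2", "ids", 2, 1, 0.2),
    Alert("a3", "ids", 2, 2, 0.3),
    Alert("a4", "email", 3, 2, 0.4),
    Alert("a5", "edr", 4, 4, 0.8),
    Alert("a6", "ids", 1, 1, 0.1),
    Alert("a7", "email", 1, 3, 0.2),
    Alert("a8", "ids", 3, 1, 0.3),
]

# Constructed playbooks: the sources each triggers on and how many downstream
# actions (enrichment lookups, tickets, notifications) one run emits.
PLAYBOOKS = {
    "enrich_indicators": {"sources": {"edr", "ids", "email"}, "actions": 3},
    "open_ticket":       {"sources": {"edr", "ids", "email"}, "actions": 1},
    "isolate_host":      {"sources": {"edr"},                 "actions": 2},
    "notify_analyst":    {"sources": {"edr", "ids", "email"}, "actions": 1},
}


def priority_score(alert):
    """Weighted 0..1 score; the weights are an assumption for illustration only."""
    return (0.4 * alert.severity / 5
            + 0.4 * alert.asset_criticality / 5
            + 0.2 * alert.confidence)


def dispatch(alerts):
    """Process-driven: every matching playbook runs on every alert.

    Returns (playbook_runs, downstream_actions) so the fan-out is measurable.
    """
    runs = 0
    actions = 0
    for alert in alerts:
        for playbook in PLAYBOOKS.values():
            if alert.source in playbook["sources"]:
                runs += 1
                actions += playbook["actions"]
    return runs, actions


def data_driven_dispatch(alerts, threshold=0.6):
    """Data-driven: score and rank first, then dispatch only what crosses the threshold.

    Returns (selected_alert_ids, playbook_runs, downstream_actions).
    """
    ranked = sorted(alerts, key=priority_score, reverse=True)
    selected = [a for a in ranked if priority_score(a) >= threshold]
    runs, actions = dispatch(selected)
    return [a.alert_id for a in selected], runs, actions


if __name__ == "__main__":
    runs, actions = dispatch(SAMPLE_ALERTS)
    print(f"process-driven: {len(SAMPLE_ALERTS)} alerts -> {runs} runs, {actions} actions")
    ids, runs, actions = data_driven_dispatch(SAMPLE_ALERTS)
    print(f"data-driven:    {len(ids)} alerts {ids} -> {runs} runs, {actions} actions")
```

With this constructed input, the process-driven path turns 8 alerts (6 of them low-priority) into 26 playbook runs and 44 downstream actions, while the data-driven path dispatches only the 2 alerts that score above the threshold and produces 14 actions. Adding a fifth or sixth playbook to the process-driven path multiplies every noisy alert's fan-out again, which is the growth in complexity the text describes; the gate in front of dispatch is what keeps that growth tied to data worth acting on.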