As with platform management, this process aims to review the currently implemented SOAR processes at least once every quarter. Ideally this review should be negotiated with the SOAR platform provider as part of your support package. It consists of three activities:

Feature Review

This task should focus on evaluating new and updated platform features and aligning your SOAR implementation to take best advantage of them. Before a new feature is enabled, confirm whether it changes the platform's privilege model, data handling or external connectivity, so that the feature review does not silently widen the platform's attack surface.

Review of Implemented Processes / Workflows

This activity should focus on ensuring that the processes configured within the SOAR platform remain aligned with the evolving needs of the SOC, the changing threat landscape and the changes taking place within the wider organisation.

  • Identify the key roles to participate in the review, including organisational process owners, Security Operations Center (SOC) stakeholders, the Incident Response (IR) Lead/Manager, IR/Computer Network Defence (CND) Analysts, Forensic Investigators, Compliance and Privacy representatives, industry liaisons and, in some cases, law enforcement or designated government CERT representatives, depending on the nature of your business.
  • Review your incident response process documentation and confirm that the playbooks implemented in the platform still match it.
  • Review your current configuration, including users, roles, processes, playbooks, data fields and integrations with external systems. In particular, retire dormant user accounts and unused playbooks, and confirm that each integration's credentials are still needed and scoped to the minimum permissions its playbooks require.

Look to the Future

  • Define priorities and goals for improving your Incident Response posture, and refine processes and procedures for all in-scope organisational and regional entities.
  • Identify the process and platform layout changes required by the updated information and processes.