For a Security Operations Centre to maintain and deliver its mission continuously, all of its tools and technologies must be kept optimized, and the SOAR platform is no exception. At a minimum, the following exercise should be conducted on a recurring basis, at least once every quarter.

  1. A deployment health review based on business requirements, which includes the following:
    • Review architecture, storage and DR
    • Review administrative options such as users, groups, roles, workspaces, network, organization, threat sources and notifications
    • Review customization options such as layouts, rules, scripts, workflows, functions, and message destinations
    • Review tuning and customizations including dashboards, reports and filters
    • Assess performance in a black box mode through the UI
  2. Review the integration module/server setup, if applicable, and corresponding third-party integration points.
  3. Provide mentoring to ensure maximum value is gained from the IRP deployment.
  4. Perform optimization services as time permits based on the available budget.

The assessment activity and the follow-on optimization activity could be delivered in separate time frames.

Best Practice

  1. Nominate an owner within your organization for this exercise.
  2. Engage a vendor consultant where required and negotiate this support as part of your annual contract.
  3. Record the outcomes in a formal report to be consulted as required and to form the basis of the follow-on optimization activity.

IBM will deliver one copy of this document in softcopy format.