
OPS-06: Security Orchestration, Automation, and Response (SOAR)

OPS 5 — Medium Protect

Mechanisms exist to utilize Security Orchestration, Automation and Response (SOAR) tools to define, prioritize and automate the response to security incidents.

Control Question: Does the organization utilize Security Orchestration, Automation and Response (SOAR) tools to define, prioritize and automate the response to security incidents?

Framework Mappings

General (3)
  NIST 800-172: 3.11.3e
  SCF CORE ESP Level 2 Critical Infrastructure: OPS-06
  SCF CORE ESP Level 3 Advanced Threats: OPS-06

US (4)
  US CMMC 2.0 Level 3: RA.L3-3.11.3E
  US DoD Zero Trust Execution Roadmap: 6.5, 6.5.2, 6.7.4
  US DHS CISA TIC 3.0: 3.PEP.EN.SOARE
  US DHS ZTCF: SEC-04, SEC-05

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to utilize Security Orchestration, Automation and Response (SOAR) tools to define, prioritize and automate the response to security incidents.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to utilize Security Orchestration, Automation and Response (SOAR) tools to define, prioritize and automate the response to security incidents.

Level 2 — Planned & Tracked

C|P-CMM2 is N/A, since a well-defined process is required to utilize Security Orchestration, Automation and Response (SOAR) tools to define, prioritize and automate the response to security incidents.

Level 3 — Well Defined

Security Operations (OPS) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • A Security Operations Center (SOC), or similar function, manages cybersecurity operations covering preparation, detection and analysis, containment, eradication and recovery.
  • Procedures are standardized across the enterprise to ensure uniformity and consistent execution. These Standard Operating Procedures (SOPs) identify and document day-to-day procedures to enable the proper execution of assigned tasks.
  • Line of Business (LOB) stakeholders are identified and tasked with documenting business-critical functions in "run books," or SOPs, to capture that knowledge in documentation form from both a business and a technology perspective.

Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to utilize Security Orchestration, Automation and Response (SOAR) tools to define, prioritize and automate the response to security incidents.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to utilize Security Orchestration, Automation and Response (SOAR) tools to define, prioritize and automate the response to security incidents.

Assessment Objectives

  1. OPS-06_A01 Security Orchestration, Automation and Response (SOAR) tools are used to define, prioritize and automate responses to security incidents.
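To make the three verbs in OPS-06_A01 concrete, the following is an added example (not SCF content and not the output of any particular SOAR product; the alert fields, scoring weights, playbooks and the simulated environment are assumptions constructed for illustration). It shows a minimal playbook runner: playbooks are defined per alert kind, alerts are prioritized by severity weighted with asset criticality, and response steps are automated, with destructive steps on crown-jewel assets queued for analyst approval instead of executed unattended.

```python
"""Minimal SOAR-style playbook runner: define, prioritize, automate.
Illustrative example only; weights, playbooks and alerts are constructed."""
from dataclasses import dataclass, field
from typing import Callable

# Assumed scoring tables (not SCF values): tune to your own risk appetite.
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ASSET_WEIGHT = {"workstation": 1, "server": 2, "crown_jewel": 3}
# Destructive actions against these asset classes need human approval.
APPROVAL_REQUIRED_CLASSES = {"crown_jewel"}


@dataclass
class Alert:
    alert_id: str
    kind: str            # selects the playbook
    severity: str
    asset: str
    asset_class: str
    indicators: dict


@dataclass
class Environment:
    """Simulated targets of response actions (stands in for EDR, firewall, ticketing APIs)."""
    blocked_ips: set = field(default_factory=set)
    isolated_hosts: set = field(default_factory=set)
    tickets: list = field(default_factory=list)


@dataclass
class Action:
    name: str
    run: Callable[[Alert, Environment], str]
    destructive: bool = False   # changes production state; subject to the approval gate


def priority(alert: Alert) -> int:
    """Prioritize: severity weighted by business criticality of the affected asset."""
    return SEVERITY_WEIGHT[alert.severity] * ASSET_WEIGHT[alert.asset_class]


def open_ticket(a: Alert, env: Environment) -> str:
    env.tickets.append((a.alert_id, priority(a)))
    return f"ticket opened for {a.alert_id}"


def block_ip(a: Alert, env: Environment) -> str:
    ip = a.indicators.get("src_ip")
    if ip is None:
        return "no src_ip to block"
    if ip in env.blocked_ips:
        return f"{ip} already blocked"   # idempotent: repeated alerts must not fail or double-act
    env.blocked_ips.add(ip)
    return f"blocked {ip}"


def isolate_host(a: Alert, env: Environment) -> str:
    env.isolated_hosts.add(a.asset)
    return f"isolated {a.asset}"


# Define: one playbook per alert kind. Ticketing first so every action is traceable.
PLAYBOOKS = {
    "brute_force": [Action("open_ticket", open_ticket),
                    Action("block_ip", block_ip, destructive=True)],
    "malware":     [Action("open_ticket", open_ticket),
                    Action("isolate_host", isolate_host, destructive=True)],
}


def run_playbooks(alerts: list, env: Environment):
    """Automate: handle highest-priority alerts first, gate destructive steps, keep an audit trail."""
    audit, pending_approval = [], []
    for alert in sorted(alerts, key=priority, reverse=True):
        steps = PLAYBOOKS.get(alert.kind)
        if steps is None:
            audit.append((alert.alert_id, "no_playbook", "escalated to analyst"))
            continue
        for action in steps:
            if action.destructive and alert.asset_class in APPROVAL_REQUIRED_CLASSES:
                pending_approval.append((alert.alert_id, action.name))
                audit.append((alert.alert_id, action.name, "awaiting approval"))
                continue
            audit.append((alert.alert_id, action.name, action.run(alert, env)))
    return audit, pending_approval


# Constructed sample alerts (not real telemetry); 203.0.113.0/24 is a documentation range.
SAMPLE_ALERTS = [
    Alert("A1", "brute_force", "medium", "web-01", "server", {"src_ip": "203.0.113.5"}),
    Alert("A2", "malware", "critical", "db-01", "crown_jewel", {"hash": "deadbeef"}),
    Alert("A3", "brute_force", "low", "ws-17", "workstation", {"src_ip": "203.0.113.5"}),
    Alert("A4", "phishing", "high", "ws-02", "workstation", {}),   # no playbook defined
]


def demo():
    env = Environment()
    audit, pending = run_playbooks(SAMPLE_ALERTS, env)
    return audit, pending, env


if __name__ == "__main__":
    audit, pending, env = demo()
    for entry in audit:
        print(entry)
    print("pending approval:", pending)
```

Running the demo processes A2 first (critical on a crown-jewel host), but its `isolate_host` step lands in the approval queue rather than executing; A1 blocks the source IP; A3, carrying the same IP, records "already blocked" instead of acting twice; A4 has no playbook and is escalated. The audit list, pending queue and ticket records are the kind of artefacts an assessor would ask for as evidence against OPS-06_A01, and the approval gate is the check most practitioners add before letting automation touch high-impact assets.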

Technology Recommendations

Micro/Small

  • Centralized event logging
  • Managed Security Services Provider (MSSP)

Small

  • Centralized event logging
  • Security Information and Event Management (SIEM)
  • Managed Security Services Provider (MSSP)

Medium

  • Centralized event logging
  • Security Information and Event Management (SIEM)
  • Managed Security Services Provider (MSSP)
  • Security Orchestration, Automation and Response (SOAR)
  • Extended Detection and Response (XDR)

Large

  • Centralized event logging
  • Security Information and Event Management (SIEM)
  • Managed Security Services Provider (MSSP)
  • Security Orchestration, Automation and Response (SOAR)
  • Extended Detection and Response (XDR)

Enterprise

  • Centralized event logging
  • Security Information and Event Management (SIEM)
  • Managed Security Services Provider (MSSP)
  • Security Orchestration, Automation and Response (SOAR)
  • Extended Detection and Response (XDR)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.
