Migrating from legacy SOAR platform to Tines: a step-by-step guide

In this blog post, Martin Moroney, Customer Success Engineering Manager at Tines shares lessons on migrating from a legacy SOAR platform, based on his experience in overseeing dozens of successful migrations.

Enterprise system migrations are complex projects, with intimidating challenges that require meticulous planning and execution. This complexity is amplified in the context of systems that leverage many integrations to support complex workflows. 

SOAR (Security, Orchestration, Automation, and Response) platforms are no different. These tools run workflows that are mission-critical, and play a key role in maintaining a strong security posture. 

Migrating from a legacy SOAR platform to something more sustainable can be daunting, but the benefits more than justify the effort.

Why would a security team want to migrate? 

Let’s start with why a team would want to migrate in the first place. The solution you have today may do the job just fine, but as threats evolve, so must security teams. 

In my experience, the same drivers come up time and time again:

1. Time to value. Initial deployment with legacy platforms can run from weeks to months, delaying the opportunity to demonstrate ROI. 

2. Usability. Organizations demand a solution that’s approachable and usable across their teams. SOAR solutions that require a development team to build even basic workflows are no longer acceptable.

3. Agility. Quick build times and ease of maintenance are key to demonstrating value in hours, not weeks. The inability to work efficiently frustrates everyone from frontline analysts to CISOs. Legacy SOAR solutions also lack impactful AI functionality that impacts operational and business outcomes, further limiting their ease of use.

4. Specialization. Some legacy SOAR solutions are bolted onto a bigger system, such as a SIEM. This all but guarantees that automation and orchestration are not central to the vendor’s philosophy, and won’t be prioritized on the product roadmap.

5. Integrations. The legacy approach to connecting to security tools is to write a Python integration to connect to the API. Not only is this unsustainable, but connecting to internal tools requires a long wait, or a team to develop a bespoke Python integration.

Security teams are becoming increasingly aware of these limitations, and want something more flexible, more focused, and more sustainable. The big hurdle to overcome is the sunk cost fallacy. Time spent trying to make something work does not justify the commitment of even more time.

Avoiding the pitfalls 

Even considering these benefits, the decision to change your SOAR platform should not be taken lightly. It requires careful research, advice from peers, and plenty of planning in order to go smoothly! The most common pitfall I’ve seen is underestimating the time and resources required for a successful transition. This can lead to a rushed migration, and inadequate testing.

To avoid these issues, it’s crucial to start the planning process as early as possible, allowing for ample time for a thorough evaluation of a new SOAR platform, mapping and prioritizing existing workflows, and training users ahead of migration and testing. By anticipating these challenges, and strategically planning the migration, organizations can ensure a smooth transition to a next-gen SOAR platform.

Case study: Beyon Cyber 

Beyon Cyber, a leading provider of advanced end-to-end cyber-security solutions, faced several challenges with their legacy SOAR platform - performance issues, integration limitations, and support constraints. The impact of these challenges was profound - resource drain, implementation delays, and operational burden. They were able to migrate their mission-critical workflows from their legacy SOAR to Tines in just four weeks.

In their own words:

“A significant amount of our resources was diverted towards maintaining the platform, which hindered our ability to focus on expanding our SOAR automation use cases.”

Abubakar Mohd, Chief Technology Officer

“We haven’t experienced any performance issues with Tines, and our automated workflows have been significantly simplified. We were able to build whatever we wanted, and even add more features that we didn't previously cater for.”

Isa Almannaei, Head of Security Operations Center

Read the full case study. 

Case study: Mars 

Mars, a family-owned company comprising many well-known brands, products, and services, only had one engineer on the security team who could use their legacy SOAR solution. They needed a platform that was accessible and intuitive for anyone on the team to adopt. Within six months of switching solution, they had five teams using Tines.

In their own words:

“We have more stories available than we anticipated because when we originally priced it out, we did like-for-like. We knew we had 200 use cases in [our legacy SOAR solution] and because of the flexibility of the Tines platform, we were able to consolidate use cases, which is a happy accident.”

Gregory Poniatowski, Director of Cyber Threat and Vulnerability at Mars

Read the full case study and hear from Cyber Security Director Walter Porto in a webinar on remediating cloud security risks.

Steps to a successful SOAR platform migration 

We can break this process down into the general steps that should be followed:

Assessment and planning 

This is the most important part of the whole process. These migrations succeed in the planning phase, and a strong plan will go a long way to guiding an easy migration.

1. Understanding your environment

• Create a workflow inventory

• Document all playbooks, scripts, and integrations in the current environment

• Prioritize this list - what’s most important to tackle first?

• Workflow analysis

• Understand what each workflow is doing

• What are the inputs and outputs of the process?

• Document this for reference later

• Integration review

• Identify and list all third-party tools used across your workflows

• Use this list to guide creating credentials. This may require setting up an app in o365

• Work with other teams to get these credentials prepared

2. Define Objectives

• Identify goals

• Nail down the objective of the migration. E.g. enhanced automation, improved UX, easier integration

• Requirement mapping

• Map and compare these requirements to the features and capabilities of a modern SOAR platform like Tines

3. Plan the migrations

• Create a roadmap

• Identify your milestones

• Select the key workflows

• Nail down the credentials needed

• Plan to leverage AI to:

  • Interpret incoming data from multiple sources

  • Summarize information

  • Format and convert data

• Resource allocation

• Get the right team in place, and empower them with time and support

Preparation 

4. Set up the new environment

• Infrastructure

• For cloud deployments, this should only take seconds

• If you have a requirement for self-hosted, then identify the technologies needed to deploy. For example, prepare the Fargate environment, or spin up a machine for Docker.

• Access management

• Add the migration team to the tenant, and grant appropriate roles to those accounts

• Configure SSO on the tenant to add additional security controls

5. Knowledge and training

• Leverage training resources

• Review Tines University content

• Attend our free hands-on bootcamp training sessions

• Complete a Tines certification 

• Bookmark Tines docs for guidance on specific topics

Migration execution 

6. Configure credentials

• Create Credentials

• Create a credential for each tool you’ll be connecting to. Doing this up front will speed up the build process massively.

• Some will be text credentials for storing static API keys

• OAuth credentials will likely be needed for a number of tools. These require creating an app in the target system.

• JWT Credentials are most often used with Google Workspaces service accounts

• The AWS Credential type is available for both role-based and key-based access.

7. Convert Playbooks

• Working through your list of prioritized workflows, begin converting them from the old SOAR platform (or old scripts!)

• As you begin connecting to external APIs, you will use the credentials created already

If you want to receive events directly via a Tines Webhook, create the action in your workflow, and copy the unique webhook URL to third party systems like a SIEM. This allows alerts to be sent to Tines in real time for analysis and response.

• Some teams treat this as building an MVP - convert the workflow as is to complete the migration as quickly as possible. 

• Others will start to think about these workflows a bit more, and see how to leverage Tines features like Pages and Records to make the experience better for analysts and end users.

8. Test and validate

• Test each workflow with multiple inputs, events, and validate your expected output.

• Think about what should happen when an API call fails - maybe the URL you’re analyzing doesn’t exist, and VirusTotal returns a 404 error, or you hit your API key rate limit and see 429 Responses.

• Enabling Tines features like Retry On Status, and Monitoring will help handle these edge cases.

• Work through an UAT needed with the wider team and end users.

• Implement their feedback

• Enable Change Control on the workflow to safely iterate into the future

9. Ship it!

• Once you’re satisfied with the workflow, it’s time to make it live. If you have been building in ‘Your Drafts’, then move the workflow to the primary team where it will run from.

• Configure schedules on the initial actions if needed

• Update your SIEM or other tool to point to the Tines Webhook where alerts should be sent

• Document the workflow with Notes on the drag-and-drop canvas. This should give a viewer a quick overview of what the workflow does.

Iterate, extend, maintain 

10. Iterate

• Now that the core workflow is up and running, it’s time to consider how to make it better. What has been missing that makes things easier? Is there an opportunity to allow end users to self serve rather than submit a ticket? 

• Consider using AI to audit and improve your existing workflows.

• This is the ideal opportunity to quickly increase the ROI already demonstrated, and reclaim more time!

11. Extend

• New tools, new threats, and new sources are frequent in the security space.

• As they arise, workflows should be extended to account for these. When onboarding a new Threat Intelligence tool, your Indicator Enrichment workflow would be boosted by including this new source.

12. Maintain

• Feedback from end users should be encouraged. They will have suggestions to improve wording, update the structure of a case, and make minor tweaks to the output. 

• These changes can be quick and easy, but provide a noticeable improvement to the people interacting with them.

• Monitor for any API failures or other unexpected issues and rectify them as a priority.

• AI can be used to help with workflow maintenance, for example to summarize change control requests.

Ensuring a smooth SOAR migration 

A SOAR migration presents a huge opportunity to reclaim time, improve efficiency, and automate processes that your team simply doesn’t have the capacity for. But it presents its own challenges. There are responsibilities on both the customer and the vendor side to ensure that the process goes smoothly. Careful planning sets the tone for the entire migration - be thoughtful and detailed here, and you’ll be automating on a different level in no time.