SOAR Myths: Why Security Operations Teams are Struggling to Utilize SOAR and What Can Be Done to Help



The recent 2019 SANS SOC survey highlighted some of the most common barriers still being experienced by today’s security operations centers (SOCs). Of those reported, lack of qualified staff and the inability to operationalize security automation and orchestration technologies were rated the highest. Since the security industry began to adopt automation and orchestration concepts into security programs, there have been some common misconceptions that have plagued the technology. Let’s take a look at these myths and decide whether they are fact or just folklore:

SOAR Myth #1: Automation Will Remove the Need for Security Professionals

Since the dawn of automation, this technology has been perceived by some as a positive change for the future, whereas others view it as the end of the line for humankind. These opposing viewpoints stretch across every industry and are not unique to the information technology or cybersecurity sectors. There is no denying that automation has changed and will continue to change the way we do our jobs, but that does not mean the shift must be a negative one.

Currently, analysts are bogged down with a seemingly never-ending stream of security alerts. Each one of these alerts must be reviewed and triaged to ensure that a potential threat does not bypass an organization’s defenses. However, despite their best attempts, security professionals continue to struggle to stay ahead of these threats which overwhelm their security operations centers. This is one area where automation can help.

Instead of taking jobs out of the hands of analysts, automation can be used to supplement the mundane, repetitive actions analysts must take when reviewing and triaging alerts. These tasks, which are necessary to determine an alert's validity, can be executed automatically without involving an analyst. This allows the analyst to concentrate on higher-level tasks that require actual human judgment, and in turn reduces the alert fatigue phenomenon that continues to plague modern SecOps teams.

SOAR Myth #2: Security Automation and Orchestration Are Too Complex to Deploy

Another common misbelief around security automation and orchestration is that it is too complex to correctly implement into a security program. As with any new technology, there will always be an initial hesitation towards adoption and an upfront investment that an organization must prepare for. The same goes for security automation and orchestration.

A lot of what the industry is seeing now is the gradual adoption of these technologies into select areas of an organization's security program. However, if the adoption of this technology, or any technology, is not methodically planned, the outcome is usually less desirable. To avoid running into this automation roadblock, organizations need to approach deployment in small, manageable pieces.

Survey the areas in which automation and orchestration technologies would be best suited. Create a plan for deployment and identify benchmarks that will determine the implementation's success. Evaluate each rollout as it is executed, and adjust expectations or end results as each plan progresses. The only way to ensure a successful implementation is to break the big picture down into manageable pieces and ensure that the team has a realistic vision and plan for how to get there. A failure to plan means a failure to succeed.

SOAR Myth #3: Every Security Process Should Be Automated

This common misconception goes hand in hand with the belief that security orchestration and automation are too complex to implement. One of the reasons these misbeliefs are related is due to a failure of planning. Security automation is not meant to be a replacement for a well-developed security plan. It is however meant to supplement areas within that plan to ensure that all aspects are running as smoothly and efficiently as possible.

One way of ensuring this is to understand that you cannot and should not automate everything. By attempting to automate everything, you run the risk of creating blind spots that may cause important details to go unnoticed for long periods of time, allowing a threat to establish persistence within the environment. Instead, focus only on automating the things that do not require human intervention. These are the predictable, repeatable processes, such as gathering enrichment data on an IP or domain to be presented to an analyst for final inspection and mitigation.

SOAR Myth #4: Full Automation Is Dangerous

As with the previously mentioned Security Orchestration, Automation and Response (SOAR) myths, the belief that full automation is dangerous stems from an attempt to automate everything, and to do so without a plan. When setting up full automation you must have a thoroughly evaluated workflow that the automation plan will follow. Without this fully developed workflow, an organization runs a high risk of either blinding itself to ongoing activity or burying itself in a mountain of false positive alerts that its team will never recover from.

To prevent this common mistake, interview your analysts to understand the workflows they follow for common events. Once you have a better understanding of how these events are handled, the predictable and repeatable processes will become apparent. Automate these areas first. Evaluate their outcomes on a consistent basis until you are sure that all conditions have been documented and handled correctly. When comfortable, automated actions such as taking containment steps on behalf of an analyst may be incorporated. Only incorporate these types of actions when the team is confident in the developed workflow and its success.
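The staged approach described under Myths #3 and #4 (automate enrichment first, keep the analyst in the loop, and enable containment only once the workflow is proven) can be expressed as a small playbook skeleton. This is an added illustration, not code from the article or any SOAR product; the threat-intel table, the alert fields and the outcome names are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

class Outcome(Enum):
    PRESENT_TO_ANALYST = "enriched, awaiting analyst review"
    AUTO_CONTAIN = "contained automatically"
    UNHANDLED = "enrichment failed, escalated unenriched"

@dataclass
class Alert:
    alert_id: str
    indicator: str                        # IP address or domain taken from the alert
    enrichment: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

# Constructed stand-in for threat-intel lookups so the example runs offline;
# a real playbook would query the organisation's enrichment tools here.
INTEL = {
    "198.51.100.23": {"reputation": "malicious", "feeds": 3},
    "203.0.113.9":   {"reputation": "benign",    "feeds": 0},
}

def enrich(alert):
    """Predictable, repeatable step: safe to run without an analyst."""
    intel = INTEL.get(alert.indicator)
    if intel is None:
        alert.audit.append("enrichment unavailable")
        return False
    alert.enrichment = dict(intel)
    alert.audit.append("enriched from intel")
    return True

def triage(alert, containment_enabled=False):
    """Default is to hand the enriched alert to a human. Containment runs
    unattended only after the team has switched it on for a proven workflow."""
    if not enrich(alert):
        return Outcome.UNHANDLED          # never drop an alert silently on missing data
    if containment_enabled and alert.enrichment["reputation"] == "malicious":
        alert.audit.append("containment action executed")
        return Outcome.AUTO_CONTAIN
    return Outcome.PRESENT_TO_ANALYST

def run_playbook(alerts, containment_enabled=False):
    """Count outcomes per run; a non-zero UNHANDLED count is the signal that
    the workflow still has undocumented conditions and is not ready for more automation."""
    counts = {o: 0 for o in Outcome}
    for alert in alerts:
        counts[triage(alert, containment_enabled)] += 1
    return counts
```

Review the UNHANDLED count after each run, as the article recommends, before flipping `containment_enabled` to True.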

SOAR Myth #5: Automation and Orchestration Are the Same as SOAR

Last but not least, this misconception is not surprising given the influx of automation and orchestration products that have hit the market over the last few years. It seems every vendor has some sort of automation and orchestration solution to offer, and each one is good at what it was developed to do, but these are typically designed to be used only within the vendor's own suite of security products. However, there is a large distinguishing factor between automation and orchestration products and a SOAR solution.

SOAR stands for Security Orchestration, Automation and Response. The response component of a SOAR platform is what really makes it stand out from other automation and orchestration product lines. With a full SOAR solution, organizations gain a case management platform wrapped around their security automation and orchestration tools, providing one streamlined product to work from. This removes the need for multiple dashboards and numerous logons, and removes the roadblocks experienced when trying to track actions and changes across multiple toolsets. By deploying a SOAR solution, organizations can have all of their networking components, security products, and automation and orchestration tools housed under one roof in one streamlined platform.

It’s not hard to see why some of these myths are becoming more commonplace when talking about security automation and orchestration, but it is important to separate fact from fiction. Also be sure to distinguish between SAO (security automation and orchestration) and SOAR, and to understand how the true benefits of SOAR technology can have a positive impact on your existing SecOps team, security tools, technologies, processes and overall security program.

If you are struggling with some of these issues or have pain points unique to your organization, and would like to explore how SOAR can help you to overcome these obstacles, contact us today and we can tailor a personalized demo to meet your security orchestration, automation and response needs, regardless of the maturity and infrastructure of your SecOps.
