SOAR vs. Orchestration and Automation: What’s the Difference?

Back to all articles

SOAR vs. automation and orchestration

If you’re playing buzzword bingo in 2018, Orchestration and Automation (O&A) are two words you want to see on your card. Unlike some buzzwords, O&A are not just fluff; when implemented properly, Orchestration & Automation are real solutions that can provide tremendous benefits to overworked security teams.

However, as the industry starts to see real benefits emerge in new classes of solutions, more and more products start to incorporate aspects of that solution into their existing products. This tends to muddy the waters in the product space and leaves potential customers confused (talk to a SIEM vendor if you want to hear someone else’s perspective on this problem).

Before we go any further, let me clarify something; this blog is not intended to be a shot at anyone’s marketing or any vendor incorporating Security Orchestration and Automation into their existing product. To the contrary, when implemented properly, Automation and Orchestration can benefit customers at many levels. If you’re in a product space where O&A can provide value to your customers, you should absolutely be looking into it. Instead, this blog is intended to answer the question we are getting asked more and more recently; “I see vendor X is doing orchestration and automation now, are they your competitor? How are you different?”

Orchestration and Automation

In terms of O&A, there are two main categories of solutions (of course, there are always some that fall somewhere in the middle:

When you begin to compare these two categories, there are two significant differentiators. Non-SOAR solutions tend to focus on O&A within their own product, or within a similar product space (let’s use vulnerability management as an example). Their focus on one particular product space tends to make them very capable of addressing advanced use cases in that product space, however, they typically do not support use cases outside of that space. A SOAR solution, on the other hand, should be capable of performing O&A across many different product spaces in one cohesive solution.

The other significant differentiator between SOAR and non-SOAR solutions is their ability to perform other Response (the R in SOAR) and incident management functions. Whereas a SOAR solution should be able to perform these other Response functions, a non-SOAR solution is typically limited in this regard.

Which is the right solution?

As always, it depends on the problem you are trying to solve. If you are trying to increase your efficiency in vulnerability management, threat intelligence, endpoint detection or network management, a non-SOAR solution in one of these spaces with O&A capabilities may be the right solution for you. If you are trying to solve inefficiencies across all of these spaces, you may want to invest in a SOAR solution. Of course, there is also nothing wrong with layering these technologies either; perhaps a focused solution which includes O&A is required in one space, which can then be orchestrated with other security products through a SOAR solution.

So, getting back to answering the original questions, “I see vendor X is doing orchestration and automation now, are they your competitor? How are you different?” If vendor X is not a SOAR solution provider, there is probably some overlap, however, they are usually focused on solving a different or more specific problem to DFLabs, so they are most likely not a competitor. In fact, in some cases, they may be a technology partner. In these cases, our core differentiators are usually those listed above. If vendor X is a SOAR solution provider, they may very well be a competitor and our core differentiators will depend on the specific vendor.

In either case, DFLabs would be happy to discuss its differentiators from other SOAR solutions in a more personalized way, so if you have any questions or would like a one to one demo of our IncMan SOAR platform, please do get in touch. However, I wanted to take a few minutes out of the day to address this common question you may have as you start your journey down the O&A road.

Get Started with a One-to-One Personalized Demo

Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.

See IncMan SOAR in Action.

Request a demo