The State of Security Orchestration, Automation and Response (SOAR) in 2019
Across industry verticals and security models, security teams are facing a common set of challenges: overwhelming workload, an increasing number of security tools, and growing competition for skilled analysts. Security Orchestration, Automation and Response (SOAR) has emerged as the solution that allows organizations to use their technology and human resources more effectively and efficiently while reducing overall risk. Gartner predicts that by 2021, 70% of enterprise organizations with a dedicated SOC will include SOAR capabilities (Ahlm, 2018).
Although SOAR has solidified its place in the market over the last several years, one question seems to linger: is SOAR a standalone solution, or a function which will be consumed by Security Information and Event Management (SIEM) and other vendors? Although there are many different problems a SOAR solution can solve, Gartner has defined three logical groups for the different values of a SOAR solution (Ahlm, 2018):
- Create a better investigative platform
- Enhance SIEM management
- Optimize security team and program management
Although Gartner’s most recent analysis of the SOAR market was focused heavily on SOAR’s value with regard to SIEMs, vendors in other product spaces have also seen the value that Orchestration and Automation (O&A) can provide to their customer bases and have begun to implement some features adjacent to SOAR as well. Threat intelligence and vulnerability management are common examples of this trend. “Enhance SIEM management” could also be termed “Enhance event management” to include events from these other product spaces as well.
While there is little question that, when implemented properly, O&A can enhance the effectiveness and efficiency of just about any process, most vendors outside of the SOAR space tend to implement O&A within their own product, or within a similar product space (vertically), while full SOAR solutions integrate with products across many spaces (horizontally). O&A within a SIEM platform tends to have an impact across a much wider range of processes, whereas O&A within other product spaces, such as Threat Intelligence, tends to have a much narrower impact.
Regardless of the degree to which O&A is implemented in adjacent products, SOAR solutions which focus on enhancing other aspects of incident management in addition to O&A are uniquely suited to both create a better investigative platform and optimize security team and program management. For this reason, it seems unlikely that SOAR will ever be completely consumed by SIEM and other vendors. Those SOAR solutions which provide value outside of the core problems a SIEM was designed to solve will likely remain a separate solution.
It is also important to consider that O&A implemented in adjacent products will never be a replacement or competitor to a full SOAR solution. Although there can be value to an organization implementing a vertical O&A solution, the greatest value is achieved when an organization automates and orchestrates horizontally across their entire cybersecurity ecosystem. For this reason, SOAR solutions continue to integrate with products which implement vertical O&A, and most organizations choose to implement a SOAR solution even with these other products in their environment due to the vastly superior capabilities they provide.
It could be said that SOAR was initially envisioned with a Security Operations Center (SOC) use case in mind, and many early adopters were indeed SOCs. However, groups outside of the SOC often encounter similar problems, and are increasingly turning to SOAR to overcome these challenges. Managed Security Service Providers (MSSPs) and Computer Security Incident Response Teams (CSIRTs) are among the most common groups outside the SOC turning to SOAR. In addition to these more common use cases, there has also been increased interest in SOAR from teams handling aspects such as financial fraud and physical security.
Due to the ever-increasing variety of use cases SOAR solutions are being adapted to and the constant emergence of new products in the security space, it has become critically important for SOAR solutions to implement an open approach to integrations. DFLabs has committed to being the most open SOAR solution in the industry through its Open Integration Framework, REST API, Community Portal and Community Development Incentive Program. Initiatives such as these will be crucial as the adoption of SOAR solutions, and the range of use cases they serve, continue to explode over the next several years.
One thing seems clear, though: organizations across a range of industry verticals have seen the value that a SOAR solution can bring to a security program, and SOAR appears to be here to stay. As both the market and the industry evolve, it is likely we will see increased innovation in the SOAR market, including new ways to apply machine learning to make more intelligent automated decisions, and better use and generation of threat intelligence to inform both tactical and strategic decisions within the security program.
If you would like to see how DFLabs' SOAR solution, IncMan SOAR, meets Gartner's three core value groups and can help you to overcome common security operations pain points while reducing risk, get in touch to request your personalized one-to-one demo today.
Ahlm, E. (2018). Emerging Technology Analysis: SOAR Solutions (Rep. No. G00372967). Gartner.