The hype around SOAR (security orchestration, automation, and response) seems to be at its peak. It's unfortunate, then, that the current market players can't seem to get past some significant shortcomings. SOAR solutions of today require lengthy and costly implementations, silo security deliverables, don't fit well with cloud environments, and don't easily extend to use cases beyond incident response.
Here are some of the fundamental principles the SOAR vendors have failed to embrace so far.
1. Information Security is no longer a silo.
I remember when IT organizations just began to wake up to the idea of taking information security seriously. In those days, most of us had to fight through the stigma of being a "non-revenue generating department," and having to convince the business to improve its core practices was a daily struggle. Back then, most of my colleagues would kill for a centralized security workflow and alert management.
That was then. Today, the realities and the consequences of cyber and information warfare have a direct impact on our daily lives, both personal and business. Cybersecurity is a top priority for business organizations, and the majority of IT functions, including Operations, Engineering, GRC, and HR, are responsible for their own aspects of security. Many organizations are embracing the concept of a BOC ("business operations center"), as they have NOCs and SOCs in the past.
This shared responsibility is why managing security workflow and consolidating its findings within a dedicated application no longer makes sense. Unnecessary friction and communication bottlenecks impede the effectiveness of teams who silo security roles. Their findings, deliverables, and statistics are too vital not to be directly integrated into the operations of the rest of the business. Extracting and disseminating security data requires yet another initiative, while not doing so robs the rest of the organization from an opportunity to learn the hard lessons and to strengthen its systems and processes.
2. Flexible security automation shouldn't be limited to Incident Response.
The opportunity for automation is vast across all information security verticals. Provisioning, compliance, securing CI/CD pipelines, detection, automated analysis, monitoring, and maintaining secure cloud baselines -- security automation needs are now too immense to ignore. And today, the majority of this capability resides either within off-the-shelf (COTS) security software or in a bundle of custom scripts built by the organization.
So how is it, then, that the ability to build codeless automation flows is just a side-feature in an IR product? You shouldn't have to be a member of a SOC team to benefit from the automation of routine security tasks. Orchestration of tools you already use and love with an intuitive builder is a great start, but its use cases must extend way beyond incident response.
3. Automation solutions shouldn't add to resource constraints.
Recent trends have shown a steady increase in cybersecurity spend. However, even organizations with sizable budgets often struggle with the velocity of their initiatives. They must navigate plenty of challenges:
- Mounting technical project debt and shelfware;
- Establishing practices and operationalizing them;
- Integrating disparate tools into a single 'security ecosystem';
- Managing expectations with security vendors and dealing with 3rd party risk.
It's deeply ironic, then, that implementations of SOAR contribute even further to technical debt, and demand a certain level of operational maturity, not to mention additional hires. The security organizations are essentially forced to trade security analysts for software developers.
Considering the extensive level of customization expected to make these tools operational, it is not surprising that large, engineering-heavy organizations often prefer to build (and sometimes open-source) rather than to buy security automation.
In the meantime, the midsize companies with smaller security teams feel an even greater burden. Besides being priced out of existing SOAR solutions, they lack both time and resources to tailor the technology to their environment. They rarely build custom security solutions in-house, yet their daily priorities are just as numerous as in large organizations.
Hard to believe it still needs to be said: a technical solution should reduce a resource burden, not increase it.
4. Critical assets are moving to the cloud.
A few years ago, there might have been doubts regarding the future of the cloud in enterprise IT. Today, the trend is undeniable (our interview with Alex Dow). In 5 years, "cloud security" and "security" will mean the same thing. Embracing cloud brings digital transformation to security management, skill sets, and tooling. Such a profound change in priorities and perspectives represents a true paradigm shift.
Meanwhile, current SOAR solutions have been tailored to legacy networks and applications. As such, these tools have been slow to adapt to the realities and challenges unique to cloud environments. Can we expect to see "integrations" with AWS or GCP services from today's SOAR vendors? Certainly, and as a customer, you will undoubtedly hear about it on the vendor's next webcast boasting their support for "cloud use cases."
But the truth is, the capabilities of current SOAR tools don't reflect the fundamental security principles upon which the cloud providers built their services and infrastructure. Where most IR automation tools stop short of tracking IP address, usernames, and IoCs, modern cloud environments are ephemeral, software-defined, and follow entirely new principles of interoperability and trust relationships. Exposure is highly contextual and configuration dependent. "Authorization is the new Network Layer." If your solution is not designed around these new fundamentals, it will have a remarkably short lifespan.
5. Orchestration is not just a product feature. It's an enterprise capability.
Similar to SIEM applications of 15 years ago, and UEBA solutions soon after, evaluating a SOAR solution is on the to-do list of most CISO's.
The technology is so hot that many security vendors are seriously considering expanding their products' capabilities to include orchestration or even pivoting entirely into SOAR space. Even Gartner expects SIEMs and SOAR markets to consolidate eventually.
And while many of the industry vendors and investors see orchestration capabilities as a product feature, here's why this perspective is misguided.
For one, building a robust, scalable workflow engine takes a significant effort (trust us, we know). And speaking from personal experience, security vendors tend to overestimate their teams' capacity for the velocity of delivery and innovation. Perhaps this is why the deployments of SIEM, UEBA, and SOAR solutions require considerable engineering efforts.
But what's critically important is that customers need a dedicated, generalized, and intuitive workflow automation layer, supporting a wide range of use cases, not just half-baked "response" functionality in various security tools. The ability to quickly combine mission-critical applications and services into an interoperable ecosystem, with flexible logic and a human analyst in the loop, represents a real competitive business advantage. It empowers the whole organization to be unburdened from repetitive manual tasks without the complexity of custom-coded solutions and enables teams to spend more time on planning rather than reacting.
Such universal capability is precisely the direction in which we believe this space must evolve, and we'd love to hear your thoughts.