- SOAR is an acronym for "Security Orchestration, Automation, and Response."
- SOAR technologies enable companies to respond more quickly to cybersecurity threats and reduce the need for repetitive human processes.
- Venture capitalists have poured tens of millions of dollars into multiple startups all aiming to profit from the need for security orchestration and automation.
- Among the exits in the SOAR space is the $560 million acquisition of Demisto by Palo Alto Networks.
- In the not-so-distant future, the same SOAR approach that helps automate cybersecurity could also expand into other fields like managing cloud computing environments, too.
While detecting potential risks is one thing, among the biggest challenges that face any organization is the ability to respond quickly to cybersecurity threats. That's the domain where an emerging category of technology known by the acronym SOAR fits in.
Security Orchestration, Automation and Response (SOAR) defines a category of technology and vendor solutions that brings together multiple security functions in an automated approach, with the aim of accelerating response. Multiple vendors sell SOAR solutions as a way to help organizations reduce risk and improve security operations.
SOAR technologies integrate inputs from the different security products a company already has, such as Security Information and Event Management (SIEM) log data and perimeter and endpoint defenses. The SOAR system analyzes those inputs with an automated approach that can prioritize high-impact items and then decide on remediation and response.
For businesses there are multiple benefits, which have attracted users, vendors, and plenty of investors to the space. Part of the challenge for companies is dealing with the volume of different alerts from various protection technologies, as well as executing the multiple steps needed to coordinate different cybersecurity tools.
"SOAR's biggest benefit is reducing repetitive tasks," William Lin, partner at ForgePoint Capital (FPC) told Business Insider. "Asking security engineers to continuously do the same task is draining and doesn't scale with the increasing amount of data and events being generated."
The need for SOAR has led to a number of acquisitions, as larger players acquire startups to supplement their product portfolios. Among the big SOAR acquisitions in recent years: Splunk acquired Phantom Cyber in 2018 for $350 million, while Palo Alto Networks acquired Demisto in February for $560 million.
Running the playbook
One of the ways that SOAR technologies help to automate tasks is by using an approach known as a playbook. Much like how a playbook in sports defines the actions that different players on the field should take in different scenarios, a SOAR playbook defines a set of actions that are followed if a certain event occurs, such as a violation of policy or a specific threat detection.
Incident response — literally the field of responding to a cyberattack — is a foundational component of SOAR, and a place where playbooks are a primary element.
Ted Julian, VP of Product Management and co-founder of IBM Resilient, told Business Insider that incident response is one of the most mature and widespread use cases for SOAR, but it's only one piece of the broader puzzle. IBM acquired Resilient Systems back in April 2016 in a bid to add incident response to its security portfolio. Over the years, IBM Resilient has been building out its SOAR capabilities, looking beyond just incident response.
"While SOAR platforms are great for orchestrating a fast response for incidents that require a response, there are broader functions within security operations that can also be orchestrated – including general security hygiene and activities such as vulnerability management and remediation," Julian said. "Any activity within the security function that has specific processes and workflows can be orchestrated via SOAR platforms, which are all about connecting and streamlining security activities across people, process, and technology."
Automation is key, but not the whole story
Cody Cornell, CEO of venture-backed SOAR startup Swimlane, sees automation as a driving force behind SOAR, though that's not the only thing that most organizations need.
"Every vendor wants to be a part of the automation trend because it will be the biggest change to how we do security in over a decade," Cornell told Business Insider.
In Cornell's view, what is often overlooked is that organizations need automation that is not siloed to a handful of products or use cases scoped to solve one isolated threat vector or another. Rather, in his view, organizations need a system that enables them to apply automation across all facets of not only the security solutions, but all the levels that interact with security, including IT, HR, legal, and other business technologies.
"SOAR as a named category by the analyst community including Gartner and Forrester was needed to describe an automation solution that organizations could use for security operations, addressing their daily pain points when trying to keep their organizations secure from relentless bad actors," Cornell said. "Now the problem is altering the mindset of security teams from thinking about automation as a specific product unto itself and more of a principle of applied automation across every facet of security."
Slavik Markovich, senior VP of product of Demisto at Palo Alto Networks, told Business Insider that his company sees SOAR as both a standalone solution and as a critical part of a larger platform strategy. He noted that the key drivers for SOAR demand are ever-present, with security alerts rising and multiple security products that are overlapping data and throwing up alarms, often without cross-product correlation.
"SOAR is designed to play well with others by nature," Markovich said. "Open and extensible product integrations, workflows that coordinate and automate actions across teams and use cases, and the ability to implement user-created content such as incident flows, playbooks, and integrations ensures that SOAR can be as specific or generic as an organization wants it to be."
Barriers to flight
While SOAR offers the promise of automating security, it's not always an easy sell for companies to adopt entirely. Jason Mical, Cyber Security Evangelist at Devo Technology, explained that in his experience, the "O" and the "A" of SOAR are heavily embraced. It's the "R" — response — that is the biggest barrier, for two reasons: technical and cultural.
"Organizations are reluctant to adopt automated response because of the potential risks to the organization based on a false positive that is triggered from a source technology," he said.
For example, a service disruption could happen because the playbook's automated response says to immediately remove the entity from the network — but the entity could have been the company's critical web server hosting its technology. Mical commented that the way security teams are overcoming this challenge is by adopting SOAR in phases and not immediately relying on automated responses, until the system is trained and trusted.
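The playbook idea from "Running the playbook" and the phased adoption Mical describes, as an added example that is not from the article or any vendor named in it: a small playbook runner in which each action is only recommended in phase 1, low-risk actions run on their own in phase 2, and containment runs in phase 3 except on critical assets, which still need a human so a false positive cannot isolate the production web server. The hostnames, severity scale and action names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: hypothetical hostnames the playbook must never isolate without a human.
CRITICAL_ASSETS = {"web-prod-01", "db-prod-01"}

# Action name -> whether it changes the environment (high risk) or only gathers/records (low risk).
HIGH_RISK = {"isolate_host": True, "enrich_indicator": False, "open_ticket": False}


@dataclass
class Alert:
    source: str     # product that raised the alert, e.g. "edr" or "siem"
    host: str
    severity: int   # constructed 1..10 scale
    indicator: str


def plan_actions(alert: Alert) -> list[str]:
    """The playbook's action list for a detection: always enrich and ticket,
    and contain the host only when the source rates the alert as severe."""
    actions = ["enrich_indicator", "open_ticket"]
    if alert.severity >= 8:
        actions.append("isolate_host")
    return actions


def run_playbook(alert: Alert, phase: int) -> list[tuple[str, str]]:
    """Return (action, disposition) pairs for one alert under a phased-adoption policy.

    phase 1: everything is recommended to an analyst, nothing runs on its own
    phase 2: low-risk actions run automatically, high-risk ones are recommended
    phase 3: high-risk actions also run, except on critical assets, which still
             need human approval so a false positive cannot take down production
    """
    results = []
    for action in plan_actions(alert):
        risky = HIGH_RISK[action]
        if phase <= 1 or (risky and phase == 2):
            disposition = "recommended"
        elif risky and alert.host in CRITICAL_ASSETS:
            disposition = "requires_approval"
        else:
            disposition = "executed"
        results.append((action, disposition))
    return results


if __name__ == "__main__":
    # Constructed alert: the EDR flags the production web server at high severity.
    alert = Alert("edr", "web-prod-01", 9, "sha256:PLACEHOLDER")
    for phase in (1, 2, 3):
        print(phase, run_playbook(alert, phase))
```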
For ForgePoint Capital's Lin, there is a different barrier to adoption that he sees for SOAR, and that's actually getting it into production. "SOAR is built on top of other solutions," Lin said. "Building the maturity across those other solutions and SOAR itself is time and expertise intensive."
VCs following the money
Though there are challenges, there is also a robust opportunity for SOAR. Saurabh Sharma, a partner at Jump Capital, commented that the market for SOAR is still in its infancy and set for explosive growth, with Gartner predicting 30% adoption by 2022, up from just 5% today.
Sharma isn't just talking about the growth: he's putting money on the table too, with Jump Capital investing in SOAR startup Siemplify. Among the reasons he invested is the fast-growing market opportunity around a universal pain point — namely the need to automate and improve security operations.
SOAR is an additive piece of technology for security teams, but its value proposition is very different from that of other cybersecurity technologies, in Sharma's view. He noted that most additive security tools are essentially an additional "lock on the door," which is a tough sell today, as companies have already invested in dozens of security tools that they struggle to operationalize.
"At its core, SOAR helps orchestrate the tools you already have and automate repetitive tasks so you can maximize the investments you have already made and enable your overstretched security team to get more done," Sharma said.
SOAR is still a nascent category, with a few acquisitions in the space already and possibly more to come in the years ahead. For Sharma, it's the independent SOAR providers that are innovating more quickly. Overall, he also sees SOAR expanding to address more use cases than it does today.
"We see SOAR getting smarter by leveraging the fact that analyst interactions are now captured in a single platform to drive actionable insights," Sharma said. "Additionally, we see SOAR extending to address the breadth of security use cases to become a true platform that runs security operations for both end-user and managed services security teams."
The future of SOAR
A big part of what makes SOAR work for companies is that it automates tasks. Swimlane's Cornell emphasized that automation as a concept is of course not new.
"We use automation every day in manufacturing, shipping, and other sectors, and we have for decades," Cornell said. "Rather than thinking about automation as a single product category, we should be taking automation and applying it everywhere we need security."
IBM Resilient's Julian also expects that in the near future, the SOAR market will actually expand outside the realm of traditional security operations to bring orchestration to the broader IT and technology landscape. In other words, the technologies at play with SOAR could also be put to work helping manage applications running in and across the cloud.
"We see SOAR providing a foundational technology backbone for next generation, unified, security platforms that will connect the full security stack and do so across hybrid, multi-cloud environments," Julian said. "The SOAR platform will do the hard work of managing complexity across this dynamic and diverse infrastructure, thereby freeing the customer to focus on what they need from security to enable their business."