Automation. Where do We Go from Here?

What’s next in the evolution of security automation and orchestration?

Over the past 20 years we’ve seen significant improvements in cybersecurity technology and tools. For example, new versions of intrusion prevention systems and firewalls were introduced using terminology like “next-generation”, which I’m not a fan of because it borders on hype. (What is after next-generation? Next-next? But I digress…) Regardless, ultimately, important revisions and upgrades were made that helped security teams improve threat detection and prevention. 

New capabilities such as automation and orchestration also emerged and became the focus of a new category, security orchestration, automation and response (SOAR) platforms, which quickly proved their value by improving the throughput of analyst work. As SOAR platforms grew in popularity, vendors in related cybersecurity product categories began to envision how automation and orchestration could be applied to their own area of focus. Soon a technology that began as a distinguishing capability of SOAR evolved into a core feature of many other categories: SIEM providers acquired stand-alone SOAR platforms, and endpoint detection and response (EDR) and extended detection and response (XDR) solutions broadened to include automation and orchestration capabilities. What’s next in the evolution of automation and orchestration?

U.S. Supreme Court Justice Louis D. Brandeis once said, “There are no shortcuts to evolution.” His pioneering ideas and principles on free speech, privacy, government intrusion and democracy changed American society and law at the time and continue to shape legal decisions and regulations decades later. We see parallels with the evolution of automation and orchestration. SOAR was an important step forward in the adoption of automation and orchestration. Now, as these capabilities fragment and find their way into other cybersecurity tools, their applications and usage will evolve for even greater, ongoing impact. Let’s take a closer look at how this plays out with automation; we’ll look at orchestration in a future article. 

From process-driven…

SOAR was off to a great start, touting the ability to increase security operations efficiency and consistency by automatically running a playbook in reaction to an incident or issue without the need for human intervention. However, as organizations began using SOAR, they encountered three main challenges:

1. In order for playbooks to run, processes need to be defined, created and maintained. Engineering work is also required to customize playbooks and standardize implementation. Many companies found SOAR was not an immediate fix for streamlining security operations: humans need to be involved, and the effort to put automation in place can be onerous. 

2. The current approach to security automation has focused on automating processes, without regard for the data being processed. This works fine in a static environment where you do the same thing over and over again. Detection and response, however, is dynamic and variable. Playbooks run regardless of the relevance or priority of the data, so if you put noisy data in, the result is amplified noise out.

3. Process-focused playbooks are inherently inefficient and complex because the decision-making criteria and logic are built into each playbook, so every change to the criteria has to be made in every playbook that uses them. This maintenance burden compounds as the number of playbooks grows.

…evolving to data-driven

As automation continues to evolve, a new approach to accelerate detection and response is emerging based on data and business logic to automatically trigger simple actions that can be standalone or be chained together. Instead of an entire process driving automation, a data-driven approach defines the criteria for the automation and how it is executed for greater focus, accuracy and agility. Security teams can determine what action to take based on data priority and relevance to their organization. Actions can be fine-tuned in response to what matters to the organization and what is effective against the latest threat. And because automation is based on data, you can also apply the outputs from detection and response as inputs for learning and improvement. If data changes and certain thresholds are hit, additional actions can be set to run automatically.
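The contrast drawn in the three challenges above and in this section, as an added example written for this article (it is not code from the column or from any ThreatQuotient product): a process-driven playbook fires the same steps for every indicator it receives, while a data-driven trigger scores each indicator against organization-specific relevance first and runs only the simple actions whose threshold that score crosses, chained in order. The source weights, score tiers, action names and sample indicators are all hypothetical assumptions constructed for the example; the feedback step shows a new detection changing the data and unlocking additional actions only when a higher threshold is hit.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Indicator:
    value: str
    kind: str                      # "ip", "domain" or "sha256"
    sources: List[str]             # feeds that reported it
    sightings: int = 0             # times seen in our own telemetry
    targets_sector: bool = False   # reporting says it targets our sector

# Hypothetical weights (assumption): how much each source matters to THIS org.
SOURCE_WEIGHT: Dict[str, int] = {
    "internal-ir": 40, "isac": 25, "commercial-feed": 15, "osint-blocklist": 5,
}

# Hypothetical tiers (assumption): the highest tier met wins; the actions in
# a tier are chained and run in order. Below the lowest tier nothing runs.
TIERS: List[Tuple[int, Tuple[str, ...]]] = [
    (80, ("block", "ticket")),
    (60, ("hunt",)),
    (40, ("watchlist",)),
]

def score(ind: Indicator, weights: Dict[str, int] = SOURCE_WEIGHT) -> int:
    """Relevance/priority score on a 0-100 scale. Business logic lives here,
    once, instead of being copied into every playbook."""
    s = sum(weights.get(src, 0) for src in ind.sources)
    s += min(ind.sightings, 5) * 10        # our own telemetry counts, capped
    if ind.targets_sector:
        s += 20
    return min(s, 100)

def tier_actions(s: int, tiers=TIERS) -> Tuple[str, ...]:
    for threshold, actions in tiers:
        if s >= threshold:
            return actions
    return ()

def process_driven(indicators: List[Indicator]) -> List[Tuple[str, str]]:
    """Playbook style: the same steps for every input, relevant or not."""
    actions = []
    for ind in indicators:
        for step in ("enrich", "block", "ticket"):
            actions.append((step, ind.value))
    return actions

def data_driven(indicators: List[Indicator]) -> List[Tuple[str, str]]:
    """Data-driven style: score first, then run only the actions unlocked."""
    actions = []
    for ind in indicators:
        for act in tier_actions(score(ind)):
            actions.append((act, ind.value))
    return actions

def record_sighting(ind: Indicator) -> List[Tuple[str, str]]:
    """Feedback loop: a new detection changes the data. Return the chained
    actions newly unlocked if the score crossed into a higher tier, else []."""
    before = tier_actions(score(ind))
    ind.sightings += 1
    after = tier_actions(score(ind))
    return [] if after == before else [(act, ind.value) for act in after]

def sample_indicators() -> List[Indicator]:
    """Constructed sample input (documentation IP/domain, dummy hash)."""
    return [
        Indicator("198.51.100.7", "ip", ["osint-blocklist"]),
        Indicator("bad.example.net", "domain", ["isac", "commercial-feed"],
                  sightings=1, targets_sector=True),
        Indicator("a" * 64, "sha256", ["internal-ir", "isac"],
                  sightings=3, targets_sector=True),
    ]

if __name__ == "__main__":
    inds = sample_indicators()
    print("process-driven:", process_driven(inds))   # 9 actions, 3 per indicator
    print("data-driven:   ", data_driven(inds))      # 3 actions, none for the noisy IP
    print("new sighting:  ", record_sighting(inds[1]))  # domain crosses 80: block, ticket
```

Running the script shows the noisy blocklist-only IP generating three actions under the playbook but none under the data-driven trigger, the domain escalating from "hunt" to "block" and "ticket" after one more internal sighting, and a second sighting of the same domain producing no new actions because it stays in the same tier.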

Indeed, “there are no shortcuts to evolution” – and that’s a good thing. Because it is the process of evolution itself that provides opportunity for dramatic improvements. Approaching automation from a process standpoint was understandable and helped many organizations overcome a long-standing reluctance to automate, but it has limitations. In a highly dynamic and fluid environment, a data-driven approach to accelerate detection and response will unlock more value from automation so that security operations teams can take the right actions faster.


Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.
