SecurityWeek
The Evolution of SOAR Platforms

Automation and Orchestration Have Evolved to Become Indispensable Security Tools

In 2017, Gartner coined the term security orchestration, automation, and response (SOAR) to describe the emerging category of platforms born of incident response, security automation, case management, and other security tools.

Two recent articles, “The Evolution of Security Operations, Automation and Orchestration” and “The Rise of Analyst-Centric Security Operations Technologies,” by Jon Oltsik, a principal analyst at Enterprise Strategy Group (ESG), highlight how SOAR platforms are maturing in significant ways. SOAR tools are increasingly effective against some of today’s most pressing security problems, which has led to growing demand across enterprise organizations. As Oltsik points out, the ultimate validation of the category can be seen in the series of acquisitions of SOAR vendors by tech giants in recent years.

This explosion in the prominence of SOAR is driven by a few key benefits that the current generation of solutions provides. These improvements are reducing barriers to implementation and making the platforms more accessible to more security teams, even in sectors that are slow to adopt new technology, such as retail, healthcare, and government.

Expansion of Native Features

At first, many SOAR platforms on the market were very limited in their functionality, with automation and orchestration features that were only appropriate for handling minor incidents. While these products offered some time-saving potential for security teams, their effectiveness was limited by their narrow scope and lack of depth.

Part of the current evolution of SOAR that we are seeing is in the maturity of the features being offered. Automation and orchestration capabilities have grown, through increasingly sophisticated automated playbooks and a surge of integrations across other security tools. This has scaled the ability of analysts to use SOAR to filter out massive amounts of noise and identify genuine threats.

SOAR platforms are also now offering deeper feature sets that make them suitable for handling larger investigations and more serious incidents. These include case management modules, with tools that facilitate communication, collaboration, and task management within the SOC and beyond. Today’s incidents are so complex that response teams cannot afford to manually coordinate across workflow and reporting silos, especially in organizations that have strict compliance obligations. The increased depth in features allows SOAR to be a tool for long-term systematic improvements, rather than merely short-term alert triage.


Less Experience Required

As SOAR platforms evolve, they are requiring less experience from users. Vendors embed security expertise into the products, in the form of pre-built playbooks, guided investigation workflows, and automated alert prioritization. 

Automation and orchestration features have also reached a level of sophistication where they can be integrated into an existing security framework without relying on users to know exactly what should be automated. SOAR platforms will still keep analysts involved by requiring approvals for major actions, but analysts are no longer expected to be experts in automation and orchestration.

Additionally, SOAR platforms’ ability to gather and contextualize threat intelligence makes it easier for less-experienced analysts to make the right decisions during incident response. Because technical advancements are happening so rapidly, companies are quick to buy tools, but not as committed to investing in the training and hiring necessary to integrate and execute the technology in their unique environment. SOAR advancements are helping to close this gap.
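
The pattern described in this section (pre-built playbooks that enrich an alert with threat intelligence, prioritize it, close noise automatically, and hold major actions until an analyst approves) can be shown in miniature. The following Python is an added example written for this page; it is not code from the article, from ESG, or from any SOAR product. The threat-intel entries, asset inventory, alert records, scoring weights, thresholds, and the `demo_analyst` approval hook are all constructed for illustration, and the `isolate_host` action is a placeholder for the orchestration call a real platform would make to an EDR integration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed threat-intel lookup standing in for a real feed integration.
# Indicators are documentation/example values, not real IoCs.
THREAT_INTEL: Dict[str, str] = {
    "198.51.100.23": "flagged as command-and-control (constructed sample)",
    "evil-invoice.example": "flagged as phishing domain (constructed sample)",
}

# Constructed asset inventory: criticality 0 (disposable) .. 3 (crown jewel).
ASSET_CRITICALITY: Dict[str, int] = {"fin-db-01": 3, "hr-laptop-17": 1, "kiosk-04": 0}

AUTO_CLOSE_BELOW = 3        # noise: closed without spending analyst time
APPROVAL_AT_OR_ABOVE = 7    # major action: an analyst must approve before it runs


@dataclass
class Alert:
    alert_id: str
    source: str
    host: str
    indicators: List[str]
    base_severity: int  # 1..5 as reported by the detecting tool


@dataclass
class Decision:
    alert_id: str
    score: int
    enrichment: List[str]
    disposition: str  # auto_closed | case_opened | contained | awaiting_approval
    actions_taken: List[str] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)


# Analyst approval hook: True = approve, False = decline, None = not yet answered.
Approver = Callable[[Alert, str], Optional[bool]]


def enrich(alert: Alert) -> List[str]:
    """Attach threat-intel context for every indicator the feed knows about."""
    return [f"{ioc}: {THREAT_INTEL[ioc]}" for ioc in alert.indicators if ioc in THREAT_INTEL]


def prioritize(alert: Alert, enrichment: List[str]) -> int:
    """Score = tool severity + 3 per intel match + asset criticality (unknown hosts count as 1)."""
    return alert.base_severity + 3 * len(enrichment) + ASSET_CRITICALITY.get(alert.host, 1)


def run_playbook(alert: Alert, approve: Approver) -> Decision:
    """One pre-built playbook: enrich, prioritize, then auto-close, open a case, or gate containment."""
    enrichment = enrich(alert)
    decision = Decision(alert.alert_id, prioritize(alert, enrichment), enrichment, "case_opened")

    if decision.score < AUTO_CLOSE_BELOW:
        decision.disposition = "auto_closed"
        decision.notes.append("below noise threshold; closed automatically")
        return decision

    if decision.score >= APPROVAL_AT_OR_ABOVE:
        action = "isolate_host"  # placeholder for the EDR orchestration call
        verdict = approve(alert, action)
        if verdict is None:
            decision.disposition = "awaiting_approval"
            decision.notes.append(f"{action} proposed; waiting for analyst")
        elif verdict:
            decision.actions_taken.append(action)
            decision.disposition = "contained"
        else:
            decision.notes.append(f"{action} declined by analyst; case kept open")
        return decision

    decision.notes.append("medium priority; case opened for investigation")
    return decision


def triage(alerts: List[Alert], approve: Approver) -> List[Decision]:
    return [run_playbook(a, approve) for a in alerts]


# Constructed sample alerts covering each branch of the playbook.
SAMPLE_ALERTS = [
    Alert("A-1", "edr", "kiosk-04", [], 1),
    Alert("A-2", "proxy", "hr-laptop-17", ["evil-invoice.example"], 3),
    Alert("A-3", "edr", "fin-db-01", ["198.51.100.23"], 3),
    Alert("A-4", "edr", "unknown-host", ["198.51.100.23"], 4),
]


def demo_analyst(alert: Alert, action: str) -> Optional[bool]:
    """Stand-in for the approval UI: approves containment on crown-jewel assets,
    declines it on low-value known assets, and leaves unknown hosts pending."""
    if alert.host not in ASSET_CRITICALITY:
        return None
    return ASSET_CRITICALITY[alert.host] >= 3


if __name__ == "__main__":
    for d in triage(SAMPLE_ALERTS, demo_analyst):
        print(d.alert_id, d.score, d.disposition, d.actions_taken, d.notes)
```

The point of the `Approver` hook is that the analyst never has to know how the isolation is automated; the playbook decides when to ask, and the human only answers yes, no, or not yet. Alerts that score below the noise threshold never reach a person at all, which is the filtering effect the article attributes to mature playbooks.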

The “Single Pane of Glass”

The “single pane of glass”—the term for a single unified console that has all the information an analyst needs—is something of a holy grail in the security operations world. Unfortunately, vendors often exaggerate their ability to deliver this type of interface. However, the evolution of SOAR platforms is bringing them very close to realizing the vision of a centralized dashboard. 

The key advantage SOAR platforms have in pursuing the single pane of glass is orchestration, which has the potential to connect the entire security stack through integrations. SOAR platforms can leverage partnerships with other products to exchange detailed information on the fly, analyze data from threat intelligence sources, and even empower analysts to take action directly from the SOAR interface. The complexity of today’s security incidents necessitates this level of seamless coordination across people, technology, and processes, because every second wasted switching between interfaces increases risk.

Where SOAR is Headed

The exciting thing is that SOAR is still a relatively new category, and there is still lots of innovation to come. Automation and orchestration have evolved to become indispensable tools, and soon they will be complemented in many platforms by machine learning, artificial intelligence, and other emerging technology.

It is easy to feel anxious about the near future of cybersecurity, with sophisticated methods of attack, state-sponsored hacking, and a lack of qualified people to defend against these threats. However, SOAR should be the source of some optimism for security teams, with its growing ability to be a force multiplier in the SOC.
