The Evolution of SOAR Platforms

Automation and Orchestration Have Evolved to Become Indispensable Security Tools

In 2017, Gartner coined the term security orchestration, automation, and response (SOAR) to describe the emerging category of platforms born of incident response, security automation, case management, and other security tools.

Two recent articles, The Evolution of Security Operations, Automation and Orchestration, and The Rise of Analyst-Centric Security Operations Technologies by Jon Oltsik, a principal analyst at Enterprise Strategy Group (ESG), highlight how SOAR platforms are maturing in significant ways. SOAR tools are increasingly effective for some of today’s most pressing security problems, which has led to growing demand across enterprise organizations. As Oltsik points out, the ultimate validation of the category can be seen in the series of acquisitions of SOAR vendors by tech giants in recent years.

This explosion in the prominence of SOAR is driven by a few key benefits that the current generation of solutions provides. These improvements are reducing barriers to implementation and making the platforms more accessible to more security teams, even in sectors that are slow to adopt new technology, such as retail, healthcare, and government.

Expansion of Native Features

At first, many SOAR platforms on the market were very limited in their functionality, with automation and orchestration features that were only appropriate for handling minor incidents. While these products offered some time-saving potential for security teams, their effectiveness was limited by their narrow scope and lack of depth.

Part of the current evolution of SOAR that we are seeing is in the maturity of the features being offered. Automation and orchestration capabilities have grown, through increasingly sophisticated automated playbooks and a surge of integrations across other security tools. This has scaled the ability of analysts to use SOAR to filter out massive amounts of noise and identify genuine threats.

SOAR platforms are also now offering deeper feature sets that make them suitable for handling larger investigations and more serious incidents. These include case management modules, with tools that facilitate communication, collaboration, and task management within the SOC and beyond. Today’s incidents are so complex that response teams cannot afford to manually coordinate across workflow and reporting silos, especially in organizations that have strict compliance obligations. The increased depth in features allows SOAR to be a tool for long-term systematic improvements, rather than merely short-term alert triage.

Less Experience Required

As SOAR platforms evolve, they are requiring less experience from users. Vendors embed security expertise into the products, in the form of pre-built playbooks, guided investigation workflows, and automated alert prioritization. 

Automation and orchestration features have also reached a level of sophistication where they can be integrated into an existing security framework without relying on users to know exactly what should be automated. SOAR platforms will still keep analysts involved by requiring approvals for major actions, but analysts are no longer expected to be experts in automation and orchestration.

Additionally, SOAR platforms’ ability to gather and contextualize threat intelligence makes it easier for less-experienced analysts to make the right decisions during incident response. Because technical advancements are happening so rapidly, companies are quick to buy tools, but not as committed to investing in the training and hiring necessary to integrate and execute the technology in their unique environment. SOAR advancements are helping to close this gap.

The “Single Pane of Glass”

The “single pane of glass”—the term for a single unified console that has all the information an analyst needs—is something of a holy grail in the security operations world. Unfortunately, vendors often exaggerate their ability to deliver this type of interface. However, the evolution of SOAR platforms is bringing them very close to realizing the vision of a centralized dashboard. 

The key advantage SOAR platforms have in pursuing the single pane of glass is the concept of orchestration, which has the potential to integrate the entire security stack via integrations. SOAR platforms can leverage partnerships with other products to exchange detailed information on the fly, analyze data from threat intelligence sources, and even empower analysts to take action directly from the SOAR interface. The complexity of today’s security incidents necessitates this level of seamless coordination across people, technology, and processes, because every second wasted switching between interfaces increases risk.

Where SOAR is Headed

The exciting thing is that SOAR is still a relatively new category, and there is still lots of innovation to come. Automation and orchestration have evolved to become indispensable tools, and soon they will be complemented in many platforms by machine learning, artificial intelligence, and other emerging technology.

It is easy to feel anxious about the near future of cybersecurity, with sophisticated methods of attack, state-sponsored hacking, and a lack of qualified people to defend against these threats. However, SOAR should be the source of some optimism for security teams, with its growing ability to be a force multiplier in the SOC.