I recently had an article published in Security Magazine titled “The future of SOAR (Is there one?),” in which I talk about the recent Gartner report, “Market Guide for Security Orchestration, Automation and Response Solutions.” This report basically warns of the impending demise of SOAR as an independent category.
What SOAR is for
While SOAR promised to automate triage AND response, the reality is that response functionalities are lagging and its main use case, according to Gartner, remains “automating the triage of suspected phishing emails reported by end users.” Basically, the objective is to lower the volume of false alerts that are flooding SOC teams.
Who is using SOAR?
The paradox is that SOAR is really only implemented in large companies with sizeable SOC teams. This is because SOAR is complex and requires advanced capabilities to use. According to Gartner, “SOAR technologies offer utility-like functionality that needs to be programmed by the operators. Thus, they are not ready, and may be too complicated to be consumed by less mature organizations looking to take advantage of automation.”
The picture that emerges from this whole SOAR scenario is that small and medium-sized organizations with a security team of one to a handful of analysts are left out in the cold. While big organizations with big budgets and large SOC teams have the capability to run a SOAR, those who need triage automation the most, because they lack the capacity to deal with a deluge of alerts, are the ones not using SOAR tools.
The way to bring automation capabilities to smaller teams is through an automated SIEM solution or the new security market darling, Extended Detection and Response (XDR).
SIEM isn’t going anywhere: the Gartner report states that demand for SIEM technology remains strong, with threat management as the main driver, and that “Almost all SIEM vendors are enhancing their investigation capabilities and introducing integrations for response actions via native capabilities or acquired/third-party SOAR solutions.”
And regarding XDR, Gartner put it at the top of its list of trends in a recent article, “Top 9 Security and Risk Trends for 2020,” stating that “Extended detection and response (XDR) solutions are emerging that automatically collect and correlate data from multiple security products to improve threat detection and provide an incident response capability.”
Choosing a SIEM with automation in its DNA
Pretty much all SIEM vendors today claim to use automation and artificial intelligence to lower the volume of false positives. And while most SIEM vendors have indeed advanced beyond their “paper pushing” early days of transferring data from point A to point B, savvy customers need to look beyond the marketing catch-phrases and under the hood of these products.
Find a SIEM vendor which is not only talking the AI talk, but walking the walk:
- Who has a core technology that uses Natural Language Processing (NLP), behavioral analytics and reasoning algorithms to automatically process the mass of data and logs and surface only the attacks and entities that pose real risk to the organization.
- Whose data integration process is agile, quickly and automatically adapting to changes in log types and content, saving analysts many hours of work every month.
- Who can back up their technology with patents.
- Who integrates with the MITRE ATT&CK™ language to ensure the technology is agnostic and will be effective across a wide variety of security tools.
When looking for SOAR capabilities, look for the right SIEM. Rather than choosing one which built its automation on a shaky basis of evolution and acquisition, choose the one with automation in its DNA.