Q&A: Why SOAR startup Syncurity is bringing a ‘case-management’ approach to threat detection

There’s a frantic scramble going on among those responsible for network security at organizations across all sectors.

Related: Why we’re in the Golden Age of cyber espionage

Enterprises have dumped small fortunes into stocking their SOCs (security operations centers) with the best firewalls, anti-malware  suites, intrusion detection, data loss prevention and sandbox detonators money can buy. But this hasn’t done the trick.

There is a gaping shortage of analysts talented enough to make sense of the rising tide of data logs inundating their SIEM (security information and event management) systems. In many cases the tedious, first-level correlating of SIEM logs to sift out threats has moved beyond human capability. Some 27 percent of IT professionals who partook in a survey conducted by next-gen firewall supplier Imperva at RSA 2018 reported receiving more than 1 million security alerts daily.


Now toss in the fact that digital transformation is redoubling software development and data handling complexities. This has exponentially expanded the attack surface available to motivated, well-funded threat actors. This, in short, is the multi-headed hydra enterprises must tame in order to mitigate rising cyber risks.

Smart money

Enter SOAR, the acronym for “security operations, analytics and reporting.”  SOAR, if you haven’t heard, is a hot new technology stack that takes well-understood data mining and business intelligence analytics methodologies —  techniques that are deeply utilized in financial services, retailing and other business verticals  – and applies them to cybersecurity.

One of the hottest venture capital bets over the past few years has been on SOAR; and Palo Alto Networks’ recent acquisition of SOAR startup Demisto for $560 million, appears to confirm this is smart money. Demisto launched in May 2016.

Last Watchdog had the chance to visit with Michael Sutton, former longtime CISO of cloud security vendor Zscaler, who recently signed on as advisor to a fresh, new SOAR startup, Syncurity. Based in Bethesda, MD, Syncurity recently announced the close of its $2 million institutional investment round. Its backers include the Maryland Technology Development Corporation (TEDCO,) and Kluz Ventures. Here are excerpts of my interview with Sutton, edited for clarity and length:

LW: What gave rise to SOAR?


Sutton: SOAR was born out of the gap between what SIEMs were supposed to be and the rising sophistication of cyber threats. SEIMs help companies deal with the heterogeneous nature of everyone’s IT and security stacks. But in today’s environment, identifying and assessing risk – and taking corrective action —  requires a more disciplined, case-management approach.

LW: Syncurity is one of several new entrants innovating in this space; what’s behind this surge of SOAR vendors?

Sutton: While there have been several vendors in the space over the last four years, Syncurity is a different breed in my opinion. The early and more well-known entrants, were more like DIY automation tools, where a fair amount of scripting and custom code was required to deploy. Their focus was automating the things you want to do when you know that something bad has happened.

This wasn’t an issue for the early adopters, as they typically are ahead of the curve in vision, maturity and skills. But the mainstream market needs more help identifying the risks and establishing processes for their analysts to follow, whether they’ve been there five weeks or five years. In other words, they need a more complete application, one that excels in the case management aspects of SOAR, not just automation.

LW: How do you expect the SOAR market to evolve over the next couple of years?

 Sutton: SOAR is evolving from automation to case management and it is going to evolve from case management to ‘knowledge management.’ In addition, I see more and more service providers adopting SOAR, as the MSSP and MDR markets grow at 15% and 30% respectively according to Gartner. They’re doing this now out of necessity to keep up with demand, but also to differentiate from competition.

LW: How has ‘digital transformation’ exacerbated the need for  SOAR?

Sutton: Digital transformation is a big driver for SOAR. As more and more business processes and interactions move digital, the attack surface expands for most enterprises, and for the service providers that support them. Combine that with the increased sophistication of the threats, and it’s a perfect storm for security operations teams.

LW: How does ‘compliance’ factor in?

Sutton: Compliance is actually the iceberg under the surface for SOAR. While automation is of interest and value, the real value of the evolved SOAR market will be to have security stand-up as an enterprise process, like finance or sales and marketing . . . The ability to prove you have a process, and demonstrate the audit trail showing you used that process, will become the subject of increased scrutiny by regulators and cyber insurance underwriters.

LW: What key innovations does Syncurity bring to the table?

Sutton: Syncurity has several innovations. The first is a robust case management feature set and user-interface that supports dynamic, analyst-led investigations. They’ve also patented a method for dynamic alert risk-scoring that enables enterprises to capture the tribal knowledge of how a SOC team decides which subset of the alerts they see daily. Lastly, the application-independent integration framework means APIs can be developed and leveraged without any knowledge of the IR-Flow allowing the re-use of anything a customer has already developed, regardless of the scripting language.

LW: Anything else?

Sutton: It’s early. The penetration of SOAR is less then 10 percent, according to Gartner. This suggests that the majority of users are early adopters who are willing to live with a lot of integration work and ‘roll-your-own’ code.  We’re moving to a mainstream market of enterprises and service providers who will need a more robust, mature application that enables the journey that is SOAR.



Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW supplies consulting services to the vendors included in our coverage.)

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: