Is SOAR Obsolete?
You may have heard that SOAR is dead. Vendors have become afraid of the term, repositioning their security automation products with different labels. But are the people claiming SOAR’s demise making substantial arguments, or are they simply trying to promote their own products by putting SOAR down?
Let’s look at the factors behind the push to declare the end of SOAR, consider their merits, and determine whether or not SOAR is obsolete.
A Brief History of SOAR
To understand the current state of SOAR, we first need to quickly review its history. The acronym SOAR (security orchestration, automation, and response) was introduced by the analyst firm Gartner in 2016 to refer to technologies that combined the existing fields of incident response, threat intelligence management, and security orchestration and automation. As automation became undeniably central to the future of incident response, many existing players in the incident response space would soon embrace the SOAR label, such as Resilient Systems, which was acquired by IBM in 2017 and ultimately rebranded as IBM QRadar SOAR.
Resilient’s acquisition marked the start of a trend that has persisted through the entire SOAR era, as SOAR vendors like Demisto, Phantom, Siemplify, and Cybersponse would be acquired by cybersecurity giants, leaving few independent options for buyers. This transformed the SOAR landscape as many tools were rolled into larger suites, or in some cases, even became add-ons to platforms like Splunk.
In its early years, both investment dollars and analyst projections suggested that SOAR would rise fast. In 2019, Gartner forecasted that the number of enterprises using SOAR would increase 14x by 2021. This raises the question, were the projections wrong, or does the SOAR market continue to grow, despite what its critics might claim?
Gartner’s Assessment of the SOAR Market
The change in SOAR’s perception is reflected in—or perhaps driven by—how it has been covered by Gartner. In the 2023 Hype Cycle for Security Operations, SOAR was in Gartner’s “trough of disillusionment”. Despite the bleak-sounding name, this isn’t necessarily an indictment. Rather, the trough is merely the stage before the “slope of enlightenment”, where the expectations for new technologies become more realistic and they can reach true maturity.
In the 2023 Hype Cycle, Gartner describes SOAR as being in the early mainstream era of its maturity, with a high benefit rating, 20-50% market penetration, and 5-10 years until it plateaus.
In the 2024 edition of the same report, the assessment looks identical, except SOAR’s benefit rating is now moderate and instead of being 5-10 years away from plateauing, it is listed as obsolete before plateau. One would expect this strong claim to come with a clear explanation, but the text regarding SOAR is almost word-for-word the same as the previous year’s report.
That means it is necessary to read between the lines to decipher why Gartner has become bearish on SOAR. The critiques of SOAR in the 2024 Hype Cycle mention:
- The development resources required to maintain SOAR.
- The lack of options in the market, due to acquisitions.
- A level of expense that can be hard for some potential buyers to justify.
The closest thing the authors make to an argument for SOAR being obsolete is that there are automation capabilities in larger platforms that might be more suitable for some organizations with generalized automation requirements. This is nothing new, as SOAR has always been best for managed security service providers (MSSPs) and large organizations with mature security operations.
None of these critiques make much of a case for SOAR being past its peak or say much about its capabilities. Despite Gartner’s outsized influence, there isn’t anything in its assessment that should dissuade an organization from buying SOAR, if they believe it is a good fit.
Security Automation Alternatives: New Ideas or Just New Names?
Perhaps because of Gartner, some vendors are ditching the term SOAR, instead saying their products are hyperautomation, workflow builders, and AI-driven security automation, among other new terms.
Among the various attempts at defining a “post-SOAR” category, hyperautomation deserves a closer look. It sounds cool, but what is hyperautomation exactly, and how is it different from SOAR?
Hyperautomation is not a specific technology, but rather the strategy of integrating tools and technologies with the goal of automating as many processes as possible. Sounds kind of like SOAR so far, right? SOAR can be a key component of a hyperautomation strategy. In fact, because of the capabilities of our SOAR product, D3 was recognized by Gartner all the way back in 2021 as a representative vendor in the hyperautomation space.
Vendors that position their products as hyperautomation make many claims about how they are better than SOAR, but because the definition of hyperautomation is so broad, buyers will need to evaluate those claims case by case. There is nothing inherent to hyperautomation that makes it different from—or better than—SOAR.
The other “post-SOAR” categories can be best understood as SOAR by new names. Understandably, vendors want to hedge against the fluctuating perception of SOAR by distinguishing their products as something new. Gartner cuts through the fluff in its 2024 Hype Cycle by classifying all of these companies—including the biggest proponent of hyperautomation—as representative SOAR vendors.
XDR Is Not a SOAR Replacement
Almost as long as SOAR has been on the scene, extended detection and response (XDR) has been positioned as its potential successor. However, XDR has settled into the market alongside SOAR, not in place of it. Gartner’s 2024 Hype Cycle for Security Operations puts XDR right behind SOAR towards the bottom of the “trough of disillusionment” and lists it among technologies that have not kept pace with enterprises’ changing requirements. This is far from the world-beating expectations that XDR had just a few years ago.
In our 2024 MSSP Survey, respondents most frequently cited SOAR as their primary automation tool, with XDR coming in third at just 20%.
Despite some overlapping capabilities, XDR may be seen as more of a SIEM alternative than a SOAR alternative. Many larger organizations use both XDR and SOAR; the former for detections and predictive insights, and the latter for triage and orchestration.
In a webinar last year, Stephan Tallent, the then-CRO of MSSP High Wire Networks, highlighted why XDR can’t always replace SOAR, saying, “As you look at the different XDR platforms and security operations center platforms that will deliver XDR functionality, what you’re going to find is a real gap and limit in the true, full-blown SOAR capabilities: alert triage and risk reduction and reducing response times and increasing the efficiency of your operational staff.”
SOAR Must Evolve Beyond Legacy SOAR
Whether it’s an organic sentiment or a line being pushed by marketing teams, there is a narrative that SOAR has not lived up to expectations. In Gartner’s reports and elsewhere, there are a few common refrains about SOAR:
- SOAR is too complicated. It takes too many resources to implement and operate.
- SOAR isn’t scalable or cloud-native.
- SOAR is too expensive.
- SOAR doesn’t leverage the latest advancements in AI.
The fact is, these are legitimate critiques, but they all apply to a particular version of SOAR. Let’s call it Legacy SOAR.
Legacy SOAR tools are the tools that have become stuck in place, unable to overcome these challenges and provide true value to customers. The reasons for this stagnation can be traced back to the composition of the market. As we covered in our brief history lesson, most of the early SOAR vendors got scooped up by giant cybersecurity companies. Now, there are very few independent SOAR vendors, and the vendors that were acquired are now part of large suites of tools or rolled into SIEMs and other products.
This has led to incentives that don’t lead to ambitious development and customer success. After an acquisition, the team that built the SOAR tool usually moves on. In a company where SOAR represents just a few percentage points of revenue, there is little reason to invest heavily in ambitious development.
Legacy SOAR vendors also want to sell you their entire suite, so they prioritize integrations with their other tools. This works against one of the key benefits of SOAR: its ability to integrate best-of-breed tools across a SOC into a cohesive arsenal against threats.
The bottom line is that Legacy SOAR has let down many of its customers. Some believe that makes SOAR as a whole obsolete and the future lies in some other form of automation.
We believe the answer is better SOAR.
Smart SOAR
D3’s Smart SOAR transcends the common criticisms of SOAR because it has none of the limitations of Legacy SOAR. D3 is a rare independent SOAR vendor, so it can stay laser-focused on SOAR development without falling prey to bad incentives and conflicts of interest.
Instead of being stuck in the past, Smart SOAR is helping to solve the biggest problems in cybersecurity, such as alert noise, reducing alert volume by 91% or more.
Unlike Legacy SOAR, Smart SOAR can dynamically scale to process hundreds of thousands of alerts per day. This means the largest enterprises and managed service providers can put every alert into Smart SOAR for automated processing.
Smart SOAR is also easier to implement and operate than Legacy SOAR. One of the key differences is Smart SOAR’s high-performance integrations, which are designed, maintained, and upgraded entirely by D3’s expert team. That means maximum interoperability across the stack without the user ever having to worry about writing scripts, studying API documentation, troubleshooting, or updating integrations to stay compatible with new versions of tools.
The features that make Smart SOAR easier to use don’t just improve its functionality; they also make its total cost of ownership lower than that of Legacy SOAR because customers don’t need to allocate internal resources or expensive professional services to managing the tool.
Finally, D3 continues to push Smart SOAR forward, recently announcing Ace AI, its intelligent automation assistant. Far from a mere chatbot, Ace AI is capable of generating end-to-end playbooks that incorporate its comprehensive knowledge of MITRE, NIST, privacy laws, tool APIs, regulations, and much more.
If you are wondering about the future of security automation, get a demo of D3’s Smart SOAR to see for yourself why SOAR is by no means obsolete.
The post Is SOAR Obsolete? appeared first on D3 Security.
*** This is a Security Bloggers Network syndicated blog from D3 Security authored by Walker Banerd. Read the original post at: https://d3security.com/blog/is-soar-obsolete/