SOAR Is an Architecture, Not a Product

Over the past several years, the rising star of security orchestration, automation, and response (SOAR) tools keeps climbing higher. As organizations struggle to handle the crush of alerts surging out of their security controls with not enough cybersecurity professionals to manage the work, SOAR products promise to bring some sanity to the process. The promise is that SOAR platforms can help security operations teams to sail through the massive volume of alerts they face and better coordinate their security incident response lifecycle with custom playbooks tailored to an organization’s response policies. Many organizations are already starting to reap these benefits. But as SOAR use cases evolve to real-world situations and industry analysts adjust their definition of the market, it's becoming increasingly clear that SOAR is less of a singular platform and more of a comprehensive architecture for tying a lot of threads in the security stack together in a meaningful fashion, including threat intelligence platform (TIP) capabilities. <h2>What is SOAR?</h2> SOAR is part of the cybersecurity industry's long-term push toward improved security automation. As the name suggests, there are three core functions that SOAR products have historically delivered to security teams: <ul> <li>Orchestration: Customized security orchestration helps integrate the dozens of best-of-breed security tools that the typical SOC has accumulated over the years. These tools often do very specialized tasks, but teams struggle because they don’t play nicely with one another. Orchestration within a SOAR product is usually used to aggregate data from a number of different sources to enrich alerts, consolidate and deduplicate alert data, and initiate remediation actions on third-party systems.</li> <li>Automation: In the context of SOAR, security automation executes a sequence of tasks related to a security workflow without requiring much human intervention. It’s typically implemented via ‘playbooks’ that script automated processes to replace time-consuming but relatively simple processes, leaving skilled analysts freed up to carry out more advanced threat mitigation activities.</li> <li>Response: Incident response consists of alert triage, case management, security incident investigation, threat indicator enrichment, and response actions. For example, a security event or alert should automatically pull in contextual data like IPs, domains, file hashes, user names, and email addresses to provide the analyst a rapid understanding of the security scenario. Then the analyst should be able to issue investigative, containment or response actions against the data.</li> </ul> To accomplish these tasks, SOAR uses threat intelligence to prioritize and enrich the incidents that they manage. <h2>TIP and Gartner's Latest Definition of SOAR</h2> This vital role of threat intelligence management in SOAR has grown to such prominence that many SOAR tools have started building in limited threat intelligence capabilities that mirror some of what a more fully-featured TIP would offer. In fact, Gartner's latest definition of SOAR now names the operationalization of threat intelligence as "table stakes" for SOAR tools. Its 2020 market guide says that SOAR convergence is now not only roping in security incident response platform (SIRP) and security orchestration and automation (SOA) technology, but also TIP technology. <img alt="SOAR architectures" src="https://cdn.filestackcontent.com/p7nrt80Tdiw0GgQCp7KQ"/> Soar architectures are comprised of a combination of proven technologies, with threat intelligence platforms (TIPs) and the integrations they provide serving as a cornerstone. But here's the thing, while SOAR is certainly enriched by TIP and while SOAR tools depend on native threat intelligence functionality, true SOAR benefits from a deep integration with a true intelligence platform that curates and cultivates information aligned with an organization’s intelligence initiatives. SOAR is one of many critical parts of any large enterprise response strategy that TIPs support. Mature security teams need the flexibility to plug threat intelligence into all of these parts of the greater architecture to enable detection, investigations and response. In other words, TIPs will remain a cornerstone component of large enterprises that rely on SOAR in addition to integrating into newer technologies like Extended Detection and Response (XDR) to deliver on the promise of automated response. <h2>Why SOAR functions expand beyond a platform</h2> This TIP dynamic highlights the more fundamental truth at play within the SOAR market. Gartner sees SOAR as settling into the role of the "control plane of the modern SOC." While SOAR tools can orchestrate the work of other security controls and functions, none of them really do the work of SIEMs, EDRs, firewalls, TIPs and so on. Instead, they're just tasked with automating the response to the threats that only these systems can detect. If there's one thing that's certain in cybersecurity, it's that there's never a technological silver bullet for the hardest problems faced by security analysts and operators. The threat actors are too dynamic and they're too well equipped with evolving and automated attack tools for defenders to ever stop tinkering with their security technology stack. Enterprises have sprawling, complex architectures filled with best-of-breed products for this very reason. The last thing they need is for SOAR platforms to try to replicate these solutions — of which TIP is one of many — with a 'one tool to rule them all' approach. Instead of a pitch to rip and replace big swaths of their security stack, they want flexible integration points that allow them to maximize their investments in the best the market has to offer. Looking at Gartner's definition of the market and where SOAR appears to be headed, it's looking increasingly like the key to SOAR success is going to be how organizations practically deploy SOAR products in a way that glues technology and processes together. "What sets these products apart is their ability to receive inputs from many other security products and organize the SOC’s workflow. The vast majority of this type of product is also sold separately, maintaining a maximum interoperability level with other vendors, even if they are competing products, such as SIEM solutions." Which sounds more like an architectural approach supported by SOAR tools than a singular platform that can be acquired through a simple bake-off.