The term “SOAR” originated from Gartner® in 2015 and was updated in 2017 to describe a platform designed to orchestrate the response to incidents, leveraging automated processes called playbooks. These playbooks list all the tasks, data, and implications needed to respond to a specific type of incident and can be automated for routine tasks.
The value of a SOAR platform lies in its ability to improve the accuracy, speed, and depth of data for responding to incidents, especially in security operations. It addresses the growing pain point that security programs continuously encounter as businesses expand, which is event and incident overload. This overload arises from the need to analyze every event to verify its impact or concern to the business.
The SOAR buzzword has been accompanied by some overstated claims, such as it being the “only” tool a company needs to manage its security. Another claim is that “any programmatic process can be done via SOAR,” which, while not untrue, misses the focus on security and becomes OAR instead.
For executives considering adopting SOAR, it is important to view it as a step taken on a journey of improving the security organization. When a company aims to improve SOC efficiency, reduce errors, or streamline security processes, SOAR becomes highly compatible with that journey. Proper adoption and maintenance of SOAR have the potential to solve massive scalability issues, but simplifying integrations and focusing on existing security tools and solutions is crucial.
For a successful SOAR adoption, executives should ask their team critical questions, such as how the SOC will maintain security posture without increasing worker count if the business doubles in size, which routine processes can be automated, and which systems and IT operations would benefit from an OAR platform.
Overall, despite the buzz around SOAR, companies should carefully consider the implications and integration process before adopting it into their security strategy. It has the potential to improve efficiency and scale, but only when implemented and maintained properly.