
Is SOAR Alive or Dead? Kind Of


The Evolution of SOAR: From Obsolescence to Integration in Cybersecurity

A recent statement from a cybersecurity vendor, boldly proclaiming "SOAR is dead," has sparked a debate in the industry about the fate of Security Orchestration, Automation, and Response (SOAR). However, a closer examination reveals that this narrative may be more about semantics than the actual technological obsolescence of SOAR. The ongoing journey of SOAR technology continues to evolve, offering critical functionalities for modern security operations.

Many organizations have found varying degrees of success with SOAR systems, but not every entity could navigate the complexities of implementation. This struggle has tarnished SOAR’s once-promising reputation, leading some analysts and vendors to shy away from the term altogether. Despite this, the essential capabilities of SOAR—such as the collection, coordination, and automated responses to threat data—remain indispensable in the landscape of cybersecurity.

As the perception of SOAR has shifted, vendors have been quick to adapt. Companies historically identified as SOAR providers have begun rebranding their solutions under new monikers like AI SOC, agentic AI, workflow automation, and intelligent workflows. This shift exemplifies a broader trend in the cybersecurity sector, where firms are attempting to distance themselves from a term that has encountered skepticism.

Reflecting on the origins and challenges of SOAR, it’s essential to understand that Gartner coined the term approximately a decade ago. Initially, SOAR was heralded as a groundbreaking suite of security tools capable of automatically collecting threat data and enabling quick, effective responses. The underlying promise was to enhance the output of security teams amid a backdrop of a dwindling talent pool in the cybersecurity space. At one point, over 20 unique vendors were offering standalone SOAR products. Major cybersecurity players, realizing the potential, began acquiring these providers, folding SOAR capabilities into more expansive security platforms to bridge gaps in their existing solutions.

However, the promise of effortless implementation collided with reality. SOAR systems often ended up as yet another standalone component within an already crowded security stack. As Kevin Schmidt, a senior director analyst at Gartner, pointed out, organizations encountered significant hurdles: "You had to write code or scripts or use some sort of an interface to build executable blocks that you would link together." This requirement put a premium on an organization’s understanding of its own workflows, security procedures, and technology ecosystem, exposing a layer of complexity that many organizations were ill-equipped to handle.

Critical to SOAR’s implementation was the necessity for a skilled workforce capable of navigating incident responses, developing security operations skills, and understanding the MITRE ATT&CK framework. Unfortunately, experts in these areas were in short supply. Many teams lacked the capability to codify security domain knowledge into the necessary logic and rules for successful automation.

Then came the watershed moment around 2020, when the emergence of low-code/no-code SOAR solutions revitalized interest in the technology. As Matt Rodriguez, director of service delivery at cybersecurity consultancy Phoenix Cyber, noted, "A lot of people jumped on the bandwagon because the demos were great." These new platforms showcased the ability to configure complex automations with minimal effort, capturing the attention of organizations that struggled with traditional SOAR systems.

For more sophisticated security programs, the transition to low-code/no-code SOAR adoption has often yielded positive results. Nelson Conard, director of cybersecurity solutions at Phoenix Cyber, emphasized that organizations with well-defined workflows and processes were more likely to navigate the SOAR landscape successfully. Conversely, he cautioned that less mature organizations faced greater challenges in fully automating their security protocols due to their more ad hoc approaches.

Despite the newfound enthusiasm for low-code/no-code solutions, the reputation of SOAR has been mixed. Rodriguez mentioned, "Everything is easier in the demo," suggesting that while these solutions facilitate building playbooks, they still present intricate challenges. Often, clients don’t fully grasp the complexities within their environments, leading to difficulties in automation.

Today, artificial intelligence continues to alter the landscape of SOAR significantly. Modern AI agents can help organizations create and maintain automation pipelines that previously required a high level of human oversight and expertise. This integration between SOAR and AI enhances flexibility and adaptability, allowing organizations to build custom agents reflecting their particular security needs.

However, the relationship between SOAR and AI is not without caveats. While AI offers the promise of increased efficiency, its cost implications necessitate careful deliberation. Thomas Kinsella, co-founder of Tines, warned organizations to be judicious in their application of AI within SOAR environments, emphasizing that deterministic workflows should continue to serve as the backbone of security automation.

In contemplating the future of SOAR, it appears that traditional models will likely coexist alongside emerging technologies. While large enterprises may have been the initial target market for SOAR solutions, they are increasingly becoming accessible to medium-sized businesses and managed service providers (MSPs). Schmidt noted that companies already benefiting from SOAR are unlikely to abandon effective tools solely in pursuit of the latest AI innovations. Instead, they may choose to enhance their existing capabilities with AI-driven strategies to bolster efficiency in tasks like change management and audit trails.
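The three ideas that recur in the article, Schmidt's executable blocks linked together, Kinsella's deterministic workflows as the backbone, and the audit trail mentioned above, fit in a few dozen lines. The following Python is an added illustration, not code from the article or from any vendor product named in it; the block names, the threat-intel table, the isolation threshold and the sample alerts are all constructed for the example.

```python
"""Minimal deterministic SOAR-style playbook: linked executable blocks with an audit trail.

Added example, not the article's or any product's code. Every name below
(block names, THREAT_INTEL, ISOLATION_THRESHOLD, the alert fields) is constructed.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

# Constructed stand-in for a threat-intel enrichment integration (assumption).
# Addresses are from the RFC 5737 documentation ranges.
THREAT_INTEL: Dict[str, int] = {
    "203.0.113.7": 90,
    "198.51.100.22": 10,
}

# The codified rule: isolate the host when the risk score reaches this value.
ISOLATION_THRESHOLD = 70


@dataclass
class Context:
    """State carried from block to block; the audit list is the playbook's record."""
    alert: Dict[str, Any]
    facts: Dict[str, Any] = field(default_factory=dict)
    audit: List[Dict[str, Any]] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)


# A block receives the context and returns the name of the next block ("" to stop).
Block = Callable[[Context], str]


def enrich_ip(ctx: Context) -> str:
    ctx.facts["risk_score"] = THREAT_INTEL.get(ctx.alert["src_ip"], 0)
    return "decide"


def decide(ctx: Context) -> str:
    # Deterministic branch: same facts always yield the same next block.
    if ctx.facts["risk_score"] >= ISOLATION_THRESHOLD:
        return "isolate_host"
    return "close_alert"


def isolate_host(ctx: Context) -> str:
    ctx.actions.append(f"isolate:{ctx.alert['host']}")  # simulated containment call
    return "close_alert"


def close_alert(ctx: Context) -> str:
    ctx.actions.append(f"close:{ctx.alert['id']}")
    return ""


PLAYBOOK: Dict[str, Block] = {
    "enrich_ip": enrich_ip,
    "decide": decide,
    "isolate_host": isolate_host,
    "close_alert": close_alert,
}


def run_playbook(alert: Dict[str, Any], start: str = "enrich_ip", max_steps: int = 10) -> Context:
    """Walk the linked blocks from `start`, recording each step in ctx.audit."""
    ctx = Context(alert=alert)
    current, steps = start, 0
    while current:
        if current not in PLAYBOOK:
            raise KeyError(f"playbook references unknown block {current!r}")
        steps += 1
        if steps > max_steps:
            raise RuntimeError("playbook exceeded max_steps; check for a cycle")
        nxt = PLAYBOOK[current](ctx)
        ctx.audit.append({"step": steps, "block": current,
                          "next": nxt or None, "facts": dict(ctx.facts)})
        current = nxt
    return ctx


if __name__ == "__main__":
    result = run_playbook({"id": "A-1", "src_ip": "203.0.113.7", "host": "ws-17"})
    for entry in result.audit:
        print(entry)
    print(result.actions)
```

Because each block is a plain function and the branch in `decide` depends only on recorded facts, two runs on the same alert produce identical audit entries, which is what makes the trail usable for the change-management and audit purposes the article mentions; the `max_steps` guard and the unknown-block check are the kind of defensive plumbing a real engine needs before any AI-generated block is allowed into the chain.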

The evolution of SOAR underscores the need for ongoing adaptation in cybersecurity practices. As the landscape continues to shift, organizations will need to engage fully with both traditional and new technologies to maintain robust security strategies. The bottom line is clear: embracing SOAR is not merely about surviving; it’s about thriving in an ever-complex digital landscape, armed with the right tools and insights.

By observing the intricate dance between SOAR and AI, it becomes evident that the innovations ahead may well offer organizations not just survival, but genuine advancement in their cybersecurity endeavors.

