SOAR is dead, long live the SOAR

Gorka Sadowski
4 min read · Aug 7, 2024


Gartner recently published their 2024 Security Operations Hype Cycle. It pegs SOAR (Security Orchestration, Automation and Response) in the trough of disillusionment, and mentions that SOAR will be obsolete before plateau.

Some pundits quickly claimed that SOAR was dead. It’s a bit more nuanced. Although I don’t want to speak on behalf of the Gartner team who wrote this hype cycle, I do have some context around this. Actually, lots of context. Read on…

The genesis of SOAR

I was part of the Gartner team who coined and defined the term SOAR (Security Orchestration, Automation and Response) in 2017. I also co-authored Gartner’s first research note on the topic (Innovation Insight for Security Orchestration, Automation and Response, 30 November 2017).

The idea was simple. SOCs that manually repeated some tasks over and over again could definitely get value from automating these.

SOAR was born as a tool that could centralize security orchestration, automation and response for SOCs (security operations centers). For good measure, we also specifically called out case and incident management, and the operationalization of threat intelligence in support of the SOC’s mission — both of which do require automation, orchestration, etc.

The golden era of SOAR

With enough time and effort, you could theoretically automate pretty much everything in a SOC.

During the golden era of SOAR, there was a “the sky is the limit” thinking about SOAR, and we saw larger vendors heavily investing in this technology.

Some efforts were done internally, for example at Splunk. As Director of Business Development for Security at Splunk, I drove Splunk’s Adaptive Response Initiative — a crude version of a SOAR — in March 2016.

Other efforts were driven by acquisitions. For example:

Some of these acquisitions came at a pretty penny; combined, multiple billions of dollars were spent on them.

The SOAR hangover after the party

At Gartner we kept emphasizing that SOAR was a real endeavor, requiring people, process and technology — not merely a magic tool that organizations could deploy easily to automate everything.

Vendors kept perpetuating the myth that SOAR was the solution to all SOC issues, and that it would be easy to deploy and run across the whole organization.

Claims were so outrageous that it sometimes felt like science fiction. I wrote another blog in 2022 titled “Security automation is real. Science fiction is not”. I kept saying that SOAR had lots of value in automating some manual tasks sometimes, but not all manual tasks all the time.

One of the limiting factors in the operationalization of SOAR is the management of playbooks. We saw organizations with hundreds of playbooks that needed to:

  • Write playbooks
  • Test playbooks
  • Fine-tune playbooks
  • Manage dependencies between these playbooks
  • Retire playbooks

And every time a new technology was introduced, a new use case was put in production, or an exception was needed, the playbook team had to go to work again. It was a never-ending story, and ROI was getting progressively worse.

A few “low code/no code” SOAR vendors tried to solve the playbook management problem, but they were just replacing one problem with another. Nothing fundamentally changed — most organizations were overwhelmed by the sheer complexity of what needed to be automated.

Finally the industry came to grips with the following:

  • SOAR is a people, process and technology effort
  • Automation needs an iterative, phased approach based on organizations’ maturity
  • Automating some low-hanging fruit offered phenomenal ROI
  • However, automating everything in a SOC is just not possible

SOAR as an automation and orchestration feature is everywhere

Is SOAR dead, or is it everywhere?

Let’s look at another example that I also know well — UEBA (user and entity behavior analytics). I authored several Gartner research notes on UEBA, including the last UEBA Market Guide in 2019. At the time, I wrote that “Security and risk management leaders considering UEBA are finding that the market keeps shifting away from pure-play vendors, toward a wider set of traditional security products that embed core UEBA technologies and features to benefit from advanced analytics capabilities.”

Indeed, you can see today that UEBA is embedded in all aspects of cybersecurity, wherever there is a need to detect anomalies and generate alerts — mainly SIEM, but also CASB, CNAPP, anti-fraud, EDR, IAM, etc. The broader industry distilled the best of the UEBA techniques and applied them to solving the low-hanging fruit within their own scope. The same is happening, or has already happened, with SOAR.

UEBA became a feature of any well-respected SIEM, as well as many other CyberSec tools.

Likewise, there are SOAR-like features under the covers of most tools today, notably SIEMs and CloudSec tools. Sometimes we forget, but let’s keep in mind that there is automation every time that:

  • Your tool fetches context for a specific alert to enrich it
  • Your SIEM creates a case and auto-populates it with relevant context for validated alerts
  • A cloud asset gets destroyed when a SOC deems it compromised
  • You use an IAM tool that automatically suspends an account that is hacked
  • Locally produced Threat Intelligence gets operationalized inside your organization
  • A user gets added to a watch-list after HR flags them as a flight risk
  • And so many more examples…

Is there a need for pure-play, standalone SOAR tools? Sometimes, but most organizations can leverage SOAR features in the tools that they already have in their technology stack, notably their SIEM and CloudSec tools.

SOAR is dead, long live the SOAR.


Written by Gorka Sadowski

Cybersecurity expert and Chief Strategy Officer at Exabeam. Former Gartner analyst driving SIEM and SOC research and builder of the Splunk security ecosystem.