<p>“SOAR is dead,” a cybersecurity vendor recently proclaimed on its website. But the evolution of <a href="https://www.techtarget.com/searchsecurity/definition/SOAR">security orchestration, automation and response</a> suggests that the supposed death is more about semantics than obsolescence.</p>
<p>While some companies experienced success with SOAR technology, many organizations struggled to implement it. Those difficulties harmed SOAR’s reputation. In fact, many analysts and vendors now shy away from the term, even though core SOAR functionality — collecting, coordinating and responding to threat data — remains vital to security operations.</p>
<p>SOAR vendors have rebranded. Companies once considered SOAR providers now describe their offerings as <i>AI SOC</i>, <i>agentic AI</i>, <i>workflow automation</i> or <i>intelligent workflows</i>.</p>
<p>“[SOAR] was a little bit of a made-up term,” said Thomas Kinsella, co-founder of Tines, a security vendor that is often included in lists of SOAR providers. The company, however, has never identified as such, referring to its primary offering as an <i>AI orchestration platform</i>.</p>
<section class="section main-article-chapter" data-menu-title="What is SOAR?">
<h2 class="section-title"><i class="icon" data-icon="1"></i>What is SOAR?</h2>
<p>Gartner coined the term SOAR about 10 years ago to describe a stack of security tools that collects data about detected threats and responds automatically or with minimal human assistance. It was touted as a way to maximize the productivity of security teams.</p>
<p>SOAR includes the following three components, which create a deterministic system for identifying and responding to security events:</p>
<ul type="disc" class="default-list">
<li><b>Orchestration.</b> The process of getting all necessary security tools, such as endpoint protection, SIEM platforms and firewalls, working together and integrated with a central SOAR application. This is done through custom or built-in integrations.</li>
<li><b>Automation.</b> Occurs in response to data signals coming from security orchestration. When a potential threat is detected, SOAR sends an alert and can automatically respond based on predetermined criteria.</li>
<li><b>Response.</b> Refers to the actions taken by the SOAR application once it identifies a potential threat, either acting on its own or sending an alert to a human operator. Security teams can see response activity on a dashboard.</li>
</ul>
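<p>To make the three components concrete, here is an added example (not code from the article or from any vendor it mentions) of a minimal deterministic playbook: an orchestration step that enriches an alert from integrated tools, an automation step that applies predetermined criteria, and a response step that either acts on its own or hands the case to an analyst. The threat-intel table, host inventory and alert are constructed stand-ins for what real integrations would return.</p>

```python
# Constructed sample alert, shaped like what a SIEM integration might hand to the SOAR layer.
SAMPLE_ALERT = {"id": "A-1", "host": "ws-042", "user": "jdoe", "indicator": "203.0.113.7"}

# Orchestration: stand-ins for integrated tools (constructed; real ones are API calls).
THREAT_INTEL = {"203.0.113.7": "malicious"}                       # constructed TI lookup
EDR_HOSTS = {                                                     # constructed EDR inventory
    "ws-042": {"isolated": False, "critical": False},
    "srv-db-01": {"isolated": False, "critical": True},
}


def enrich(alert):
    """Orchestration step: pull context from the integrated tools into the alert."""
    alert = dict(alert)
    alert["verdict"] = THREAT_INTEL.get(alert["indicator"], "unknown")
    alert["host_critical"] = EDR_HOSTS.get(alert["host"], {}).get("critical", False)
    return alert


def decide(alert):
    """Automation step: predetermined criteria map the enriched alert to one action."""
    if alert["verdict"] == "malicious" and not alert["host_critical"]:
        return "isolate_host"          # safe to act without a human
    if alert["verdict"] == "malicious":
        return "escalate"              # critical asset: an analyst decides
    return "close"                     # nothing actionable


def respond(alert, action, log):
    """Response step: act automatically or alert a human; log the outcome for the dashboard."""
    if action == "isolate_host":
        EDR_HOSTS[alert["host"]]["isolated"] = True
    entry = {"alert": alert["id"], "action": action, "needs_human": action == "escalate"}
    log.append(entry)
    return entry


def run_playbook(alert, log=None):
    """Link the three blocks together; returns the dashboard record for this alert."""
    log = [] if log is None else log
    enriched = enrich(alert)
    return respond(enriched, decide(enriched), log)


if __name__ == "__main__":
    print(run_playbook(SAMPLE_ALERT))
```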
</section>
<section class="section main-article-chapter" data-menu-title="What happened to SOAR?">
<h2 class="section-title"><i class="icon" data-icon="1"></i>What happened to SOAR?</h2>
<p>The concept of SOAR was compelling to enterprise cybersecurity leaders. Security talent was scarce, and the idea of <a href="https://www.techtarget.com/searchsecurity/tip/Top-6-SOAR-uses-cases-to-implement-in-enterprise-SOCs">reducing stress on security teams through automation</a> was and still is a big selling point. At one point, at least 20 vendors provided standalone SOAR products. Larger security vendors took notice and acquired SOAR providers; most rolled the functionality into broader security platforms to fill gaps in their own offerings.</p>
<p>Implementation and maintenance presented challenges, however. Because SOAR was yet another standalone product in the security stack, vendors had an uphill battle to show that the implementation effort would be worth it.</p>
<p>“Organizations struggled to implement SOAR for a number of reasons,” said Kevin Schmidt, senior director analyst at Gartner. “You had to write code or scripts or use some sort of an interface to build executable blocks that you would link together.”</p>
<p>The better an organization understood and maintained its workflows, security playbooks and technology stack, the easier it could <a href="https://www.techtarget.com/searchsecurity/tip/Streamline-SecOps-with-SOAR-workflows-and-playbooks">implement and maintain SOAR</a>. According to Schmidt, the necessary integrations posed short- and long-term maintenance challenges that became harder when people with knowledge of them left the organization. “[With] the nature of [SOAR] being code, at the end of the day, it is sometimes very brittle,” he said.</p>
<p>To use legacy SOAR technology effectively, added Cody Cornell, CEO and founder of security automation vendor Swimlane, a SecOps team needed experience in incident response, security operations, threat intelligence and the <a href="https://www.techtarget.com/searchsecurity/definition/MITRE-ATTCK-framework">MITRE ATT&C
[…]