Saying Goodbye to SOAR: What’s Next for Security Operations?

Gartner declares SOAR obsolete, urging a shift to advanced AI solutions in security operations. Discover how AI is revolutionizing security automation.

Blink Team (Author) · Aug 15, 2024 · 4 min read

A recent Gartner report states that security orchestration, automation, and response (SOAR) is no longer as useful or relevant as it once was. It now sits at the bottom of Gartner's "trough of disillusionment," the Hype Cycle phase in which user satisfaction is at its lowest. Based on this, the focus in cybersecurity is clearly shifting towards more advanced automation tools, especially those powered by generative AI.

The Original Vision of SOAR

Introduced around 2017, SOAR was designed to change how businesses deal with security incidents. Gartner coined the term to describe tools that simplify and automate security tasks, aiming to improve the productivity and efficiency of incident response teams. SOAR rests on three pillars:

1. Security Orchestration: This component integrates different security tools and systems to create a cohesive and automated response mechanism, providing a unified approach to threat detection and response.

2. Security Automation: Focused on automating repetitive tasks like vulnerability scans, log analysis, and incident ticketing, this aims to reduce the manual workload on security analysts, allowing them to concentrate on more complex threats.

3. Security Response: SOAR platforms provide predefined playbooks for incident response, enabling automated or semi-automated actions based on the nature of the threat. Actions can include isolating infected systems, blocking malicious IP addresses, and notifying relevant stakeholders.
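To make the "predefined playbook" idea concrete, here is a minimal playbook dispatcher added as an illustration (it is not Blink Ops code or any vendor's engine). It assumes a constructed playbook table, a constructed list of internal network ranges, and a severity threshold above which even a known alert type is handed to an analyst rather than actioned automatically, which is exactly the human-intervention gap discussed later in this post.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Alert:
    alert_type: str
    severity: int        # 1 (low) .. 5 (critical)
    host: str = ""
    src_ip: str = ""

# Constructed playbook: alert type -> ordered (action, alert field) steps. A None field
# means the action targets a fixed destination (here the SOC notification channel).
PLAYBOOK = {
    "malware_detected": [("isolate_host", "host"), ("notify", None)],
    "brute_force":      [("block_ip", "src_ip"), ("notify", None)],
}
AUTO_MAX_SEVERITY = 3   # above this, a known alert type still goes to an analyst
# Constructed internal ranges that a playbook must never auto-block.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def escalate(reason):
    """Route the alert to a human queue instead of executing any action."""
    return [("escalate", reason)], True

def run_playbook(alert):
    """Return (actions, needs_human): the ordered (verb, target) list the platform
    would execute, and whether the alert was routed to a human instead."""
    steps = PLAYBOOK.get(alert.alert_type)
    if steps is None:                      # novel threat: no playbook covers it
        return escalate("unknown alert type " + alert.alert_type)
    if alert.severity > AUTO_MAX_SEVERITY:
        return escalate(f"severity {alert.severity} exceeds automation threshold")
    actions = []
    for verb, field_name in steps:
        target = getattr(alert, field_name) if field_name else "soc"
        if not target:                     # playbook needs data the alert lacks
            return escalate(f"missing {field_name} for {verb}")
        if verb == "block_ip":
            try:
                ip = ip_address(target)    # validate before any firewall call
            except ValueError:
                return escalate(f"malformed source IP {target!r}")
            if any(ip in net for net in INTERNAL_NETS):
                return escalate(f"refusing to auto-block internal address {target}")
        actions.append((verb, target))
    return actions, False
```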

The objective is quite clear: enhance incident detection and response times, improve the efficiency of security operations, and better manage the increasing volume of security alerts. 

By automating routine tasks and orchestrating complex workflows, SOAR aims to reduce the mean time to detect (MTTD) and mean time to respond (MTTR) to security incidents, thus minimizing potential damage from cyber threats.

Five Promises and Their Under-Delivery

Despite its potential, SOAR faces several significant challenges that ultimately led to its decline. Here are the main limitations:

1. High Costs: Implementing a SOAR platform requires substantial investment in time and money. Customizing the platform to fit specific security infrastructures can be a complex and resource-intensive process.

2. Ongoing Maintenance: Keeping a SOAR platform up-to-date with threats and security changes requires continuous updates and adjustments, adding to the total cost of ownership.

3. Specialized Skills: Effective use of SOAR platforms often requires employees with specialized skills, including extensive coding knowledge and expertise in various security tools, creating a dependency on highly skilled analysts.

4. Integration Issues: While SOAR is designed to integrate with a wide range of security tools, achieving interoperability in practice is often challenging. Custom connectors and integrations require technical expertise, and not all tools can be easily integrated, limiting the platform’s effectiveness.

5. Expectation Gaps: Many organizations view SOAR as a silver bullet for all their security issues. The harsh reality is that SOAR platforms are not designed to address every possible threat scenario and often require human intervention for complex or novel threats. This gap between expectations and reality leads to frustration and disillusionment among users.

The Future of Security Automation

Moving forward into 2024, Gartner points to a future where security automation is driven by generative AI-based solutions rather than traditional SOAR platforms. Generative AI offers several advantages that address the limitations of SOAR:

[Graphic: how modern AI-based solutions address the challenges SOAR struggled with]

Work With Blink Ops Today

An example of this new era in security automation is what we offer at Blink Ops: with natural language prompts, tasks can be automated as precisely as needed, without requiring dedicated security engineers or custom code.

For more information on how generative AI and security automation can benefit your organization, see the Dark Reading Report on the State of Generative AI in the Enterprise.

This report provides valuable insights and trends on how security teams are leveraging generative AI alongside security automation to enhance their security posture and response times. You can download a copy for all the details.
