August 25, 2021 | 4 minute read
Security Orchestration, Automation, and Response (SOAR) is on the rise. According to MarketsandMarkets, the SOAR market is expected to increase from $868 million in 2019 to $1.791 million by 2024. Such growth would occur at a CAGR of 15.6% in that period - but are organizations getting the value out of SOAR they anticipated?
The forecast above reflects the promise of SOAR. As noted by CSO, SOAR is a security platform whose mission is to coordinate information received from different security tools and to automate those solutions’ analysis and response capabilities. This functionality can help organizations to become more efficient with their resources.
Take the issue of security alerts as an example. With Security Information and Event Management (SIEM) tools, infosec professionals find themselves constantly deluged by a flood of security alerts. There’s no actionable insight into those alarms, so security personnel need to investigate each one—despite the fact that the majority of those alerts those don’t trace back to an actual security issue. Those so-called “false positives” end up wasting infosec teams’ time, thus contributing to a state of alert fatigue in which an organization’s entire security posture suffers.
SOAR promises to reduce false positives and save security personnel time when it comes to investigating alerts. Not only that, but it also claims to shorten teams’ Mean-Time-To-Respond (MTTR) more generally. SOAR solutions suggest this is accomplished by allowing organizations to create automated response playbooks. These playbooks are intended to lighten the workload for SOC analysts because some threat categories demand certain remediation actions across every campaign.
In the case of a ransomware infection, for instance, security teams need to remove the malware payload, determine its scope of infection, and potentially activate their organizations’ backups. SOAR playbooks are supposed to enable security teams to automate these and other steps, thus helping them to respond more quickly and limit the scope of a security event.
All the above sounds pretty good. But after being around for years and years, has SOAR ever delivered on any of those promises? Ask any user, and their answer will most likely be “kind of.”
The actual user experience is more akin to something along these lines: "We had all these products and all these logs and telemetry all over the place. Now we have them all in one place, but it did nothing to actually make the intelligence actionable in the face of a threat.”
In practice, analysts still need to manually intervene and sift through all the “well organized noise” provided by their SOAR solution in order to actually find the “signal.”
The same applies to whether SOAR can deliver true orchestration across different security tools. Indeed, without the necessary correlations and context required for an analyst to understand what all the telemetry means, SOAR cannot effectively coordinate a response across a diversified network and multiple security tools. Thus, there is no option to effectively automate responses that ideally would not still require manual analyst intervention.
Ultimately, SOAR created a much tidier mess, but it's all still a mess. Many organizations are therefore looking to other security approaches in response. They’re looking to Extended Detection and Response (XDR) in particular.
As a reminder, XDR takes the aim of achieving visibility and extends it beyond organizations’ endpoints to include the network, the cloud, and their applications. It then collects all that information, uses AI to analyze, and allows security analysts to craft an appropriate response. It also allows true automation of responses because the telemetry has already been triaged, prioritized and made actionable based on deeply contextual correlations across endpoints, on-prem and cloud networks, user identities and more.
XDR isn’t dissimilar to SOAR, as explained by Hunters. Like SOAR, XDR integrates with various security and IT tools, but where things differ is in the level of integrations that are available at deployment as well as the focus on threat detection and incident response.
Simply put, XDR can work with more security tools than SOAR to eliminate uncorrelated alerts and instead provide real-time actionable intelligence about what’s actually happening on the network. It’s these integrations that ultimately deliver effective threat detection and automated incident response capabilities.
Best of all for organizations, XDR doesn’t require them to waste money on deploying a SOAR-based SOC technology staff that requires time and training. It leverages pre-built policy-based actions based on behavioral detections that enable security teams to automate or coordinate their responses more quickly, thus adding to the time an XDR solution saves by enriching, correlating, and presenting intelligence prior to alerting.
According to Dark Reading, XDR also takes care of the remediation actions itself, which makes confirmation and reporting easier to manage.
Cybereason XDR is designed to go even a step further with automated responses to attack progressions, eliminating the need for Security Orchestration, Automation and Response (SOAR) products as well. Organizations can enjoy these benefits whether they drop their SIEM and SOAR entirely or augment it with Cybereason XDR.
Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across enterprise, to everywhere the battle is taking place. Learn more about Cybereason XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.
The Cybereason Security Team champions cyber defenders by providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry’s top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere.All Posts by Cybereason Security Team