SOAR is Dead, So What’s Next?

Security Orchestration, Automation and Response (SOAR) solutions are being significantly disrupted by alternatives that are easier to use and more integrated with the rest of IT operations. I know this stings, but hear me out. 

Let’s start from the place that one of the primary use cases where SOAR is the automation of fixing stuff. This fixing activity is what brings us, security professionals, out of our focused security solutions and into the larger ecosystem of IT operations. We need others to take action on the firewall, in Exchange / O365, or on individual systems. 

One of the primary advantages of SOAR solutions in a world with multiple Platform as a Service (PaaS) offerings and thousands of security offerings is portability and integration.

These SOAR platforms could answer questions like: How do you take advantage of all the security services AWS has to offer without being locked into AWS forever? How do you continue to be able to fix things when the infrastructure is changing across platforms? How do you bridge the gap between security solution alert and IT response?

The big change we are in the middle of is that requests to fix things are being centralized at a fast pace. The growth in the use of digital transformation platforms, namely ServiceNow, is the engine that is now automating workflows across enterprises and in information security teams.

ServiceNow is the centralizing hub for alerts and for orchestrating response activities. Click To Tweet

ServiceNow is not only centralizing response activities but making those activities easier to design. No longer do you have to write a script to parse out email headers in your phishing playbook. Now, integrations and pre-built playbooks will do that activity, and drop it into readable, queryable fields. Don’t worry, you still have the option to write those scripts. Also, pre-built extensions already exist for you to check those observables against VirusTotal or other threat intelligence sources.  Most importantly, an analyst can create a change request, task, or issue with a mouse click and with the relevant IoCs and IoAs, all natively within the platform that IT operations is already using. 

This means that in the security context, what we used to think of as SOAR, these platforms for building playbooks that we crafted in our favorite scripting language, is being commoditized into Playbooks and Integrations in ServiceNow. 

We don’t have to hang up our engineering spurs as our home-grown scripts get turned into out-of-the-box features. There is still plenty of work to do. The security craft can now move more into developing more effective hunting, defense design, and response techniques, rather than focusing on the mechanics of automating those activities. 

Also, in order to make these integrations work in a coordinated manner takes a heavy lift of cooperation between different firms. There is a growing and complex ecosystem of integrations being developed, some by the security solutions themselves, some by ServiceNow, and they have differences that need to be taken into account.

This growing ecosystem of integrations will have its own economy, with implications for traditional SOAR platforms. Click To Tweet

Some integrations and playbooks will come free, some will be shared, and some will cost money, all depending on the costs to develop, demand, and revenue model. Established SOAR solutions are actually in an ideal position to design the integrations and playbooks needed in ServiceNow. 

The bottom line is that we are moving to a world where automating security response is easier, more portable, and more integrated by relying on digital transformation platforms.

If you can keep up with rapid release cycles and the dynamic ecosystem of integrations, the net result will be a more consistent, integrated, and effective security response.