“Dumb SOAR” Is Failing Its Customers. Are You One of Them?

While cybersecurity spending is on the rise, security leaders also have higher expectations from their product suppliers and service providers. For example, Managed Security Services Providers (MSSPs) once focused on basic management of a customer’s tools, but today’s service offerings include detecting stealthy threats, continuous threat hunting, and enhancing the customer’s security posture. These are outcomes that any business would want.

The same evolution is happening in the SOAR market, creating a fork in the road between what we call “Dumb SOAR” and “Smart SOAR”.

What is Dumb SOAR?

Dumb SOAR is basic SOAR. When implemented correctly, it does basic alert enrichment and basic remediation actions. It doesn’t create high-fidelity alerts. It doesn’t help you with the ‘yellow alert’ problem. It doesn’t reduce the volume of alerts. It doesn’t help you respond smarter by utilizing IOC, IOB and identity data to search across your stack and prove the full scope of an incident. It doesn’t retain incident data to help you identify unusual behavior. All of these shortcomings make Dumb SOAR essentially a whack-a-mole solution. While you’re busy whacking moles all day, the moles are already in your house, moving from room to room.

What is Smart SOAR?

First off, Smart SOAR is not a whack-a-mole solution. Every alert is normalized, de-duped, enriched and triaged upon ingestion. The process works to dismiss false positives and automate IR  to validate incidents, generating only high-fidelity incidents for human investigation. In many cases, assignments to analysts are reduced by over 90%. Analysts, therefore, spend more of their time investigating better alerts. Smart SOAR also saves and utilizes IOC, IOB, and identity data, allowing you to correlate IOCs or ATT&CK TTPs across your security stack to uncover the full scope of incidents. Identity data is part of every alert in D3; it’s crucial to identifying unusual behavior in users, devices, and accounts. In order to achieve these capabilities, Smart SOAR requires superior integrations, utilizing non-public APIs to ensure the best functionality.

Let’s compare side-by-side:

Dumb SOAR 

Smart SOAR

Lacks Any Structure
Limited in its ability to process and prioritize incoming alerts, which slows response times. Increases analyst workload, and compromises the effectiveness of the SOC.
Has Event Pipeline
Automatically normalizes, deduplicates, enriches, triages, and dismisses thousands of alerts every hour. Enables an organized workspace where the most critical alerts are dealt with first.
Has “Amnesia”
Doesn’t make crucial IOCs, IOBs, and identity data actionable for investigations.
Has Memory
Retains IOC, IOB, and identity data to prove incident scopes and quickly identify high-risk patterns.
Doesn’t reduce alert volume
Does not normalize, de-dupe, or enrich upon ingestion.
Dismisses and deduplicates alerts
Cuts alert volume by as much as 98% by normalizing, de-duplicating, and eliminating false positives.
Is Blind to Identity
Can’t tell if different alerts are connected to the same person or device.
Values Identity
Incorporates identity information, like user accounts and devices, to build links and patterns across events.
Doesn’t correlate across silos
Analysts have to manually gather and correlate data, making it time-consuming, and error-prone.
Correlates and orchestrates across the stack
Reduces manual work and risk, provides a complete picture of an incident, and enhances response capabilities.
Limited ATT&CK Mapping
Causes gaps in your security posture, makes it harder to measure and improve your security coverage.
Comprehensive ATT&CK Mapping
Provides better visibility and situational awareness. Helps upgrade threat hunting from event-based to intent-based response.
Uses Public APIs
Has superficial integrations with non-suite products, with limited actions and functionality. Limits its ability to automate IR playbooks and respond to threats.
Uses Partner APIs
Has deep integrations with security tools and IT products, providing advanced functionality, and enabling more effective orchestration and automation.
Runs Playbooks Sequentially
Slower and less efficient. Unable to handle large volumes of security alerts.
Can Run Playbooks Sequentially and in Parallel
SecOps teams need both. Parallel or looping playbooks helps reduce response times.
No Case Management Features
Makes it difficult to track, prioritize, and manage incidents effectively. Leads to delays and inefficiencies.
Extensive Case Management Capabilities
Enables collaboration and maintains a provable chain of custody. Supports role-based access. Generates a fully compliant audit trail of action.

As you can see, there’s a big difference. But much of Smart SOAR’s capability occurs behind the scenes, which makes it more user-friendly while still providing an abundance of features. And while Dumb SOAR can be helpful in automating the tedious, it doesn’t help your detection and response program become any better. In fact, Dumb SOAR reinforces bad habits by limiting visibility.

We have extensive experience working with customers from various industries and regions. In many cases, we’ve replaced less efficient SOAR products with our NextGen SOAR. Our SOAR replacement service migrates existing playbooks, reports, and incident data, making it easy for customers to make the switch. Through our interactions with these customers, we have gained a deep understanding of the common issues and limitations of outdated SOAR tools. As a result, we have come to some realizations, which we would like to share.

SecOps teams want a SOAR platform that doesn’t just have basic “connectors”—it must offer fully featured integrations that provide the right data for detection and response.

Suite-based SOAR tools that are tied to larger conglomerates don’t play well with products that aren’t owned by that company, particularly tools belonging to competitors. They inevitably end up having superficial integrations with limited actions. As an independent SOAR vendor, we have no such conflicts of interest, and have deep integrations with a wide range of security tools and IT products. Our goal when building these integrations is to help customers to utilize their preferred tools without any limitations.

SecOps teams want a SOAR platform that can help them uncover and disrupt the full scope of an attack—the vendor shouldn’t pretend that “whack-a-mole” response is good enough.

Treating each alert and incident in isolation prevents you from connecting the dots, and linking an attack to an attack group and campaign. NextGen SOAR takes a comprehensive approach by tying each alert to ATT&CK TTPs, as well as identities – such as users, accounts, and endpoints – to develop a more comprehensive and thorough understanding of the threat. This approach greatly improves the efficacy of your incident response.

SecOps teams want to be able to focus on real threats—but the vendor shouldn’t let “yellow” alerts go uncorrelated and uninvestigated.

Dealing with yellow alerts is a significant challenge for security teams, one which Dumb SOAR fails at due to its limited approach to data enrichment. D3’s Event Pipeline addresses this challenge by adding context to every alert that’s fed into our SOAR platform by processing all alerts through three phases. In the Normalization stage, it extracts fields and artifacts from various sources and standardizes the data into a consistent format that’s easy to query. Next, in the Threat Triage phase, it correlates artifacts against sources such as threat intelligence tools and user’s identity. In the Auto-Dismissal and Escalation phase, it auto-prioritizes alerts that are potentially high-severity incidents or involve key assets. The dismissal rules are customizable, so organizations can align their risk comfort levels. The end result is that our customers can greatly augment the amount of alerts that receive scrutiny.

SecOps teams want to prioritize events and incidents based on identity context—SOAR should be contextualizing every alert with identities and accounts.

Dumb SOAR suffers from amnesia. It has no way of knowing if the same IOCs were found in multiple previous alerts. A Smart SOAR solution like NextGen SOAR adds identity data to every alert, and retains that data (along with all other incident data) for 90 days. By contextualizing every alert with identities, security teams can prioritize security events and incidents based on their risk to the organization. For example, if an endpoint belonging to a CFO has been recently targeted, any subsequent alerts would automatically be classified as high risk.

Break up With Dumb SOAR with Our SOAR Replacement Program

If your current SOAR tool is not meeting your needs and expectations, we make it easy to break up with them. Our SOAR replacement service provides an expert migration of playbooks, automation scripts, historical incident and case data to the NextGen SOAR platform. And the best part? We offer a seamless transition with no downtime or loss of data. Learn how you can streamline your SecOps with Smart SOAR.

Social Icon
Alex MacLachlan

Alex is a marketing leader in the cyber security industry. He runs worldwide marketing for D3 Security, which include recruitment campaigns for enterprise and MSSP buyers, public relations, digital marketing, and business planning. On the weekends, you can find Alex fishing deep in the outdoors, rain or shine.