For a term that was only coined less than five years ago, SOAR (security orchestration, automation, and response) has matured significantly to a point where it has become table stakes for a modern SOC. SOAR helps security teams cope with several challenges, including information overload from a deluge of alerts coming from disparate tools, a longstanding cybersecurity talent crunch, and increasingly sophisticated attacks from threat actors. When analysts and practitioners talk about tools that are the cornerstone of every modern SOC, SOAR inevitably gets mentioned.
The SOAR market has exploded across recent years as companies try to address the need for orchestration and automation in the SOC. Gartner forecasts that the SOAR market will grow to $550 million by 2023. KBV Research projects a $2.3 billion market by 2025. Even the US government acknowledged that SOAR is a “practical necessity” in a recent memo that outlines its move towards a zero trust architecture.
If you haven’t already, the best time to implement SOAR is now. The problems that SOAR solves are not going away. Here are some data points that illustrate why SOAR is so indispensable to the modern SOC:
There is a gap of 2.72 million professionals that organizations need to fill to adequately defend their digital assets, says the 2021 (ISC)² Cybersecurity Workforce Study. The workforce gap is increasing in North America, Europe, and Latin America, the study notes. In a survey of cybersecurity professionals by ESG and ISSA, 95% of the respondents said the cybersecurity skills shortage has not improved over the past years. 44% said it has gotten worse. The most significant skills shortages are in the areas of cloud computing security, security analysis and investigations, and application security.
Ransomware attacks, cryptojacking attacks, IoT malware, and intrusion attempts are all on the rise, SonicWall’s 2022 Cyber Threat report notes. Most notably, ransomware attacks grew 105% year-on-year, with 623.3 million attacks in 2021. The report also notes that 2021 was the fifth consecutive year where a record number of CVEs were published (20,136), and the first time in history that the number of CVEs passed the 20,000 mark.
76. That’s the average number of cybersecurity tools deployed by large enterprises, according to a 2022 survey by security vendor Panaseer. Financial Services (87) and Healthcare (82) companies used the highest number of cybersecurity tools. Companies with 10,000 or more employees used 96 tools on average. The study, which polled 1200 US and UK VP-level enterprise security decision-makers, attributed the 19% increase from 2019 to 2022 to the shift to cloud-enabled remote working.
One of the problems with having so many security tools is that they tend to generate a high volume of low-quality alerts. A typical security operations team receives over 11,000 security alerts daily, Forrester Research noted in a 2020 study. Most teams are simply unable to cope with such a high volume of alerts. A 2021 survey by Trend Micro highlights how alert fatigue is the main reason why a majority of SOC teams feel emotionally overwhelmed and stressed out. Coping mechanisms range from turning off alerts, to walking away from the computer, hoping another member will step in, or ignoring what is coming in entirely. All of which can adversely impact an organization’s security posture.
Increasing workloads, being on call 24/7/365, lack of visibility into the attack surface, too many alerts to chase, information overload, and lack of tool integration are some of the reasons why working in the SOC can be painful, a recent survey of global cybersecurity professionals finds. Burnout among SOC analysts is common when incident response is a manual process, with a lot of repetitive cutting and pasting between tools.
SOAR emerged as a product category in the cybersecurity space precisely to deal with the above challenges. By automating repetitive and routine tasks, SOAR eliminates fatigue and lets the analyst do more in less time. By orchestrating and leveraging its integrations with a wide variety of security tools, it provides the SOC team a unified interface to respond to threats. D3’s Smart SOAR Platform can filter out, auto-close, and consolidate ~98% of alerts through its Event Pipeline, ensuring that the remaining 2% of alerts that need investigation get the analyst’s attention.
In an ever-evolving cybersecurity landscape, being saddled with outdated tools and technologies is a recipe for failure. There are many examples where market leaders failed to transition and adapt to emerging technology and ended up ceding potential windfalls and entire markets to competitors.
In 1979, Xerox failed to recognize the revolutionary potential of the graphical user interface they had been working on in-house at their Palo Alto research center. Instead, they allowed Apple engineers to visit their research center to tinker and test their prototypes. Fast-forward to the present, and Apple’s market capitalization is around $2.6 trillion USD, while Xerox has a market capitalization of approx. 3.1 billion USD.
While sales of RIM’s BlackBerry phones grew for a few years after the iPhone’s launch, RIM was slow to introduce touch-screen phones and keep up with its competitors on usability and features like the App Store. Constrained by its success as a keyboard-centric smartphone maker, RIM’s share of the smartphone market fell from 21% in 2009 to 2% in 2013. RIM eventually wound up its smartphone business in 2016.
SOAR is a major leap in cybersecurity – as game-changing as the rifle in the era of the musket, or a fighter jet in the era of the propeller plane. When motivated and well-resourced threat actors stage attacks with increasing sophistication and severity, your SOC team needs the best tools to level the odds. Don’t get caught fighting tomorrow’s war with yesterday’s weapons.
While it’s true that SOAR is a significant investment, it more than pays for itself by improving efficiency across your team. Through deep integrations, SOAR also gets the most out of all the security tools that you already have. The price of not having SOAR when you need it can be much greater, considering that the average cost of a data breach now stands at USD 4.24 million.
Operating and maintaining playbooks in a SOAR tool traditionally required knowledge of Python scripting. However, D3’s next-generation SOAR platform has eliminated that need through its codeless playbooks and integrations. D3 currently supports unlimited out-of-the-box integrations with security vendors, enabling analysts to conduct complex operations quickly in a drag-and-drop fashion.
SOAR and SIEM are not interchangeable. SOAR operates one layer above the SIEM in the security stack, ingesting alerts from the SIEM tool and enriching them with threat intelligence, IOC correlations, and other data. Unlike SIEM, which offers limited response workflows, SOAR offers incident-specific, automation-powered response workflows. Unlike SIEM, SOAR can orchestrate actions by leveraging its integrations with a wide variety of security tools.
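To make the pipeline described above concrete (filter, auto-close, consolidate, then enrich and route what remains), here is an added example in Python. It is not D3's Event Pipeline or any vendor's code; every alert, threat-intelligence indicator, asset record and rule name below is constructed for illustration, and the severity model is a deliberately simple assumption.

```python
"""
Minimal alert-triage pipeline in the spirit of the SOAR stages described above:
ingest SIEM alerts, drop known noise, consolidate repeats, enrich survivors with
threat-intel and asset context, and route them to a queue or an analyst.

Added example, not D3's code. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed threat-intelligence feed: indicator -> (verdict, confidence).
# Addresses are from the TEST-NET documentation ranges, not real infrastructure.
THREAT_INTEL = {
    "198.51.100.23": ("malicious", 90),
    "203.0.113.7": ("suspicious", 60),
}

# Constructed asset inventory used for enrichment.
ASSETS = {
    "srv-db-01": {"owner": "dba-team", "criticality": "high"},
    "ws-0412": {"owner": "helpdesk", "criticality": "low"},
}

# Rules whose alerts are known noise, e.g. an authorised internal scanner (assumed).
AUTO_CLOSE_RULES = {"vuln-scanner-probe"}


@dataclass
class Alert:
    id: str
    rule: str
    host: str
    src_ip: str
    ts: int                                  # epoch seconds
    enrichment: dict = field(default_factory=dict)
    status: str = "new"                      # new | auto_closed | consolidated | escalated | queued
    severity: str = "low"


def filter_noise(alerts):
    """Stage 1: auto-close alerts from rules the SOC has classified as noise."""
    for a in alerts:
        if a.rule in AUTO_CLOSE_RULES:
            a.status = "auto_closed"
    return alerts


def consolidate(alerts, window=300):
    """Stage 2: merge repeats of the same (rule, host) within `window` seconds
    into the earliest alert; later duplicates are marked consolidated."""
    leaders = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        if a.status != "new":
            continue
        key = (a.rule, a.host)
        leader = leaders.get(key)
        if leader and a.ts - leader.ts <= window:
            a.status = "consolidated"
            leader.enrichment.setdefault("duplicates", []).append(a.id)
        else:
            leaders[key] = a
    return alerts


def enrich(alert):
    """Stage 3: attach threat-intel and asset context, then assign a severity.
    The severity model is an assumption for illustration only."""
    intel = THREAT_INTEL.get(alert.src_ip)
    asset = ASSETS.get(alert.host, {"owner": "unknown", "criticality": "unknown"})
    alert.enrichment["intel"] = intel
    alert.enrichment["asset"] = asset
    if intel and intel[0] == "malicious":
        alert.severity = "critical" if asset["criticality"] == "high" else "high"
    elif intel or asset["criticality"] == "high":
        alert.severity = "medium"
    else:
        alert.severity = "low"
    return alert


def route(alert):
    """Stage 4: medium and above go to an analyst; low sits in a review queue
    rather than being silently closed."""
    alert.status = "queued" if alert.severity == "low" else "escalated"
    return alert


def run_pipeline(alerts):
    """Run all stages in order and return a count of alerts per final status."""
    filter_noise(alerts)
    consolidate(alerts)
    for a in alerts:
        if a.status == "new":
            route(enrich(a))
    summary = defaultdict(int)
    for a in alerts:
        summary[a.status] += 1
    return dict(summary)


def sample_alerts():
    """Constructed batch standing in for a SIEM export."""
    return [
        Alert("a1", "vuln-scanner-probe", "srv-db-01", "10.0.0.5", 1000),
        Alert("a2", "ssh-brute-force", "srv-db-01", "198.51.100.23", 1010),
        Alert("a3", "ssh-brute-force", "srv-db-01", "198.51.100.23", 1050),
        Alert("a4", "ssh-brute-force", "srv-db-01", "198.51.100.23", 1100),
        Alert("a5", "outbound-dns-anomaly", "ws-0412", "203.0.113.7", 1200),
        Alert("a6", "usb-device-inserted", "ws-0412", "10.0.0.9", 1300),
    ]


if __name__ == "__main__":
    batch = sample_alerts()
    print(run_pipeline(batch))
    for a in batch:
        print(a.id, a.status, a.severity, a.enrichment.get("duplicates", []))
```

Of the six constructed alerts, one is closed as scanner noise, two brute-force repeats fold into the first, the brute-force leader and the DNS anomaly reach an analyst, and the USB event waits in the low-severity queue. The point of keeping low-severity alerts queued rather than auto-closed is auditability: only rules the SOC has explicitly classified as noise are closed without a human ever seeing them.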
Adding SOAR capabilities to your SOC is a bit like getting Marie Kondo to declutter your home. It automates away all the tedious tasks that lead to burnout and lets your analysts be more effective at what they were hired to do – secure your business infrastructure from external threats.
D3 Smart SOAR is a powerful, but accessible SOAR solution that your SOC team will love because it’s the only platform that offers:
Your SOC team goes to battle every day against unknown adversaries armed with the most sophisticated and stealthy cyber weapons. SOAR is the tool organizations need to futureproof their security operations.
To learn more about how security operations are rapidly evolving, get your free copy of this Gartner report, courtesy of D3.