SOAR Is Dead, Long Live SOAR

What Gartner giveth, Gartner can take away.

Seven years ago, analysts at the business intelligence firm coined the term "security orchestration, automation, and response" (SOAR) to describe what they considered a new class of products: integrated security operations that could not only detect threats and issues, but also use playbooks to augment incident responders' efforts and, eventually, completely automate the response.

No wonder, then, that Gartner's labeling of the technology two months ago as "obsolete before plateau" — meaning the category has stalled before becoming a well-established IT tool — created a kerfuffle. Customers inundated the firm with questions on what the designation implied. Vendors in the security automation sector were more blunt.

Any suggestion that SOAR is dead is "the dumbest thing I've ever heard — absolutely asinine," says James Brear, CEO of Swimlane, a provider of security operations automation. "If you just remove the [term] SOAR and added the word automation, [then the assertion] sounds ridiculous. It's kind of like saying that AI is going away."

SOAR is not the first technology to be designated as obsolete on Gartner's Hype Cycle. In 2022, data meshes became obsolete before reaching the plateau — more formally, the "Plateau of Productivity." In 2020, Gartner slapped the label on demand-driven material requirements planning, a supply chain management approach. Ditto for broadband over powerlines in 2010.

"This premature obsolescence typically results from the emergence of a competing technology — for example, analog high-definition TV gave way to digital high-definition TV," Gartner stated in an explanation of its Hype Cycle model.

In the latest case, labeling SOAR as obsolete comes as the components of the product category have become subsumed by other products and services, while automation is increasingly an expected feature, says Eric Ahlm, senior director analyst at Gartner. Security operations centers (SOCs) required orchestration as a standalone feature to integrate disparate products into a single hub for operations, the analyst explains, and as corporate customers sought out simplified operations, vendors further integrated their services to consolidate SOAR with other products and services.

A parade of mergers and acquisitions highlights the trend. Palo Alto Networks bought Demisto in 2019 and acquired QRadar from IBM earlier this year. Rapid7 bought SOAR firm Komand back in 2017, and SumoLogic acquired DFLabs in 2021.

"There's a lot of different ways to add automation — an efficiency boost or increase scale through automation — without going out and buying a standalone, dedicated SOAR platform," Ahlm says. "That's really what we're calling out — not the end of automation or that it's a dead-end concept — but the field of vendors who sell nothing but dedicated platforms for automation, I don't think ... have a very lively future."

Wanted: A Simplified Security Hub

Most companies want a single hub for all of their security information, from which they can manage incidents, conduct investigations, and respond to threats. SOAR was originally envisioned to be that central hub, but strong integration between products, better automation, and a focus on visibility means that other products can now fill that role.

In other words, the central hub does not have to be SOAR. Increasingly, the choice of security operations platform depends on where a business starts out and what core platform it believes delivers most value, Ahlm says. Both extended detection and response (XDR) and security event and information management (SIEM) platforms, for example, are increasingly a security focal point for companies.

The features of SOAR — the integration, visibility, and automated response — have migrated to a variety of security products, says Chas Clawson, field CTO at Sumo Logic, a provider of automated security operations platforms.

"It shows the maturity of the security operations world, when something as critical as automation becomes kind of table stakes, and every solution has to have some flavor of automation," he says. "It's probably long overdue [because of the] pain ... from the defender side — analyst burnout and swivel-chair syndrome ... [from which] we really need some reprieve."

Sumo Logic has its own SOAR product — Cloud SOAR — which focuses on integrating data streams from different IT devices, security products, and cloud services, along with automation for security operations.

Still a Strong Case for Better SOAR

Yet another company behind SOAR is cybersecurity firm Palo Alto Networks, which has doubled down on security automation. The company's security operations center ingests 36 billion events per day — a volume of more than 75 terabytes — with only 10 human analysts. In its use case, the company says its Cortex XSOAR automates the work of 16 analysts and, for its customers, has reduced time spent on manual actions by up to 90%.

"By standardizing and automating time-consuming, manual tasks, SOAR solutions dramatically reduce time spent on incident response," says Gonen Fink, senior vice president of Palo Alto Networks' Cortex and Prisma Cloud products. "While many stand-alone security products will continue to integrate some level of automation, SOAR solutions provide more robust capabilities, orchestrating and automating various actions across an organization's technology stack."

Swimlane has also focused on automating security tasks and incident response, typically for larger companies such as the Fortune 2000. Founded in 2014 — three years before Gartner reportedly created the modern term SOAR — the company's approach is to gather data from all of the IT devices and intelligence from security products and then automate the response to any identified incidents, says Swimlane's Brear.

"The genesis [of the company was], 'How can we make the SOC better?'" he says. "If you go back in time, there were a bazillion different tools that the SOC guys were looking at — it's complicated to try to get visibility."

For those reasons, a standalone SOAR platform is a necessary and reasonable approach to security for many companies — and far from obsolete — but customers will continue to need better integrations with common technologies, such as Microsoft and managed detection and response (MDR) platforms, according to analyst firm Omdia.

"Users of security technologies want to have solutions that are easy to use, require minimum training, and can integrate easily," says Elvia Finalle, senior analyst at Omdia. "SOAR vendors will have to continue to adapt to platforms and expand their compatibility with other vendors and solutions."

AI + Automation = Security Evolution

While the core use case for SOAR remains strong, the combination of artificial intelligence, automation, and the current plethora of cybersecurity products will result in a platform that could take market share from SOAR systems, such as an AI-enabled next-generation SIEM, says Eric Parizo, managing principal analyst at Omdia.

"SOC decision-makers are [not] going out looking to purchase orchestration and automation as much as they're looking to solve the problem of fostering a faster, more efficient TDIR [threat detection, investigation, and response] life cycle with better, more consistent outcomes," he says. "The orchestration and automation capabilities within standalone SOAR solutions are intended to facilitate those business objectives."

AI and machine learning will continue to increasingly augment automation, says Sumo Logic's Clawson. While creating AI security agents that process data and automatically respond to threats is still in its infancy, the industry is clearly moving in that direction, especially as more infrastructure uses an "as-code" approach, such as infrastructure-as-code, he says.

The result could be an approach that reduces the need for SOAR.

"When you have this Copilot technology — you've heard the term 'agentification,' [where] you've got this agent at your disposal that can do anything that you want — it dilutes the value of SOAR," Clawson says. "Because AI can be an expert coder and developer, and it has access to every API and all the documentation, you can almost just start to interact with systems in a more humanlike way."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!