Here’s why companies are spending hundreds of millions on cybersecurity startups built on SOAR, a tech trend that automates the tricky business of guarding against threats
- SOAR is an acronym for “Security Orchestration, Automation, and Response.”
- SOAR technologies enable companies to respond more quickly to cybersecurity threats, and reduce the need for repetitive human processes.
- Venture capitalists have poured tens of millions of dollars into multiple startups all aiming to profit from the need for security orchestration and automation.
- Among the exits in the SOAR space is the $560 million acquisition of Demisto by Palo Alto Networks.
- In the not-so-distant future, the same SOAR approach that helps automate cybersecurity could also expand into other fields like managing cloud computing environments, too.
While detecting potential risks is one thing, among the biggest challenges that face any organization is the ability to respond quickly to cybersecurity threats. That’s the domain where an emerging category of technology known by the acronym SOAR fits in.
Security Orchestration, Automation and Response (SOAR) defines a category of technology and vendor solutions that brings together multiple security functions in an automated workflow to accelerate response. Multiple vendors sell SOAR solutions as a way to help organizations reduce risk and improve security operations.
SOAR technologies integrate inputs from different security products a company already has, such as Security Information and Event Management (SIEM) log data, perimeter defenses, and endpoint defenses. The SOAR system analyzes these inputs with an automated approach that can prioritize high-impact items and then decide on remediation and response.
For businesses there are multiple benefits, which have attracted users, vendors, and plenty of investors to the space. Part of the challenge for companies is dealing with the volume of different alerts from various protection technologies, as well as executing the multiple steps needed to coordinate different cybersecurity tools.
“SOAR’s biggest benefit is reducing repetitive tasks,” William Lin, partner at ForgePoint Capital (FPC) told Business Insider. “Asking security engineers to continuously do the same task is draining and doesn’t scale with the increasing amount of data and events being generated.”
The need for SOAR has led to a number of acquisitions, as larger players acquire startups to supplement their product portfolios. Among the big SOAR acquisitions in recent years: Splunk acquired Phantom Cyber in 2018 for $350 million, while Palo Alto Networks acquired Demisto in February for $560 million.
Running the playbook
One of the ways that SOAR technologies help to automate tasks is by using an approach known as a playbook. Much like how a playbook in sports defines the actions that different players on the field should take in different scenarios, a SOAR playbook defines a set of actions that are followed if a certain event occurs, such as a violation of policy or a specific threat detection.
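To make the playbook idea concrete, and to show the alert-prioritization step the article mentions earlier (inputs from several products are de-duplicated, ranked by impact, and routed to a response), here is a small playbook engine. It is an added example written for this page, not code from any SOAR vendor: the alert records are constructed for illustration, and the response actions (isolate host, disable user, open ticket, notify analyst) are stubs that only record what a real integration would do.

```python
"""Minimal SOAR-style playbook engine (added example, not vendor code).

Assumed alert shape (constructed for this example): dicts with the fields
'source', 'type', 'severity', 'host' and 'user', as a SIEM, EDR or
identity provider might emit them.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Response actions: in a real deployment each would call an EDR, ticketing or
# IAM API. Here they append a record of the intended action to an audit log.
def isolate_host(alert: dict, log: List[str]) -> None:
    log.append(f"isolate_host:{alert['host']}")

def disable_user(alert: dict, log: List[str]) -> None:
    log.append(f"disable_user:{alert['user']}")

def open_ticket(alert: dict, log: List[str]) -> None:
    log.append(f"open_ticket:{alert['type']}@{alert['host']}")

def notify_analyst(alert: dict, log: List[str]) -> None:
    log.append(f"notify_analyst:{alert['type']}")


@dataclass
class Playbook:
    """A trigger condition plus the ordered actions to run when it matches."""
    name: str
    trigger: Callable[[dict], bool]
    actions: List[Callable[[dict, List[str]], None]]


# Playbooks are evaluated in order; the first match wins, so the most
# specific containment playbooks come first and a catch-all triage last.
PLAYBOOKS: List[Playbook] = [
    Playbook("ransomware-containment",
             lambda a: a["type"] == "ransomware" and SEVERITY_RANK[a["severity"]] >= 3,
             [isolate_host, open_ticket, notify_analyst]),
    Playbook("credential-compromise",
             lambda a: a["type"] == "impossible_travel",
             [disable_user, open_ticket]),
    Playbook("triage-only",
             lambda a: True,
             [notify_analyst]),
]


def dedupe(alerts: List[dict]) -> List[dict]:
    """Merge alerts that describe the same (type, host), keeping the highest severity.

    Several products often report one underlying event; collapsing them cuts
    the alert volume analysts (or playbooks) have to handle.
    """
    merged: Dict[tuple, dict] = {}
    for a in alerts:
        key = (a["type"], a["host"])
        if key not in merged or SEVERITY_RANK[a["severity"]] > SEVERITY_RANK[merged[key]["severity"]]:
            merged[key] = a
    return list(merged.values())


def prioritize(alerts: List[dict]) -> List[dict]:
    """Order alerts by severity, highest first (stable for ties)."""
    return sorted(alerts, key=lambda a: SEVERITY_RANK.get(a["severity"], 0), reverse=True)


def run_playbooks(alerts: List[dict]) -> List[str]:
    """De-duplicate, prioritize, route each alert to the first matching playbook
    and return the ordered log of actions that would have been taken."""
    log: List[str] = []
    for alert in prioritize(dedupe(alerts)):
        for pb in PLAYBOOKS:
            if pb.trigger(alert):
                log.append(f"playbook:{pb.name}")
                for action in pb.actions:
                    action(alert, log)
                break
    return log


# Constructed sample input: the SIEM and the EDR both report the same
# ransomware event on fs-01 at different severities.
SAMPLE_ALERTS = [
    {"source": "siem", "type": "port_scan", "severity": "low", "host": "ws-17", "user": "svc"},
    {"source": "siem", "type": "ransomware", "severity": "high", "host": "fs-01", "user": "jdoe"},
    {"source": "edr", "type": "ransomware", "severity": "critical", "host": "fs-01", "user": "jdoe"},
    {"source": "idp", "type": "impossible_travel", "severity": "high", "host": "n/a", "user": "asmith"},
]

if __name__ == "__main__":
    for line in run_playbooks(SAMPLE_ALERTS):
        print(line)
```

Running it prints the containment playbook for the (merged, critical) ransomware alert first, then the credential playbook, and finally the low-severity port scan handed to an analyst. A production engine would add what this stub omits: idempotent actions, a human-approval gate before destructive steps such as host isolation, and an audit trail that survives the process.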
Incident response — literally the field of responding to a cyberattack — is a foundational component of SOAR, and a place where playbooks are a primary element.
Ted Julian, VP of Product Management and Co-Founder at IBM Resilient, told Business Insider that incident response is one of the most mature and widespread use cases for SOAR, but it’s only one piece of the broader puzzle. IBM acquired Resilient Systems back in April 2016 in a bid to add incident response to its security portfolio. Over the years, IBM Resilient has been building out its SOAR capabilities, looking beyond just incident response.
“While SOAR platforms are great for orchestrating a fast response for incidents that require a response, there are broader functions within security operations that can also be orchestrated – including general security hygiene and activities such as vulnerability management and remediation,” Julian said. “Any activity within the security function that has specific processes and workflows can be orchestrated via SOAR platforms, which are all about connecting and streamlining security activities across people, process, and technology.”
Automation is key, but not the whole story
Cody Cornell, CEO of venture-backed SOAR startup Swimlane, sees automation as a driving force behind SOAR, though that’s not the only thing that most organizations need.
“Every vendor wants to be a part of the automation trend because it will be the biggest change to how we do security in over a decade,” Cornell told Business Insider.
In Cornell’s view, what is often overlooked is that organizations need automation that is not siloed to a handful of products or use cases scoped to solve one isolated threat vector or another. Rather, in his view, organizations need a system that enables them to apply automation not only across all facets of the security solutions, but at all the levels that interact with security, including IT, HR, legal, and other business technologies.
“SOAR as a named category by the analyst community including Gartner and Forrester was needed to describe an automation solution that organizations could use for security operations, addressing their daily pain points when trying to keep their organizations secure from relentless bad actors,” Cornell said. “Now th