Darkmore Toggle Button

Why the ‘SOAR is dead’ idiom needs more thought

Editorial team

9 July 2024

In the world of security automation, you don’t need to look very far to find bold pronouncements that SOAR (security orchestration, automation and response) and SIEM (security information and event management) are dead in the water as concepts.

This talk needs to be treated with suspicion. It’s coming from vendors with products to entice security teams nursing SOAR and SIEM fatigue. The two concepts have been a talking point for years but, of course, cybersecurity has changed massively in that time.

Cutting through the marketing hype, however, there remains an unchanged need for the functions that SOAR and SIEM fulfil. A more helpful debate considers the merits and drawbacks of the new generation of solutions carrying out these functions.

Meeting lived requirements and needs

There are multiple solutions for security teams to roll out automation today which serve the traditional ‘SOAR’ role. There’s no question that expectations for such solutions are shifting towards data-driven automation that adapts to organisations by pulling in live data that reflects the real, on-the-ground state of play.

The A-Ops platform has unique functionalities that make it optimal for carrying out data-driven automation. It can integrate directly with an organisation’s asset inventory to add context and meaning to a security event in an automated manner. For example, if a phishing email lands an inbox – A-Ops can identify the person that’s being spoofed, typically a senior executive, and make the security team aware.

New ways of doing data integration

We’ve previously written about how the success of data-driven automation hinges on choosing the right data lake. Among standalone products that carry out automated data analysis – A-Ops boasts the functionalities to run such analysis integrating with OpenSearch, AWS’ open-source family of data search and analytics software, in the same platform that security teams are building automated workflows. This isn’t a simple case of replacing a ‘dead’ SIEM. It’s rendering it far cheaper to carry out and crushing old siloes.

Ensuring what’s new is also better

A focus on the demise of SOAR and SIEM also shouldn’t overlook questions of the usability of what comes next. Data-driven automation can’t just be reserved for technical users with heavy coding experience. The barriers to entry should be lowered as much as possible. That’s really important to us in the development of A-Ops. Our recently launched Template AI platform integration speeds up and simplifies the building of automation workflows, and the platform is deliberately designed to be intuitive and accessible for a broader set of teams beyond traditional security and IT. Our Managed-Automation-as-a-Service offering is also there for those organisations looking to benefit from data-driven automation but lacking the in-house resources and expertise to act on this.

Musings about SOAR and/or SIEM being dead have more substance when focusing on what comes next and how it can deliver more for organisations. Data-driven automation holds huge potential and A-Ops is the practical platform solution to realise this.