This post was previously published on The New Stack
The Drawbacks of a SOAR
We’ve said it before, and we’ll say it again: Security Orchestration, Automation and Response (SOAR) platforms are great tools for helping teams work smarter, faster, and more efficiently against security risks.
But, used on their own, SOARs are far from perfect for meeting the full security needs of the modern organization. Among other limitations, SOARs are too complex, too difficult to integrate with other tools, and too out of touch with modern security cultures to enable the agile, holistic security strategies that businesses require today.
To prove the point, here are seven ways in which SOARs come up short.
One of the biggest problems with SOARs is that they are, in a word, complex.
You can’t exactly fault them for that. Security threats come in so many sizes, shapes and forms that they require complex systems to detect and manage them. (Using a SOAR is necessarily going to be quite a bit harder than using, say, Windows Calculator.)
Still, the fact that SOARs are so complex is a drawback in the sense that it limits who can take advantage of a SOAR. For the most part, only security engineers and analysts have the skills necessary to use SOARs directly. The rest of the organization only benefits indirectly, and its ability to leverage a SOAR is limited by the number of security experts available to work with the SOAR.
SOARs are often touted for their ability to integrate with a wide variety of third-party tools and platforms.
That’s certainly a benefit. However, the problem with most SOAR integrations is that they require technical expertise to implement. You can’t just click a button in your SOAR and say, “integrate with my ticketing system” or “connect to my log aggregator.” Instead, you need your developers or IT engineers to write custom code to enable the integrations.
Here again, this limitation means that a business’s ability to leverage SOARs fully is contingent upon the availability of technical experts who can build the necessary integrations. It also means that non-technical stakeholders have to work through intermediaries to create the security integrations they require with their own systems, a requirement that often leads to confusion and misaligned goals because technical and non-technical folks don’t always speak the same language or share the same priorities.
Inability to Define Security Strategy
SOARs are great at automatically detecting, assessing and helping to mitigate security threats.
But threat detection, assessment and mitigation is only one element of a broader cybersecurity strategy. Defining a total security strategy also requires efforts like determining where the greatest cybersecurity risks to your business lie, optimizing your security posture (which SOARs don’t really do), and ensuring that security is a priority across the organization, not just for security engineers. Without these insights, you don’t know how to prioritize threats, how to assess the impact of breaches, and so on.
Over-reliance on SOARs alone, then, leaves businesses at risk of focusing too much on the operational components of security (like incident detection and response) and not enough on the broader strategy that forms the foundation for effective security operations.
Lack of Support for a Security-Centric Culture
The fact that SOARs cater mostly to security experts also means that they do a poor job of enforcing a security-centric culture across the organization.
This wouldn’t be an issue if only security engineers and analysts needed to be involved in managing threats. But the fact is that the massive scope, complexity and dynamism of modern security risks requires everyone to be a security practitioner – from the HR department to legal teams to humble entry-level office drones.
You can’t do this when you need a master’s degree in cybersecurity to deploy security automation, which is what happens when you rely on a SOAR alone.
Over-Reliance on Software
The core mission of a SOAR is to automate complex tasks so that humans don’t have to suffer the tedium and toil of performing them manually.
The problem, however, is that not every task can be automated. To be sure, the vast majority of risks can be automatically identified and assessed, and sometimes even automatically remediated. But occasionally, you run into truly complex threats — like brand-new risks that exploit vulnerabilities that have yet to be recognized and recorded in a threat intelligence database — and these can only be mitigated through extensive human intervention.
If you rely on SOARs alone, you deprive yourself of the agility necessary to bring human expertise into play when circumstances call for it.
Redirecting Staff Resources to Technology Resources
For similar reasons, SOARs pose the risk that businesses might become too confident in their security software and, as a result, underinvest in human expertise. After all, if you have a great SOAR that catches 99 percent of threats, why keep paying for multiple security analysts?
The answer, of course, is that 99 percent of threats is not 100 percent of threats, and you’ll need humans to handle the risks that your SOAR can’t. But it’s easy to overlook this fact when your SOAR can replace most of your analysts most of the time.
Modern SOARs are very good at detecting and mitigating threats. But they can’t identify or resolve every risk every time.
And yet, it’s easy to fall into the trap of assuming they do. If you rely too heavily on a SOAR, you might hear your engineers say things like “the SOAR says there’s no threat, so we know there’s no threat.”
It’s critical to avoid this mindset by recognizing that SOARs are just one tool and one line of defense. They can’t catch every risk under the sun.
Again, we love SOARs, and we think everyone should have a SOAR at their disposal to help meet the security threats that loom over every organization today.
But we also think it’s a huge mistake to be overly confident in your SOAR, or to fail to implement security tools that help the organization as a whole — not just security and IT experts — to benefit from automated security detection, assessment and response. SOARs do a lot, but they don’t do everything.