Dec 29, 2022
Hugo
David
Today, we'll see why there is an urgent need to unbundle SOAR solutions. SOAR (Security Orchestration, Automation, and Response) platforms are designed to automate and streamline various security operations and response tasks. As such, they often make several promises or claims about their capabilities and benefits, such as improving efficiency and effectiveness and enhancing the security posture by integrating with other security tools to reduce the risk of human error and increase productivity.
However, as they evolved, traditional SOAR solutions became unfit for the job. We're going to see that, because of a misconception at their core, they are designed as bundles, and that those bundles bring more complexity than simplicity. By contrast, no-code Orchestration and Automation platforms take a laser-focused approach toward a clearly defined goal, using no-code to improve understandability, usability, and usefulness.
Traditional SOAR solutions come in bundles
SOAR solutions can be considered bundle software because they are traditionally sold as a platform comprising multiple tools. A SOAR solution, as sold by legacy vendors, is typically composed of several key components:
Integration with other security tools: SOAR solutions typically integrate with various other security tools and systems, such as endpoint protection software, security information and event management (SIEM) systems, and incident response platforms to enable the end user to orchestrate them according to their predefined incident response plans.
Data collection and analysis: Building on this integration capability, SOAR platforms typically allow end users to collect data about potential security threats produced by these tools for analysis. This data is then analyzed using artificial intelligence and machine learning algorithms to identify patterns and trends that may indicate the presence of a security threat.
Threat intelligence: SOAR solutions often include threat intelligence capabilities, which allow them to access and analyze real-time data about known security threats and vulnerabilities. This helps security teams stay updated on the latest threats and make more informed decisions about how to respond to them.
Incident response: When a security threat is detected, a SOAR platform can help automate the response process by providing or allowing the end-user to create a set of predetermined actions or steps to take to mitigate the threat. This may include quarantining infected systems, blocking malicious traffic, or escalating the issue to the appropriate team or individual for further investigation.
Reporting and analytics: SOAR platforms often include reporting and analytics capabilities, which allow security teams to track and analyze security events over time according to predefined KPIs or KRIs. This can help them identify patterns and trends that may indicate areas of weakness in an organization's security posture and make more informed decisions about how to improve it.
Case management: SOAR solutions may include case management capabilities, which allow security teams to track and manage individual security incidents or cases. This may consist of task tracking, collaboration tools, and documentation management, which can help teams stay organized and coordinate their efforts more effectively.
Like other types of bundle software, SOAR solutions sold as such always promise a range of benefits, like improved efficiency and effectiveness of security operations and a more holistic view of an organization's security posture. However, they often pose risks because of their core conception, as we will see now.
That dramatically impacts SOAR solutions' performance
There are several potential risks associated with bundle software:
Lack of integration capabilities: One risk with bundled software is that the included software may not be easily integrated with third-party services. As bundles are built to fit all of a company's needs, they are not designed to be agnostic to the rest of the ecosystem and tend to provide solutions only inside the vendor's environment. This phenomenon is known as vendor lock-in. Moreover, moving out of such a locked environment raises significant challenges, as the software covers many of your business processes.
Limited customization: As said above, bundle software is sold as a "one size fits all" solution, which means that users may not be able to easily customize the included programs to meet their specific needs or preferences. As every company's environment is unique, companies need unique solutions that cannot, due to the nature of bundles, be provided without vendor customization supplied at extra cost.
Limited choice: Following on from the previous point, bundle software may not include all the programs you need, or may include solutions you don't need at all. This can lead you to pay for products you won't use, or leave you unable to meet one specific need.
High total cost of ownership: By providing many more features than a pinpoint solution, bundle software is typically more expensive than purchasing the included products individually, especially if you only need or want a few of the products comprised in the offering.
Lack of innovation: Since bundle software is often sold as a "one size fits all" solution, it may not include the latest and most innovative software programs or features. This can be frustrating for users looking for cutting-edge products and may lead them to look elsewhere for more advanced or specialized tools, at the risk of paying for better but redundant tools or turning to shadow IT. Additionally, having multiple products in a bundle limits the ability of each product to evolve and innovate independently.
Complex to use: The wide range of products included in the bundle can make it complex for end users to navigate between them or to use them together effectively. Mastering such products also becomes more arduous, especially considering that these solutions sometimes come custom-tailored for the company and are thus slightly more complex. This can be especially frustrating for users unfamiliar with the solution who need to ramp up on it.
Building a laser-focused no-code Orchestration and automation platform
Contrary to bundles that look to solve as many problems as possible, at the risk of being average at every one of them, laser-focused tools are designed to perform a specific task or function very well. These tools are pinpoint solutions, more specialized and efficient than bundle software.
Bundled software, on the other hand, is, as we said, a set of solutions developed and sold together in a single environment. Bundle software can include multiple types of programs and may offer a range of features and capabilities. However, it may also be more complex and may not have the most innovative or specialized programs. All in all, applying this model to SOAR platforms led vendors to sell overly complex tools that provide redundant features such as ticketing, case management, or threat intelligence capabilities, that are expensive, and that are, in the end, average at best. This leads us to bring forward more straightforward Orchestration and Automation platforms that focus only on orchestrating tools and automating the communication between them, nothing more.
On top of that, the specificity of no-code platforms, which makes the product more understandable, combines with the core Orchestration and Automation capabilities of the SOAR and tackles the issue that one would raise when trying to use multiple tools at once. People usually say that a company using lots of different tools from different vendors introduces complexity and tends to generate noise. This phenomenon is described as Tool Sprawl. Having more tools also makes it more challenging to use each of them thoroughly.
However, orchestration through a no-code platform enhances the usability of the products you use by providing a single pane of glass that increases the understandability of each and every tool in your tech stack.
Finally, let's compare traditional SOAR solutions and no-code Orchestration and Automation platforms. The former try to provide bundled solutions to cover an extensive field of action. They end up overly complex and costly, besides lacking innovation and integration with third-party services. No-code Orchestration and Automation platforms, despite not providing features like integrated threat intelligence or case management, use no-code to simplify the use of such products as third-party services through their Orchestration capability, and enable their automation thanks to their core automation engine.