SOAR platforms are rising in prominence in the IT security market, and channel partners are taking note.
That's because security orchestration, automation and response (SOAR) technology merges threat and vulnerability management, security incident response, and security operations automation into a single offering. Like security information and event management (SIEM) stacks, SOAR platforms aggregate security threat data, but SOAR goes further by integrating a wider range of internal and external applications.
SOAR tools began appearing around 2010, according to Gartner, which coined the acronym. Gartner estimated that SOAR adoption will grow from 1% in 2018 to 15% by 2020.
"MSSPs [managed security service providers] absolutely want to play here, because, in the past, they'd monitor systems and they'd say, 'I see a problem,' and that wasn't the end of the line. It was up to [the customer] to go fix it [themselves]," observed Jon Oltsik, senior principal analyst at Enterprise Strategy Group in Milford, Mass.
It is more advantageous for an MSSP that observes anomalous traffic on a customer's network to fix the problem, because that customer may not know what to do next or may take several hours to resolve the issue, Oltsik said.
"So, it's taking it from problem to problem resolution, and that's a tremendous value to me as a customer. And chances are, I'll pay a lot of money for that fix," he said.
Why SOAR now?
The biggest factors driving the SOAR market are the cybersecurity skills shortage and the fact that, traditionally, manually intensive processes can't scale as workloads increase, according to Oltsik.
"We've done a better job in detecting problems, but how do we respond in a timely fashion? Process automation ... and better workflows and much more integration in IT operations" are contributing to interest in SOAR platforms, he said.
Madrid-based security provider A3Sec, which serves enterprises in Spain and Latin America, deployed DFLabs' IncMan SOAR platform about three months ago. A3Sec adopted IncMan to optimize its security operations center (SOC), said Javier Diaz, vice president of Americas at A3Sec.
The firm wanted to have more opportunities with clients in addition to the incident response teams and services A3Sec provides, Diaz said. Besides using IncMan in its SOC, A3Sec is also using the SOAR platform to provide managed security services, he said.
A3Sec uses a lot of open source tools and has done some custom API work to develop a connector between the SOAR platform and FortiWeb, a web application firewall from Fortinet, which A3Sec currently uses for clients, Diaz said.
"SOAR from DFLabs did not have the integration, and we developed [it] with scripts we have," he explained. Right now, A3Sec is working on developing a standard integration in its SOAR offering and plans to open up the script to other DFLabs customers, Diaz said.
Like any new technology that is implemented, the introduction of a SOAR platform can create new risks for clients, Diaz said. SOCs need to be aware of this.
"When you include these new elements, you need to do due diligence in terms of risk management and cybersecurity treatment to see if this new element ... can create a new vulnerability," he said.
That said, Diaz noted that SOAR platforms are providing features that single tools don't have. "Right now, we understand orchestration and automation [are] really important for the security operation," he said.
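The connector A3Sec describes above (scripts gluing the SOAR platform to a WAF through its API) and the due-diligence point Diaz makes right after it come together in the following added Python example. It is not A3Sec's, DFLabs' or Fortinet's code: the alert field names, the `FakeWafApi` stand-in for the WAF's REST endpoint, the `block_source` call and the protected `192.0.2.0/24` monitoring range are assumptions made for the example, and the alerts are constructed. What it shows is the shape of a "block the attacking source at the WAF" playbook together with the guardrails that stop the automation itself from becoming the new vulnerability Diaz warns about: the indicator is validated before anything acts on it, internal and protected ranges can never be blocked no matter what the alert says, blocks are deduplicated and time-limited, and a dry-run mode lets the SOC rehearse the playbook before it is wired to a production control.

```python
"""Minimal SOAR-style playbook: SIEM/IDS alert -> decision -> WAF block, with guardrails.

Added example, not vendor code. The WAF client is a stand-in that records what a
real connector would POST; swap it for the real API client once the playbook has
been exercised in dry-run mode.
"""
import ipaddress
import json
from dataclasses import dataclass, field

# Constructed sample alerts, shaped like normalized SIEM events (field names are assumptions).
# Source addresses come from the RFC 5737 documentation ranges so nothing real is named.
SAMPLE_ALERTS = [
    {"id": "evt-1001", "rule": "sqli-attempt", "severity": "high", "src_ip": "203.0.113.45"},
    {"id": "evt-1002", "rule": "sqli-attempt", "severity": "high", "src_ip": "203.0.113.45"},  # same IOC again
    {"id": "evt-1003", "rule": "scanner", "severity": "low", "src_ip": "198.51.100.7"},
    {"id": "evt-1004", "rule": "sqli-attempt", "severity": "high", "src_ip": "10.20.30.40"},  # internal host
    {"id": "evt-1005", "rule": "sqli-attempt", "severity": "high", "src_ip": "not-an-ip"},  # malformed field
]

# Ranges the playbook must never block automatically: RFC 1918 space plus, as an assumed
# example, the range the organisation's health-check probes come from.
PROTECTED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24")
]

BLOCK_TTL_SECONDS = 3600  # temporary block: a wrong decision expires instead of lingering


@dataclass
class FakeWafApi:
    """Stand-in for the WAF's REST API; records the block requests a real client would send."""
    blocked: dict = field(default_factory=dict)

    def block_source(self, ip: str, ttl: int, reason: str) -> dict:
        self.blocked[ip] = {"ttl": ttl, "reason": reason}
        return {"status": "ok", "ip": ip}


def validate_ioc(raw: str):
    """Return an ip_address object for a blockable source, or None.

    Rejects garbage, loopback/link-local/multicast/reserved addresses and anything in
    PROTECTED_NETWORKS. An attacker who can influence the src_ip field (for example via a
    spoofed X-Forwarded-For header) must not be able to make the playbook block our own
    infrastructure or a partner's monitoring probes.
    """
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified or ip.is_reserved:
        return None
    if any(ip in net for net in PROTECTED_NETWORKS):
        return None
    return ip


def run_playbook(alerts, waf, dry_run=False):
    """Orchestration step: one audit record per alert, and at most one WAF call per source IP."""
    actions = []
    seen = set()  # in-run idempotency; a real connector would also query the WAF's current list
    for alert in alerts:
        record = {"alert": alert["id"], "ip": alert.get("src_ip")}
        if alert.get("severity") != "high":
            record["action"] = "skipped-severity"  # low-severity noise is triaged, not auto-blocked
        else:
            ip = validate_ioc(str(alert.get("src_ip", "")))
            if ip is None:
                record["action"] = "skipped-untrusted-ioc"
            elif str(ip) in seen:
                record["action"] = "skipped-duplicate"
            else:
                seen.add(str(ip))
                if dry_run:
                    record["action"] = "dry-run"
                else:
                    reason = f"playbook:waf-block alert={alert['id']} rule={alert['rule']}"
                    resp = waf.block_source(str(ip), BLOCK_TTL_SECONDS, reason)
                    record["action"] = "blocked" if resp.get("status") == "ok" else "failed"
        actions.append(record)
    return actions


if __name__ == "__main__":
    waf = FakeWafApi()
    for rec in run_playbook(SAMPLE_ALERTS, waf):
        print(json.dumps(rec))
    print("WAF block list:", json.dumps(waf.blocked, indent=2))
```

Run against the five constructed alerts, only `203.0.113.45` reaches the WAF: its repeat is deduplicated, the low-severity scan is left for triage, and the internal address and the malformed field are refused before any API call. The audit records are what the SOC would push back into its case management system so the automated action is as reviewable as a manual one.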
Process automation and orchestration -- the ability to tie together different tools on a network to mitigate a problem -- are the two ways people use SOAR tools today, Oltsik said.
"The other thing they do is use [SOAR] as a point of integration. So, if there are lots of different tools sending out alerts and things I want to view from a common interface, that may be where SOAR fits in," he said.
But SOAR platforms shouldn't be viewed as a panacea for solving all security issues, Oltsik cautioned. The technology is used as an "overlay label" for all kinds of operational activities, he said. "And the truth is, some SOAR tools are made for automation, and some are made for process management" in areas like ticketing, tracking and help desk systems.
How partners can capture more business with SOAR
Some channel partners excel at selling products, but want to work with customers in more consultative roles. They may look at adding on services associated with SOAR. These services could include deployment, configuration, customization, managed services or ongoing support, Oltsik said.
At the end of the day, SOAR tools are more about security operations than technology, he maintained. So, if partners want to build expertise around SOAR, they need to hire people who have built SOCs, can run and manage them, and can work in tandem with IT operations.
"It's really about understanding the operations and using the technology as the means to get to that really efficient SOC," he said.
There are different skill sets required for detection and response, Oltsik added. "SOAR can translate to both, but the question is, do you have that skill set? You may have good analytics skills, which is detection, but not necessarily good response skills, which is more on the operations side."
Oltsik said there needs to be automation and integration in the security market, "and SOAR can help with both." But citing Microsoft co-founder Bill Gates, he said you won't get good results if you try to automate a broken process. "So, if your processes are broken, you have to fix those before you get benefits from SOAR."
So far, the payoff has been good for A3Sec. The market is looking for SOAR as a service right now, because it is an expensive tool to install on premises, Diaz said. "As a service, we can have a great solution and return on investment," he said, noting that A3Sec has closed two deals in the last month and has seen an increase of $100,000 in business this quarter.