Can SOAR technology help SOCs regain the advantage in threat detection?

For much of 2021, security teams in the U.S. struggled to keep up with the volume, pace and sophistication of threats targeting businesses, critical infrastructure providers and government agencies.

A preexisting shortage of qualified workers and the pandemic-led shift to remote operations, combined with a historic rise in ransomware and supply chain attacks, created the need for security teams to better prioritize urgent threats through automation.

Security vendors began to address their inefficiencies through internal growth or by acquiring providers of a relatively new technology, security orchestration, automation and response (SOAR).

Earlier this week, Google acquired cybersecurity firm Siemplify, one of the few remaining independent providers of SOAR.

Independent SOAR providers include Swimlane, D3 Security, Torq, SIRT, and Tines, all companies that do not sell an adjacent product like a threat intelligence platform or security information and event management (SIEM), according to Forrester analyst Allie Mellen.

Demand for the technology has grown significantly as the need for sophisticated threat detection at scale has outpaced the ability of human-led teams to secure environments that are heavily dependent on automation to perform basic functions.

The security orchestration market is expected to register a compound annual growth rate of more than 17%, according to Mordor Intelligence. Siemplify, after launching in Israel in 2015, reported revenue growth of 645% between 2017 and 2020 and raised $58 million in funding over multiple investment rounds.

SOAR technology provides organizations two key advantages in combating cyberthreats, according to Pete Shoard, research VP at Gartner:

SOAR assists quick identification of security events that teams can potentially remediate.
SOAR offers efficiency gains for the security part of an organization, so teams may be able to do more with less staff, or better prioritize issues that require more human-led interaction, which typically involve complicated threat activity.

"Automation in security does not simply mean the removal of the human from the loop," Shoard said. "The most successful elements of automation have been around for many years — augmenting security staff and simply making them more effective at their jobs."

SOAR helps address a growing problem in the information security space: the risk of missing a legitimate security threat due to a high rate of false positives that lead to alert fatigue.

As applications, endpoints and networks, alongside the application sprawl to the cloud, generate more data, "we should not be surprised that billions being spent on cybersecurity are still not enough to prevent breaches, leaks and attacks," Cody Cornell, co-founder and chief strategy officer at Swimlane, a Denver-based security orchestration and SOAR platform.

Technology differentiation

As the demand for security automation has grown, a number of SIEM providers have explored the integration of SOAR into their platforms. Rival firms like IBM, FireEye, Splunk and Palo Alto Networks have integrated SOAR into their respective platforms through acquisitions in recent years.

SOAR is traditionally deployed as an addition to SIEM technology in larger organizations that have 24/7 security staff and have to deal with large numbers of security incidents, according to Jan Quach, global director of customer success engineering at LogPoint, a Copenhagen-based security firm that offers SIEM, SOAR and user behavior analytics (UEBA) technology.

The ability to detect and quickly respond to threats was one of the most important issues that emerged during 2021, as enterprises often operate with minimal staffing during extended weekends or holiday breaks.

Some of the largest ransomware attacks against critical infrastructure or IT organizations took place over holiday weekends last year, including the Kaseya attack during the Independence Day weekend in July and the JBS USA attack that took place around the Memorial Day holiday.

Google's security evolution

By adding SOAR technology to Google Cloud, the company hopes to provide a unified security platform to customers in a way that enables more intelligent and faster responses to security threats and helps support overworked and understaffed security teams.

Chronicle launched as a standalone enterprise security firm in January 2018 after operating under the Alphabet "moonshot factory" known as X. In 2019, Google Cloud integrated Chronicle, but the company was slow to incorporate SOAR technology into its platform, falling behind rival security firms, Mellen said.

Chronicle was designed to provide a comprehensive security tool for the enterprise that enabled teams to use data analytics to more efficiently track a multitude of threat alerts and prioritize security staff to focus on legitimate threats.

"The Siemplify platform is an intuitive workbench that enables security teams to both manage risk better and reduce the cost of addressing threats," Sunil Potti, VP/GM Google Cloud Security said in a blogpost released Tuesday.