Sunday, February 9, 2025

Standalone SOAR is Alive and Kicking


A number of publications and analyst firms have predicted a doomsday scenario for the standalone SOAR following various acquisitions in the space, primarily by SIEM vendors. Google acquired Siemplify, Devo acquired LogicHub, Fortinet acquired CyberSponse, Palo Alto Networks acquired Demisto, Splunk acquired Phantom, Sumo Logic acquired DFLabs, and Micro Focus acquired Atar Labs, which, in turn, was acquired by OpenText.

But this high-level view has very low resolution. It assumes that all possible SOARs are already in circulation, that each acquisition shrinks the pool of standalone vendors, and that an acquisition implies the SOAR will be natively integrated within a SIEM or XDR. As part of my research on SOAR, I've seen several developments over the past three years that indicate that not only is there a place for the standalone SOAR, but the solutions are evolving to support new use cases.

Here are some key reasons why standalone SOAR solutions will not be absorbed into SIEM or XDR in the near future:

  1. More standalone vendors enter the market.
  2. Large players still choose to offer standalone products.
  3. The inherent benefits of standalone and vendor-agnostic solutions.
  4. Non-security event ingestion.
  5. Non-security automation.

More Standalone SOARs Enter the Market

Compared to the second iteration of the GigaOm SOAR Radar, the third iteration features three more standalone SOAR players, namely Cyware, Tines, and Torq. Torq is the newest player, having been established in 2020, and has built a strong portfolio of customers. Tines has also been gaining traction in the market. I've repeatedly and adventitiously seen Tines added to integration portfolios across various network and security vendors over the past few years.

Large Players Still Offer Standalone SOARs

While several security vendors have chosen to integrate SOAR into their SIEM (such as OpenText, Huntsman, Sumo Logic, and Devo), others have kept SOAR as a standalone and vendor-agnostic product. Most notably, heavyweights such as Fortinet, IBM, Splunk, and Palo Alto Networks.

Why would they do that? The most obvious reason is to expand their total addressable market. If an integrated SIEM plus SOAR solution (see our GigaOm Radar on ASOM) is only suitable for customers that either want to migrate from the incumbent SIEM or don't have a SIEM at all, a standalone SOAR can also target customers with a third-party SIEM that don't want to migrate.

But there's more to standalone SOARs than just a larger target market, which we explore in the section below.

The Inherent Benefits of Standalone and Vendor-Agnostic Solutions

A SIEM with native SOAR capabilities can become unwieldy and difficult to manage, with a slower cadence on new features. A very large portion of your SOC becomes dependent on this one solution, and despite all the automation and ML-powered insights, the platform will likely accumulate a lot of technical debt.

Here, SOAR platforms have two advantages, standalone and vendor agnostic, which are two sides of the same coin. Vendor agnosticism means that a SOAR solution can work with any third-party SIEM, significantly reducing the dependency on a single platform and making migration considerably easier, whether it's switching out the SOAR or the SIEM part of a solution.

The standalone quality means that the SOAR solution can fulfill its purpose in the absence of a SIEM. This aspect enables SOAR to branch into two more use cases unavailable to integrated SIEM and SOAR solutions: directly ingesting non-security events, and automating non-security tasks.

Non-Security Event Ingestion

Recent developments indicate that the remaining standalone SOAR vendors are finding a way of side-stepping SIEM, with the option of becoming the main tool for SOC analysts. Rather than relying on SIEM to ingest logs and generate alarms, some SOAR vendors are now ingesting events directly from the tools that generate them. In this context, non-security events are those not generated by a security tool such as SIEM, XDR, firewall, or antivirus.

While this scenario sounds very similar to SIEM's log collection functionality, SOAR solutions don't capture everything, only events such as API calls, HTTP requests, or login attempts. This approach means that events are fewer and richer compared to logs, which implies two things:

  • SOAR will not face the same challenge of collecting, digesting, storing, and analyzing billions and trillions of logs as SIEM does.
  • SOAR will not provide the same level of deep visibility that SIEM does.

This ability to ingest events directly, with no dependency on SIEM, doesn't mean breaking away from SIEM altogether; the two solutions can continue working together, especially when their features are complementary. However, it may be the case that SOAR solutions offer a lighter and more agile way for security analysts to handle incident response in simpler IT environments, such as start-ups and other cloud-native and cloud-only organizations.

Non-Security Automation

Take SOAR and drop the S to get Orchestration, Automation, and Response. How is this different from other IT workflow automation tools? SOAR has been bred in a high-stakes environment and benefits from strong audit, compliance, governance, and, most importantly, trust. Not to mention, an all-purpose SOAR can still carry out its core security functions in addition to the extra IT automation.

As a multi-purpose tool, (S)OAR can become its own category that blends IT automation and security response. Adding non-security functions into a SIEM would make little to no sense, meaning that only a standalone SOAR can play in this market. Yes, I can automate responses to the alerts generated by SIEM, but the same tool can also be used for automated patch management, ensuring compliance, asset management, and onboarding new employees.

A vendor such as ServiceNow has a distinct advantage considering its ITSM background and comprehensive SOAR capabilities.
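The two use cases above, direct event ingestion and non-security automation, rest on the same mechanism: events arrive already structured from the tool that produced them, a playbook is selected by event type, and every action is written to an audit trail. The Python below is an added illustration written for this page, not code from any vendor named here. The event shapes, the playbook names, the three-failure escalation threshold, the sshd log line, and the IP addresses are all constructed; a real engine would replace the returned action strings with calls to the relevant connectors.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Event:
    """A structured event as a tool would deliver it over a webhook or API."""
    source: str            # emitting tool, e.g. "idp" or "hr-system"
    kind: str              # event type used for playbook routing
    attrs: Dict[str, str]  # already-parsed fields, no text parsing needed


# Constructed example of the *log* shape a SIEM would normally have to parse.
SSHD_FAILED = re.compile(r"Failed password for (?P<user>\S+) from (?P<src_ip>\S+)")


def event_from_raw_log(line: str) -> Optional[Event]:
    """Fallback path: turn a raw sshd log line into the same Event shape.
    Only the fields a playbook needs are kept; everything else is dropped,
    which is the 'fewer and richer' trade-off described above."""
    m = SSHD_FAILED.search(line)
    if not m:
        return None
    return Event(source="sshd", kind="login_failed", attrs=m.groupdict())


Playbook = Callable[["Orchestrator", Event], List[str]]


@dataclass
class Orchestrator:
    playbooks: Dict[str, Playbook] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)  # governance / audit trail
    failures: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    escalation_threshold: int = 3  # constructed value

    def register(self, kind: str, playbook: Playbook) -> None:
        self.playbooks[kind] = playbook

    def ingest(self, event: Event) -> List[str]:
        """Route one event to its playbook and record every resulting action."""
        playbook = self.playbooks.get(event.kind)
        if playbook is None:
            self.audit.append(f"unhandled {event.source}:{event.kind}")
            return []
        actions = playbook(self, event)
        self.audit.extend(f"{event.source}:{event.kind} -> {a}" for a in actions)
        return actions


def failed_login_playbook(orch: Orchestrator, ev: Event) -> List[str]:
    """Security playbook: escalate once a user/source pair crosses the threshold."""
    key = f"{ev.attrs['user']}@{ev.attrs['src_ip']}"
    orch.failures[key] += 1
    if orch.failures[key] < orch.escalation_threshold:
        return []
    return [f"notify_analyst({key})", f"require_mfa_step_up({ev.attrs['user']})"]


def onboarding_playbook(orch: Orchestrator, ev: Event) -> List[str]:
    """Non-security playbook: same engine, IT provisioning instead of response."""
    user = ev.attrs["user"]
    steps = [f"create_account({user})",
             f"add_to_group({user}, {ev.attrs['team']})",
             f"enroll_mfa({user})"]
    if ev.attrs.get("remote") == "true":
        steps.append(f"ship_laptop({user})")
    return steps


def build_orchestrator() -> Orchestrator:
    orch = Orchestrator()
    orch.register("login_failed", failed_login_playbook)
    orch.register("employee_hired", onboarding_playbook)
    return orch


def demo() -> Orchestrator:
    orch = build_orchestrator()
    # Direct ingestion: the identity provider sends structured events, no parsing.
    for _ in range(3):
        orch.ingest(Event("idp", "login_failed", {"user": "alice", "src_ip": "203.0.113.7"}))
    # The HR system sends a non-security event handled by the same engine.
    orch.ingest(Event("hr-system", "employee_hired",
                      {"user": "bob", "team": "finance", "remote": "true"}))
    # Fallback: a constructed raw sshd line goes through the parser first.
    ev = event_from_raw_log(
        "Jan 9 10:02:11 host sshd[412]: Failed password for carol from 198.51.100.9 port 5100 ssh2")
    if ev is not None:
        orch.ingest(ev)
    return orch


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

The point of the two playbooks sharing one `Orchestrator` is the one the section makes: the routing, threshold logic and audit trail are identical whether the event is a failed login or a new hire, which is what lets a standalone (S)OAR serve both markets without a SIEM in the path.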

Exit Options for Standalone SOAR Vendors

From a less technical standpoint, one likely reason we've seen so many acquisitions is that an acquisition is the most likely exit for SOARs. Most of these start-ups were acquired within 5 to 10 years of inception. Are we likely to see an IPO from a SOAR-only vendor? The most likely candidates are D3, Swimlane, and ThreatConnect, well-established players with long tenure.

Perhaps the answer lies in the last two points I made above, non-security event ingestion and non-security automation. Only a handful of point-solution SOAR vendors are expanding their capabilities to open up new use cases for their products, which means there are revenue streams that can't be tapped by adjacent solutions such as SIEMs or IT workflow automation tools.

Whether we see a SOAR IPO or not, the near-future prognosis for the SOAR market is strong, and no amount of acquisitions will spell the end of the standalone SOAR, as its inherent standalone and vendor-agnostic capabilities can't be replaced.
