The security orchestration, automation, and response (SOAR) market is relatively new. Indeed, research firm Gartner only coined the term a few years ago. Today, this growing market has many vendors offering solutions that IT departments can either customize in-house or buy as services from managed security service providers (MSSPs).
Gartner defines SOAR as “technologies that enable organizations to collect security threats data and alerts from different sources, where incident analysis and triage can be performed leveraging a combination of human and machine power to help define, prioritize and drive standardized incident response activities according to a standard workflow.”
SOAR enables organizations to implement machine-driven incident analysis and response procedure workflows to automate repetitive security tasks until, and if, human intervention is required.
Enterprises are embracing security operations automation and orchestration technologies, noted ESG analyst Jon Oltsik recently. ESG research shows that 19 percent of enterprise organizations have adopted security operations automation and orchestration technologies extensively, 39 percent have done so on a limited basis, and 26 percent are currently engaged in a project to automate/orchestrate security operations.
The big question facing enterprises that want to implement SOAR is whether they should do it themselves or outsource the deployment using a managed service provider. For both alternatives, a key prerequisite is having a mature security program in place before implementing SOAR.
Without robust security tools and adequate human resources, a SOAR solution will not deliver requisite value.
- Provides full control of SOAR and integration with existing security infrastructure. Security Operations Center (SOC) staff can customize APIs, other settings and so on to best meet the needs of the organization and the strengths of its IT staff.
- Maintains privacy of systems and data, and eliminates risks associated with third-party security breaches.
- Avoids service provider lock if vendor fails to meet performance and service level agreements.
- Requires dedicated in-house expertise, which for most organizations will involve training and/or hiring qualified staff. Training can be time-consuming and expensive, and finding qualified security professionals is extremely difficult.
- For smaller companies and those with less mature security programs, the expenses associated with DIY SOAR can exceed those of managed service
Without adequate resources, SOAR responsibilities put a drag on IT efficiency if staff is torn between SOAR and other IT duties. Under these circumstances, the ability of SOAR to properly address security incidents will likely be compromised.
- Eliminates the need for in-house expertise. Outsourcing delivers on-demand services that relieves organizations of hiring and/or training people on SOAR.
- No additional resources are needed for implementation, management, and maintenance. A cloud-based SOAR solution delivers turnkey, automated services.
- No additional IT infrastructure is needed. SOAR simply slots into an existing network, with minimal fuss and human intervention.
- Predictable, recurring cost. Organizations pay an annual, monthly or quarterly fee that does not change, enabling them to budget accordingly, without facing surprise price hikes.
- Security of systems and data is not guaranteed. Giving an MSP access to a network introduces the possibility of third-party breaches.
- Organizations are locked into a year-long or multi-year contract with an MSP. See in-house section above.
- As with any outsourced service, SOAR can contain hidden or unanticipated costs. Any additional projects outside the scope of the service agreement (i.e. unanticipated on-site visits, etc.) can drive up expenses. There is also the risk of MSPs providing junior engineers with on-the-job training that is paid for by customers.
- Not all MSP customers are created equal. Larger companies that represent a greater percentage of a service provider’s revenue are likely to receive greater priority compared to smaller or mid-size customers.
Choosing whether to deploy SOAR in-house or use a managed service provider requires taking several variables into consideration. These include the maturity level of a company’s security program, existing IT security infrastructure, the experience and expertise of security personnel and resources to train and/or hire new staff to support SOAR.
Viewing DIY and outsourced SOAR through this lens will enable an organization to choose the alternative that is best suited to their needs.