Considerations for the future of SOAR solutions
I recently had the opportunity to discuss state-of-the-art technologies to support security operations with industry analysts. I asked questions and confirmed that the current view of SOAR (security orchestration, automation and response) and SIEM (security information and event management) goes well beyond the security operation center (SOC).
SOAR: a broad spectrum connective tissue
The first question I asked was: where is SOAR going? This curiosity is motivated by the numerous acquisitions made in the sector in the last three years, which have generated questions about the future of a consolidating market. Analysts offer two outlooks:
The SOAR market is consolidating with SIEM and other tools within the security operations ecosystem (SecOps).
SOAR is “broad spectrum connective tissue” intended to serve—both in the platform and standalone versions—a wider range of use cases that go far beyond the SOC.
If we look at the data presented by analysts such as Forrester or Gartner, enterprise end users look at SOAR both as a product in its own right and as a component (mainly modular) of a platform composed of SIEM, security analytics, etc. In this article, we set aside the XDR segment (on which there are still doubts about real adoption by customers) and focus on a tangible theme: the last mile managed by the SOAR. In this case, SOAR is still seen as an object with its own SKU, even if SOAR is highly integrated with third parties and, in the case of SOARs resulting from acquisitions, with the entire technology stack.
The investment banking community seems to have a different opinion. It sees an increase (or a recovery) of growth investments in companies that produce a stand-alone SOAR solution which is the entry-level segment of the market and subsequently has a feature set that is difficult to compare with more mature competitors.
In my experience, enterprise clients and MSSPs look at SOAR as an intelligent hub capable of pragmatically solving a series of critical use cases, both simple and complex. The enhancement of SOAR has passed through the SOC. However, the trend is changing rapidly and is moving from support for cyber use cases to broader support for operational case management, from ITOps to DevOps. This leads us to analyze another trend: cloud vs on-premises SOAR.
SOAR as a Service
Another question I asked was regarding the level of adoption—current and prospective—of SOAR in the cloud, or SaaS, versus on-premise solutions.
One common point is clear: there is still a conservative preference for SOAR on-premises installations, but it's shrinking at a rapid pace. The driver of this conservatism depends on geography and compliance needs. However, enterprise customers and MSSPs, which also serve the mid-market, are realizing a series of factors in favor of cloud adoption:
SOAR as a SaaS solution is more manageable, both architecturally and operationally. This has positive downstream effects on the end customer. The more customers integrate and manage their stack with SOAR—the more it can help reduce their reaction time. With Sumo Logic Cloud SOAR you can integrate all SOC tools which allow a series of very effective data interactions, with the result of favoring the protection of our Cloud both in operation and internal supply.
SOAR in the cloud is more integrated and the execution of actions at the playbook level is more secure and scalable than it is with on-premises installations. This occurs both at the level of DevOps deployment of corrections and improvements (patching), and at the level of monitoring the operating tenants. In practice, this means a playbook written for a cloud instance is deployed with a much higher speed than the counterpart deployed on-premises.
Conclusions: Sumo Logic vision
Sumo Logic is continuously increasing the existing integration level of its Cloud SOAR solution with its Cloud SIEM and security analytics, while innovating and serving use cases beyond cyber, such as ITOps, observability, etc. at the platform level. The architecture of our Cloud SOAR, the result of the acquisition of DFLabs in mid-2021, is designed and implemented to have a single engine capable of being mounted on a virtually infinite series of chassis, to use an automotive comparison. This translates to scale, flexibility and a clear return on investment for our customers.
Explore how SOAR improves SOC efficiency, how to maximize the ROI of your SOAR solution, and the strengths of Sumo Logic Cloud SOAR here.
Complete visibility for DevSecOps
Reduce downtime and move from reactive to proactive monitoring.