Security Orchestration, Automation and Response Demand Set to Grow

A Demisto-sponsored study found that security operations centers are largely overwhelmed by the volume of alerts, which is helping to drive demand and awareness for Security Orchestration, Automation and Response (SOAR) technologies.

Demisto SOAR report

Among the new security acronyms that have emerged in recent years is SOAR, which stands for Security Orchestration, Automation and Response. SOAR technology aims to solve multiple pain points for enterprises, which Demisto outlined in its State of SOAR Report 2018, released on Sept. 6.

Demisto surveyed 250 senior IT business leaders as part of its second annual report. The study found that the average number of days to resolve an incident has increased from 2.8 to 4.35. On a positive note, however, the study found that the time it takes to fully train new security analysts has gone done from nine months in 2017 to eight months in the 2018 report.

Staffing is a key challenge for security operations centers, with 79 percent of respondents indicating that they don't have enough people to handle the required tasks within their organization's security operations center (SOC). Security teams tend to be overwhelmed by volume—there were 174,000 security alerts per week, of which security analysts were only able to review and respond to 12,000 of them.

Given the resource challenges that security operations face, it's not surprising that 70 percent of the survey’s respondents say they could benefit from SOAR and a more automated approach to handling security incidents.

"A silver lining we noticed was that security professionals were aware of the challenges at hand and are cognizant of the benefits that SOAR tools can provide in this landscape," Rishi Bhargava, co-founder of Demisto, told eWEEK. "There was a strong readiness to automate and also a good alignment between perceived benefits and SOAR capabilities."

Defining SOAR

Although SOAR is a relatively new term and model for the security industry, Demisto's study did not ask the survey respondents if they have heard of SOAR. Bhargava noted, however, that the term was defined in the beginning of the survey.

"In our regular interactions with customers, we find that they are very aware of the terminology," Bhargava said. "Being such a young space, we believe the awareness levels are extremely high, which correlated to the need in the market." 

In its report, Demisto explains that incident response focuses primarily on addressing issues after they have been identified. However, an incident's life cycle involves more stages, including aggregation, enrichment, correlation and investigation. According to Demisto, SOAR, unlike incident response, addresses all the different stages required to help remediate and respond to security incidents.

The Orchestration component of SOAR brings together different data sets and security technologies to work together, Demisto said. The Automation piece aims to minimize the need for human interaction for repetitive tasks in the incident response process to help accelerate time to resolution. Response is at the core of SOAR, combining the orchestrated elements of different technologies in an automated way that enables incidents to be resolved.

Barriers to SOAR Adoption

While there are benefits to SOAR that will help organizations deal with the pressures of resource challenges, it's still a nascent space. Bhargava said that the report contains a question about SOAR budget. 

"Results show that the SOAR space is not mature enough to demand its own budget line. However, it's growing at an appreciable pace," he said. "Around 38 percent of respondents stated that while SOAR tools didn't have a dedicated budget, they were a part of the overall security budget."

Additionally, Bhargava said that a further 15 percent of respondents projected a plan of including SOAR tools in their budgets for the following year. Looking forward, Bhargava said he expects over the coming year that a clear definition of SOAR will emerge as the market continues to evolve.

"There are a lot of unknowns, such as the role of threat intelligence in SOAR," he said. "We expect customers and organizations in general to have a clear view on this." 

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.