
The pros and cons of SOAR explained

FBI Director Christopher Wray speaks to a group in Washington, D.C. Today’s columnist, Perry Carpenter of KnowBe4, writes that with the FBI reporting an increase of 300,000 in internet crime complaints in 2020, SOAR tools can strike a nice balance between automation and human analysis.

The need for a comprehensive cybersecurity strategy to protect an organization has never been clearer. The FBI’s 2020 Internet Crime Report found that complaints about suspected internet crime rose to 791,790 last year, an increase of 300,000 over 2019, with reported losses of $4.2 billion.

Social engineering, phishing scams, ransomware, DDoS attacks, and software vulnerabilities are just some of the threats facing overloaded security professionals with limited budgets.

As organizations strive to manage the ever-evolving threat landscape, identify vulnerabilities, and mitigate swiftly, they can benefit greatly from adopting security orchestration, automation and response (SOAR) tools. Deploying the right software tools can increase visibility and remove some of the burden from security professionals, but there are also some potential pitfalls.

Defining SOAR

A term originally coined by Gartner, SOAR combines three capabilities that the tools can bring to a security program:

  • Security Orchestration aims to bring together threat and vulnerability management technologies with a clear set of parameters and processes.
  • Automation can reduce the burden of repetitive tasks by triggering specific workflows based on a company’s chosen parameters, potentially even fully automating responses to lower-risk incidents.
  • Response accelerates the organization’s mitigation efforts with an easy, central, holistic view for analysts to investigate, discuss, and share threat intelligence and then plan and monitor threat responses.

Bear in mind that SOAR requires a mix of technologies and tools that deliver the capabilities the infosec team requires. It won’t stay effective unless the organization has a solid foundation in the shape of a clear, well-thought-out, business-aligned security strategy.

SOAR tools can empower security professionals, but they are not a replacement for human expertise.

The pros

There are many different potential benefits when an organization embraces SOAR, not least that it can increase visibility into potential threats and how effectively they are being handled. Centralizing processes and operations to achieve a consistent alert system and effective triage allows for swifter responses to threats and vulnerabilities. SOAR functionality can also help the organization extract maximum value from its existing toolset.

When basic tasks and responses are automated, security professionals are free to employ their talents on the tougher issues and investigate more complex and high-risk incidents. This removes the burden of some tedious and repetitive tasks, and the company can deploy its limited human resources more strategically where their skill sets are put to better use. Greater transparency and easy access to SOAR tools can also encourage greater communication and collaboration across teams.

The cons

There are inevitably some possible drawbacks with SOAR. Because SOAR requires a healthy security culture and a clear strategy, it’s crucial to set realistic expectations. Build on top of shaky foundations, and SOAR will not deliver the desired results. Overconfidence in SOAR tools can also lead management to undervalue security professionals or redirect valuable human expertise away from security efforts.

It’s often difficult to measure the effectiveness of SOAR tools, so set out clear expectations, take baseline measurements, and craft a set of metrics to ensure the tooling is delivering on its promise. Build a feedback loop into the response portion as a mechanism to improve the overall strategy and learn from failures.

Making SOAR work

Plan the integration of SOAR tools with the company’s systems and processes carefully. There are many different SOAR products on the market, so weigh the features that are most important to the organization.

Ideally, the SOAR tool the company selects will pull information in from all of the organization’s security systems, suggest automated workflows, and orchestrate disparate tools to squeeze the most from each. Assess and estimate the difficulty of integration to ensure the SOAR software works seamlessly with the organization’s systems. It should report on a forensic level to give the security team a clear audit trail, so it can analyze incidents and continually improve processes.

Look at detection capabilities and configuration for phishing attacks, malware, and other kinds of attacks. What threats loom largest for the organization? Delve into the tool’s automation capabilities to see what aligns with your risk tolerance. Do you want to automate intelligence gathering, elements of security investigations, or procedures for containment? Think about cyberattack simulation. Does your chosen SOAR tool have testing built in?
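As an added illustration of the risk-gated automation, forensic audit trail and metrics feedback loop the column describes (example code, not from the column or any SOAR product), this hypothetical Python playbook auto-contains alerts below an organization’s risk threshold, queues the rest for an analyst, and folds analyst verdicts back into its metrics. The sample alerts, containment action names and threshold are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample alerts (not from the article); severity is a 0-100 risk score.
ALERTS = [
    {"id": "A-1", "type": "phishing", "severity": 20, "asset": "ws-17"},
    {"id": "A-2", "type": "malware", "severity": 85, "asset": "db-02"},
    {"id": "A-3", "type": "phishing", "severity": 45, "asset": "ws-09"},
]

# Hypothetical containment actions per alert type; a real tool calls its integrations here.
CONTAINMENT = {"phishing": "quarantine_message", "malware": "isolate_host"}

@dataclass
class Playbook:
    """Risk-gated playbook: auto-contain below the threshold, escalate the rest to an analyst."""
    auto_threshold: int  # the organization's risk tolerance for unattended response
    audit: List[Dict] = field(default_factory=list)  # append-only audit trail
    queue: List[Dict] = field(default_factory=list)  # analyst work queue

    def handle(self, alert: Dict) -> str:
        if alert["severity"] < self.auto_threshold:
            action, outcome = CONTAINMENT.get(alert["type"], "notify_only"), "auto_contained"
        else:
            action, outcome = "escalate", "escalated"
            self.queue.append(alert)
        self.audit.append({"alert": alert["id"], "action": action, "outcome": outcome, "verdict": None})
        return outcome

    def record_verdict(self, alert_id: str, verdict: str) -> None:
        """Feedback loop: attach the analyst's verdict to the audited decision."""
        for entry in self.audit:
            if entry["alert"] == alert_id:
                entry["verdict"] = verdict

    def metrics(self) -> Dict[str, float]:
        # Baseline metrics: how much was automated, and how often automation was wrong.
        total = len(self.audit)
        automated = [e for e in self.audit if e["outcome"] == "auto_contained"]
        wrong = [e for e in automated if e["verdict"] == "false_positive"]
        return {"alerts": total,
                "automation_rate": len(automated) / total if total else 0.0,
                "auto_false_positive_rate": len(wrong) / len(automated) if automated else 0.0}

def run_demo(threshold: int = 50) -> Dict[str, float]:
    pb = Playbook(auto_threshold=threshold)
    for alert in ALERTS:
        pb.handle(alert)
    pb.record_verdict("A-1", "true_positive")
    pb.record_verdict("A-3", "false_positive")
    return pb.metrics()
```

Lowering `auto_threshold` shrinks the automation rate but also the share of unattended actions that turn out wrong, which is the trade-off the metrics are meant to make visible.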

With a more streamlined centralized system, and automation where possible, security teams can make the best use of limited resources and increase overall resilience in the face of existing and emerging threats. Done right, SOAR tools deliver impressive results by allowing humans and machines to play to their respective strengths so that each enhances and empowers the other.

Perry Carpenter, chief evangelist and security officer, KnowBe4

Perry Carpenter

Perry Carpenter (author of, “Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors” and host of the “8th Layer Insights” podcast) currently serves as Chief Evangelist and Strategy Officer for KnowBe4, the world’s most popular security awareness and simulated phishing platform.

Previously, Perry led security awareness, security culture management, and anti-phishing behavior management research at Gartner Research, in addition to covering areas of IAM strategy, CISO Program Management mentoring, and Technology Service Provider success strategies. With a long career as a security professional and researcher, Mr. Carpenter has broad experience in North America and Europe, providing security consulting and advisory services for many of the best-known global brands.

Perry holds a Master of Science in Information Assurance (MSIA) from Norwich University in Vermont and is a Certified Chief Information Security Officer (C|CISO).
