
SOAR’s myopic focus may be its undoing

By Gunter Ollmann, CSO, Cloud and AI Security Division, Microsoft

Practically every CISO I speak with ranks the difficulty of getting multiple vendors’ “best of breed” security products working together and returning any measurable ROI as a constant entry in their Top-5 daily gripes. As access to experienced security professionals becomes scarcer and more expensive, the need to get security products working in harmony and to reduce the overall energy needed to respond to and mitigate threats grows more pressing.

At some point in the past, with each best-of-breed product myopically solving a single security problem, a new class of security product was invented to fill in the gap that competing vendors couldn’t solve the first time around – and so Security Orchestration and Automated Response (SOAR) entered the CISO’s vocabulary.

For over a decade independent SOAR solutions have tried to bridge and glue together ensembles of multi-vendor security products. The premise being that Vendor A’s best-of-breed product could alert on a threat, and that alert could be translated into an action that Vendor B’s best-of-breed product could perform to mitigate it – and to do this across dozens of vendors and hundreds of independently operating network and endpoint security products.
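The premise just described, as an added illustration that is not part of the original article: a small orchestration layer that normalizes alerts from two hypothetical vendors' formats and maps them to a mitigation action on a third. The vendor schemas, field names, playbook entries and sample alerts are all constructed assumptions, not any real product's API; the point is that every vendor pairing needs its own adapter, and alerts with no playbook entry must be surfaced rather than silently dropped.

```python
"""Minimal SOAR-style glue: normalize alerts from two vendors' formats and
dispatch a mitigation action to a third vendor. Vendor formats, field names
and actions are constructed assumptions, not any real product's API."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    kind: str        # normalized category, e.g. "malware", "phishing"
    indicator: str   # file hash or sender address the action will target
    source: str      # which vendor adapter produced it

# Adapters: one per vendor, each knowing only that vendor's (assumed) schema.
def from_vendor_a(raw):
    # Hypothetical endpoint AV reports {"event": "malware_detected", "sha256": ...}
    kind = {"malware_detected": "malware"}.get(raw["event"], raw["event"])
    return Alert(kind=kind, indicator=raw["sha256"], source="vendorA")

def from_vendor_b(raw):
    # Hypothetical mail gateway reports {"category": "PHISH", "sender": ...}
    kind = {"PHISH": "phishing"}.get(raw["category"], raw["category"].lower())
    return Alert(kind=kind, indicator=raw["sender"], source="vendorB")

# Playbook (assumed): normalized alert kind -> (responding vendor, action)
PLAYBOOK = {
    "malware": ("vendorC_edr", "quarantine_hash"),
    "phishing": ("vendorD_mailgw", "block_sender"),
}

def orchestrate(alerts):
    """Return (actions to dispatch, alerts with no playbook entry).
    Unmapped alerts are returned, not dropped: an integration gap between
    products shows up here as a non-empty second list."""
    actions, unmapped = [], []
    for a in alerts:
        entry = PLAYBOOK.get(a.kind)
        if entry is None:
            unmapped.append(a)
            continue
        target, action = entry
        actions.append((target, action, a.indicator))
    return actions, unmapped

# Constructed sample alerts (not real detections)
SAMPLE_A = [{"event": "malware_detected", "sha256": "deadbeef" * 8},
            {"event": "suspicious_script", "sha256": "cafebabe" * 8}]
SAMPLE_B = [{"category": "PHISH", "sender": "bad@example.com"}]

def run_sample():
    alerts = [from_vendor_a(r) for r in SAMPLE_A] + [from_vendor_b(r) for r in SAMPLE_B]
    return orchestrate(alerts)
```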

SOAR has faced an uphill battle to fulfill that role. Chief amongst those hurdles is that, traditionally, best-of-breed technologies have arisen from smaller (or start-up) security companies rather than the largest and most established vendors – making it more difficult to integrate and connect today’s hottest products with each other.

Today the market is changing rapidly, and SOAR is changing with it.

For starters, the average age and experience of CISOs continues to rise. Many now carry the battle scars of trying to manage complex, cobbled-together multi-vendor best-of-breed solutions to protect the enterprise, and are adopting new protection strategies.

A convenient analogy for the change is custom car building. It’s relatively easy to mine car part reviews to determine what’s the hottest and best muffler, brake, transmission, or whatever part on the market and to acquire it. But to build an entire car through such a sourcing process is time-consuming and leaves you with the tough problem of cobbling everything together. If you know what you’re doing you’ll have a unique vehicle that, on paper, suits today’s needs – but the reality of trying to get all these multi-vendor parts to connect and work together seamlessly is you need a heightened degree of expertise and access to advanced machine shop capabilities.

CISOs are forcing themselves to answer the tough question of whether they are building a vehicle designed through a lens of passion, to be lovingly maintained by a team of expert mechanics, or whether they should be opting for the latest showroom minivan and a stand-by helicopter service (if the budget will stretch so far).

In turn, the larger security vendors are doubling down on integration scope and capabilities – using both open-API models and “suite-like” approaches to reduce the burden on in-house security teams.

The growth of open APIs is making it easier for products to work at enterprise scale and to amalgamate with in-house security processes or Security Operations Center (SOC) systems. SOAR, instead of being yet another product from yet another vendor, is being dissected into its constituent orchestration and response APIs and incorporated on a per-product basis – further enabling SOC integration.

But perhaps the most important change for CISOs is the pursuit and advancement of “suite-like” solutions from the largest security vendors.

Unlike decades past, today’s delta between best-of-breed and “industry average” has (on average) shrunk to single-digit percentages. While many smaller or start-up vendors focus their energies on differentiating within that single-digit delta, the reality is that the percentage difference continues to shrink year on year.

What seasoned CISOs have also learned is that seamless integration between different classes of threat detection and mitigation yields even better results. For example, an average anti-virus product may stop 90% of daily malware variants, while an average anti-spam gateway may stop 95% of daily malicious emails. Integrated and working together, they may stop 99.9% of daily phishing threats (including associated malware) – soundly beating a stand-alone best-of-breed anti-phishing product.

Seamless integration between complementary product categories is further enhanced when they can be managed as a single product – adopting a single consistent interface, mode of navigation, and shared open API. It is for this reason that a new age of “suite-like” solutions has grown in favor.

This evolving category of enterprise-scale security management suites focuses on reducing the workloads of in-house security teams and making them more efficient in responding to threats. CISOs are subsequently getting closer to not only measuring, but continually monitoring, the ROI of their security investments. That investment may not be a garage of track-day custom-built race cars, but the fleet of minivans is delivering packages on time, with higher than ever customer satisfaction scores.
