Skip to main content

Why SOAR is overkill for a smaller infosec team

By 21 May 2021No Comments

Dave Mareels, CEO of UK cyber start-up SOC.OS, argues that there are better solutions for hard pressed cyber security teams than complex Security Orchestration Automation and Response platforms

We’re all aware of the scale and sophistication of today’s cybercrime underground. It’s a global economy said to be worth as much as $1.5 trillion annually, with some security vendors blocking over 60 billion unique threats each year.

The result?

Information security teams swimming in a deluge of alerts. To triage and respond to these alerts is a challenging task for even the world’s most sophisticated SOC teams, and an impossible one for a stretched infosec team.

Security Orchestration Automation and Response (SOAR) claims to address this problem today, but for most organisations they’re not the panacea. In fact, for organisations with small cyber teams who are relatively early on in their cyber maturity journey, SOAR is overkill. In the first 5 months of 2021 (quick look at calendar), I’ve had circa 50 calls with CISOs, Infosec Directors and SOC analysts worldwide on this very topic and one thing is very clear: unless you have the appropriately skilled resources who can devote loads of TLC to finetune and maintain SOAR, please think twice before adopting.

The issue with SOAR

That’s exactly where the hidden cost of SOAR lies. To, ‘finetune and maintain’ a SOAR means constantly having to write and update the playbooks. A playbook is simply a sequential combination of, ‘if this, then that’ rules (e.g. ingest alert, parse it, look up the URL in Virus Total, if malicious, do something, etc).

Unfortunately, I’ve seen many skilled analysts get this work thrown at them, and they soon become dedicated full time to writing and updating these workflows. It’s not only super-repetitive work, it’s also quite challenging to get right (not a good recipe for analyst retention). Deciding at what level to abstract your workflow on is tough.

If you go super-granular and low-level – meaning you’ll attempt to parse all the metadata – then you will need to consider a plethora of, ‘if this, then that’ permutations and conditions. This is tremendously time-consuming.

Or alternatively, you can go relatively high-level, but this somewhat defeats the point of automation, as it means a human must be kept in the loop anyway for critical decisions (e.g. if alert of type X is ingested, email Sarah, who can then decide what the remediation steps are). The last thing you want is one of your playbooks to automatically action something, such as isolate a business-critical server, only to realise it acted on a false positive.

A better way

SOAR’s proposition is well tailored for large and sophisticated teams with established processes, but for stretched infosec teams – with a fundamentally different makeup (across the 4 pillars of technology, people, process and philosophy) – the service which they need to consume should also be fundamentally different.

These smaller teams always tell me that it’s less about, ‘how do I write and maintain a plethora of playbooks to automate a response’ as it is, ‘out of these 1,000 alerts generated today across 4 of my security tools, where the hell do I even start looking!?’. It’s more about visibility and prioritisation than it is about automating a response.

The good news is if your organisation is not well suited for SOAR, there are other available technology options that help you answer that very question.

Look for technology which has a strong focus on automating as much as the initial triage process as possible. The technology should be able to collect, parse, and enrich alerts with threat intelligence and business context, and be able to correlate related alerts together to collapse triage volume to a level which is manageable.

Technology which tells the story behind the alerts within the context of your business is also key, as to is presenting this in a highly digestible and intuitive way. This will allow your stretched team to take swift and effective remediation action.

So, before diving headfirst and investing big in SOAR, consider where you are on your maturity journey and your resource profile very carefully. There are alternative and more suitably tailored alert triage technology options out there for small/stretched infosec teams.

Dave Mareels is CEO of SOC.OS, a SaaS-based security alert investigation and triage tool.

Main image courtesy of


All rights reserved Teiss Recruitment Ltd.