The Challenges of SOAR Adoption in Cybersecurity

SOAR (Security Orchestration, Automation, and Response) lets organizations automate the response to and remediation of security incidents, with the aim of reducing mean time to respond (MTTR): the time between identifying a threat or failure in the environment and neutralizing it. Given adequate investment, that goal is realizable. But SOAR is hard to implement beyond the most basic scenarios, and never without cost and risk. Here are five reasons why SOAR adoption is low.


  1. SOAR is an expert system that captures specialized knowledge, but the knowledge it captures is often basic, for two reasons. First, only some problems consist of unambiguous, universal, and completely formalizable facts, and those problems are generally the simple ones. Explicit rules therefore work best at a beginner level, which is why so-called expert systems like SOAR are, in practice, closer to beginner systems. Second, security analysts often respond to alerts they recognize without consciously applying any rule. Their knowledge is implicit and informal, and hard to codify into the playbooks a SOAR needs in order to succeed.
  2. Response and remediation form a long tail of edge cases: most kinds of event occur rarely, so it is hard to anticipate beforehand everything you want the SOAR to handle.
  3. Automation is a risk: an automated action may shut down a critical server, block the daily backup upload, or cause some other catastrophic outcome. Because a reliable automated response cannot be programmed for such cases, the SOAR often assigns the alert to an analyst for completion. That ties up a considerable portion of the budget, creates additional failure points, and merely moves the delay to a different point in the alerting pipeline.
  4. SOAR creates the paradox of automation, a specific class of errors people make in automated environments. The paradox is that a well-designed system hides human weaknesses rather than overcoming them, and those weaknesses remain risk factors. If an automated system contains an error, it will multiply that error until someone fixes it. Yet when the system fails, humans may be unable to take over, because automation has let a skill decay or stopped them from developing it in the first place.
  5. SOAR technology can create a false sense of security because it fails silently. The SOAR systematizes yesterday's workflows; meanwhile attackers evolve their methods and slip past the system undetected. This can go unnoticed for a long time, because the system is not something you regularly monitor. SOAR should be used where it is most appropriate, and it should complement, not replace, other security measures.
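As an added illustration of points 3 and 5 (this is not code from the article, nor any SOAR product's API): a small Python model of the guardrails a practitioner would put around an auto-isolation playbook, together with a health check that catches the silent-failure case. The protected-asset list, confidence threshold, blast-radius cap, rule names and the alert batch are all constructed for the example.

```python
"""Guardrails for an automated response playbook.

Constructed example: it models two of the failure modes described above, an
automated action hitting a critical asset (and runaway automation multiplying
one bad decision), and a playbook that keeps reporting success while quietly
matching less and less of the alert stream. Asset names, thresholds and
alerts are all made up for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field

# Assumed policy: assets automation must never act on without a human.
PROTECTED_HOSTS = {"backup-01", "db-primary", "dc-01"}
DESTRUCTIVE_ACTIONS = {"isolate_host", "disable_account", "block_ip"}
MAX_AUTO_ISOLATIONS_PER_WINDOW = 3  # blast-radius cap per review window
MIN_CONFIDENCE_FOR_AUTO = 0.9


@dataclass
class Alert:
    alert_id: str
    host: str
    rule: str          # detection rule that fired
    confidence: float  # 0..1, as scored by the detection pipeline


@dataclass
class Guardrails:
    protected_hosts: set = field(default_factory=lambda: set(PROTECTED_HOSTS))
    isolations_this_window: int = 0

    def decide(self, alert: Alert, action: str) -> str:
        """Return 'execute' (automate) or 'escalate' (hand to an analyst)."""
        if action in DESTRUCTIVE_ACTIONS and alert.host in self.protected_hosts:
            # Taking a backup server or domain controller offline is a human call.
            return "escalate"
        if action == "isolate_host":
            if self.isolations_this_window >= MAX_AUTO_ISOLATIONS_PER_WINDOW:
                # Several isolations in one window looks like a bad rule
                # firing repeatedly; stop multiplying the error.
                return "escalate"
            if alert.confidence < MIN_CONFIDENCE_FOR_AUTO:
                return "escalate"
            self.isolations_this_window += 1
        return "execute"


def triage(alerts: list, guardrails: Guardrails) -> list:
    """Run the 'isolate on credential dumping' playbook over a batch of alerts.

    Returns (alert_id, decision) pairs. Alerts the playbook does not cover
    come back as 'no_match' so that coverage is measured, not just successes.
    """
    results = []
    for alert in alerts:
        if alert.rule != "credential_dump":
            results.append((alert.alert_id, "no_match"))
            continue
        results.append((alert.alert_id, guardrails.decide(alert, "isolate_host")))
    return results


def playbook_health(decisions: list, baseline_auto_rate: float,
                    min_ratio: float = 0.5) -> dict:
    """Flag a playbook whose automation rate has fallen well below its baseline.

    A playbook that used to handle 60% of alerts on its own and now handles
    10% has not necessarily broken: attackers may simply have changed
    technique so the rule no longer matches. Either way, a silent drop is
    the signal that someone needs to look at it.
    """
    counts = Counter(decisions)
    total = sum(counts.values())
    auto_rate = counts["execute"] / total if total else 0.0
    return {
        "auto_rate": round(auto_rate, 3),
        "degraded": auto_rate < baseline_auto_rate * min_ratio,
        "counts": dict(counts),
    }


# Constructed alert batch for the demonstration.
SAMPLE_ALERTS = [
    Alert("a1", "ws-042", "credential_dump", 0.95),
    Alert("a2", "backup-01", "credential_dump", 0.97),  # protected asset
    Alert("a3", "ws-017", "credential_dump", 0.60),     # low confidence
    Alert("a4", "ws-101", "credential_dump", 0.95),
    Alert("a5", "ws-102", "credential_dump", 0.95),
    Alert("a6", "ws-103", "credential_dump", 0.99),     # hits the blast-radius cap
    Alert("a7", "ws-200", "new_lateral_movement", 0.95),  # not covered by the playbook
]


if __name__ == "__main__":
    decisions = triage(SAMPLE_ALERTS, Guardrails())
    for alert_id, decision in decisions:
        print(alert_id, decision)
    print(playbook_health([d for _, d in decisions], baseline_auto_rate=0.6))
```

Two design choices carry the argument. The guardrails never return "deny": a blocked automated action is always escalated to a person, because dropping it would be the silent failure the article warns about. And the health check counts `no_match` alongside escalations, so that a rule the attacker has simply stopped triggering shows up as a falling automation rate rather than as a playbook that looks perfectly healthy.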


SOAR is a valuable tool that can reduce alert volume for mature organizations with ample budgets and experienced personnel. But it is a complex and time-consuming undertaking, and it is unlikely to reduce headcount, since automation often demands more people, not fewer. It is also crucial to avoid over-automation, which can create as many problems as it solves. Up-to-date security expertise must feed the SOAR continuously, so that its capability improves as the organization's security posture matures and it is always prepared to respond to new threats. Finally, automation must not be allowed to mask underlying issues or eliminate the steps needed to validate that a response was correct.



Marvin Wheeler

Co-Founder - Tier4ai.com

1 year

Rich, well done... SOAR is a factor in the remediation journey... not a solution in itself

More articles by Rich Heimann