SOAR for Security, COAR for Cloud?

It’s only been a few years, and the acronym SOAR is no longer offbeat. In fact, SOAR (Security Orchestration, Automation and Response) is now widely known across security operations circles, as security teams acknowledge that automation is required to bridge the gap created by the shortage of professionals and the growing volume of alerts and incidents. Having worked at Demisto (acquired by Palo Alto Networks), the leader in SOAR solutions, it was a natural pivot for me to head the cloud workflow automation product team at Fylamynt, given that we were fixing very similar challenges in both domains. Granted, the cloud automation space lags behind SecOps automation, but without the hacker element it is easier to handle than security automation; I anticipate that cloud automation will outstrip security automation once it gains momentum.

The problems we see in security operations are echoed in cloud operations. Alert fatigue, disjointed tools, context switching and of course the chronic shortage of on-call professionals are the same set of demons faced by both operations teams. One could argue that, if there’s SOAR for security, why not COAR (Cloud Orchestration, Automation and Response) for Cloud? Let’s see if this holds true as we unpack the argument with key data points.

The reason for SOAR becoming so popular

When I joined Demisto in early 2018, I could see the complex nature of security alert investigations. With an increased attack surface, new threat detection tools were being created. Alert fatigue was a common issue, with the number of security alerts generated by these solutions overwhelming the security team. Speed to resolution was also a challenge, as investigations still depended on manual intervention. There was absolutely no time, even for sophisticated SOCs (Security Operations Centers), to prioritize and standardize their alert investigation processes.

This was a perfect time for SOAR to become a de-facto workbench of the security analyst, enabling them with a visual workflow editor and needed integration actions. Amidst fast-growing adoption of security technologies, Demisto attained significant momentum with its ability to unify intelligence and scale incident response, with orchestration, automation, collaboration and case management. Each security company at that point had its own API, but SOAR added a cross-product workflow.

The chaotic nature of Cloud Automation

Enterprise infrastructure is seeing a disruption due to:

  • Migration of workloads from private to public clouds.
  • Deployment and delivery of software as SaaS.

The cost of operations is very high in cloud enterprises with application downtime costing an estimated $1.25 to $2.5 billion per year and the average cost per hour for critical application failures $500,000 to $1 million.

Cloud teams are trying to handle the ever-increasing complexity of their tasks with automation. However, to automate any workflow, we need developers to write code and maintain it over a long period of time.

Is automation the problem, or the solution? Today, CloudOps teams use a myriad of tools to achieve a desired level of automation. Jenkins, Chef, Ansible, Terraform, CloudFormation, Kubernetes, Pulumi, PagerDuty, Datadog, Slack: this list is just the tip of the iceberg. In their attempt to automate, they end up using tools that need cross-platform scripting, which gets even more complicated with hybrid cloud deployments.

So here is a genuine question I ask all the SREs and DevOps engineers out there: if there’s SOAR for Security, why not COAR for Cloud?
