Standalone SOAR is Alive and Kicking


Multiple publications and analyst firms have predicted a doomsday scenario for the standalone SOAR following a number of acquisitions in the space, mainly by SIEM vendors. Google acquired Siemplify, Devo acquired LogicHub, Fortinet acquired CyberSponse, Palo Alto Networks acquired Demisto, Splunk acquired Phantom, Sumo Logic acquired DFLabs, and Micro Focus acquired Atar Labs, which, in turn, got acquired by OpenText.

But this high-level view has very low resolution. It assumes that all possible SOARs are already in circulation, that every acquisition minimizes the pool of standalone vendors, and that an acquisition means that the SOAR will be natively integrated within a SIEM or XDR. As part of my research on SOAR, I have seen numerous developments over the past three years that indicate that not only is there a place for the standalone SOAR, but the solutions are evolving to support new use cases. 

Here are some key reasons why the standalone SOAR solutions will not be consumed into SIEM or XDR in the near future:

  1. More standalone vendors enter the market.
  2. Large players still choose to offer standalone.
  3. The inherent benefits of standalone and vendor-agnostic solutions.
  4. Non-security event ingestion.
  5. Non-security automation.

More Standalone SOARs Enter the Market

Compared to the second iteration of the GigaOm SOAR Radar, the third iteration features three more standalone SOAR players, namely Cyware, Tines, and Torq. Torq is the most recent player, established in 2020, and has already built an impressive portfolio of customers. Tines has also been gaining traction in the market. I have repeatedly and adventitiously seen Tines added to integration portfolios across various network and security vendors over the past couple of years.

Large Players Still Offer Standalone SOARs

While a selection of security vendors have chosen to integrate SOAR into their SIEM – such as OpenText, Huntsman, Sumo Logic, and Devo – others have kept SOAR as a standalone and vendor-agnostic product, most notably heavyweights such as Fortinet, IBM, Splunk, and Palo Alto Networks.

Why would they do that? The most obvious reason is to expand their total addressable market. If an integrated SIEM plus SOAR solution (see our GigaOm Radar on ASOM) is only suitable for customers that either want to migrate from the incumbent SIEM or don’t have a SIEM at all, a standalone SOAR can also target customers with a third-party SIEM that don’t want to migrate.

But there’s more to standalone SOARs than just a larger target market, which we explore in the section below.

The Inherent Benefits of Standalone and Vendor-Agnostic Solutions

A SIEM with native SOAR capabilities could become unwieldy and difficult to manage, with slower cadence on new features. A very large portion of your SOC becomes dependent on this one solution, and despite all the automation and ML-powered insights, the platform will likely incur a lot of technical debt.

Here, SOAR platforms have two advantages, being standalone and being vendor agnostic, which are two sides of the same coin. Vendor agnosticism means that a SOAR solution can work with any third-party SIEM, considerably lowering the dependency on a single platform and making migration considerably easier, whether it is the SOAR or the SIEM part of the solution that is being switched out.

The standalone quality means that the SOAR solution can fulfill its purpose in the absence of a SIEM. This aspect enables SOAR to branch into two more use cases that are unavailable to integrated SIEM and SOAR solutions: directly ingesting non-security events, and automating non-security tasks.

Non-Security Event Ingestion

Recent developments indicate that the remaining standalone SOAR vendors are finding a way of side-stepping SIEM, with the option of becoming the main tool for SOC analysts. Rather than relying on SIEM to ingest logs and generate alarms, some SOAR vendors are now ingesting events directly from the tools that generate them. In this context, non-security events are not generated by a security tool such as SIEM, XDR, firewall, or antivirus.

While this scenario sounds very similar to SIEM's log collection functionality, SOAR solutions do not capture everything, only discrete events such as API calls, HTTP requests, or login attempts. Events are therefore fewer and richer than raw logs, which has two consequences:

  • SOAR will not have the same issue of collecting, digesting, storing, and analyzing billions and trillions of logs as SIEM does.
  • SOAR will not provide the same level of deep visibility that SIEM does. 

This ability to ingest events directly without a dependency on SIEM does not mean breaking away from SIEM altogether; the two solutions can continue working together, especially where their features are complementary. However, SOAR solutions may offer a lighter and more agile way for security analysts to handle incident response in simpler IT environments, such as start-ups and other cloud-native and cloud-only organizations.
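To make the direct-ingestion model concrete, here is an added illustration (not code from any SOAR vendor or from GigaOm) of what a vendor-agnostic SOAR does when it receives a handful of rich events straight from the tools that produce them rather than a log stream via SIEM. The event schema, the webhook-style JSON shape, the two playbook rules, and the response action names are all assumptions made for this example; the sample events are constructed.

```python
"""Minimal SOAR-style direct event ingestion and playbook (added illustration).

The SOAR receives a small number of rich events straight from an identity
provider (login attempts) and a cloud audit trail (API calls), normalises
them into one schema, and runs two playbook rules over them. Everything
here (schema, field names, rules, action names) is a hypothetical design
for the example, not any product's real API.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    source: str            # emitting tool, e.g. "idp" or "cloud_audit"
    kind: str              # "login_attempt", "api_call" or "http_request"
    actor: str             # user or principal the event is about
    outcome: str           # "success" or "failure"
    ts: datetime
    attrs: dict = field(default_factory=dict)   # tool-specific extras


def parse_event(raw: dict) -> Event:
    """Normalise one webhook-style JSON body (assumed shape) into an Event."""
    core = {"source", "kind", "actor", "outcome", "ts"}
    return Event(
        source=raw["source"],
        kind=raw["kind"],
        actor=raw["actor"],
        outcome=raw.get("outcome", "success"),
        ts=datetime.fromisoformat(raw["ts"]),
        attrs={k: v for k, v in raw.items() if k not in core},
    )


class Playbook:
    """Two response rules over directly ingested events; opens cases."""

    # Hypothetical set of high-impact cloud API actions worth a case.
    SENSITIVE_API = {"iam:CreateAccessKey", "iam:AttachUserPolicy"}

    def __init__(self, threshold: int = 3, window: timedelta = timedelta(minutes=5)):
        self.threshold = threshold          # failures before a success is suspicious
        self.window = window                # how far back failures count
        self._failures = defaultdict(list)  # actor -> timestamps of recent failures
        self.cases = []                     # opened cases, oldest first

    def _open_case(self, title: str, ev: Event, actions: list) -> list:
        self.cases.append({"title": title, "actor": ev.actor,
                           "ts": ev.ts.isoformat(), "actions": actions})
        return actions

    def handle(self, ev: Event) -> list:
        """Return the response actions triggered by this one event (may be empty)."""
        if ev.kind == "login_attempt":
            # Keep only failures still inside the sliding window.
            recent = [t for t in self._failures[ev.actor] if ev.ts - t <= self.window]
            if ev.outcome == "failure":
                recent.append(ev.ts)
                self._failures[ev.actor] = recent
                return []
            # Success: suspicious only if it follows a burst of failures.
            self._failures[ev.actor] = []
            if len(recent) >= self.threshold:
                return self._open_case(
                    "success after repeated login failures", ev,
                    ["revoke_sessions:" + ev.actor,
                     "require_mfa_reenroll:" + ev.actor, "notify:soc"])
            return []
        if ev.kind == "api_call" and ev.attrs.get("action") in self.SENSITIVE_API:
            return self._open_case(
                "sensitive API action", ev,
                ["snapshot_principal:" + ev.actor, "notify:cloud_team"])
        return []   # other event kinds are ingested but match no rule


# Constructed sample events: three failures then a success for alice, one
# stale failure for bob, a benign and a sensitive cloud API call, one HTTP hit.
SAMPLE_EVENTS = [
    {"source": "idp", "kind": "login_attempt", "actor": "alice", "outcome": "failure", "ts": "2024-05-01T10:00:00", "ip": "198.51.100.7"},
    {"source": "idp", "kind": "login_attempt", "actor": "alice", "outcome": "failure", "ts": "2024-05-01T10:01:00", "ip": "198.51.100.7"},
    {"source": "idp", "kind": "login_attempt", "actor": "alice", "outcome": "failure", "ts": "2024-05-01T10:02:00", "ip": "198.51.100.7"},
    {"source": "idp", "kind": "login_attempt", "actor": "alice", "outcome": "success", "ts": "2024-05-01T10:03:00", "ip": "198.51.100.7"},
    {"source": "idp", "kind": "login_attempt", "actor": "bob", "outcome": "failure", "ts": "2024-05-01T10:00:00", "ip": "203.0.113.9"},
    {"source": "idp", "kind": "login_attempt", "actor": "bob", "outcome": "success", "ts": "2024-05-01T10:10:00", "ip": "203.0.113.9"},
    {"source": "cloud_audit", "kind": "api_call", "actor": "deploy-svc", "ts": "2024-05-01T10:04:00", "action": "s3:GetObject"},
    {"source": "cloud_audit", "kind": "api_call", "actor": "alice", "ts": "2024-05-01T10:05:00", "action": "iam:CreateAccessKey"},
    {"source": "waf", "kind": "http_request", "actor": "anonymous", "ts": "2024-05-01T10:06:00", "path": "/healthz"},
]


def run(raw_events: list) -> list:
    """Ingest events in time order and return the cases the playbook opened."""
    pb = Playbook()
    for raw in sorted(raw_events, key=lambda r: r["ts"]):
        pb.handle(parse_event(raw))
    return pb.cases


if __name__ == "__main__":
    for case in run(SAMPLE_EVENTS):
        print(case["ts"], case["title"], case["actor"], case["actions"])
```

Nine events in, two cases out: the point of the passage is that the SOAR never sees the thousands of surrounding log lines, only the events the source tools already consider meaningful, which keeps the ingestion path light at the cost of the deep visibility a SIEM's full log retention would give.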

Non-Security Automation

Take SOAR and drop the S to get Orchestration, Automation, and Response. How is this different from other IT workflow automation tools? SOAR has been bred in a high-stakes environment and benefits from strong audit, compliance, governance, and, most importantly, trust. Not to mention, an all-purpose SOAR can still carry out its core security functions alongside the additional IT automation.

As a multi-purpose tool, (S)OAR can become its own category that blends IT automation and security response. Adding non-security-related functions to a SIEM would make little to no sense, meaning that only a standalone SOAR can play in this market. Yes, it can automate responses to the alerts generated by a SIEM, but it can also be used for automated patch management, ensuring compliance, asset management, and onboarding new employees.

A vendor such as ServiceNow has a distinct advantage here, given its ITSM background and comprehensive SOAR capabilities.

Exit Options for Standalone SOAR Vendors

From a less technical viewpoint, one likely reason we've seen so many acquisitions is that an acquisition is the most likely exit for SOAR vendors. Most of these start-ups were acquired within five to ten years of inception. Are we likely to see an IPO from a SOAR-only vendor? The most likely candidates are D3, Swimlane, and ThreatConnect, well-established players with long tenure.

Perhaps the answer lies in the last two points I made above, non-security event ingestion and non-security automation. Only a handful of point-solution SOAR vendors are expanding their capabilities to open up new use cases for their products, which means there are revenue streams that cannot be tapped by adjacent solutions such as SIEMs or IT workflow automation tools.

Whether we’ll see a SOAR IPO or not, the near-future prognosis for the SOAR market is strong, and no amount of acquisitions will spell the end of the standalone SOAR, as its inherent standalone and vendor-agnostic capabilities cannot be replaced.