Google announced the acquisition of Siemplify, a security orchestration, automation, and response (SOAR) tool, this past Monday. Google Cloud’s acquisition of a SOAR tool in and of itself is not surprising — this has been a missing piece for its Chronicle offering that other security analytics platforms have built in for the past several years.
What is interesting, however, is the timing of this acquisition, which comes years after the spate of SOAR acquisitions from 2018–2019. Siemplify was one of the few remaining holdouts as a standalone SOAR, as most other independent SOAR vendors were acquired or diversified their portfolio with other products such as threat intelligence platforms (TIPs).
In some ways, that makes this a heady acquisition, as it signals the true end of the standalone SOAR. Forrester predicted early on that the SOAR market could not stand on its own, and given that that was five years ago, it’s starting to feel like we are belaboring the point. The bottom line is this: The SIEM has been irrevocably transformed into the more holistic security analytics platform, which incorporates SIEM, SOAR, and SUBA in a single offering.
Just offering a piece of the puzzle — a SOAR, a SIEM, or SUBA — is not enough. Security teams want a unified security analytics platform that they can use through the entire incident response lifecycle, from detection to investigation to the orchestration of response … and beyond? …
SOAR Is Part Of A Larger Set Of SecOps Capabilities
Security teams now have one less standalone SOAR offering to choose from. This is detrimental in some ways, since some of the practitioners I advise prefer to use a separate, independent SOAR offering. They find the depth of available integrations to be more powerful and prefer a tool and the vendor behind it to be entirely focused on improving automation in the SOC.
While standalone SOAR is becoming a rarity, SOAR still exists in many forms. There are benefits to having a security analytics platform that tightly integrates SIEM and SOAR. A combined tool can help you implement more seamless automation and streamline the entirety of the incident response lifecycle in one place. It also gives you one less vendor to manage, and data from the latest Forrester Analytics Business Technographics® Security Survey shows that security pros are looking to consolidate security tooling.
Buying SOAR as a standalone versus as part of a broader platform is the classic best-of-breed versus best-of-suite debate. The tricky part, though, is that SOAR is the supporting act, not the headliner. This means things get a little more complicated — as you will find in the flavors of SOAR below.
Consider the different flavors of SOAR and the risks of each:
- Integrated security analytics platforms can provide tight integration and a simpler user experience. The main challenge with these vendors is ensuring that they stay cutting-edge — big suites of products tend to lead to complacency on innovation and bloat. Some examples of vendors include Microsoft, Exabeam, LogRhythm, LogPoint, Micro Focus, and Securonix.
- Security analytics portfolios try to balance the best of what standalone SOAR offers while providing that integration (but this makes them more likely to fail at both as a jack of all trades). If these vendors struggle with one element of their SOAR offering, it’s more likely to be the integrations with other vendors than their own tools. Some examples of vendors include Splunk, Sumo Logic, Gurucul, IBM, Rapid7, and Palo Alto Networks.
- SOAR + TIP + etc. vendors, or those with other additional areas of focus, bank on the fusion between SOAR and their other adjacent offerings. This can be unique and provides them a way of staying independent while still gaining ground in different markets. Combining SOAR and TIP capabilities also helps to operationalize threat intelligence in the SOC. Some examples of vendors include Cyware, ServiceNow, ThreatConnect, and ThreatQuotient.
- Standalone SOAR can have a great depth of integrations because of its independence and its singular focus on building better automation for the SOC. Even if you choose a standalone SOAR, however, it may not be standalone for much longer. Some examples of vendors include Swimlane, D3 Security, and Tines.
I will be releasing in-depth research soon on SOAR. In the meantime, get in touch with me to schedule an inquiry if you have questions.