Gartner report criticises SOAR systems, Acora defends approach
A recent report by Gartner has sparked a debate within the cybersecurity community by criticising the current state of Security Orchestration, Automation, and Response (SOAR) systems.
The report argues that these systems are failing to meet expectations due to high costs and unfulfilled promises. Several organisations have struggled with substantial expenses and underwhelming returns from their SOAR investments.
Darren Humphries, Chief Information Security Officer (CISO) at Acora, has addressed these concerns by explaining the company's approach to managing the identified shortcomings. Acora's strategy combines partner techniques with SOAR technology to optimise the system while keeping security expectations realistic.
One of the main areas discussed is the management of initial setup costs. Acora tackles this by prioritising critical alerts through integrated workflow intelligence and automated threat hunting designed to efficiently identify attacks, compromises, and phishing attempts. This "workflow intelligence" allows analysts to handle multiple cases in one go, thus focusing senior roles on high-priority issues.
"We have our goals, methodologies of how we want to achieve and, as end users, we have that knowledge as things evolve," Darren Humphries commented. "All lessons learned are incorporated into the playbook data, saving analysts time and money when they check out credentials and enter into systems and metricate them."
Regarding the ongoing costs of maintenance and support, Acora employs a skilled team of analysts and detection engineers to improve detection capabilities. Humphries emphasised the importance of having knowledgeable personnel, comparing their setup to that of a racing car driver and technician, where deep system knowledge enhances overall performance.
Humphries elaborated that as an outsourced service provider, Acora offers a flexible service model that includes both SIEM and SOAR platforms. "With this setup, we cater to 84 clients with up-to-date threat intelligence. By utilising crowdsourced intelligence from our partners and customers, we have the ability to enhance our SOAR and SentinelOne platforms without the need for specialised personnel or analysts with extensive coding skills," he said.
Integration and interoperability are other crucial elements in Acora's approach. The company integrates third-party connections and custom tools to improve and fortify its primary security processes. While SOAR systems are central to its workflow, other tools such as Tenable Nessus are used for specific tasks, ensuring the best resource is employed for each requirement.
Humphries also discussed the importance of managing expectations around SOAR, viewing these systems as aids to human decision-making rather than as replacements for existing security solutions. "SOAR systems are tools meant to support human decision-making, not a replacement for existing security solutions," he explained. "Acora's service architecture is centred on improving these tools to support human intervention and decision-making processes."
The company ensures that its SOAR system remains up-to-date with evolving hacker tactics, techniques, and procedures (TTPs) by treating it as a central workflow system that guides analyst activities and priorities. "Whilst SOAR enhances security operations, it does not replace essential tools like SIEM or cloud systems. Rather, it complements them, similar to how a Swiss Army knife has various tools for different tasks," Humphries added.
He also addressed Gartner's concerns about the relevance of SIEM and SOAR, noting that Acora actively maintains and utilises these tools through rigorous testing and engagement with customers. "We collaborate with our ecosystem partners and utilise top-tier tools and training to support our hybrid models, including SOCaaS," Humphries emphasised.
Acora's proactive strategies and innovative models aim to address the evolving challenges of SOAR systems, ensuring they continue to provide robust security services and remain resilient against emerging threats.