SOAR is Going in Two Directions (and One of Them is Bad for MSSPs)
If someone stopped following the SOAR market a few years ago and just checked back in now, they’d be very confused. A lot of the brands they would recognize are nowhere to be found.
But, if you’ve been paying attention, you know why those prominent names aren’t around anymore: they got acquired by security giants. This has created a bifurcation in the SOAR market, and the divide is getting wider.
On one side is where you’ll find the SOAR tools that were acquired. They’re now what we call suite-based SOAR, where the SOAR tool is part of a larger suite of security tools made by a parent company. On the other side of the split are the independent SOAR vendors. These are the vendors that only focus on SOAR. The implications of these divergent paths are more than just philosophical; they have already affected the solutions that the different types of vendors provide to customers. MSSP customers have felt those effects most directly, with some SOAR vendors completely abandoning the MSSP market.
In this article, we’ll describe the two types of SOAR in more detail, and show you why we think one is well-suited to the needs of MSSPs, and one is not.
We won’t beat around the bush. We don’t think suite-based SOAR is a good trend for MSSPs. There are a few reasons for this.
One is vendor lock-in. These larger companies acquired SOAR vendors to add to their suite of solutions. They want to offer a complete set of tools that make a buyer’s decision easy: buy everything from us, and you’re good to go. For some companies, this is appealing. You simplify your purchasing decisions, guarantee interoperability, and maybe get a discount compared to buying a la carte. But for MSSPs who serve dozens or hundreds of clients, each with their own set of tools, this is a non-starter. MSSPs need to be able to integrate with their clients’ preferred tools, and suite-based SOAR makes that difficult. While suite-based vendors may still offer some level of integration with hundreds of tools, corporate conflicts of interest prevent them from investing in high-quality integrations with their competitors.
The second reason we think suite-based SOAR is bad for MSSPs is that suite-based SOAR is where innovation goes to die. It’s happened many times now: a SOAR vendor gets bought, their tool is rolled into a suite of products—or even reduced to being an add-on for a SIEM—and then the SOAR features stop improving. No significant new features, no new integrations, no SOAR-specific customer support.
When a team that created a SOAR tool is absorbed by a company that makes a number of other products, they’re no longer focused on making that SOAR tool the best it can be. This means that MSSPs with suite-based SOAR are not getting the “next-generation” of SOAR. They’re stuck in the recent past.
Why Independent SOAR is the Futureproof Solution for MSSPs
Presented with this split in the market, MSSPs are resoundingly choosing independent SOAR vendors. Largely, this is because independent SOAR has none of the downsides of suite-based SOAR that we covered in the previous section. Independent SOAR vendors can build high-quality integrations with anyone, they don’t have any interest in locking you into specific tool sets, and their business models rely on them producing innovative SOAR technology.
Because of that requirement to innovate, it is independent SOAR vendors that are leading the next-generation SOAR movement. This new generation has many improvements over legacy SOAR that are promising for MSSPs who want to leverage automation in their services. For example:
- Codeless playbooks and integrations are making it easier to get up-and-running with SOAR, and to change things on the fly. This is great for everyone, but especially beneficial for MSSPs, who can easily deploy playbooks across their client base.
- Powerful correlation, enrichment, and filtering have realized the ambitious goal of automating virtually all tier-one tasks. This represents a massive profit opportunity for MSSPs, many of whose services focus on these tasks. What could your analysts do if 90% or more of their time was freed up by automation?
- One option for that free time is threat hunting, which has become much more accessible through SOAR. Threat intelligence can be parsed and turned into automated searches by SOAR playbooks, and IOCs found in investigations can be hunted across endpoints and other systems via SOAR integrations. SOAR makes adding threat hunting services an option for MSSPs that requires minimal investment of resources.
These are just a few of the capabilities that independent SOAR vendors are bringing into the next generation of SOAR tools that MSSPs can benefit from.
Go With the Vendor that is Committed to MSSPs
D3 Security supports MSSPs in every corner of the globe and enables high-value services with our NextGen SOAR platform. D3 Security’s SOAR platform supports full multi-tenancy, so you can keep client sites, data, and playbooks completely segregated. Importantly, we’re completely independent, so no matter what tools your clients use, our 500+ integrations will meet their needs. Our new offering for MSSPs, D3 Chronos, is a streamlined SOAR package that is designed to start paying for itself within two weeks while increasing your capacity 10x through automation.