Too Many SOAR Vendors are Failing MSSPs

Credit: Pixabay

Why do companies outsource security to MSSPs? These three statistics from recent surveys provide a few good reasons:

  • 70% of cybersecurity teams have seen alert volume more than double in the past few years, with 24% seeing an increase of 10x or more (source).
  • 75% of companies spend as much time investigating false positives as they do on actual attacks (source).
  • 64% of incident responders say they have sought out mental health assistance because of the “extreme” stress of their jobs (source).

These numbers might be shocking, but they represent issues that you’ve probably heard about for a long time. These types of issues are why so many companies have invested in SOAR, either directly or via an MSSP. But here’s the catch: these surveys included many large enterprises and MSSPs, which are the companies most likely to already have SOAR. So why are they still experiencing these challenges?

In the past year, an increasing percentage of our new SOAR customers have been companies that have previously bought a SOAR tool. This suggests that many SOAR buyers are not getting the solutions to pressing problems like alert volume that they had hoped for. This is especially troubling for MSSPs who have invested in SOAR, because alert-handling is pivotal to the services they offer their clients.

To actually solve the problems of MSSPs, SOAR needs to get smarter. So, what makes a SOAR tool “smart”? It needs to incorporate these four things.


Smart SOAR needs to have memory. This means retaining alert and incident information so new alerts can be correlated against it. Without a sense of what has already happened, you’re fighting blind, allowing the same users, accounts, and devices to be targeted again and again.

If a SOAR tool has memory, it can identify these related events, such as the same user showing up in five different alerts in one week, and automatically flag them as high-risk. Without memory, these alerts could not be recognized as part of the same incident.


Smart SOAR needs to go beyond indicators of compromise (IOCs) to incorporate indicators of behavior (IOBs). Frameworks for attacker behavior, such as MITRE ATT&CK, provide valuable information with which to categorize, predict, and counteract attacks.

For MSSPs, this can make their operations more efficient, or enable new high-value services. If a SOAR tool can label alerts with ATT&CK techniques, this adds another layer to the analysis that users can perform to identify patterns, uncover larger attacks, and develop better rules to automatically dismiss or escalate alerts.

MITRE also publishes defensive measures for techniques. So, if your SOAR tool is tracking IOBs in the form of ATT&CK techniques, you can trigger automated response playbooks based on these best practices.


Smart SOAR needs to correlate across tools and data silos. Strangely, for a technology that prides itself on its integrations, a lot of SOAR workflows are segregated. An endpoint alert comes in, so the SOAR tool checks the IOCs, queries the EDR tool for some more information, and orchestrates a response.

In the real world, an endpoint security incident isn’t always limited to the endpoint, which should be reflected in how it is processed by the SOAR tool. For example, that alert could be correlated against firewall logs to find network activity related to the suspicious activity on the endpoint. This provides a more complete picture of an event and enables MSSPs — or their clients, depending on the services provided—to respond more effectively.


Why doesn’t every SOAR tool do all these things? Why aren’t all the tools “smart”? The answer is normalization. Every one of the elements we’ve discussed relies on data normalization. It isn’t sexy or exciting, but it is the cornerstone of smarter SOAR.

Data from each detection tool comes into SOAR in a different format. It is very difficult to collect and store that data in a consistent model. If your SOAR tool can achieve normalization, raw data from any device, tool, or log source can be presented to you in a single, normalized stream. This provides MSSP users with a huge advantage, including the enablement of the “smart SOAR” elements covered in this article.

Want to leverage memory of past incidents? You’ll need to normalize the fields for user, device, and account information across tools so that it can be retained and correlated without painstaking manual work.

Want to use IOBs to identify attacker techniques? You need normalized alert data that so that technique labels can be applied accurately.

Want to correlate across silos? You need to normalize the data so all your tools are speaking the same language.

What Smart SOAR Means for MSSPs

Lots of SOAR platforms can provide some relief from tedious work, but they can’t solve the biggest problems plaguing security operations. That means those platforms aren’t suitable for MSSPs. With a smart SOAR platform, MSSPs can futureproof their tool investments, provide better services to clients, and improve business outcomes.

D3 Security supports MSSPs around the world and enables high-value services with our NextGen SOAR platform. D3 Security supports full multi-tenancy, so you can keep client sites, data, and playbooks completely segregated. Importantly, we’re vendor-agnostic and independent, so no matter what tools your clients use, our unlimited integrations will meet their needs. The NextGen SOAR Event Pipeline can automate the alert-handling capacity of dozens of analysts, while reducing alert volume by 90% or more. Watch our case study video with Trifork Security to see how a successful MSSP uses NextGen SOAR.

Guest blog courtesy of D3 Security. Read more D3 Security guest blogs hereRegularly contributed guest blogs are part of MSSP Alert’s sponsorship program.