Cybersecurity Monitoring

Is the Respond Analyst a SOAR Tool?

Matt Eberhart
by Matt Eberhart
category Cybersecurity Monitoring

The theme at this year’s RSA conference was “the Human Element,” which naturally means there was lots of talk about automation. Automation, used well, allows human security analysts to focus their efforts and attention on higher-value activities by taking over the mundane and repetitive parts of the incident response workflow. When it goes awry, however, automation creates a ton of work for security analysts—they’ll spend countless hours writing playbooks and trying to keep the automations working. Security operations automation software can have the biggest impact when it’s used to investigate high volumes of alerts, enriching them with additional data, and scoping them into true incidents for human responders. The best automation software applies its automation at the right time automatically, instead of becoming yet another tool that must be adapted to your environment.

Automation promises to speed incident response times, solve chronic problems posed by the scarcity of skilled cybersecurity professionals, and realize unprecedented efficiencies. It’s the key to securing today’s increasingly complex IT infrastructures in the face of ever-more prevalent and sophisticated threats. So it’s no wonder that automation has been the subject of so many conversations lately.

While there are lots of point products that automate specific processes within security operations (such as vulnerability scanners, for instance), comprehensive automated solutions that aggregate alerts and data from multiple sources are less common. When many security professionals think of this type of solution, what comes to mind are security orchestration, automation and response (SOAR) tools. SOAR tools promise to bring the benefits of automation, but the work required to build and maintain playbooks can be considerable. SOAR is a lot like a box of Legos. There’s potential to build something really cool, but in reality, it can take a ton of work to do it. There’s no prospect of immediate relief for overworked security teams.

Because this solution category is now well known, and the Respond Analyst is (let’s face it) unlike anything else on the market today, our team has gotten the same question over and over again: is the Respond Analyst a SOAR tool?

Our answer is a qualified “yes.” We are an automated SOAR. But we’ll explain further. We’ll also discuss how the Respond Analyst can reduce costs and benefit the business in ways that go above and beyond what SOAR can do.

What, exactly, is a SOAR solution, anyway?

The term SOAR was coined by analyst firm Gartner to describe the convergence of threat and vulnerability management, incident response and security operations workflow orchestration tools into a single automated platform. This category represents an amalgamation of discovery and incident response functionalities into a solution stack that’s able to collect threat intelligence from multiple sources and initiate playbooks in response to certain security events without human intervention. Gartner predicts widespread adoption of SOAR platforms among mature SecOps programs, with an estimated 30 percent of organizations with security teams larger than five forecast to implement SOAR tools by late 2022.

There are good reasons for the growing popularity of SOAR tools. They promise to improve security teams’ ability to manage individual security incidents, increase possibilities for collaboration, and integrate with security information and event management (SIEM) software and other tools and solutions.

In essence, SOAR tools can be programmed to perform a number of security analyst functions, both upstream and downstream of incidents. They’re designed to reduce the amount of work that security analyst teams perform manually, saving time and lessening the burden of performing repetitive incident response procedures over and over again.

If we think of SOAR platforms as tools that make it easier to respond to security events, then yes, the Respond Analyst can indeed be considered a SOAR solution.

More like cousins than identical twins: The Respond Analyst vs. SOAR

When we talked about how SOAR tools can be programmed to perform a number of workflow automation tasks that human security analysts are doing manually in many security operations programs today, the operative word was “programmed.” SOAR platforms require a great deal of programming in order to translate their theoretical promise into real-world operational efficiencies.

For many security teams, this is a resource-intensive process that demands many hours of labor to build playbooks and develop custom integrations. That’s why SOAR solutions are best suited for use in mature security operations programs: these organizations have the largest number of skilled employees, and (ideally) the most time to spend on complex engineering tasks.

The Respond Analyst is like a SOAR solution, minus the need for all that development and engineering. Whereas SOAR tools are decidedly not “plug and play,” the Respond Analyst is able to reason through all the alert data that’s collected in your environment on its own. There are no rules or playbooks, and there’s nothing to configure. Out of the box, the Respond Analyst is ready to detect and escalate only those incidents that are malicious and actionable. The difference is that we’ve moved from workflow automation to reasoning and decision automation. The Respond Analyst understands the products, alerts, and enrichment sources in your environment and knows when and how to put the puzzle together.

While SOAR tools are capable of automating parts of the incident response component of the security incident workflow, the Respond Analyst fully automates the discovery portion of that workflow. And while SOAR solutions necessitate coding, customization, and many rounds of adjustment and maintenance, the Respond Analyst arrives in your SecOps workflow already prepared to handle millions of events per day, and already capable of escalating only those that are truly worthy of human attention.

Want to reduce your budget and save time? Automate incident discovery and triage with the Respond Analyst

Security monitoring—the part of the security incident workflow where potential threats are investigated and their seriousness is prioritized—isn’t readily amenable to the kinds of labor-intensive, manual playbook-building that SOAR solutions demand. In part, this is because threat actors are endlessly inventive. They’ve already thought up thousands of different attack tactics and strategies, and they’re constantly trying to find new ones. When an automated solution is based on probabilistic mathematics, it’s scientifically engineered to discover what’s most likely to be true on the basis of data sets too large for the human brain to process.

This means that the Respond Analyst can perform incident discovery and triage at scale far more efficiently than a SOAR tool. The result is that smaller teams can accomplish more. You can move your Tier 1 analysts up into Tier 2 roles, increasing the security team’s capabilities without increasing your budget.

For organizations of any size that are looking to do more with less in today's business climate, the Respond Analyst SOC automation tool offers the many benefits of security automation at a small fraction of the ongoing labor costs that you'd incur with a SOAR tool. It's a win for the CISO, the security operations program, and the business as a whole.

Want to learn more about how the Respond Analyst can be integrated into your existing security solution stack? Check out our extensive list of supported technologies. Or watch this video, in which Matt Eberhart explains how we are—and aren’t—like a SOAR solution.