SOAR tools: What to look for before investing in security automation 

Written by Aoife Anderson

Purchasing a Security Orchestration, Automation, and Response (SOAR) platform can be an overwhelming decision. If you make the right choice, this tool will be at the heart of your security team’s operations, taking data from different areas and running workflows to shut down threats before they have a chance to hatch! When making such a selection, there are many considerations, including time to value, ease of use, and, of course, pricing.

SOAR tools are often expensive, unnervingly brittle, and overly complicated. That’s ultimately why some believe that best-of-breed, standalone S-O-A-R software is disrupting various parts of the infosec stack thanks to “downward pricing pressure, robust workflow automation, and simplicity.”

To help you avoid some common pitfalls, here are five things to carefully consider before investing in a SOAR tool.

Real time to value 

Most SOAR vendors offer out-of-the-box playbooks for everyday use cases, which might seem like an ideal option at first glance. Ask around, and you’ll quickly learn that customization of these playbooks is, in fact, complicated and frequently requires purchasing additional professional service hours or other hands-on assistance.

Even with professional services, it can take a minimum of three to six months to get value from these solutions. It might not always be apparent, but the quality of integrations, and the vendor's approach to them, are often more important than the number of integrations on offer. App-based integrations typically need to be built and maintained by the vendor, which can take one to two months. If and when an integration breaks, the vendor will also need to fix it.

All of these things translate into additional time, which is somewhat unpredictable, and ultimately means you will lack control.

(It should go without saying that you and your team have a role to play here too. If you aren’t willing or able to invest the time and effort required to implement a SOAR tool, you will make even less progress.)

Ease of Use 

It’s surprisingly common for SOAR customers to have fewer than five use cases in operation in their first year.

The interfaces of some legacy tools can be very overwhelming and inaccessible for junior analysts. If your team has Python or other developer resources readily available, awesome! Unfortunately, if not, you won’t get much value from many SOAR vendors beyond what their professional services build for you.

If you’re using other tools built by competitors of a SOAR vendor, make sure they’re still willing to build out those integrations quickly so you can maximize return on your existing investments. 

Onboarding and customer support 

Ensure you have a clear understanding of the vendor’s onboarding process and customer support. Continuously tap your network for insights and feedback, and check out what people in the industry are saying on review sites like G2 and Gartner. Pay attention to frequent mentions of hidden costs, poor documentation, or other issues. 

Dig a little deeper into the vendor’s marketing site. There is usually an excellent reason why some SOAR vendors have little to no customer feedback or testimonials on display.

Recent innovation 

Unfortunately, according to research, acquisitions are often a killer for innovation. Be sure to ask the different vendors how their software has evolved, what new features are in the works, and quiz them on their current approach to integrations for new and emerging security tools.

Transparent pricing 

Most SOAR vendors tend to charge for data volume or the number of user licenses. The best tool for your team will depend mainly on the size of your organization and the tool’s ability to support you as you scale. Pricing based on the number of user licenses might seem preferable, but adding additional users later down the line can be very expensive, so try to think long-term.

Here at Tines, we believe in delivering flexible, robust, and well-tested solutions to our customers. To learn more about our automation platform, check out our Tines 101 webinar. Or, if you’re interested in evaluating Tines for yourself, sign up for our free, full-featured Community Edition.

With Tines, time to value is measured in days or weeks, and we're transparent about our pricing. And because Tines is a no-code solution built for security analysts and those on the frontlines performing the work, our customers typically have 20+ use cases in production in year one.
