Sophos adds SOAR capability to MTR and XDR solutions through Refactr acquisition

Refactr had been selling their platform for DevSecOps automation, and while it is good at that, the same capabilities also make it ideal as a SOAR platform, Sophos says.

The Refactr automation of CIS-CAT assessments for the Center for Internet Security

Cybersecurity vendor Sophos has announced their third acquisition in a month, all of them aimed at extending the capabilities of the Sophos Adaptive Cybersecurity Ecosystem [ACE], their next-gen data platform that was released this spring, and which is now the base for their MTR [Managed Threat Response] and XDR [Extended Detection and Response] offerings. The acquisition of Seattle-based startup Refactr, like the earlier ones of Braintrace and Capsule8, strengthens ACE, in this case by further automating the platform and making possible the addition of SOAR [Security Orchestration Automation and Response] capabilities.

“This is the culmination of many years of vision and development,” said Joe Levy, Sophos’ CTO. “All along, we had been intending to build robust automation into the ACE platform. We wanted to make it more broadly accessible and more easily programmable. And rather than build automation through coding, we wanted a low-code or no-code approach to automating security workflows. The addition of this technology will make security automation more efficient, reduce errors and provide better scale, and reduce the load on humans.”

Refactr has been selling their solution as a DevSecOps automation platform that makes it easier to bring cybersecurity into DevOps. It lets DevOps teams augment their existing continuous integration, continuous delivery and continuous deployment workflows, and allows cybersecurity teams to use the platform’s visual drag-and-drop builder.

“Refactr sold their solution into the DevSecOps market specifically, and while it is good for that, its capabilities also make it ideal as a SOAR solution, which is how Sophos will position it primarily,” Levy indicated.

“They never attempted to position themselves as a SOAR company but they created a set of capabilities that are in many ways a superset of what SOAR does,” he added. “They have a low-code interface that allows prepackaged integrations with touch points within an ecosystem, like AWS, GitLab, GitHub, and a firewall. If something presents an API, they can create a very rapid integration to create logical linkages. That kind of potential lends itself to DevSecOps applications, and to security orchestration and response. It’s the same set of motions, created very elegantly.”

Refactr’s customers included the Center for Internet Security.

“Selling the solution as a DevSecOps enablement platform, they worked with the Center for Internet Security on a CIS-CAT project where vendors can prescribe a certain configuration state, with their role being to automate the CIS-CAT evaluation,” Levy noted.

Levy sees a positive differentiation between the approach taken by Refactr, and that taken by other SOAR vendors, most of which have now been acquired by larger companies like Splunk and Palo Alto Networks.

“The extent to which Refactr has supported the open source community is different,” he said. “They started off as a DevSecOps community, not a commercial closed mentality like many SOARs started with. The other differentiation is the programmability of the platform. When we did our internal evaluation, we used a commercial SOAR product internally. We took our most complex workflow, and asked if we could reproduce it with Refactr. They were able to do it in about two days. Even though it didn’t have the off-the-shelf integration with these workflows, we were able to reproduce them because of the programmability of the platform with its low-code drag-and-drop interfaces. Refactr was able to imagine more complex workflows than had been imagined by the vendors.”

“Integrators will be able to help to automate the process and bring baskets of vendors into desired certification states in the same way,” Levy pointed out. “This is just one of many channel use cases.”

Levy noted that Refactr had been on Sophos’ radar for a while.

“I’ve known the CEO and cofounder Mike Fraser for years,” he said. “He’s an outspoken personality with a passion for moving the industry forward around DevSecOps. We had kept in touch over the years, and when our ACE became a reality this year, I knew it was time to pull the trigger and bring the automation capabilities from Refactr in.” Refactr’s entire team of developers and engineers has joined Sophos.

The go-to-market strategy for the new acquisition will roll out in stages until early 2022.

“We will begin working on a rebranded version, which will continue to serve their customers, and that will keep us busy for the next quarter or two,” Levy said. “That will be the basis for the ACE integration. The first manifestation there will be to make our MTR better, and then the XDR. By early 2022, it will be a user-accessible option within the MTR offering.”