The Gartner 2020 Market Guide for Security Orchestration, Automation and Response

Gartner still hasn’t released a SOAR Magic Quadrant yet and hasn’t given a timeline for releasing one. But with extended detection and response solutions and security automaton being listed as the top 2 security trends in the “Gartner Top 9 Security and Risk Trends for 2020”, SOAR is clearly something that they consider to be important.

The 2020 Gartner Market Guide for Security Orchestration, Automation and Response Solutions, authored by Claudio Neiva, Toby Bussa, Gorka Sadowski and Craig Lawson, offers valuable perspective on why organizations need to prioritize security automation, the challenges that can hamper its implementation, and the evolution of SOAR platforms as they adapt to meet threat detection and response needs. It also offers brief, unbiased descriptions of a number of representative vendors.

There is also additional information to help you understand how the security automation that SIEMs and other security solutions offer may have specific applicability but are not an adequate replacement for a dedicated SOAR solution.

You can register to access your complimentary copy of the report here.

Gartner Market Guide 2020

What is SOAR, really (according to Gartner)?

For those who aren’t familiar with how a SOAR solution is different from security platforms that offer at least limited security automation and orchestration capabilities, let’s start with a quick primer on the “table stakes” capabilities for SOAR as defined by Gartner.

Security Orchestration —This is a key SOAR solution capability that refers to how different technologies can be integrated by the SOAR solution to work together by coordinating the exchange of relevant security and threat data. Security orchestration allows security teams to get more value and greater efficiency out of their security stack by allowing previously disparate systems to work together, delivering deeper threat detection for a broader range of attacks, while reducing the need to bounce between platforms during the incident response process.

Security Automation —This is how the SOAR solution makes machines perform task-oriented “human work”, like sending an IP address to a threat intelligence platform for analysis, or automatically disabling a user’s account in response to verified malicious activity.

Incident management and collaboration —This is the platform’s ability to deliver end-to-end incident management capabilities by centralizing and coordinating the detection and response process, including built-in collaboration capabilities using integration with Slack or other tools.

Dashboards and reporting —Data’s only as valuable as your ability to understand what it means. Any SOAR is expected to collect and report on security operations metrics and deliver dashboards with clear data visualization to quickly understand key detection and response details and trends.

Threat Intelligence —The ability to ingest threat intelligence in multiple forms and formats, to store and enrich that data and the ability facilitate secure exchange of threat intelligence outside of and within an organization.

A few observations on the 2020 SOAR Market Guide

Key Findings

Large security teams with well-established and tested processes to automate are main buyers for SOAR platforms. And that makes a lot of sense. An organization that lacks the time and/or resources to create and validate security automation playbooks isn’t going to be able to implement a SOAR solution on their own.

Gartner also observes that SOAR is becoming ubiquitous in managed security and MDR because of its ability to facilitate better client interactions with faster and more consistent results. Again, this isn’t surprising. MDRs and MSSPs are built on the strength of their processes and their ability to deliver high quality, consistent value to their customers. In order to do that cost effectively, security automation is critical.

Gartner also makes several observations about the maturity of existing deployments, and recommendations about what to consider and how to get started with a new SOAR deployment.

Differences with Adjacent Technologies

One notable addition to this year’s market guide is that it addresses how established an established software (SIEM) and an emerging technology (XDR) deliver security orchestration and automation capabilities and why SOAR is still more effective for addressing a greater number of use cases.

SIEM (established market)

  • SIEM aggregates and analyzes while SOAR takes alerts and develops a response to decide if an alert is an incident
  • SOAR allows better decisions and faster response, and potentially automate the best workflow to response to the incident

XDR (emerging market)- extended detection and response solutions are listed as a top security trend for 2020

  • Vendor created to provide better user experience around multiple, threat-focused security technologies
  • These are considered SOAR-lite by Gartner because they are vendor platform focused with limited customizability

“Although XDR and SIEM have similar use cases, buyers who prefer the best-of-breed approach will find capabilities that can provide flexibility, vendor-neutrality and room for non security use cases with broad-based SOAR solutions.”

A look at past SOAR Market Guides

Looking at past versions of the Gartner SOAR Market Guides is also useful for tracking how the market has evolved and how vendors are adapting to meet your requirements.

Why people are evaluating and implementing SOAR

  • Staff shortages
  • Continued evolution of threats and increases in volume
  • Improving alert triage quality and speed
  • Need for a centralized view of threat intelligence
  • Reducing time to respond, contain and remediate
  • Reducing unnecessary, routine work for the analysts

According to Gartner, SOAR solutions are steadily gaining traction in real-world use to improve security operations. And while the market includes a broad range of solutions, a true SOAR platform will support the SOC environment by making incident processes more efficient and accurate through the automation of common sub-tasks or an entire workflow.

At a minimum, Gartner says that a SOAR should include (but not be limited to) the following capabilities:

  • Orchestration-how different technologies are integrated to work together
  • Automation-making machines perform task-oriented “human work”
  • Incident management and collaboration-end-to-end management capabilities of an incident
  • Dashboards and reporting-visualizations and the ability to collect and report on metrics
  • The ability to ingest threat intelligence in multiple forms and formats, to store and enrich that data and the ability facilitate secure exchange of threat intelligence outside of and within an organization.

LogicHub addresses these capabilities in a number of ways.

Alert Triage and Prioritization: LogicHub’s open API framework integrates with virtually any product to take both alert and raw event inputs. We have hundreds of out-of-the-box integrations, commit to delivering new integrations within two weeks, and have an in-playbook request process that delivers new actions for integrated products within 1 to 3 days. LogicHub’s comprehensive approach to security automation delivers automated threat detection, alert triage, and incident response within a single platform. Our intelligent automation engine uses machine-learning enhanced automated decision making at scale to analyze, investigate and triage millions of alerts and events per day for faster MTTD and MTTR.

Security Orchestration and Automation: LogicHub’s playbooks can coordinate any combination of automated and manual processes, working with any abv

Case Management and Collaboration: Having to bounce between screens and products during an incident is inefficient at best. Cases within LogicHub’s case management system include all relevant event context, recommended actions, one-click automated responses, an auto-populating command line response to execute ad hoc commands, analyst comments, relevant attachments, comprehensive incident response timeline tracking, and integration with Slack and other communications tools.

Dashboards and Reporting: LogicHub delivers out-of-the-box content for dashboards and reporting that deliver a combination of KPI-level metrics and detailed incident tracking Dashboards and reports can also be easily created or cloned leveraging data points from our own platform or other data sources. A broad range of configurable visualization options display data in the most relevant and informative format.

Threat Intelligence: LogicHub can integrate with any open source and commercial threat intelligence platform and/or feed. Automated playbooks can leverage this data for automated investigations decision making, alert triage, risk scoring, case enrichment and virtually any other relevant use. This data is automatically aggregated and enriched in the most optimal way for each individual use case. Security analysts and end users can be automatically queried for additional input to add great threat context to any alert or case. LogicHub also has out-of-the-box integrations to feed intelligence directly to any open source or commercial threat intelligence platform.

LogicHub’s SOAR+ platform delivers automated alert triage, threat detection and incident response in whatever form factor works for you, including cloud native, on-premise or via fully managed SOAR-as-a-service.

If you’d like to learn more about how LogicHub can deliver security automation in a way that makes sense to your organization, schedule a demo.


Related Posts

May 20, 2022 Willy Leichter

Automating Threat Detection: Three Case Studies

Demystifying the technology with case studies of AI security in action Many automation tools, such...

Learn More

May 17, 2022 Willy Leichter

It's Time to Put AI to Work in Security

While we’ve been talking about and imagining artificial intelligence for years, it only has...

Learn More

May 15, 2022 Tessa Mishoe

LogicHub Security RoundUp: May 2022

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be...

Learn More

May 9, 2022 Tessa Mishoe

Bad Luck: BlackCat Ransomware Bulletin

Blackcat Ransomware On April 19th of 2022, the FBI Cyber Division released a flash bulletin...

Learn More

May 6, 2022 Kumar Saurabh

Let Humans Be Humans and AI Be AI

LogicHub’s unique decision automation technology can build clients the ultimate security playbook...

Learn More

May 3, 2022 Kumar Saurabh

How to Build a Threat Detection Playbook In 15 Minutes or Less

Automating a threat-hunting playbook with the help of AI Many threat-hunting playbooks we build for...

Learn More

April 29, 2022 Tessa Mishoe

Integrating Better: What Can Integrations Do For Me?

Introduction Within the realm of security, there are many different toolsets and opinions on what...

Learn More

April 27, 2022 Willy Leichter

Beyond No-Code: Using AI for Guided Security Automation

SOAR Playbooks Outside of football, the term “playbook” is well understood by a relatively small...

Learn More

April 21, 2022 Willy Leichter

Goodbye Lonely SIEM, Hello MDR

When updating your systems from a pure Security Information Event Management (SIEM), choosing the...

Learn More

April 15, 2022 Tessa Mishoe

LogicHub Security Roundup: April 2022

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be...

Learn More