October 23, 2020 Kevin Broughton
The Gartner 2020 Market Guide for Security Orchestration, Automation and Response
Gartner still hasn’t released a SOAR Magic Quadrant and hasn’t given a timeline for releasing one. But with extended detection and response solutions and security automation listed as the top two security trends in the “Gartner Top 9 Security and Risk Trends for 2020”, SOAR is clearly something that they consider important.
The 2020 Gartner Market Guide for Security Orchestration, Automation and Response Solutions, authored by Claudio Neiva, Toby Bussa, Gorka Sadowski and Craig Lawson, offers valuable perspective on why organizations need to prioritize security automation, the challenges that can hamper its implementation, and the evolution of SOAR platforms as they adapt to meet threat detection and response needs. It also offers brief, unbiased descriptions of a number of representative vendors.
There is also additional information to help you understand how the security automation that SIEMs and other security solutions offer may have specific applicability but is not an adequate replacement for a dedicated SOAR solution.
You can register to access your complimentary copy of the report here.
For those who aren’t familiar with how a SOAR solution is different from security platforms that offer at least limited security automation and orchestration capabilities, let’s start with a quick primer on the “table stakes” capabilities for SOAR as defined by Gartner.
Security Orchestration — This is a key SOAR solution capability that refers to how different technologies can be integrated by the SOAR solution to work together by coordinating the exchange of relevant security and threat data. Security orchestration allows security teams to get more value and greater efficiency out of their security stack by allowing previously disparate systems to work together, delivering deeper threat detection for a broader range of attacks while reducing the need to bounce between platforms during the incident response process.
Security Automation — This is how the SOAR solution makes machines perform task-oriented “human work”, like sending an IP address to a threat intelligence platform for analysis, or automatically disabling a user’s account in response to verified malicious activity.
Incident Management and Collaboration — This is the platform’s ability to deliver end-to-end incident management capabilities by centralizing and coordinating the detection and response process, including built-in collaboration capabilities through integration with Slack or other tools.
Dashboards and Reporting — Data is only as valuable as your ability to understand what it means. Any SOAR is expected to collect and report on security operations metrics and deliver dashboards with clear data visualization so that key detection and response details and trends can be understood quickly.
Threat Intelligence — The ability to ingest threat intelligence in multiple forms and formats, to store and enrich that data, and to facilitate the secure exchange of threat intelligence within and outside of an organization.
Large security teams with well-established and tested processes to automate are the main buyers of SOAR platforms. That makes a lot of sense: an organization that lacks the time and/or resources to create and validate security automation playbooks isn’t going to be able to implement a SOAR solution on its own.
Gartner also observes that SOAR is becoming ubiquitous in managed security and MDR because of its ability to facilitate better client interactions with faster and more consistent results. Again, this isn’t surprising. MDRs and MSSPs are built on the strength of their processes and their ability to deliver high-quality, consistent value to their customers. To do that cost-effectively, security automation is critical.
Gartner also makes several observations about the maturity of existing deployments, and recommendations about what to consider and how to get started with a new SOAR deployment.
One notable addition to this year’s market guide is that it addresses how an established technology (SIEM) and an emerging technology (XDR) deliver security orchestration and automation capabilities, and why SOAR is still more effective for addressing a greater number of use cases.
SIEM (established market)
XDR (emerging market) – extended detection and response solutions are listed as a top security trend for 2020
“Although XDR and SIEM have similar use cases, buyers who prefer the best-of-breed approach will find capabilities that can provide flexibility, vendor-neutrality and room for non security use cases with broad-based SOAR solutions.”
Looking at past versions of the Gartner SOAR Market Guides is also useful for tracking how the market has evolved and how vendors are adapting to meet your requirements.
Why people are evaluating and implementing SOAR
According to Gartner, SOAR solutions are steadily gaining traction in real-world use to improve security operations. And while the market includes a broad range of solutions, a true SOAR platform will support the SOC environment by making incident processes more efficient and accurate through the automation of common sub-tasks or an entire workflow.
At a minimum, Gartner says that a SOAR should include (but not be limited to) the following capabilities:
LogicHub addresses these capabilities in a number of ways.
Alert Triage and Prioritization: LogicHub’s open API framework integrates with virtually any product to take both alert and raw event inputs. We have hundreds of out-of-the-box integrations, commit to delivering new integrations within two weeks, and have an in-playbook request process that delivers new actions for integrated products within 1 to 3 days. LogicHub’s comprehensive approach to security automation delivers automated threat detection, alert triage, and incident response within a single platform. Our intelligent automation engine uses machine-learning-enhanced automated decision making at scale to analyze, investigate and triage millions of alerts and events per day for faster MTTD and MTTR.
Security Orchestration and Automation: LogicHub’s playbooks can coordinate any combination of automated and manual processes, working with any abv
Case Management and Collaboration: Having to bounce between screens and products during an incident is inefficient at best. Cases within LogicHub’s case management system include all relevant event context, recommended actions, one-click automated responses, an auto-populating command line response to execute ad hoc commands, analyst comments, relevant attachments, comprehensive incident response timeline tracking, and integration with Slack and other communications tools.
Dashboards and Reporting: LogicHub delivers out-of-the-box content for dashboards and reporting that combines KPI-level metrics with detailed incident tracking. Dashboards and reports can also be easily created or cloned using data points from our own platform or other data sources. A broad range of configurable visualization options display data in the most relevant and informative format.
Threat Intelligence: LogicHub can integrate with any open source or commercial threat intelligence platform and/or feed. Automated playbooks can use this data for automated investigation decision making, alert triage, risk scoring, case enrichment and virtually any other relevant use. This data is automatically aggregated and enriched in the way best suited to each individual use case. Security analysts and end users can be automatically queried for additional input to add further threat context to any alert or case. LogicHub also has out-of-the-box integrations to feed intelligence directly to any open source or commercial threat intelligence platform.
LogicHub’s SOAR+ platform delivers automated alert triage, threat detection and incident response in whatever form factor works for you, including cloud-native, on-premises or fully managed SOAR-as-a-service.
If you’d like to learn more about how LogicHub can deliver security automation in a way that makes sense to your organization, schedule a demo.
© 2017-2022 LogicHub®. All Rights Reserved.