Over the past few years, Security Orchestration, Automation, and Response (SOAR) tools have emerged as multi-faceted and ever-present components in a SOC, enabling security teams to centralize incident management, standardize processes, and reduce response times through automation.
Are you still unsure about SOAR, its drivers, implementation best practices, and future trends? Don’t panic! Gartner has released what we believe to be their most comprehensive research on the SOAR market to date. In their report – Market Guide for Security Orchestration, Automation and Response Solutions – Gartner tracks the growth of the market over the past few years, provides a representative list of SOAR vendors, and delivers advice that security practitioners should keep in mind while procuring SOAR tools.
In this blog, we’ll go through some highlights from the report and study Gartner’s recommendations for organizations looking to implement SOAR solutions in their SOC.
Rapid Market Growth
According to Gartner: “By year-end 2022, 30% of organizations with a security team larger than five people will leverage SOAR tools in their security operations, up from less than 5% today.”
This market growth will be driven by existing security challenges such as staff shortages and increasing alert volumes. The value proposition that SOAR provides will also drive adoption – namely, the need to improve alert triage quality, the need for centralized threat intelligence, and the need to reduce mundane analyst tasks.
All About Use Cases
We now know that SOAR products are the result of a convergence of three previously distinct technology sectors: security orchestration and automation, security incident response, and threat intelligence.
Gartner notes that this convergence continued into 2019, but states that SOAR tool deployment is now more use-case driven than ever. Which use cases an organization starts with depends on its maturity, the capabilities of the SOAR tool, and which processes are most ripe for early automation, among other things. According to Gartner:
“SOAR selection in 2019 and beyond is being driven by use cases such as:
- SOC optimization
- Threat monitoring and response
- Threat investigation and response
- Threat intelligence management”
Gartner also acknowledges the emergence of cloud security and non-security use cases, but maintains that these use cases are still at an early stage.
Our View on Gartner's SOAR Advice
Based on their reading of the industry, Gartner has compiled some guidelines for security practitioners to follow while selecting and deploying SOAR tools. Here are what we believe to be the highlights:
- SOAR implementation should be driven by use cases. For example, do you value case management? Or do you already have a ticketing system and consider threat investigation more valuable?
- Organizations should be able to easily code/port any existing playbooks into SOAR tools for automation, either via UI or scripts.
- Organizations should look for SOAR tools that optimize analyst collaboration through either in-product chat capabilities or incident management.
- SOAR tools that have predictable pricing models should be preferred. Gartner suggests avoiding price structures based on data volumes or number of playbooks run, as these metrics place a penalty on more frequent use of the SOAR tool.
- SOAR tools that offer flexibility in deployment and hosting should be preferred. SOAR tools with cloud-based, on-premises, and hybrid deployment options will be able to adapt to organizations’ evolving infrastructures.
If you’re interested in learning about how Demisto maps with Gartner’s SOAR recommendations based on their 2017 research, you can view the infographic below.
Gartner, Market Guide for Security Orchestration, Automation and Response Solutions, Claudio Neiva, Craig Lawson, Toby Bussa, Gorka Sadowski, 27 June 2019
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.