Last month, Gartner published what we believe to be their most comprehensive research on the Security Orchestration and Automation market to date. In their report, Innovation Insight for Security Orchestration, Automation, and Response (or SOAR), Gartner tracks the evolution of the market over the past few years, coins the term SOAR as a convergence of hitherto different technologies, and describes should-have components for ideal SOAR solutions.
Here, we’ll go through some highlights from the report and discuss which functional components users should look for in SOAR solutions going forward.
SOARing Market Growth
According to Gartner, the share of organizations with security teams larger than five people that will leverage SOAR tools for orchestration and automation will rise from less than 1% today to 15% in 2020. As the security skills shortage persists, alert numbers and attack vectors grow, and product proliferation continues, more organizations will consider SOAR solutions to unlock the full potential of both their analysts and security product suite.
After studying the progress of the market over the past few years, Gartner is witnessing a convergence of three previously distinct technology sectors: security orchestration and automation, incident management and response, and threat intelligence.
With time, users will realize that security orchestration and automation platforms with native incident management and basic built-in threat intelligence form the most efficient nerve centers for SOCs, enabling incident resolution with the highest fidelity, the most robust documentation, and the least dead time.
What Drives SOAR
The chief drivers for SOAR technologies that Gartner identifies are staff shortages, alert fatigue stemming from a surfeit of sources, the increasingly destructive nature of threats, and the need for a central repository and action center for SOCs.
While the first two drivers are purely security concerns, the latter two intersect security with overall business metrics. Destructive threats can cause massive financial loss to organizations, and CISOs face pressure to show tangible returns on security investments. SOAR solutions have the potential to strike an ideal balance between improving security posture and reducing business risk.
Mapping Functional Components
Gartner has prescribed four should-have components for SOAR solutions and summarized the capabilities within each. The components are orchestration, automation, incident management and collaboration, and dashboards and reporting.
This is a logical outcome of the technology convergence covered earlier in this blog. While each component set is distinct in features, requirements, and benefits, they feed into each other in a virtuous cycle and form pieces of the complete SOAR jigsaw.
Going forward, users will prefer SOAR solutions that span all four of these security functions, either natively in the platform or through seamless third-party integrations. As these tools continue to form the central consoles for security operations, flexibility will be vital. An ideal SOAR solution will be able to satisfy disparate user sets (analyst, SOC manager, CISO) and handle use cases with varying levels of complexity.
If you’re interested in learning more about Demisto’s approach to SOAR, we invite you to schedule a live demo.