Gartner’s 2020 Market Guide for Security Orchestration, Automation and Response Solutions (Lawson, Bussa & Sadowski, September 21, 2020) was only released a few days ago, but it’s already become one of the most sought-after resources for security professionals evaluating SOAR.
You can download your very own copy here, courtesy of D3, one of the SOAR vendors covered in the market guide.
Gartner analysts Claudio Neiva, Craig Lawson, Toby Bussa and Gorka Sadowski have put together an undeniably well-researched report, offering an expert’s view of SOAR operations, SOAR vendors, and SOAR use cases. Most importantly, the content is focused on the needs of the many security professionals who are looking into SOAR (one Gartner analyst recently told me that 50% of their overall inquiries in 2020 have been from security managers and architects evaluating SOAR).
However, while the 2020 Gartner Market Guide for SOAR Solutions is overwhelmingly accurate, authoritative, and well written, I don’t agree with 100% of what the authors wrote. So, here are 8 Things Gartner Gets Right About SOAR (And 1 Thing They Get Wrong).
#1. The Basic Capabilities SOAR Tools Should Have
From the Market Guide: “Orchestration and automation, basic incident/case management, and operationalizing threat intelligence are “table stakes” for SOAR tools.”
Why Gartner Gets It Right: Orchestration and automation; incident/case management; and operationalizing threat intelligence essentially offer the basic recipe for process automation. Incident/case management ensures the process is correct, orchestration and automation accelerate the process, and threat intelligence improves decision-making throughout the process. Each element has value on its own, and when SOAR brings them together, the user can dramatically streamline almost any use case. So, for anyone looking at SOAR, these should be the minimum (but also much-needed) functionality requirements.
#2. SOAR’s Popularity with Managed Service Providers
From the Market Guide: “SOAR is also becoming ubiquitous in managed security and managed detection and response services by helping providers improve client interactions, speed and consistency when detecting and responding to threats.”
Why Gartner Gets It Right: MSSP and MDR providers are indeed flocking to SOAR, for the reasons Gartner correctly identifies. MSSPs whose clients have their own SOC can use SOAR integrations and user access controls to assign, manage, and report on events, and also collaborate on investigations. MSSPs also love the speed and efficiency gains SOAR provides, allowing for more aggressive KPIs and increased margins. In the case of D3’s NextGen SOAR Platform, the built-in MITRE ATT&CK correlation tools and dashboard have helped enable a highly differentiated, high-value service now offered by MSSP and MDR firms.
#3. Vendor Acquisitions are an Important Consideration
From the Market Guide: “Put a contingency plan in place in the event a SOAR vendor is acquired. Acquisitions are occurring frequently as the market evolves, and we note different paths after acquisitions for which buyers should be prepared.”
Why Gartner Gets It Right: Security operations, and especially incident response, are high-stakes functions. Acquisitions in the space have impacted product roadmap execution and integration projects. SOAR is all about unifying your security tools, so seamless integration and collaboration are crucial. If your SOAR vendor is owned by a company that also makes a firewall, an endpoint protection tool, and a SIEM, will they work closely with tools that are owned by their competitors? D3 is completely independent, and we’ll stay that way. No conflicts of interest, no incentives that might negatively impact our clients.
#4. SOAR as the Control Plane of the SOC
From the Market Guide: “The SOAR market continues to build toward becoming the control plane for the modern SOC environment, with the potential of becoming the control plane for a variety of security operations functions (e.g., vulnerability management [VM], compliance management and cloud security).”
Why Gartner Gets it Right: There isn’t much to say about this other than that it’s a great statement about the prominence that SOAR is growing into. I like that the authors mentioned vulnerability management, compliance, and cloud security specifically, as these are some of the many areas in which D3 is helping improve speed and efficiency through orchestration.
#5. SIEM is not Redundant with SOAR
From the Market Guide: “Although SIEM has been part of companies’ reality for some years, SOAR is a technology that complements SIEM for incident response.”
Why Gartner Gets it Right: We’ve said this before ourselves: just because you have a SIEM doesn’t mean you can skip SOAR. In fact, one of the most common use cases for a SOAR tool is streamlining the management of SIEM alerts. SOAR helps make your SOC more efficient by contextualizing SIEM alerts, flagging the risky incidents, and kicking off both simple and complex incident response playbooks.
#6. Phishing is the Archetypal Automation Use Case
From the Market Guide: “The most common use case mentioned by Gartner clients who are planning to implement, or who have already implemented an SOAR solution, is automating the triage of suspected phishing emails reported by end users. This is a classic example of a process that follows a repeatable process, dozens to hundreds of times per day, with the goal of determining whether the email (or its content) is malicious and requires a response. It is a process ripe for the application of automation.”
Why Gartner Gets it Right: For most companies, phishing represents both a high-volume threat and a complex workflow that often involves multiple tools and steps. In D3’s case, we are able to automate everything, from the phishing inbox and event enrichment, through malware analysis and incident conviction, to the endpoint and network security tasks. Not all customers choose a fully automated workflow; partial automation, which brings a human into the loop to confirm incidents and approve blocks or other actions, is very common.
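To make the phishing-triage workflow concrete (and the “table stakes” from #1: case management, enrichment with threat intelligence, and orchestrated actions), here is an added Python example. It is not D3’s code and not taken from the market guide; the in-memory threat-intel feed, the scoring thresholds, the action names, and the sample emails are all constructed for illustration. It shows the partial-automation pattern described above: the playbook quarantines the reported message on its own, but wider actions such as blocking the sender domain wait for an analyst unless the playbook is run with `auto_approve=True`.

```python
import email
import hashlib
import re
from dataclasses import dataclass, field
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed threat-intelligence feed. In a SOAR deployment these lookups go to
# the TI platform; here they are in-memory stand-ins so the example runs offline.
KNOWN_BAD_DOMAINS = {"login-verify-example.test"}
CONSTRUCTED_BAD_ATTACHMENT = b"constructed payload standing in for a malicious archive"
KNOWN_BAD_SHA256 = {hashlib.sha256(CONSTRUCTED_BAD_ATTACHMENT).hexdigest()}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Hypothetical action names: what the playbook may run unattended versus what an
# analyst must approve first (the partial-automation pattern).
AUTO_ACTIONS = ["quarantine_reported_message"]
APPROVAL_ACTIONS = ["block_sender_domain", "purge_from_all_mailboxes"]


@dataclass
class Case:
    """Minimal incident/case record with a timeline of what the playbook did."""
    case_id: str
    indicators: dict
    score: int = 0
    verdict: str = "undetermined"
    executed: list = field(default_factory=list)
    pending_approval: list = field(default_factory=list)
    timeline: list = field(default_factory=list)


def extract_indicators(raw: bytes) -> dict:
    """Pull the sender domain, URLs and attachment hashes out of a reported email."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = str(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].strip(" >").lower()
    urls, hashes = set(), set()
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            hashes.add(hashlib.sha256(part.get_payload(decode=True)).hexdigest())
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    return {"sender_domain": sender_domain, "urls": sorted(urls),
            "attachment_sha256": sorted(hashes)}


def enrich(case: Case) -> None:
    """Score the case against the feed; every hit is written to the case timeline."""
    ind = case.indicators
    if ind["sender_domain"] in KNOWN_BAD_DOMAINS:
        case.score += 50
        case.timeline.append(f"TI hit: sender domain {ind['sender_domain']}")
    for host in {urlparse(u).hostname for u in ind["urls"]}:
        if host in KNOWN_BAD_DOMAINS:
            case.score += 40
            case.timeline.append(f"TI hit: URL host {host}")
    for digest in ind["attachment_sha256"]:
        if digest in KNOWN_BAD_SHA256:
            case.score += 60
            case.timeline.append(f"TI hit: attachment {digest[:12]}...")
        else:
            case.score += 10  # unknown attachment: worth a look, not a conviction
            case.timeline.append(f"Unknown attachment {digest[:12]}... held for analyst")


def triage(raw: bytes, auto_approve: bool = False) -> Case:
    """Run the playbook end to end: intake -> enrich -> verdict -> orchestrate actions."""
    case = Case(case_id="CASE-" + hashlib.sha256(raw).hexdigest()[:8],
                indicators=extract_indicators(raw))
    case.timeline.append("Case opened from user-reported phishing inbox")
    enrich(case)
    if case.score >= 60:
        case.verdict = "malicious"
        case.executed.extend(AUTO_ACTIONS)
        if auto_approve:
            case.executed.extend(APPROVAL_ACTIONS)
        else:
            case.pending_approval.extend(APPROVAL_ACTIONS)
    elif case.score >= 20:
        case.verdict = "suspicious"
        case.pending_approval.append("analyst_review")
    else:
        case.verdict = "benign"
        case.timeline.append("Auto-closed: no indicators matched; reporter notified")
    return case


def build_sample(malicious: bool) -> bytes:
    """Constructed reported email for the demo; not a real message."""
    msg = EmailMessage()
    msg["To"] = "employee@corp.example"
    if malicious:
        msg["From"] = "Payroll <notice@mail-notice.test>"
        msg["Subject"] = "Action required: confirm your account"
        msg.set_content("Please sign in at http://login-verify-example.test/reset to keep access.")
        msg.add_attachment(CONSTRUCTED_BAD_ATTACHMENT, maintype="application",
                           subtype="zip", filename="invoice.zip")
    else:
        msg["From"] = "Partner <alex@partner.example>"
        msg["Subject"] = "Agenda for Thursday"
        msg.set_content("Agenda is at https://intranet.corp.example/agenda, see you then.")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        c = triage(build_sample(flag))
        print(c.case_id, c.verdict, c.score, c.executed, c.pending_approval)
```

The split between `AUTO_ACTIONS` and `APPROVAL_ACTIONS` is the design point: the hundreds-a-day part of the job (intake, hashing, URL extraction, feed lookups, opening the case) runs with no human involvement, while the actions that can disrupt the business stay behind an approval step until the team has enough confidence in the playbook to flip `auto_approve`.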
#7. The Differences Between Broad-Based and Product-Oriented SOAR
From the Market Guide: “What sets [broad-based SOAR] products apart is their ability to receive inputs from many other security products, and organize the SOC’s workflow. The vast majority of this type of product is also sold separately, maintaining a maximum interoperability level with other vendors, even if they are competing products, such as SIEM solutions.”
Why Gartner Gets it Right: The authors of the market guide wrote about how SOAR features are finding their way into different security tools, which they call “product-oriented SOAR”. D3 would be considered “broad-based SOAR”, meaning that we apply orchestration and automation across different tools, offering maximum functionality to the SOC. Having some automation functionality in tools is useful, but it’s no replacement for a single platform that can intake alerts and intelligence from numerous sources and orchestrate incident response across the entire environment.
#8. Low-Code/No-Code is Important
From the Market Guide: “When selecting a solution, SRM leaders should favor SOAR solutions that… Offer the capability to easily code an organization’s existing playbooks (using a low- or no-code model) that the tool can then automate, via an intuitive UI.”
Why Gartner Gets it Right: Low-code/no-code playbooks—what we call codeless playbooks—are hugely important for ensuring that clients get value out of their SOAR investments. They reduce maintenance costs, lower barriers to adoption within client organizations, and make SOAR available to teams that don’t have experienced Python coders on staff. D3 has been going codeless for a while now, and our latest release makes our Codeless Playbook Editor even more powerful. D3 Codeless Playbooks are covered in the market guide’s section on D3 Security.
What I Think They Got Wrong: The Current Limitations of SOAR
From the Market Guide: “Use cases to support security operations beyond threat monitoring and detection, threat intelligence, and incident response and threat hunting are still nascent.”
Why Gartner Gets it Wrong: Depending on how you interpret the word “nascent”, this assessment is probably true for some SOAR vendors. However, here at D3, we’ve been extending our orchestration and automation workflow far beyond the SOC for years. In fact, the vast majority of our clients have been able to use D3 SOAR to support use cases outside the ones listed in the market guide. These range from APM and cloud security, through our integrations with Datadog and AWS, to physical security-oriented use cases like laptop theft or enriching events with CCTV/VMS or access control data. Even cross-enterprise incident/case management, which brings investigators and specialists from across the enterprise into a single workflow, is among the standard use cases supported by D3. Are these capabilities nascent? Hard to say, but I know D3 customers have had a lot of success fielding these capabilities.
You can download Gartner’s complete 2020 Market Guide to Security Orchestration, Automation and Response Solutions here. If you want to learn more about how D3 is driving the next generation of SOAR, schedule a one-on-one demo today.
Source: Gartner, Market Guide for Security Orchestration, Automation and Response Solutions, Claudio Neiva, Craig Lawson, Toby Bussa, Gorka Sadowski, 21 September 2020.
Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.