Why Independent SOAR Beats SIEM With Integrated SOAR

The 2022 edition of the Gartner® Magic Quadrant™ for Security Information and Event Management (SIEM) includes SOAR among the four capabilities. Threat intelligence platform (TIP), user and entity behavior analytics (UEBA), and long-term data storage and reporting (greater than 365 days) are the other capabilities. We feel the latest Gartner Market Guide for SOAR provides some context to this shift, noting that security technologies such as SIEM, XDR, and email security are introducing capabilities particular to security orchestration and automation (SOA). Several SIEM vendors have made SOAR acquisitions over the past two years, while many others are looking to build out SOAR capabilities of their own.

Many vendors on the market today claim to offer a full suite of capabilities to differentiate themselves from others in the market. But these so-called “full suite” solutions lack critical capabilities compared to the best solutions in the market. As a security leader, we understand that you have a lot of choices in SIEM solutions. But we also know that you want to ensure you receive the best available solution that is tailored to your organization’s needs. Does it make sense then, for you to evaluate SIEM solutions on a quadrant of four capabilities that may be found in other product categories?

Many Minefields, from Licensing Options to Limited Integrations

Security architects should pore through the Cautions section in the report when choosing a SIEM with integrated SOAR solution to meet their security needs. Integrated SOAR doesn’t mean that the SOAR is free. Licensing based on Events Per Second (EPS) or volume may further impair your visibility across the ever-growing attack surface because you must decide what may be relevant rather than deciding if it is truly relevant once the data has been assessed.

There is a lot to consider when thinking of SIEM and SOAR from the recent Magic Quadrant for Security Information and Event Management, especially when reading between the lines. In the absence of an easy-to-use platform and codeless playbooks, vendors may even go so far as to provide complementary available service offerings to support operational monitoring of the SIEM and design and development of SOAR playbooks.

Taking a step back, and reviewing what we have learned, it is probably worth noting the benefits of an independent, as opposed to integrated, SOAR that D3 can provide today. Some of the best-of-breed features that NextGen SOAR brings to the table include:

Event Pipeline: Unlock Hyperautomation in your SOC

NextGen SOAR’s Event Pipeline provides a solution to the problem of false positive alerts in security detection systems. This global event playbook normalizes, de-duplicates, and dismisses or escalates security warnings. Only genuine threats are left for responders to handle thanks to the technology that unlocks hyperautomation capabilities in your SOC. Some of our customers have reduced alert volume by up to 98%.

NextGen SOAR Playbooks: Optimized for Speed

The playbook capabilities of NextGen SOAR are advanced, allowing SOC resources to create, edit, test, and publish playbooks in minutes without any coding knowledge. SOC teams can deploy playbooks to manage use cases such as phishing, ransomware, vulnerability management, and more using out-of-the-box playbooks and hundreds of integrations. They’re optimized for speed: One of our customers reported an 80% reduction in playbook execution time after switching from another SOAR tool to NextGen SOAR. Our playbook execution speed optimizations boost your operational efficiency as well as your cybersecurity posture.

Unlimited SOAR Integrations

As an independent SOAR vendor, we enjoy good relationships with other cybersecurity companies, as they see no conflict of interest when working with us. Our SOAR integrations are not community-built like some of our competitors. The industry’s largest internal development team works full-time to keep all our integrations current and fully featured. If necessary, they can quickly build out new and custom integrations with any vendor not on our technology partner list. For example, we recently worked on a custom helpdesk integration with a global MDR provider that enabled them to streamline their customer onboarding process down to a nine-click process that takes less than five minutes.

Case Management with Role-based Access Control (RBAC)

Enable cross-functional teams to work together on a case. Analysts can submit notes, interviews, and other time-stamped artifacts as the case’s scope widens and changes to manage and document it. NextGen SOAR’s incident management capabilities include instant messaging and email integration, which improve collaboration and quicken incident response times. RBAC enables analysts to work on insider threat situations without jeopardizing their ability to maintain confidentiality.

Why SOAR Should Be Independent

Pure-play SOAR is a great strategic hedge against vendor lock-in, allowing enterprises to choose their own security stack today and in the future. It gives you the freedom to choose the best components in each security domain. By offering a “hot-swappable” architecture, D3’s NextGen SOAR platform enables you to literally drag and drop security technologies in and out of the playbook without disrupting your security operations.

When you buy SOAR from a conglomerate as a part of a bundle, they are unlikely to be receptive to integrating their SOAR platform into a security stack that includes technologies owned by their competitors. Many of these conglomerates have added SOAR to their product portfolio through acquisitions just to tick a box. We also regularly hear from customers that SOAR companies that have been acquired stop being innovative as they lose motivation and skin in the game.

Don’t just take our word for it. Here’s a quote from 2022 Gartner Market Guide for SOAR: “Generally speaking, SOAR products must be vendor-agnostic to maintain their best value proposition. This is due to the need for integration, and this will be the reality for some time. Independent solutions will continue to do a better job with their singular focus on roadmap execution and will be better at being ‘vendor-neutral’ with available integrations.”

When partnering with an independent SOAR vendor such as D3 Security, you can be assured that our only priority is helping you succeed with your deliverables. We empower you to seamlessly integrate with any third-party data using open interfaces and protocols. Vendor-neutral SOAR can help make your SOC operations more resilient and poised to migrate to emerging technologies and paradigms such as zero trust, SASE, and XDR.

Gartner, Market Guide for Security Orchestration, Automation and Response Solutions, By Craig Lawson, Al Price, 13 June 2022

Gartner, Magic Quadrant for Security Information and Event Management, By Pete Shoard, Andrew Davies, Mitchell Schneider, 10 October 2022

Gartner and Magic Quadrant are registered trademarks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Social Icon
Severin Collins

Severin Collins is passionate about cybersecurity and loves what he does. His experience includes enterprise security management/monitoring, technical pre-sales, risk assessment and analysis, technical training and support, as well as leadership and team management. As D3 Security’s Director of Sales Engineering for Europe he is responsible for pre-sales activities that solve real customer problems and improve SOC effectiveness. Severin has over 20 years of experience in Information Security working for global brands such as McAfee International, Palo Alto Networks, NTT Security, and LogRhythm Inc. to name a few, mainly covering Germany, Austria, and Switzerland (D/A/CH), and the Nordics, as well as the UK where he is based.