SIEM and SOAR – Will They or Won’t They?

A considerable percentage of SIEM vendors share a vision for how to help security operations centers deal with the high volume and complexity of security attacks. These vendors are integrating acquired SOAR solutions or natively developing SOAR capabilities to create a unified platform for security analysts.

A combined SIEM and SOAR solution will make up most of the SOC analyst’s daily toolset and reallocate their brain power from conducting repetitive analysis and response tasks to investigating only incidents of significant interest and importance.

The core of this offering therefore enables the SOC to address the biggest hindrance for analysts: volume. Instead of dealing with high-volume, low-complexity attacks, businesses can dedicate analysts to truly important attacks, such as unknown unknowns or zero-day attacks. 

We can define this combined toolset of SIEM and SOAR as “autonomous SOC solutions” because, with adequate configuration, the number of analysts will no longer be the only way a business can scale up its security operations to deal with more threats. I’ve been covering this in the upcoming Key Criteria report.
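To make the division of labour concrete, here is an added example (not code from the article or from any vendor it names) of the two stages an autonomous SOC solution bundles: a SIEM-style correlation step that turns raw events into alerts, and a SOAR-style playbook that auto-resolves the high-volume, low-complexity alerts and escalates only what it cannot model. All events, hostnames, addresses, rule thresholds and playbook decisions are constructed for illustration.

```python
"""Toy autonomous SOC: SIEM-style correlation feeding a SOAR-style playbook.

Added example; every event, host, address and rule below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample telemetry (hypothetical hosts, users and RFC 5737 test addresses).
EVENTS = [
    *[{"ts": t, "type": "login_failed", "src": "203.0.113.7", "user": "alice"} for t in range(1, 7)],
    {"ts": 7, "type": "login_ok", "src": "198.51.100.9", "user": "bob"},
    {"ts": 8, "type": "edr_detection", "host": "ws-12", "sig": "EICAR-Test-File"},
    {"ts": 9, "type": "login_failed", "src": "198.51.100.9", "user": "bob"},
    {"ts": 10, "type": "new_outbound_tls", "host": "srv-db-01", "dst": "192.0.2.44"},
]

# Constructed asset context standing in for a CMDB feed.
CROWN_JEWELS = {"srv-db-01"}
LOGIN_FAIL_THRESHOLD = 5  # hypothetical correlation threshold


@dataclass
class Alert:
    kind: str
    subject: str
    evidence: list = field(default_factory=list)
    status: str = "open"       # open -> closed (automation) or escalated (analyst)
    action: str = ""


def correlate(events):
    """SIEM stage: apply simple rules to raw events and emit alerts."""
    alerts = []
    failures = defaultdict(list)
    for ev in events:
        if ev["type"] == "login_failed":
            failures[ev["src"]].append(ev)
        elif ev["type"] == "edr_detection":
            alerts.append(Alert("malware_detection", ev["host"], [ev]))
        elif ev["type"] != "login_ok":
            # Anything the rule set does not model is surfaced, never silently dropped.
            alerts.append(Alert("unmodelled_activity", ev.get("host", ev.get("src", "?")), [ev]))
    for src, evs in failures.items():
        if len(evs) >= LOGIN_FAIL_THRESHOLD:
            alerts.append(Alert("brute_force", src, evs))
    return alerts


def playbook(alert, events):
    """SOAR stage: automate the repetitive decisions, escalate everything else."""
    if alert.kind == "brute_force":
        # A success from the same source after the failures could mean a
        # compromised account, which is a decision for a human.
        succeeded = any(e["type"] == "login_ok" and e["src"] == alert.subject for e in events)
        if succeeded:
            alert.status, alert.action = "escalated", "possible account compromise: analyst review"
        else:
            alert.status, alert.action = "closed", f"blocked {alert.subject} at perimeter; ticket auto-closed"
    elif alert.kind == "malware_detection":
        if alert.evidence[0]["sig"] == "EICAR-Test-File":   # known harmless test file
            alert.status, alert.action = "closed", "EDR already quarantined test file; no analyst time spent"
        else:
            alert.status, alert.action = "escalated", "isolate host and hand to analyst"
    else:
        # Unknown unknowns: automation only enriches and prioritises; a human decides.
        tier = "high" if alert.subject in CROWN_JEWELS else "normal"
        alert.status, alert.action = "escalated", f"{tier}-priority analyst review (no matching playbook)"
    return alert


def run_autonomous_soc(events=EVENTS):
    """Return every alert after the playbook ran, plus the analyst queue (escalations only)."""
    alerts = [playbook(a, events) for a in correlate(events)]
    queue = [a for a in alerts if a.status == "escalated"]
    return alerts, queue


if __name__ == "__main__":
    all_alerts, analyst_queue = run_autonomous_soc()
    for a in all_alerts:
        print(f"{a.kind:22} {a.subject:14} {a.status:10} {a.action}")
    print(f"\n{len(all_alerts)} alerts raised, {len(analyst_queue)} reached an analyst")
```

On the constructed data, three alerts are raised and only one, the unmodelled outbound connection from a high-value server, reaches an analyst; the brute-force attempt and the EDR test-file detection are closed by the playbook. The design point is that the playbook never auto-closes what it cannot classify, so reducing volume does not mean discarding the unknown unknowns the text says analysts should be saved for.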

I previously wrote about the positive outlook for standalone SOAR, so I want to preface this by saying that I’m not one to make broad predictions. My role as an industry analyst is to observe vendors’ strategic decisions and their responses to customer demands, this being one such trend. We’ve got a large sample size of SIEM vendors, having identified roughly 40 solutions. Out of these, as many as 16 vendors have entered the autonomous SOC arena.

Between the 16 vendors we identified as delivering these autonomous SOC solutions and the remaining 20+ pure-play SIEM vendors, I can only classify this as a “will-they-won’t-they” situation on whether SIEM and SOAR will remain distinct or merge.

Quiet developments over noisy acquisitions

Security acquisitions make a lot of noise in the market, and SOAR acquisitions have been some of the loudest. Google acquired Siemplify, Devo acquired LogicHub, Fortinet acquired CyberSponse, Palo Alto Networks acquired Demisto, Splunk acquired Phantom and was acquired by Cisco, Sumo Logic acquired DFLabs, and Micro Focus acquired Atar Labs, which, in turn, was acquired by OpenText. 

With this in mind, most observers would expect the majority of vendors delivering autonomous SOC solutions to have acquired and integrated a SOAR solution. However, if we filter out SIEM vendors who have acquired SOAR solutions but have not integrated them into a unified solution (the likes of Google, IBM, Fortinet, and Splunk), we quickly find that the majority of vendors featured in the Radar report for Autonomous SOC solutions have actually developed their solutions in-house.

So, in the acquire-then-integrate bucket, we have Devo, LogPoint, Sumo Logic, and OpenText.

In the developing-SOAR-in-house category, we have a threefold increase in the number of vendors, including Elastic, Exabeam, Hunters, Huntsman, LogRhythm, NetWitness, Palo Alto Networks, Securonix, Logsign, ManageEngine, Microsoft, and Rapid7.

Coexisting solutions

SIEM has so far stood the test of time, so organizations are unlikely to swap out their existing solutions unless there’s a compelling reason to do so. SIEM is also an important checkbox for many regulations. As my esteemed colleague Chris Ray points out, as long as security standards have the acronym SIEM on the requirements list, the solution and its name will remain a constant, regardless of how much it evolves from a technical point of view. SOAR also has a strong mandate for existing as a standalone solution, which we further explore here.

So, as much as we like to put things in boxes, the reality is that SIEM, SOAR, and solutions combining the two will coexist for the foreseeable future. The only force that will validate the autonomous SOC market is whether customers are willing to invest money in combined solutions, replacing or augmenting the individual parts of incumbent tools. 

However, it would be disadvantageous for vendors with a combined solution to position themselves in the same space as pure-play SIEM competitors. Simply reframing such a solution as a ‘next-generation SIEM’ doesn’t capture the extensive difference between a SIEM and an autonomous SOC solution. So, even if SIEM remains a requirement for compliance, these vendors need to distinguish their solutions in a very crowded SIEM market.