GigaOm Key Criteria for Evaluating Security Orchestration, Automation, and Response (SOAR) Solutions v4.0

An Evaluation Guide for Technology Decision-Makers

Table of Contents

  1. Executive Summary
  2. SOAR Sector Brief
  3. Decision Criteria Analysis
  4. Analyst’s Outlook
  5. About Andrew Green

1. Executive Summary

Depending on the size of an organization, security information and event management (SIEM) tools can produce tens of thousands of alarms per day—many of which are false positives. This deluge causes alert fatigue and a considerable backlog of unaddressed alerts. SIEM has thus fallen victim to its own success, forcing security operations (SecOps) teams to find a new way of handling alerts and improving overall response efficiency.

While SIEM solutions provide a central hub for monitoring security information and events, security orchestration, automation, and response (SOAR) solutions expand those capabilities by facilitating investigation and automating remediation. SOAR solutions use capabilities of SIEM tools to receive alerts and data, then equip security analysts with intelligence and cross-application orchestration to promote proactive incident response and threat hunting.

Even if SIEM tools have been one of the main drivers for adopting security automation, SecOps teams also must handle other event and alert-generation tools, such as those for vulnerability management, identity and access management, and user and entity behavior analytics (UEBA). Today’s SOAR solutions can fulfill a much wider range of use cases than just mitigating SIEM alerts, which repositions them as multipurpose security tools.

To get an intuitive understanding of what SOAR stands for and how these solutions are used to resolve cyberattacks, let’s consider its components:

  • Security orchestration coordinates actions across third-party applications such as firewalls or antivirus tools and interacts with analysts for approvals and additional data gathering.
  • Automation enables orchestration by running through multiple predefined workflows without human involvement.
  • Response uses playbooks to determine the way each threat should be managed depending on the nature of the attack and the target.

The bread and butter of SOAR solutions is their integration capabilities. The more integrations they have and the easier the orchestration of the integrated third-party tools, the more efficient the SOAR solution is. These integrations need not be exclusive to security appliances, such as proxies and antimalware, but should also include network functions and various business (email, file sharing) and operational (performance monitoring, inventory) support systems.

To illustrate an example that includes non-security tools, let’s imagine the following scenario: A malicious actor attempts to log into an employee’s email account. Gathering information from the UEBA tool, the SOAR solution determines that the attempt comes from an unusual device and location, so it sends the user a verification message via Slack, through which they can confirm whether they are the one attempting to log in.
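The login scenario above, as an added example that is not part of the GigaOm report or of any vendor's product: a toy playbook in which a UEBA lookup flags an unusual login, a chat connector asks the user to confirm, and the response branches to automated remediation when the user denies or does not answer. The alert fields, the UEBA baseline and the FakeChat connector are all constructed stand-ins, not a real SIEM, UEBA or Slack API.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LoginAlert:
    """Constructed alert shape; a real SIEM or IdP event carries more fields."""
    user: str
    device_id: str
    country: str

@dataclass(frozen=True)
class UebaProfile:
    """Constructed per-user baseline standing in for the UEBA integration."""
    known_devices: frozenset
    usual_countries: frozenset

class FakeChat:
    """Stand-in for a chat connector (e.g. Slack) with a scripted reply:
    True = user confirms, False = user denies, None = no reply in time."""
    def __init__(self, reply):
        self.reply, self.sent = reply, []
    def ask(self, user, text):
        self.sent.append((user, text))
        return self.reply

def is_anomalous(alert, ueba):
    """Orchestration step: enrich the alert with UEBA context. A user with
    no baseline is treated as anomalous rather than silently allowed."""
    profile = ueba.get(alert.user)
    if profile is None:
        return True
    return (alert.device_id not in profile.known_devices
            or alert.country not in profile.usual_countries)

def run_playbook(alert, ueba, chat, actions):
    """Response step: automate the decision, keeping a human in the loop only
    for unusual attempts. Orchestrated actions are appended to `actions` so
    the caller can see what was triggered."""
    if not is_anomalous(alert, ueba):
        actions.append(("close_alert", alert.user, "matches baseline"))
        return "allowed"
    reply = chat.ask(alert.user,
                     f"Login from {alert.device_id} in {alert.country}. Was this you?")
    if reply is True:
        actions.append(("close_alert", alert.user, "confirmed by user"))
        return "confirmed_by_user"
    # Denied or unanswered: remediate automatically and hand the case to an analyst.
    actions.append(("revoke_sessions", alert.user, ""))
    actions.append(("force_password_reset", alert.user, ""))
    actions.append(("open_case", alert.user, "denied" if reply is False else "no reply"))
    return "remediated"

# Constructed UEBA baseline for a demo run.
UEBA = {"alice": UebaProfile(frozenset({"laptop-01"}), frozenset({"US"}))}
```

The `actions` list is the audit trail a real platform would write to its case record; a timeout on the verification message is deliberately treated the same as a denial.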

In previous iterations of the report, we noted that SOAR tools are suitable mainly for large organizations that suffer from alert overload and are mature from a security standpoint. Today, we’re seeing vendors break away from this reactive approach. SOAR tools offer pre-packaged content, onboarding services, and the ability to automate processes far beyond responding to SIEM alerts. SOAR solutions are now multipurpose tools suitable for both large and small organizations, streamlining not only security processes but also HR, financial, regulatory, and compliance processes.

A large number of security vendors, especially SIEM providers, have started offering SOAR capabilities as integrated features of a wider solution, which is creating some overlap within security markets. Thus, to avoid our own overlap with existing reports in these areas, this evaluation will focus on vendors that offer a standalone SOAR solution, which can be purchased separately and integrated with any third-party SIEM solution. So, we exclude SIEM and extended detection and response (XDR) tools with native SOAR capabilities that cannot be integrated with third-party SIEM solutions.

Business Imperative

A SOAR solution provides a key component for enhancing an organization’s security posture by bringing control over its whole security estate together under the same roof.

The most obvious use case for SOAR tools is helping security analysts address high-volume, low-complexity attacks and use cases for which threat neutralization is straightforward, such as isolating an entity or revoking access. Once configured, SOAR tools allow security analysts to spend their time investigating and responding to more complex incidents, while these simpler attacks are handled automatically.

SOAR tools occupy a strong and distinctive position among automation and orchestration platforms. They are designed to handle security workloads and workflows, which often have more extensive requirements than non-security workloads. These capabilities now carry over to non-security use cases and can be deployed in other organizational workflows such as finance and HR. SOAR tools can therefore serve as a centralized automation and orchestration platform for security use cases, non-security use cases, or a blend of both. Modern no-code and LLM-based approaches help users without a technical background adopt SOAR solutions in their business units.

Sector Adoption Score

To help executives and decision-makers assess the potential impact and value of a SOAR solution deployment to the business, this GigaOm Key Criteria report provides a structured assessment of the sector across five factors: benefit, maturity, urgency, impact, and effort. By scoring each factor based on how strongly it compels or deters adoption of a SOAR solution, we provide an overall Sector Adoption Score (Figure 1) of 4.2 out of 5, with 5 indicating the strongest possible recommendation to adopt. This indicates that a SOAR solution is a credible candidate for deployment and worthy of thoughtful consideration.

The factors contributing to the Sector Adoption Score for SOAR solutions are explained in more detail in the Sector Brief section that follows.

Figure 1. Sector Adoption Score for SOAR (scale from 1.0, with bands labeled Deters Adoption, Discourages Adoption, Merits Consideration, Encourages Adoption, and Compels Adoption)

This is the fourth year that GigaOm has reported on the SOAR space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.

This GigaOm Key Criteria report highlights the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) for selecting an effective SOAR solution. The companion GigaOm Radar report identifies vendors and products that excel in those decision criteria. Together, these reports provide an overview of the market, identify leading SOAR offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.

GIGAOM KEY CRITERIA AND RADAR REPORTS

The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.