Table of Contents
- Summary
- Market Categories and Deployment Types
- Key Criteria Comparison
- GigaOm Radar
- Vendor Insights
- Analyst’s Take
- Methodology
- About Andrew Green
- About GigaOm
- Copyright
1. Summary
Security information and event management (SIEM) solutions have been the main monitoring tools for security operations centers (SOCs). As they observe more complex infrastructure and deal with an increased number of security events, SIEM solutions have evolved to cope with the increased demand. At the same time, security analysts have been dealing with increasingly complex processes for alert tuning systems, investigation, and threat hunting. Responding to that complexity, security orchestration, automation, and response (SOAR) tools have been deployed to complement SIEM solutions and help analysts manage events more efficiently.
This two-solution deployment of standalone SIEM and standalone SOAR worked well in the second half of the 2010s. However, in the early 2020s, we’ve seen SIEM continue to evolve, now natively including SOAR-like capabilities. This change has taken place through two main avenues:
- SIEM vendors have acquired standalone SOAR tools—a large number of acquisitions in the space has brought point-solution SOAR under the same umbrella as SIEM tools. Emergent solutions work on integrating the two tools more closely, either as a combined solution or by offering SOAR access at no extra cost.
- SIEM vendors are natively developing orchestration and automation capabilities—this is a natural evolution of SIEM tools, and their feature expansion involves slowly taking on SOAR capabilities.
As these two markets are blending, it will be increasingly difficult to talk about SIEM without talking about SOAR, and vice versa. As it currently stands, there is still a market for each individual tool, but we expect further convergence to favor end-to-end tooling for managing security operations.
Thus, a combined SIEM and SOAR solution will make up most of an SOC analyst’s daily toolset. GigaOm defines this new category as automated security operations management (ASOM), an advanced tool that will parallel the SIEM solutions of the 2000s.
The GigaOm ASOM Radar report assesses vendors on the key criteria and evaluation metrics defined in the 2022 SIEM and 2022 SOAR Key Criteria reports. Similar key criteria from the SIEM and SOAR reports are aggregated into a single key criterion for ASOM. For example, SIEM’s data enrichment and SOAR’s threat enrichment key criteria are evaluated jointly in ASOM as data and threat enrichment. Key criteria that do not overlap, such as SIEM’s monitoring ephemeral resources and SOAR’s red teaming and validation, are assessed as in the original SIEM and SOAR Key Criteria reports.
How to Read this Report
This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:
- Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.
- GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.
- Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.