GigaOm Radar for Autonomous Security Operations Center (SOC) Solutions v3.0

Table of Contents

  1. Executive Summary
  2. Market Categories and Deployment Types
  3. Decision Criteria Comparison
  4. GigaOm Radar
  5. Solution Insights
  6. Analyst’s Outlook
  7. About Andrew Green

1. Executive Summary

Autonomous security operations center (SOC) solutions shift security analysts’ focus from repetitive tasks to investigating only the most important incidents. These systems use correlation engines, customized alarms, automated workflows, and connections to both internal and external intelligence feeds, along with AI and machine learning. Autonomous SOCs give analysts a clear overview of threats and serve as a central hub for collecting information and resolving incidents.

The SOC will not, and should not, be fully autonomous. Instead, it should be given autonomy only over the biggest hindrance for analysts: alert and response volume. Tackling volume-based problems without automation means hiring more security analysts. However, responses to high-volume, low-complexity attacks can often be fully automated, freeing analysts to concentrate on the attacks that truly need human judgment, such as unknown or zero-day attacks.
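The triage split described above, in which known high-volume, low-complexity alerts are handled by an automated playbook while anything novel or unrecognized is escalated to an analyst, can be shown in a small correlation-and-triage routine. This is an added example written for this page, not code from any vendor evaluated in the report; the alerts, rule names, playbook actions and the `novel` flag (standing in for a UEBA-style "no known baseline" verdict) are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """One normalized SIEM alert (fields chosen for this example)."""
    rule: str          # detection rule that fired
    host: str          # affected asset
    src: str           # source address the rule attributed the activity to
    novel: bool = False  # hypothetical UEBA verdict: behaviour has no known baseline


# Hypothetical SOAR playbooks for rules whose responses are cheap and well understood.
# Anything not listed here is treated as needing an analyst.
PLAYBOOKS = {
    "brute_force_ssh": "block_src_ip_1h",
    "commodity_malware_hash": "isolate_host_and_open_ticket",
    "port_scan": "add_src_to_watchlist",
}


def correlate(alerts):
    """Collapse raw alerts into candidate incidents keyed by (rule, source)."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a.rule, a.src)].append(a)
    return groups


def triage(alerts, auto_threshold=3):
    """Decide, per correlated group, whether automation or an analyst handles it.

    - escalate: UEBA flagged the behaviour as novel, or no playbook exists
    - automated: a playbook exists and the volume is high enough to justify acting
    - queue: a playbook exists but the hit is isolated; a single event is not
      worth firing a blocking action on, so it goes to a low-priority queue
    """
    decisions = []
    for (rule, src), group in correlate(alerts).items():
        base = {
            "rule": rule,
            "src": src,
            "hosts": sorted({a.host for a in group}),
            "n": len(group),
        }
        if any(a.novel for a in group) or rule not in PLAYBOOKS:
            decisions.append({**base, "disposition": "escalate", "action": "analyst_review"})
        elif len(group) >= auto_threshold:
            decisions.append({**base, "disposition": "automated", "action": PLAYBOOKS[rule]})
        else:
            decisions.append({**base, "disposition": "queue", "action": "low_priority_ticket"})
    return decisions


# Constructed sample alerts (not captured from a real SIEM).
ALERTS = [
    Alert("brute_force_ssh", "web-01", "203.0.113.5"),
    Alert("brute_force_ssh", "web-01", "203.0.113.5"),
    Alert("brute_force_ssh", "web-02", "203.0.113.5"),
    Alert("brute_force_ssh", "web-02", "203.0.113.5"),
    Alert("port_scan", "db-01", "198.51.100.7"),
    Alert("lateral_movement_smb", "fs-01", "10.0.0.23", novel=True),
    Alert("lateral_movement_smb", "fs-02", "10.0.0.23", novel=True),
]


if __name__ == "__main__":
    for d in triage(ALERTS):
        print(f"{d['disposition']:9s} {d['rule']:22s} src={d['src']:14s} "
              f"hosts={','.join(d['hosts'])} n={d['n']} -> {d['action']}")
```

With the sample input, four SSH brute-force alerts from one source collapse into a single incident that is handled by the block playbook, the lone port scan is queued rather than acted on, and the SMB lateral-movement group is escalated because no playbook covers it and the behaviour was flagged as novel. The threshold and the "no playbook means escalate" default are the two knobs that keep automation from acting on a single false positive or on an attack nobody has characterized yet.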

The foundation of autonomous SOC solutions is technology already in use today. These solutions are built on a core security information and event management (SIEM) architecture. On top of that information management base, autonomous SOC solutions offer native security orchestration, automation, and response (SOAR) features, user and entity behavior analytics (UEBA), endpoint detection and response (EDR), and other security capabilities.

Historically, a SIEM solution has been the center of operations for analysts, and it is still a viable and powerful tool today. Incremental developments keep SIEM tools relevant, but the core SIEM function of collecting and sorting through logs can serve only so many use cases. Organizations today are increasingly opting for more comprehensive security operations products that reduce the resources otherwise spent deploying multiple solutions and integrating them, and the console switching ("chair swiveling") between tools that follows.

We’ve previously described autonomous SOC solutions by looking at integrated SIEM and SOAR solutions, which were commonly a result of SIEM vendors acquiring SOAR tools. As these technologies are fully integrated, it is no longer relevant whether the capabilities were developed in-house or acquired.

We’re now expanding the scope of evaluation to include UEBA, EDR, and vulnerability management capabilities because the autonomous SOC strategy differs from vendor to vendor with regard to the type of modules they include in their product.

This is our third year evaluating the autonomous SOC space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.

This GigaOm Radar report examines 19 of the top autonomous SOC solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the market, identify leading autonomous SOC offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.

GIGAOM KEY CRITERIA AND RADAR REPORTS

The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.