Key Criteria for Evaluating Security Orchestration, Automation, and Response (SOAR) Solutions

An Evaluation Guide for Technology Decision-Makers

Table of Contents

  1. Summary
  2. SOAR Primer
  3. Report Methodology
  4. Decision Criteria Analysis
  5. Evaluation Metrics
  6. Key Criteria: Impact Analysis
  7. Analyst’s Take
  8. About Andrew Green

1. Summary

Depending on the size of an organization, security information and event management (SIEM) tools can produce tens of thousands of alarms per day—many of which are false positives. This deluge causes alert fatigue and a considerable backlog of unaddressed alerts. SIEM has thus fallen victim to its own success, forcing security operations (SecOps) teams to find a new way of handling alerts and improving overall response efficiency.

While SIEM solutions provide a central hub for monitoring security information and events, security orchestration, automation, and response (SOAR) solutions expand those capabilities by facilitating investigation and automating remediation. SOAR uses SIEM’s capabilities to receive alerts and data, and then equips security analysts with intelligence and cross-application orchestration to promote proactive incident response and threat hunting.

Even if SIEM has been one of the main drivers for adopting security automation, SecOps teams also have to handle other event and alert-generation tools, such as those for vulnerability management, identity and access management, and user and entity behavior analytics (UEBA). Today’s SOAR solutions can fulfill a much wider range of use cases than just mitigating SIEM alerts, which repositions them as multipurpose security tools.

To get an intuitive understanding of what SOAR stands for, let’s consider its components:

  • Orchestration coordinates actions across third-party applications such as firewalls or antivirus tools and interacts with analysts for approvals and additional data gathering.
  • Automation enables orchestration by running through multiple predefined workflows without human involvement.
  • Response uses playbooks to determine the way each threat should be managed depending on the nature of the attack and the target.

The bread and butter of SOAR solutions is their integration capabilities. The more integrations they have and the easier the orchestration of the integrated third-party tools, the more efficient the SOAR solution is. These integrations do not need to be exclusive to security appliances, such as proxies and antimalware, but should also include network functions and various business (email, file sharing) and operational (performance monitoring, inventory) support systems. To illustrate an example that includes non-security tools, let’s imagine the following scenario:

A malicious actor attempts to log in to an employee’s email account. Gathering information from the UEBA solution, the SOAR tool understands the attempt comes from an unusual device and location, so it sends a verification message to the user via Slack that can confirm whether they are the one attempting to log in.
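The scenario above, written out as a minimal response playbook. This is an added example, not code from the report or from any SOAR vendor: the UEBA baseline, the login event, and the `transport` callable standing in for the Slack integration are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed UEBA-style baseline: devices and locations previously seen per user.
BASELINE = {"alice": {"devices": {"laptop-01"}, "locations": {"Berlin"}}}


@dataclass
class LoginEvent:
    user: str
    device: str
    location: str


@dataclass
class PlaybookResult:
    anomalous: bool
    message: str = ""
    actions: list = field(default_factory=list)


def enrich(event: LoginEvent, baseline=BASELINE) -> list:
    """Orchestration step 1: query the UEBA baseline for what is unusual about this login."""
    profile = baseline.get(event.user, {"devices": set(), "locations": set()})
    reasons = []
    if event.device not in profile["devices"]:
        reasons.append("unknown device")
    if event.location not in profile["locations"]:
        reasons.append("unusual location")
    return reasons


def run_playbook(event: LoginEvent, transport, baseline=BASELINE) -> PlaybookResult:
    """Response playbook: allow normal logins, otherwise ask the user via the messaging
    integration (`transport(user, text) -> bool`, assumed to return the user's answer) and
    branch on the confirmation. Actions are returned as names so the test can assert on them."""
    result = PlaybookResult(anomalous=False)
    reasons = enrich(event, baseline)
    if not reasons:                      # nothing unusual: no analyst or user involvement
        result.actions.append("allow")
        return result
    result.anomalous = True
    result.message = f"Was this you? Sign-in flagged: {', '.join(reasons)}"
    result.actions.append("notify_user")
    if transport(event.user, result.message):   # user confirms the attempt was theirs
        result.actions.append("allow")
    else:                                        # user denies it: contain the account
        result.actions += ["block_session", "reset_password", "open_ticket"]
    return result
```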

In previous iterations of the report, we noted that SOAR tools are suitable mainly for large organizations that suffer from alert overload and are mature from a security standpoint. Today, we’re seeing vendors break away from this reactive approach. SOAR tools offer prepackaged content, onboarding services, and the ability to automate processes far beyond responding to SIEM alerts. SOARs are now multipurpose tools suitable for both large and small organizations, streamlining not only security processes but also HR, financial, regulatory, and compliance processes.

SOAR is a key component for enhancing an organization’s security posture by bringing control over its whole security estate together under the same roof.

This is the third year that GigaOm has reported on the SOAR space in the context of our Key Criteria and Radar reports. This report builds on our previous analyses and considers how the market has evolved over the last year.

This GigaOm Key Criteria report highlights the capabilities (table stakes, key criteria, and emerging technologies) and non-functional requirements (evaluation metrics) for selecting an effective SOAR solution. The companion GigaOm Radar report identifies vendors and products that excel in those capabilities and metrics. Together, these reports provide an overview of the category and its underlying technology, identify leading SOAR offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.
