Key Criteria for Evaluating Security Orchestration, Automation, and Response Solutions v2.0

An Evaluation Guide for Technology Decision Makers

Table of Contents

  1. Summary
  2. SOAR Primer
  3. Report Methodology
  4. Decision Criteria Analysis
  5. Evaluation Metrics
  6. Key Criteria: Impact Analysis
  7. Analyst’s Take
  8. About Andrew Green

1. Summary

Depending on the size of an organization, security information and event management (SIEM) tools can produce tens of thousands of alarms per day—many of which are false positives. This deluge causes alert fatigue and a considerable backlog of unaddressed alerts. SIEM has thus fallen victim to its own success, forcing security operations (SecOps) teams to find a new way of handling alerts and improving overall response efficiency.

While SIEM provides a central hub for monitoring security information and events, security orchestration, automation, and response (SOAR) expands those capabilities by automating remediation and facilitating investigation. SOAR ingests alerts and data from the SIEM, then equips security analysts with intelligence and cross-application orchestration to promote proactive incident response and threat hunting.

To get an intuitive understanding of what SOAR stands for, let’s consider its components:

  • Orchestration coordinates actions across third-party applications such as firewalls or antivirus tools, and interacts with analysts for approvals and additional data gathering.
  • Automation enables orchestration by running through multiple predefined workflows without human involvement.
  • Response uses playbooks to determine how each threat should be managed depending on the nature of the attack and the target.

Because SOAR solutions came about as a response to SIEM’s shortcomings, many vendors have been looking to address these challenges natively in SIEM. With the embedding of SOAR capabilities into the SIEM, a new type of security tool—automated security operations management (ASOM)—is emerging. This trend is led mainly by SIEM vendors who are expanding their capabilities by either developing automation and orchestration engines or acquiring and integrating point-solution SOAR tools.

The bread and butter of SOAR solutions is their integration capabilities. The more integrations they have and the easier the orchestration of the integrated third-party tools, the more efficient the SOAR solution is. These integrations do not need to be exclusive to security appliances such as proxies and antimalware, but should also include network functions and various business (email, file sharing) and operational (performance monitoring, inventory) support systems. To illustrate an example that includes non-security tools, let’s imagine the following scenario:

A malicious actor attempts to log in to an employee’s email account. Using information gathered from the user and entity behavior analytics (UEBA) solution, the SOAR tool determines that the attempt comes from an unusual device and location, so it sends the user a verification message via Slack asking them to confirm whether they are the one attempting to log in.

It’s worth noting that current SOAR tools are suitable mainly for large organizations that:

  • Suffer from alert overload: Beyond automating manual processes, SOAR helps companies cope with staff shortages, too many alerts, the inability to report or generate metrics, and the burden of interacting with too many point solutions.
  • Are mature from a security standpoint: Response processes must be well defined before they can be encoded in playbooks, so SOAR delivers value only in an environment where those processes already exist.

SOAR is a key component for enhancing an organization’s security posture by bringing together control over its whole security estate under the same roof.

The GigaOm Key Criteria and Radar reports provide an overview of the SOAR market, identify capabilities (table stakes, key criteria, and emerging technology) and evaluation metrics for selecting a SOAR solution, and detail vendors and products that excel. These reports will give prospective buyers an overview of the top vendors in this sector and will help decision makers evaluate solutions and decide where to invest.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.

Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.