This GigaOm Research Reprint Expires Oct 31, 2024

GigaOm Radar for Autonomous Security Operations Center (SOC)v2.0

1. Summary

Autonomous security operations center (SOC) solutions reallocate security analysts’ processing power from conducting repetitive analysis and response tasks to only investigating incidents of significant interest and importance. Using correlation engines, calibrated alarms, workflow-based automation, integrations with internal and external intelligence feeds, and AI/ML-based operations, autonomous SOC solutions present analysts consolidated views of threats and act as a central management service for gathering information and resolving incidents.

The SOC will not—and should not—be fully autonomous. Instead, it should be given only the autonomy to deal with the biggest hindrance for analysts: volume. Tackling volume-based problems without automation can only be done linearly, by hiring more security analysts. However, high-volume, low complexity attack responses can often be fully automated, enabling businesses to dedicate analysts to truly important attacks, such as unknown or zero-day attacks.

The foundation of autonomous SOC solutions are technologies in use already today: security information and event management (SIEM) and security orchestration, automation and response (SOAR). Different vendor strategies leave many observers wondering “will they or won’t they?” on the question of whether the two solutions will remain distinct or merge. While this theme deserves further exploration, it is clear that a large selection of security players have successfully integrated these two sets of capabilities to form a solution that can help the SOC become more autonomous.

Historically, SIEM has been the center of operations for analysts, and it is still a viable and powerful tool today. Incremental developments mean that SIEM is still relevant, but its core architecture of collecting and sorting through logs is limited. Vendors of SOAR solutions have been trying to alleviate this issue; the initial approach has been to deploy a vendor-agnostic third-party SOAR solution that can intake a SIEM tool’s alerts and apply some sort of automation.

While this vendor-agnostic and standalone approach for SOAR has some distinguishing benefits, the opportunities unlocked by natively integrating SIEM and SOAR capabilities have been recognized by a wide range of security vendors. This unification is taking place through two methods:

  • SIEM vendors acquire SOAR solutions and integrate both solutions into a single platform.
  • SIEM vendors develop native SOAR capabilities within their solutions.

Security acquisitions make a lot of noise in the market, and SOAR acquisitions have been some of the loudest, which is why most practitioners in the space would expect the majority of vendors featured in this report to belong to the first category. However, if we filter out SIEM vendors that have acquired SOAR solutions but have not integrated them into a unified solution—such as Google, IBM, Fortinet, and Splunk, which we have removed—we quickly find that the majority of vendors featured in this report have developed their solutions in-house.

There’s also a third category of players that can enter the space, namely standalone SOAR vendors, whose event ingestion capabilities and integrations with security data lakes can deliver a comparable solution. This is a theme we expect to explore further in future iterations of the report.

To evaluate a solution in practical terms, we recommend parking the idea of “SIEM plus SOAR equals autonomous SOC” and thinking instead of the core capabilities that a solution needs to help relinquish repetitive tasks from security analysts.

This GigaOm Radar report highlights key autonomous SOC vendors and equips IT decision-makers with the information needed to select the best fit for their business and use case requirements. In the corresponding GigaOm report, “Key Criteria for Evaluating Autonomous SOC Solutions,” we describe in more detail the capabilities and metrics that are used to evaluate vendors in this market.

This is our second year evaluating the autonomous SOC space in the context of our Key Criteria and Radar reports. All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:

  • Multiple ingest streams
  • Tunable alarms
  • Third-party tool orchestration
  • Workflow automation
  • Flexible storage
  • Dashboards and visualization

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.

2. Market Categories and Deployment Types

To better understand the market and vendor positioning (Table 1), we assess how well autonomous SOC solutions are positioned to serve specific market segments and deployment models.

For this report, we recognize the following market segments:

  • Small-to-medium business (SMB): Solutions in this category meet the needs of organizations ranging from small businesses to medium-sized companies. For this segment, advanced features may be less important than compliance and audit reporting and ease of use and deployment. Newer small enterprises may also rely heavily on cloud-based infrastructure, services, and apps, and favor cloud-based SIEM solutions.
  • Large enterprise: Large enterprises require high-performance SIEM solutions with the throughput and storage capacity to ingest huge volumes of data. Flexibility in deployment, scalability, and integration with existing infrastructure will be key differentiators.
  • Regulated industries: These typically include verticals such as finance, healthcare, and government, in which vendors need to adhere to strict rules and regulations as well as support on-premises deployments.
  • Managed security service provider (MSSP): MSSPs require multitenant architectures, flexibility, and scalability. They may also favor solutions with predictable pricing models.
  • Network service provider (NSP): NSPs have a large infrastructure footprint to monitor for both consumer and enterprise customers spanning wide geographical areas.
  • Cloud service provider (CSP): CSPs need to monitor the large number of tenants that use the provider’s underlying infrastructure, ensuring visibility across shared devices to prevent lateral movement and lower the risk inherited from each tenant.

We recognize five deployment models for solutions in this report:

  • Physical appliance: These are hardware solutions installed on the customer’s premises. Customers are responsible for operations and maintenance, though they may purchase support services through the vendor or a third-party service provider.
  • Virtual appliance: This is a software version of the solution that can be installed on a customer’s on-premises equipment or in private clouds.
  • Public cloud image: The solution can be purchased from a public cloud provider’s marketplace and run in the customer’s public cloud environment.
  • Hosted and managed by vendor: In this model, the customer purchases the solution and outsources its management to the SIEM vendor, who hosts and manages it on the customer’s behalf.
  • Software as a service (SaaS): Compared to cloud-hosted models, SaaS has a different licensing and consumption model in which customers often subscribe using a pay-as-you-go plan without purchasing the solution outright and paying separately for management.

Table 1. Vendor Positioning: Market Segment and Deployment Model

Market Segment

Deployment Model

SMB Large Enterprise Regulated Industries MSSP NSP CSP Physical Appliance Virtual Appliance Public Cloud Image Hosted & Managed by Vendor SaaS
Devo
Elastic
Exabeam
Hunters Security
Huntsman Security
LogPoint
LogRhythm
Logsign
ManageEngine
Microsoft
NetWitness
OpenText
Palo Alto Networks
Rapid7
Securonix
Sumo Logic
3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
2 Limited: Lacking in execution and use cases
2 Not applicable or absent

For this evaluation, we looked at deployment models in a binary way, rating vendors (++) if they support that deployment model and (-) if they do not.

3. Key Criteria Comparison

Building on the findings from the GigaOm report, “Key Criteria for Evaluating Autonomous SOC Solutions,” Tables 2, 3, and 4 summarize how each vendor included in this research performs in the capabilities we consider differentiating and critical in this sector.

  • Key criteria differentiate solutions based on features and capabilities, outlining the primary criteria to be considered when evaluating an autonomous SOC solution.
  • Evaluation metrics provide insight into the non-functional requirements that factor into a purchase decision and determine a solution’s impact on an organization.
  • Emerging technologies show how well each vendor takes advantage of technologies that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months.

The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the market landscape, and gauge the potential impact on the business.

Table 2. Key Criteria Comparison

Key Criteria

Alarm Calibration, Curation & Correlation Autonomous Operations Behavioral Analytics & Contextual Risk-Based Scoring Case Management & Collaboration Data & Threat Enrichment Monitoring Ephemeral Resources Retrospective Analysis & Threat Categorization Validation & Red Teaming Zero-Day Response
Devo 3 3 3 3 3 2 3 2 3
Elastic 2 2 2 3 2 3 2 1 2
Exabeam 2 2 3 2 3 1 3 2 1
Hunters Security 3 2 3 1 3 1 3 1 2
Huntsman Security 3 1 2 3 3 1 2 1 2
LogPoint 3 1 3 2 3 2 3 3 2
LogRhythm 3 1 2 2 3 2 2 0 1
Logsign 1 1 3 2 3 0 2 0 0
ManageEngine 2 1 2 1 3 0 3 0 1
Microsoft 3 0 2 1 2 1 2 1 1
NetWitness 2 2 2 3 3 2 2 3 2
OpenText 3 0 2 2 3 2 2 3 2
Palo Alto Networks 3 2 3 3 3 3 2 2 3
Rapid7 3 0 1 1 3 1 2 0 0
Securonix 3 2 3 3 3 3 3 2 2
Sumo Logic 3 2 3 2 3 3 2 1 0
3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
2 Limited: Lacking in execution and use cases
2 Not applicable or absent

Table 3. Evaluation Metrics Comparison

Evaluation Metrics

Scalability Extensibility Ease of Use Partner Ecosystem MTTR Improvement
Devo 3 2 3 2 3
Elastic 3 2 2 2 3
Exabeam 2 2 3 2 2
Hunters Security 3 2 3 2 3
Huntsman Security 2 3 2 2 2
LogPoint 2 2 2 2 2
LogRhythm 3 2 1 2 2
Logsign 2 2 2 2 2
ManageEngine 3 3 3 2 2
Microsoft 3 2 2 2 2
NetWitness 2 3 2 2 2
OpenText 3 2 2 2 2
Palo Alto Networks 2 3 2 3 3
Rapid7 3 2 3 2 2
Securonix 3 3 2 2 3
Sumo Logic 3 3 2 2 2
3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
2 Limited: Lacking in execution and use cases
2 Not applicable or absent

Table 4. Emerging Technologies Comparison

Emerging Tech

Security Data Lakes Content Creation Using Generative AI & LLMs
Devo
Elastic
Exabeam
Hunters Security
Huntsman Security
LogPoint
LogRhythm
Logsign
ManageEngine
Microsoft
NetWitness
OpenText
Palo Alto Networks
Rapid7
Securonix
Sumo Logic
3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
2 Limited: Lacking in execution and use cases
2 Not applicable or absent

By combining the information provided in the tables above, the reader can develop a clear understanding of the technical solutions available in the market.

4. GigaOm Radar

This report synthesizes the analysis of key criteria and their impact on evaluation metrics to inform the GigaOm Radar graphic in Figure 1. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and feature sets.

The GigaOm Radar plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrow that projects each solution’s evolution over the coming 12 to 18 months.

Figure 1. GigaOm Radar for Autonomous SOC Solutions

There have been a few changes in the vendors evaluated in this report compared to last year’s iteration. We have removed Fortinet, IBM, and Splunk because we have updated the table stakes to require native integration between a vendor’s SIEM and SOAR products, rather than deployment of two standalone solutions integrated via APIs. Moreover, we’ve added new names to the report: Devo, which entered the space following the acquisition and integration of LogicHub SOAR; Hunters’ SOC platform; Logsign, with its Unified Security Operations platform; and Palo Alto Networks, with its XSIAM product.

The vendors are separated on the horizontal axis based on whether their solution has native automation and response capabilities, in which case they are featured in the Innovation side, or whether the automation and response capabilities are inherited from a previously separate product, which puts them on the Maturity side. Split by the vertical axis, vendors on the Platform Play side meet every capability (or the vast majority of them) we describe in our key criteria, while those on the Feature Play side cater to only a selection of these criteria, making them applicable to fewer use cases.

As you can see in the Radar chart in Figure 1, in the top right quadrant are featured vendors such as Devo, Logpoint, OpenText, and Sumo Logic, which all initially offered a SIEM product and then integrated SOAR capabilities. In the Innovation/Platform Play quadrant are positioned vendors such as Elastic, Exabeam, Hunters, LogRhythm, NetWitness, Palo Alto Networks, and Securonix. These all have comprehensive capabilities across the board, and their automation and orchestration engines are natively built into their solution. Lastly, in the Innovation/Feature Play quadrant, Huntsman Security, Logsign, ManageEngine, Microsoft, and Rapid7’s autonomous SOC solutions have well-developed capabilities for select key criteria described in this report.

Inside the GigaOm Radar

The GigaOm Radar weighs each vendor’s execution, roadmap, and ability to innovate to plot solutions along two axes, each set as opposing pairs. On the Y axis, Maturity recognizes solution stability, strength of ecosystem, and a conservative stance, while Innovation highlights technical innovation and a more aggressive approach. On the X axis, Feature Play connotes a narrow focus on niche or cutting-edge functionality, while Platform Play displays a broader platform focus and commitment to a comprehensive feature set.

The closer to center a solution sits, the better its execution and value, with top performers occupying the inner Leaders circle. The centermost circle is almost always empty, reserved for highly mature and consolidated markets that lack space for further innovation.

The GigaOm Radar offers a forward-looking assessment, plotting the current and projected position of each solution over a 12- to 18-month window. Arrows indicate travel based on strategy and pace of innovation, with vendors designated as Forward Movers, Fast Movers, or Outperformers based on their rate of progression.

Note that the Radar excludes vendor market share as a metric. The focus is on forward-looking analysis that emphasizes the value of innovation and differentiation over incumbent market position.

5. Vendor Insights

Devo

Devo is a well-established SIEM player, and with the recent acquisition and integration of LogicHub SOAR, Devo delivers comprehensive autonomous SOC capabilities. The Devo Platform is a cloud-native and SaaS-delivered solution with integrated SIEM, SOAR, user and entity behavior analytics (UEBA), and autonomous threat investigation and hunting.

The vendor scores high on a large number of criteria described in the report, including alarm calibration, curation, and correlation; autonomous operations; behavioral analytics and contextual risk-based scoring; case management and collaboration; data and threat enrichment; retrospective analysis and threats categorization; and zero-day response. A distinguishing feature is that Devo includes 400 days of hot data with the platform, which is a longer period than is offered by other vendors featured in the report.

For alarm calibration and curation, the solution can use prepackaged alarm rules available in Devo Exchange, the vendor’s app and content marketplace. AI-triggered alarms can be single-metric or multimetric time series anomaly detections that detect problems based on historical baselines. Devo Behavior Analytics, the vendor’s UEBA capability, is overlaid against alerts and cases to provide additional context and reduce false positive alarms.

For autonomous operations, Devo DeepTrace is an autonomous alert investigation and threat hunting capability that allows security analysts to autonomously perform full investigations on alerts or suspicious events. DeepTrace attack-tracing AI pieces together the activity of malicious users or external actors, enabling analysts to analyze and report results in the form of traces, which are artifacts that chronologically document each attack chain.

For contextual risk-based scoring, an entity analytics feature provides context for analysts, such as an “entity battlecard” that ties together valuable data points, like entity impact score and the alerts, investigations, and enrichments associated with the entity. It also provides visual representations that show the connectedness between entities and the outcomes of several machine-learning models.

For zero-day response, the solution can collect binaries, URLs, and files for sandboxing. Devo can perform volatile memory analysis at the time of the incident to detect threats hiding in RAM. Devo’s security research team, SciSec, offers its customers a proprietary threat intelligence feed, dubbed Collective Defense, for data collection and sharing and delivers early warnings for emerging threats through cross-customer threat hunting analysis and accelerated investigations using validated and enriched threat intel from all participating Devo customers.

Strengths: The Devo Platform offers comprehensive capabilities to support security teams automating their operations by providing mature features for curating alarms, automating threat hunting, and responding to threats within the context of the customer’s IT environment.

Challenges: Devo will implement the case management and collaboration capabilities inherited from the LogicHub SOAR acquisition to its wider platform. This means that the vendor needs to make adjustments to the case management system to also support SIEM-specific use cases.

Elastic

Elastic Security stands out from other security solutions because it is built on the open source Elasticsearch, Logstash, and Kibana (ELK) stack, which the company today continues to extend as the “open and transparent” Elastic Stack. It’s worth noting that other autonomous SOC vendors are using Elasticsearch as the underlying engine to query and extract information from their databases.

Since Elastic 8.4 was released, the solution began to offer native orchestration and response capabilities powered by Elastic Agent. It provides a terminal-like interface that lets practitioners view and invoke response actions quickly. In this way, Elastic offers an integrated autonomous SOC solution, with native SOAR capabilities featured in Elastic SIEM. Elastic also offers extended detection and response (XDR) and endpoint protection solutions.

Elastic Security provides a superior user experience (UX) and an intuitive, dynamic, and highly responsive interface. Its seamless design, rapid search, and level of detail contribute to a high score on the threat hunting key criterion as well as on the evaluation metrics for capability and usability. Furthermore, the platform features graphical views of events and timelines, which equip security analysts with the right tools to investigate long-term threats in a context-rich environment.

A distinguishing capability of Elastic Security is its self-healing, an automated remediation feature that erases attack artifacts from a system. When malicious activity is identified on a host, self-cleaning automatically returns the host to its pre-attack state by reversing changes implemented during the attack.

The anomaly detection modules enable the platform to identify operating system (OS) processes that do not usually use the network but have unexpected network activity as well as to search for a number of indicators such as unusual listening ports, unusual web URL requests from hosts, rare processes running on multiple hosts in an entire fleet or network, activity from users who are not normally active, and many other potential risk indicators.

Elastic Security supports excellent communication among security analysts by allowing annotations and comments on most functions, accompanied by full audit trails that ensure visibility across all the actions undertaken on the platform.

With the latest release, 8.9, Elastic offers experimental features for risk scoring, which includes host and user risk scoring that uses scripted metric aggregation to calculate host risk scores based on alerts that were generated within the past five days.

For zero-day response, Elastic’s research team can offer threat research briefs with targeted searches, automated protections, and enforcement of existing attack-agnostic protections with threat-specific detections. Elastic’s red teaming and validation capabilities are inherited from its 2019 acquisition of Endgame, the vendor offering red team automation scripts that simulate threat behaviors. However, the vendor does not currently offer sandbox environments or playbook debuggers.

The recently released Elasticsearch Relevance Engine (ESRE) delivers new capabilities for creating highly relevant AI search applications. ESRE provides developers a full suite of sophisticated retrieval algorithms and the ability to integrate with large language models (LLMs).

Strengths: Elastic Security ranks high on several key criteria and evaluation metrics described in the report, such as case management and collaboration, and monitoring ephemeral resources. Elastic has been consistently developing and releasing new features since GigaOm started observing these categories of security solutions.

Challenges: Elastic Security does not support a physical appliance deployment model, making the solution unsuitable for customers who need to deploy SIEM as a physical appliance on their premises. The solution can also further develop its validation and red teaming capabilities.

Exabeam

Exabeam Fusion unifies SIEM with XDR for a cloud-delivered solution that uses ML and automation for threat detection, analysis, and response, natively offering SOAR-like capabilities. Exabeam Fusion can be integrated with existing security stacks through many prebuilt integrations with technologies like endpoint protection systems, business support systems, network modules, and cloud environments. These integrations span the full threat detection and response lifecycle, from data ingestion and normalization to response automation.

Exabeam Fusion ranks high on ease of use because it leverages prescriptive, threat-centered use case packages that provide repeatable workflows and prepackaged content that spans the entire threat detection and incident response (TDIR) lifecycle. These use cases provide a standardized way to quickly achieve effective, repeatable security outcomes for specific threat types. They include all of the content necessary to operationalize that use case, including prescribed data sources, parsers, detection rules and models, investigation and response checklists, and automated playbooks.

A mature feature in the Fusion solution is the machine-built timelines that automatically gather evidence and assemble it into a cohesive step-by-step representation of an attack that can be used to perform an initial investigation.

The automated incident diagnosis behavior analytics module analyzes abnormal user activity and classifies incidents by threat-centric use cases automatically, helping to diagnose threats. It classifies them by use case to guide investigations with tailored checklists that prescribe the appropriate steps for resolving specific threat types. The behavior-based detection module is a UEBA tool that detects threats, including credential-based attacks, insider threats, and ransomware.

For the case management and collaboration key criterion, the platform supports automatic ticket creation based on third-party alerts, risk scoring, and email ingestion. It enables analysts to organize and track investigations in a centralized system designed for security. Case management is natively integrated with a UEBA module, which aggregates additional suspicious activity details for earlier threat detection and investigation. The platform generates an intuitive user timeline that automatically assembles user activity across disparate data sources and current events without the analysts writing queries.

Exabeam can detect suspicious behavior such as compromise of credentials, lateral movement, escalating and abusing privileges, attempts to evade detection, manipulating accounts, tampering or deleting audit logs, disabling recovery mode, and destroying or exfiltrating data.

Strengths: Exabeam Fusion is a comprehensive solution that scores well on key criteria such as behavioral analytics and contextual risk-based scoring, data and threat enrichment, and retrospective analysis and threat categorization.

Challenges: Fusion is a cloud-delivered solution, so customers who require on-premises deployments via either physical or virtual appliances will not find the solution suitable. Moreover, capabilities for monitoring ephemeral resources and zero-day response are limited.

Hunters Security

Hunters is a multitenant SaaS-delivered SOC solution that ingests, normalizes, and analyzes data from all security and IT sources so that security teams are connected to organizational data without having to deploy and maintain ingestion pipelines. The platform delivers built-in and regularly updated detection capabilities, based on the MITRE ATT&CK framework that does not require analysts to regularly build and maintain detection rules.

Hunters’ distinguishing capabilities for alert calibration, curation, and correlation stem from its prebuilt and continuously validated library of detection and investigation capabilities that automatically manages content at scale. The detectors are preverified on real-world customer data to remove any false positives and excessive alerting, then deployed directly to all customer tenants without requiring any action or tweaking. The threat coverage of the organization is automatically mapped onto the MITRE ATT&CK framework. Some of Hunters’ detectors rely on AI/ML models, and customers can customize and build their own to address their bespoke use cases.

By coupling ingestion, detection, investigation, correlation, and response with out-of-the-box content, Hunters can deliver an automated experience for analysts who can now focus on making decisions based on already contextualized threats. Hunters is capable of automatically investigating, correlating, prioritizing, and clustering threats. Alerts across entities and attack surfaces are clustered using a proprietary threat similarity logic. They are automatically correlated on a graph and packaged as “attack stories,” giving a contextual view of the full incident. These attack stories run periodically and look for subgraphs taking into account relationships between entities and suspicious behaviors, and they use correlation logic that relies on MITRE information and threat intelligence.

Every alert is automatically enriched with information from various sources and displayed to the analyst for faster triage and investigation as well as advanced detection and scoring purposes.

The solution continuously examines the risk level of each alert, assigning both a risk and confidence score. For instance, alerts involving sensitive assets are prioritized, and risk for known benign behaviors is lowered. Other than detectors and automatic investigation models for each use case, the Hunters research team constantly builds scoring functions that are mapped to entity types and different detectors. Each scoring function can make a decision based on the data extracted in the detection phase, investigation phase, and static context like asset sensitivity.

Hunters’ detection mechanism is capable of backfilling and new detection capabilities are always researched and run against historical data. This capability works for tactics, techniques, and procedures detectors but also for indicators of compromise (IoC) detectors based on unique architecture that allows users to efficiently run new IoCs on historical data and match seen IoCs against updated feeds.

Compared to other solutions featured in the report, Hunters has limited native case management and collaboration features, offering these capabilities via integrations with third-party tools such as ServiceNow and Jira. For monitoring ephemeral resources, the solution can monitor anomalies in cloud environments and integrate with cloud security posture management (CSPM) tools, but native capabilities for monitoring containers or microservices are currently on the development roadmap.

Strengths: Hunters’ autonomous SOC solution is a compelling SIEM replacement solution that scores well on the key criteria of behavioral analytics and contextual risk-based scoring and retrospective analysis and threats categorization as well as on the report’s emerging technologies.

Challenges: Hunters can further develop its capabilities for key criteria such as case management and collaboration, monitoring ephemeral resources, and validation and red teaming.

Huntsman Security

Huntsman Security is an Australian company with a strong presence in the UK market and clients in private and public sectors, including defense, intelligence, and law enforcement. Its next-generation SIEM enterprise and SIEM MSSP solutions offer built-in SOAR and behavior anomaly detection, resulting in a solution that can automate a large number of SOC activities. The optional scorecard module gives details about a system’s patch status and software versions in addition to misconfigurations and other vulnerabilities.

The automation and orchestration features of Huntsman’s Next Gen SIEM solution include automated collection of security artifacts, analysis of threat information, threat verification, automated threat resolution, threat analysis templates, and case file creation with all relevant information.

Huntsman’s SIEM solution is a single product delivered as software, deployable on-premises or in public and private cloud environments, but not currently available in a SaaS option. Its SIEM MSSP product supports multitenancy to manage business units as separate siloes or as federated units managed by a single team that can share threat intelligence across multiple end customers.

Huntsman provides strong security controls for its SIEM solution through fine-grained role-based access control (RBAC) and a full-access record and audit trail of SIEM and SOC operations. It supports multiple classification networks for government clients and compliance monitoring and reporting for GDPR, ISO 27001, and other standards. The solution’s MITRE ATT&CK heat map leverages the power of the Mitre Matrix to more efficiently identify and graphically present the priority of an attack across an enterprise.

Huntsman Security’s patented Behavior Anomaly Detection (BAD2) engine is integrated into its SIEM solution to provide real-time ML capabilities to detect unknown threats. BAD2 supports use cases such as higher or unusual volumes of network session or user traffic on a per-user or per-host basis, volumes of events such as file accesses or other activity on hosts/workstations, changes in the usage profile of application servers, or query operations on databases and changes in the frequency or prevalence of operations. The detection engine adapts to changes and trends over time, either adjusting and relearning “normal” values or using fixed, preset baselines, depending on the nature of the environment and risk.

Strengths: The vendor ranks high on the alarm calibration, curation, and correlation criterion and is a strong choice for customers working in regulated industries and for MSSPs.

Challenges: Huntsman has been focused primarily on Australian and UK compliance requirements and public sector customers. The vendor can further improve its capabilities around monitoring ephemeral resources and validation and red teaming.

Logpoint

With the company headquartered in Copenhagen, Denmark, the Logpoint Converged SIEM is a solid autonomous SOC solution with exceptional security and privacy controls. Its distinguishing feature is the high level of compliance supported, as evidenced by the awarding of the Common Criteria EAL3+ certification in 2015 and 2020. To get and maintain that EAL3+ certification, the on-premises solution is built on a hardened OS maintained by Logpoint. This makes the Logpoint SIEM extremely suitable for deployment in highly regulated industries, including national governments and international agencies.

Logpoint’s latest developments include the addition of endpoint detection and response capabilities with AgentX as well as convergence of SOAR and UEBA capabilities into a single end-to-end security operations platform. Supported by case management and threat intelligence features, Logpoint ensures a converged experience with both on-premises and cloud-hosted deployments.

Logpoint has taken a modular approach to security monitoring and analytics. The Logpoint SIEM, which can be deployed as a single physical appliance or as software spread across multiple physical or virtual servers, provides basic log management, incident detection, and investigation capabilities. The Logpoint Director module provides multitenancy capabilities for MSSPs or large enterprise deployments.

Logpoint also ranks high on the threat hunting key criterion, offering security analysts a wide range of features for searching vast amounts of information and creating macros, which are a series of instructions grouped as a single command. It also leverages ML-enabled UEBA capabilities and integrates the MITRE ATT&CK framework as visualizations and predefined alerts mapped to the techniques.

Logpoint offers predictable pricing based on the number of devices sending logs to the SIEM rather than on data volume or endpoint security (EPS). It also uses a tiered storage model to provide more economical storage for compliance data while maintaining ready access to data needed for analytics.

In addition to the solution being compliant across many industries and regulations, another distinguishing feature is business integrity monitoring, which detects fraud and financial and value-chain anomalies. This helps analysts eliminate financial and reputational losses by spotting flaws and deviations from standards in organizational business processes that are vulnerable to fraud.

The platform can also automatically assign cases to security analysts according to their expertise based on the triggering incident. All incident alerts get a priority that is automatically updated later by running playbooks and the case they are potentially associated with. The tool assigns alert status and severity and updates it based on playbook and case activity as well as service-level agreement (SLA) status.

Strengths: Logpoint is a good choice for companies looking for an autonomous SOC solution with excellent support for privacy and well-developed capabilities for alarm calibration, curation, and correlation, data and threat enrichment, retrospective analysis and threats categorization, and validation and red teaming.

Challenges: While Logpoint natively offers SOAR capabilities, the vendor can further develop its capabilities for the autonomous operations criterion as well as the use of security data lakes.

LogRhythm

LogRhythm’s autonomous SOC solution is fundamentally a SIEM product that delivers comprehensive security analytics, UEBA, network traffic analysis, and SOAR modules within a single, integrated platform. The LogRhythm SIEM can be deployed on-premises, as a virtual appliance, or as a SaaS solution.

LogRhythm’s SOAR module can be integrated in the LogRhythm SIEM solution. This streamlines security workflows by coordinating and automating multiple steps in the response playbooks. It helps SOC teams to collaborate, qualify, and manage incidents, providing drill-down, search pivoting, context enrichment, and other investigative capabilities.

For behavioral analytics and contextual risk-based scoring, the solution offers comprehensive ML models in UEBA and network detection and response (NDR), and a wide variety of out-of-the-box deterministic rules in the AI Engine modules. It provides event progression rule alerting and creates the base architecture for indicators of compromise-based AI engine rules to be auto-deployed within the organization’s environment. The solution can also integrate pretuned AI engine rules for any environment, offering dynamic ranking for emerging threat severity.

For alert calibration and curation, LogRhythm’s false positive probability feature is used in risk-based priority (RBP) calculation for AI Engine rules. It estimates how likely the rule is to generate a false positive response. A low value indicates the pattern the rule matches is almost always a true positive. A high value, however, indicates the pattern the rule matches is very likely to be a false positive.

LogRhythm’s financial fraud detection module is intended to assist financial institutions collecting transactional data with LogRhythm in identifying and preventing fraudulent activity on their customers’ accounts. The network detection and response (NDR) module detects unusual or malicious user activity occurring within a customer’s organization networks by using deep forensic visibility into network traffic to catch a wide variety of advanced threats.

The solution also has the ability to monitor ephemeral resources, protect containers against crypto-mining malware, alert on malicious keywords to locate unapproved containers, and discover the point of origin where the attack initiated.

Strengths: LogRhythm ranks high on several key criteria described in the report, including alarm calibration, curation, and correlation and data and threat enrichment. The AI Engine feature is also noteworthy with respect to behavioral analytics and contextual risk-based scoring.

Challenges: The solution doesn’t currently support validation and red teaming. Also, autonomous operations and zero-day response are limited and the vendor could further develop these capabilities.

Logsign

The Logsign Unified Security Operations solution is a comprehensive security tool that enables customers to investigate threats and vulnerabilities, analyze risks, and respond to threats automatically. The platform’s automation and orchestration capabilities come natively integrated and are involved in every stage of the detection, investigation, and response processes. Logsign’s autonomous SOC solution is a result of multiple feature sets converging in a single tool, namely SIEM, SOAR, UEBA, and TDIR.

The Logsign solution integrates with a range of third-party security tools through its extensive library of more than 500 predefined integrations, free plugin services, and custom parsing capabilities.

The solution can surface high-risk alerts and prioritize low and slow threats, and it can prioritize high-risk threats with identity-centric behavior analytics that maps to the MITRE ATT&CK framework. The UEBA module is a new addition to the platform that can be used to detect inside attacks and stop data exfiltration and to detect risky users and watch their behaviors to prevent the spread of infections. The analytics module provides information as to why a user behavior is suspicious, using 500 predefined behaviors, and indicates how this behavior is expected to progress. For example, it monitors multiple failed login attempts in a specific time period to identify brute force attacks.

For incident and case management, the solution provides a detailed page for analysts where they can collaborate, take the necessary actions, and conduct investigations. Logsign provides detailed incidents in case management with timelines, visual cards for investigations, an incidents summary with detailed views, and lifecycle management according to the least-similar incident. Lifecycle stages are possible and using the magic button can produce automated or semi-automated responses for some detections.

For threat hunting, analysts can pull relevant threat information without pivoting using the magic button, which brings up the response integrations. Analysts can, for example, check the confidence score of the IP address or connect to the virus total to get IP reputation. From there, analysts can respond to and contain threats, undertaking actions such as rebooting the affected asset, killing processes, or terminating connections. Following the remediation stage, the solution enables analysts to update firewall rules or endpoint agents. Threat hunting can also be conducted with respect to the MITRE ATT&CK framework.

For alarm fidelity, the Logsign SIEM platform leverages over 500 predefined correlation rules and associated use cases, uses risk-based scoring based on behavior analytics, and filters security signals easily according to severity level or MITRE ATT&CK technique.

Strengths: Logsign’s autonomous SOC solution offers very good core functionality, scoring high on criteria such as data and threat enrichment. The recent addition of the UEBA module also earns the vendor good scores for behavioral analytics and contextual risk-based scoring.

Challenges: Logsign currently lacks capabilities for criteria such as monitoring ephemeral resources, validation and red teaming, and zero-day response.

ManageEngine

ManageEngine’s suite of security products is the Swiss Army knife of autonomous SOCs. Its modular approach revolves around its main SIEM platform, Log360, which can then natively call upon several other capabilities for SOAR and UEBA.

Log360 has good automation capabilities and supports the creation of workflows that automate common procedures carried out by security analysts. The solution also features an analytics system, which classifies events in trend reports and system events that help security practitioners with analysis and response. It features out-of-the-box correlation rules, including for common ransomware attacks. The custom correlation rule builder allows analysts to correlate seemingly unrelated events across the network to detect attacks.

The automation engine can be used for use cases such as integrations with threat intelligence feeds like Webroot to help stop threats at the source, integration with firewalls to help analysts manage security from one console, incident management automation to group alerts and events into larger incidents, and integration with help desk tools such as ManageEngine ServiceDesk Plus, BMC, ServiceNow, and Jira.

The log management component of Log360, the EventLog analyzer, supports a variety of use cases, including event log correlation, auditing of network devices, servers, and applications, and compliance management.

Log360’s UEBA add-on is powered by ML and can detect anomalies by recognizing subtle shifts in user or entity activity. It helps identify, qualify, and investigate threats that might otherwise go unnoticed by extracting more information from logs to give better context. Administrators can identify the network’s count, time, and pattern anomalies based on users and their peer groups. Out-of-the-box analytics are provided for use cases such as insider threats, account compromise, and data exfiltration. Risk scores are calculated for each user and entity based on deviations from their baseline behavior.

ManageEngine’s autonomous SOC solution does not currently support validation and red teaming or monitoring ephemeral resources. While Log360 offers native case management and collaboration capabilities, this feature does not offer more advanced functionalities such as war rooms or cross-department collaboration.

Strengths: ManageEngine’s modular approach to SIEM is the foundation for an autonomous SOC. The platform supports a robust range of features and capabilities and has ongoing ML-related developments at a competitive price. The vendor scores high on data and threat enrichment, retrospective analysis, and threat categorization.

Challenges: Functionality for collaboration and case management, autonomous operations, and zero-day response is limited. The vendor doesn’t offer capabilities for monitoring ephemeral resources and validation and red teaming.

Microsoft

Microsoft Sentinel is a cloud-native SIEM solution with integrated SOAR capabilities that form an autonomous SOC solution that uses built-in AI to help analyze large volumes of data. Microsoft Sentinel aggregates data from all sources, including users, applications, servers, and devices running on-premises or in any cloud. Microsoft Sentinel is built on the Azure platform. It provides a fully integrated experience in the Azure portal that seamlessly integrates with existing services such as Microsoft Defender for Cloud and Azure Machine Learning.

The solution’s automation and response primary purpose is to automate any recurring and predictable enrichment, response, and remediation tasks that are usually carried out by security analysts. Automation takes a few different forms in Microsoft Sentinel, from rules that centrally manage the automation of incident handling and response to playbooks that run predetermined sequences of actions and provide powerful and flexible advanced automation of threat response tasks.

The solution has a mature querying function that can be written to extract data before, during, and after a compromise. Before an incident occurs, analysts can take proactive action by running any threat-hunting queries related to the data they’re ingesting to provide early insight into events that may confirm that a compromise is in progress. During a compromise, analysts can use livestream to run a specific query constantly, presenting results as they come in. After a compromise, analysts can improve coverage and insight to prevent similar incidents in the future.

To help reduce noise and minimize the number of alerts generated, Microsoft Sentinel uses analytics to correlate alerts into incidents. Incidents are groups of related alerts that indicate an actionable possible threat you can investigate and resolve. Microsoft Sentinel also provides ML rules to determine baseline network behavior and look for anomalies.

The solution has good automation capabilities enabled by a playbook engine that integrates with Azure services and existing tools. To build playbooks with Azure Logic Apps, users can choose from a set of prebuilt playbooks, such as ticketing integrations with ServiceNow.

Microsoft Sentinel supports Jupyter notebooks in Azure Machine Learning workspaces, including full libraries for ML, visualization, and data analysis. They can be used to extend the scope of what you can do with Microsoft Sentinel data, such as performing analytics that aren’t built into Microsoft Sentinel, creating bespoke data visualizations, and integrating data sources outside of Microsoft Sentinel.

Microsoft’s ML capabilities can deliver good alarm fidelity by identifying suspicious behavior and presenting a condensed list of the most probable attacks or vulnerabilities to a human cybersecurity worker. Following that, the model takes in feedback and actions carried out by the security analysts for updating itself and the rules system to better identify threats.

Strengths: Microsoft Sentinel has well-developed capabilities for alarm calibration, curation, and correlation. Sentinel supports data scientists with Jupyter notebook integrations and bring-your-own ML models.

Challenges: As a cloud-native Azure-based solution with no option for deploying the solution on-premises, Sentinel may not be suitable for organizations that require a non-Azure deployment model. Additionally, functionality for case management and collaboration, monitoring ephemeral resources, validation and red teaming, and zero-day response is limited.

NetWitness

NetWitness’ autonomous SOC solution is a result of the vendor’s multiple-module XDR platform, which includes components for threat management across network, endpoint, and logs. The SIEM component, which includes an integrated SOAR tool, can be deployed as a standalone solution or as part of the XDR platform. The solution can be installed in customers’ on-premises or cloud environments, deployed as cloud-hosted solutions on either dedicated or shared infrastructure, or provided via SaaS models.

The NetWitness SIEM component collects security, compliance, OS, resource access, and administrative events and parses events to further enrich the data with relevant threat, priority, and business context. The SOAR components provide automation and control with orchestration that is completely integrated with a unified datastore and data architecture. They also provide a single seamless interface to look across all types of data, allowing security analysts to see the entirety of any security situation.

For zero-day response, NetWitness’s FirstWatch threat intelligence research and threat content production team offers detection techniques including behavioral analysis for novel threat detection.

A distinguishing feature of NetWitness is its integration of a fully featured network traffic analysis/network detection and response (NTA/NDR) solution. This combination of packet and metadata capture, static file analysis, threat intelligence, and orchestration workflows enables analysts to perform thorough investigations and identify threats that are not detectable with logs alone. These capabilities are further backed by NetWitness Detect AI, a cloud-based behavior analytics solution powered by AWS that applies unsupervised ML to data captured by the NetWitness platform to rapidly detect unknown threats.

For data enrichment, NetWitness can add business context to threat analysis, so organizations can prioritize threats based on potential impact to their businesses. In addition, intelligence gathered from industry research and crowdsourced from its customer base and the organization’s own data is fully aggregated and operationalized at ingestion.

NetWitness supports various deployment models, including on-premises, private and public cloud, and hybrid where required. However, NetWitness does not currently offer a complete SaaS model—although the solution does offer several SaaS-based components, including a cloud-based SIEM tool for logs. While RSA NetWitness is suitable for MSSPs, as well as small and large organizations, its capabilities for NSPs and CSPs require improvement.

For case management and collaboration, the solution centralizes incident information, including what actions were performed. This helps in understanding what has been accomplished and determining the next logical step in resolving issues. The case management functionality then uses broad embedded intelligence to analyze and enrich the extracted evidence with broader context.

The solution has good red teaming and validation and autonomous operations capabilities because it automatically collects and memorializes key evidence during investigations. It can also provide proactive playbook failure notifications, highlighting playbook failures without status checks, and ensure that playbooks are running when and where they are needed. Playbooks can be deployed in a testing environment to show how they will operate before production.

Strengths: The NetWitness autonomous SOC solution ranks high on several key criteria including case management and collaboration, data and threat enrichment, and validation and red teaming.

Challenges: As the NetWitness SIEM and SOAR products are an integrated part of the XDR platform, buyers need to consider the implications of choosing the wider XDR platform or standalone SIEM solution with respect to pricing, licensing, and integrations.

OpenText

OpenText ArcSight is a well-known name within the security space, having been developed over more than 20 years. ArcSight’s autonomous SOC solution offers a complete end-to-end SecOps experience that consists of SIEM, UEBA, SOAR, and big data threat hunting. These features reside on a unified platform that includes common storage, a shared data platform, and a unified interface.

OpenText’s SOAR capabilities were inherited after the acquisition of ATAR Labs in 2020. Since then, the company has been integrating the SOAR solution tightly and strategically with the rest of its security portfolio. Currently, ArcSight ships with a fully integrated SOAR solution within the SIEM platform at no additional cost.

ArcSight supports all the deployment models described in the report, such as physical appliances, cloud-hosted, and SaaS. The SaaS deployment is hosted by the OpenText cybersecurity operations team, with the underlying hosting components provided by AWS. The solution ranks high on a number of key criteria, including alarm calibration, curation, and correlation, data and threat enrichment, and validation and red teaming.

The platform’s layered analytics is a distinguishing feature that detects unknown and elusive threats through behavioral analysis backed by unsupervised ML, which helps detect attacks such as advanced persistent threats and insider incidents. OpenText also delivers big data threat hunting backed by supervised ML and a security-centric data lake.

For data and threat enrichment, ArcSight SOAR leverages both open source and commercial threat intelligence feeds and databases. During incident response activities, the platform automatically enriches the case artifacts and uses the reputation scores at playbook decision points. The solution also ranks high on case management and collaboration, allowing SOC analysts, IT admins, and end users to work on incidents collaboratively. It supports the creation of incidents via SIEM alerts, emails, threat intelligence feeds, a REST API, and manual activities by SOC analysts. It ingests events and messages from those sources and automatically creates case tickets with a rule-based consolidation engine.

Strengths: OpenText has a well-defined strategy that combines multiple security products, including ArcSight SIEM, into a unified platform. The vendor ranks high on enrichment, automation, and convergence.

Challenges: Currently, the OpenText SIEM solution is not oriented toward serving NSPs, whose requirements include geographically distributed infrastructure serving enterprise customers and consumers. It also doesn’t provide autonomous operations capabilities.

Palo Alto Networks

Cortex Extended Security Intelligence and Automation Management (XSIAM) is Palo Alto Networks’ autonomous SOC solution that unifies security functions such as XDR, SOAR, ASM, UEBA, threat intelligence platform (TIP), and SIEM into a single solution. Cortex XSIAM centralizes all security data and uses ML data models designed specifically for security, and it can be deployed as SaaS.

Cortex XSIAM collects and ingests endpoint, network, cloud, identity data, and threat intelligence data, in addition to logs and alerts, to drive ML for natively autonomous response actions, such as cross-correlation of alerts and data, detection of highly sophisticated threats, and automated remediation based on native threat intelligence and attack surface data.

The Causality Analysis Engine correlates activity from all detection sensors to establish causality chains that identify the root cause of every alert. The Causality Analysis Engine also identifies a complete forensic timeline of events that helps analysts determine the scope and damage of an attack and provide an immediate response. The Causality Analysis Engine determines the most relevant artifacts in each alert and aggregates all alerts related to an event into an incident. When a malicious file, behavior, or technique is detected, Cortex XSIAM correlates available data across detection sensors to display the sequence of activity that led to the alert. This sequence of events is called the causality chain and is built from processes, events, insights, and alerts associated with the activity.

Cortex XSIAM automates the health monitoring of data sources by establishing baseline profiles and alarming when those sources fall outside of historical bounds. Cortex XSIAM’s autonomous operations also include the ability to interact with analytics profiles to answer questions around prevalence, unlocking investigative workflows that required human analysts to determine the answer to questions like, “Is this activity normal?” in cases where activity was otherwise marked as benign by other sources or other logic branches. This gives rise to new possibilities for automating investigations.

Cortex XSIAM leverages multiple data sources in its SmartScore feature, which aids analysts by dynamically scoring incidents based on the context of the incident and involved entities. Cortex XSIAM scores users as well as compute resources according to the behavior exhibited over time. Each user is continuously baselined, but the evaluation is done in comparison to the historical baseline for that user as well as baselines for other users and administrative users where applicable.

For monitoring ephemeral resources, Cortex XSIAM can be deployed via a daemonset agent on pods to provide visibility into container execution and can monitor for malicious activity such as privilege escalation or malicious code. Additionally, Cortex XSIAM can utilize an agentless approach for monitoring resources by mapping them against Center for Internet Security (CIS) benchmarks to help ensure that configuration issues or risks are not present.

One of Cortex XSIAM’s distinguishing features for validation and red teaming is a playbook debugger that allows for the testing of a playbook outside of a formal flow as well as testing before implementation. Testing can be done against existing alerts or incidents or using populated variables. The “playground” is a non-production environment where users can safely develop and test scripts, APIs, commands, and more. It is an investigation space that is not connected to a live (active) investigation.

Strengths: As a solution built from the ground up with lessons learned from a suite of leading security products, XSIAM delivers a comprehensive autonomous SOC solution that scores high on a wide range of key criteria.

Challenges: While the solution offers average autonomous operations capabilities, these can be further developed to include automatically defining and calibrating alarms, identifying playbook inefficiencies, or offering guided playbook builders.

Rapid7

Rapid7’s InsightIDR is a cloud-native, integrated SIEM and XDR solution. InsightIDR supports automation workflows and offers an extensive library of third-party integrations to supplement its out-of-the-box endpoint, network, cloud, and user coverage. While InsightIDR natively offers all features for an autonomous SOC solution, Rapid7 also offers InsightConnect, a standalone SOAR solution that provides comprehensive automation and orchestration capabilities.

The InsightDR solution’s native network traffic analysis feature provides network visibility and detection coverage alongside data from the rest of the environment. InsightIDR’s enhanced network traffic analysis feature leverages proprietary packet capture to access additional network metadata that enables understanding of the full scope of activity.

For data enrichment, InsightIDR leverages external threat intelligence from Rapid7’s open source community, advanced attack surface mapping, Rapid7’s threat intelligence service (Threat Command), and proprietary ML. Detections are constantly curated by Rapid7’s threat intelligence and detections engineering team. The solution auto-enriches every log line with user and asset details and correlates events across different data sources displaying visual investigation timelines.

The solution also includes a UEBA module, which continuously baselines normal user activity to identify anomalies. Correlated user data also offers rich context for other attacker alerts to help speed your investigations and response. Besides UEBA, InsightDR also has an attacker behavior analytics (ABA) module, which identifies how attackers gain persistence on an asset and send and receive commands to victim machines. Each ABA detection rule hunts for a unique attacker behavior.

The UEBA and ABA detection rules are flexible, giving analysts the ability to modify out-of-the-box rules, create custom alerts, and subscribe or contribute to community threats. In addition, the firing of these rules can directly trigger automation workflows that are either custom developed or pulled from the Rapid7 workflow library.

A new release from Rapid7 includes the InsightIDR and Threat Command integrations for XDR features, which offers an improved external and internal attack surface view within Rapid7. Customers can view Threat Command alerts alongside their broader detection set in InsightIDR to prioritize and investigate these alerts by using InsightIDR’s investigation management capabilities, then seamlessly pivot back and forth between the two products. Threat Command detection rules can be tuned directly in InsightIDR with respect to the rule actions, rule priorities, and exceptions.

InsightIDR’s capabilities around monitoring ephemeral resources and automation can be supported natively at a basic level, but more advanced functions require using InsightCloudSec for cloud posture management. Similarly, InsightIDR can integrate with third-party case management systems, but the solution should further develop its native case management and collaboration capabilities.

Strengths: Rapid7’s InsightDR ranks high on key criteria such as alarm calibration, curation, and correlation, and data and threat enrichment. The vendor also scores well on the scalability and ease of use evaluation metrics.

Challenges: Functionality for behavior analytics and contextual risk-based scoring, case management and collaboration, and monitoring ephemeral resources is limited.

Securonix

Securonix ranks high on a number of key criteria and evaluation metrics, which is a testament to the company’s strategy for creating an autonomous SOC solution that’s well-integrated, comprehensive, and a true end-to-end security analytics and operations platform. Securonix SIEM ships with native SOAR capabilities to support automation and orchestration use cases. Securonix differs from other vendors of similar solutions in its approach to the cloud. It is one of only a few vendors that provide a native and robust SaaS deployment model and has even implemented a bring-your-own-cloud model.

Another feature that makes Securonix’s SIEM solution distinctive is the Securonix Threat Labs, which continuously monitors emerging threats and develops detection content that customers can apply in production. In addition, Securonix offers prepackaged content that can be deployed using its automated content dispenser. The content includes use cases such as insider threat detection, fraud analytics, threat hunting, compliance reporting, and identity and access analytics.

One of Securonix’s latest services is its Autonomous Threat Sweeper (ATS), which automatically performs threat hunting retroactively, using historical logs to scan customer environments for threats that have only been recently discovered. Leveraging the latest research and threat content from Securonix Threat Labs, ATS runs in the background without any user intervention, looking for signs of compromise in historical customer data, whereas intelligence about certain threats usually becomes available only after the organization was hit.

Securonix is also implementing generative AI capabilities to empower various roles to efficiently utilize ChatGPT during investigations, such as prompting for instructions on searching specific indicators of compromise, seeking assistance to understand unfamiliar technologies, or interpreting encoded PowerShell commands directly from the Securonix Investigate window.

While other SIEM vendors implement ML capabilities to enhance existing features, Securonix took a different approach, putting ML at the platform’s core. It leverages both supervised and unsupervised ML to achieve capabilities such as behavior pattern and rare event detection, as well as automated phishing and spam identification.

The vendor scores high on several key criteria, including alarm calibration and curation, data enrichment, and retrospective analysis. Buyers interested in Securonix’s SIEM need to consider the high learning curve and the amount of available documentation, as these considerations will heavily impact the UX. These factors will be essential to ensuring that the platform’s capabilities can be used as intended and that the platform’s complexity will not be a hindrance for security analysts.

Strengths: Securonix ranks high on a number of key criteria and evaluation metrics and supports most use cases, deployment models, and verticals. It is a well-developed platform that distinguishes itself by putting ML at the core of the solution, which may secure Securonix’s position as a Leader in the autonomous SOC space.

Challenges: To support security analysts in using Securonix’s comprehensive solution, it’s important to consider the learning curve and overall UX so as to address challenges related to the platform’s time to value and disruptions caused by security analyst churn.

Sumo Logic

Sumo Logic Cloud SIEM is a SaaS-delivered solution built from the ground up as a multitenant, microservices architecture that scales elastically and supports large volumes of data ingestion. Sumo Logic expanded its portfolio to include Cloud SOAR by acquiring DFLabs. The two products are tightly integrated in the back end, currently presenting two UIs for each product.

The Global Intelligence for Security Insights engine provides a crowd-sourced and ML-predicted global confidence score that offers security analysts validated and fully contextualized events. Insights with a higher confidence score signify that an insight is more likely to be a true positive based on the actions from other Sumo Logic Cloud SIEM customers as well as previous actions taken on similar signals by that customer.

Sumo Logic’s Cloud SIEM is one of a few solutions featured in this report that ranks high on the monitoring ephemeral resources key criterion. The solution allows visibility into Kubernetes clusters and provides integrations with Falco, an open source runtime security tool that monitors for privilege escalation using privileged containers, unexpected network connections or socket mutations, and read-writes to well-known directories.

Cloud SIEM’s Insight Engine pulls together alert signals from multiple sources into a single insight tied to specific entities. It reduces triage and investigation time by automatically correlating related activities and potential threats. It also provides a powerful view back in time, evaluating all signals associated with an entity up to the last 30 days. The insights include AI/ML-based confidence scores, which help analysts prioritize their work based on the likelihood that the insight is a true event. To triage and filter alerts, Cloud SOAR analyzes incoming alerts with its ML-based automated responder knowledge (ARK) feature, which learns from past incidents to recognize real threats, conduct deduplication, flag potentially false positives, and merge incidents with similar characteristics.

An entity criticality feature provides the control to adjust the severity of signals for specific entities based on some risk factor or other consideration. For example, an executive’s laptop is likely to contain important data, so signals related to that entity should have a higher severity. To allow for this, you define a criticality, which is a single arithmetic expression used to adjust the severity of signals on entities the criticality is assigned to.

Sumo Logic’s Cloud SIEM includes automated enrichment and supports ingestion of threat intelligence data that is automatically merged with entities (like IP addresses) detected in insights. For threat enrichment, the solutions integrate with industry-standard TIPs, both commercial and open source intelligence (OSINT) as well as with custom threat-intelligence applications, external databases, and any service equipped with APIs or web services. This feature populates alerts and incidents with details about the threat, such as identity context, asset information, access privileges, vulnerability scans, and network maps.

Strengths: Sumo Logic’s Cloud SIEM ranks high on multiple key criteria including alarm calibration, curation, and correlation, behavioral analytics and contextual risk-based scoring, data and threat enrichment, and monitoring ephemeral resources.

Challenges: The vendor could add zero-day response capabilities and better develop its validation and red teaming features to help analysts easily determine whether newly created playbooks perform as intended. Also, with the current level of integration, an SOC analyst would still be required to pivot between SIEM and SOAR platforms.

6. Analyst’s Take

There’s no way around automation to cope with today’s demands, and most security providers share a vision for how a security operations center will work in the future. Tasks that have been manually performed for up to 20 years are well documented and ripe for automation, with vendors now abstracting the process and exposing only the output to analysts.

For low-complexity attacks, organizations can either define their own logic or leverage prepackaged content and lessons learned from large volumes of similar threats, so that an autonomous SOC solution resolves it independently. We don’t need or want analysts to manually determine whether an email is phishing or not. However, for higher complexity incidents, we always want humans in the loop.

These tools should preserve human agency and augment analysts to operate at higher levels of abstraction. Today’s autonomous SOC features are the core infrastructure for ingesting, processing, and presenting data, while the user interface will tend more to natural language rather than clicking through menus.

The relationship between tools and analysts will be one of interdependency, where both parties calibrate each other’s performance for optimal results, rather than a one-way street where analysts always dictate and define how the tool should behave. AI and ML are the core enablers here because extracting information and patterns from petabytes of data is something that humans can’t and shouldn’t try to do.

“This playbook you defined isn’t behaving as you intended,” an autonomous SOC solution will respectfully say to an analyst, while also providing supporting evidence. “I see,” the analyst might reply. “In these specific circumstances, we want to exclude these entities from triggering the playbook.”

Ultimately, success with this new generation of tooling will depend on the ability of those in front of the screen (security analysts) to make the best use of it. As this human-machine relationship develops, the best incident responders will be computer-assisted analysts, just like in chess, where computer-assisted humans are the best players.

7. Methodology

For more information about our research process for Key Criteria and Radar reports, please visit our Methodology.

8. About Andrew Green

Andrew Green is an enterprise IT writer and practitioner with an engineering and product management background at a tier 1 telco. He is the co-founder of Precism.co, where he produces technical content for enterprise IT and has worked with numerous reputable brands in the technology space. Andrew enjoys analyzing and synthesizing information to make sense of today’s technology landscape, and his research covers networking and security.

9. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.

10. Copyright

© Knowingly, Inc. 2023 "GigaOm Radar for Autonomous Security Operations Center (SOC)" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.