Security orchestration, automation, and response (SOAR) will continue to evolve. But are you zeroing in on the platform with the right SOAR capabilities? With more than a dozen SOAR solutions on the market today, it’s important to know which SOAR capabilities can solve your automation and response needs while setting up your security operations for scale.
The adoption of SOAR platforms improves monitoring, analysis, and rapid response capabilities, enabling security teams to enhance their overall efficiency and success rates. This approach has resulted in significant benefits for organizations by helping them minimize risk exposure, better protect enterprise assets, and reduce costs.
Takeaway 1: Both SOA and TIP features are required to deliver SOAR capabilities
Gartner defines SOAR as “solutions that combine incident response, orchestration and automation, and threat intelligence platform management capabilities in a single solution.” This capability can be achieved only when security teams have security orchestration and automation technology combined with threat intelligence platform technology that helps enrich, correlate, and analyze threat data.
Gartner observes that security orchestration and automation (SOA) tools have not been adding meaningful threat intelligence platform (TIP) features, and it is often the case that more advanced clients need both an SOA and a TIP to achieve Gartner’s full definition of SOAR.
Takeaway 2: Your SOAR must integrate
When selecting a SOAR solution, we believe security teams must favor the solutions that can integrate with the products already deployed in their organization’s environment. They should look for a SOAR solution that has the capability to “support a broad range of security tools across multiple existing point solutions such as SIEM, firewalls, endpoint systems, intrusion detection and prevention systems (IDPS), secure email gateways, security service edge (SSE), and vulnerability assessment technologies.”
Gartner further adds that “Also, it is important that security teams identify SOAR solutions that support bidirectional integrations with IT operations solutions (ticketing systems for case management) and collaboration tools (messaging applications) for enhanced real-time communications.”
Moreover, security and risk management leaders should keep in mind that operational security metrics such as mean time to detect and mean time to respond can be significantly improved with SOAR tools that integrate with detection, analysis, and response technologies.
Takeaway 3: The shift to low-code-like functionality
Some organizations have started leveraging automation and orchestration capabilities in non-security-centric use cases, as there is some crossover with the enterprise automation use cases typically delivered by low-code application platforms. With the development of low-code capability, Gartner is seeing some clients use SOAR solutions for more IT-centric workflows, as well as in other areas traditionally served by low-code solutions.
“SOAR technologies have offered low-code-like functionality since their inception. This makes programming and workflow improvements made by the operations team more accessible.” Low-code SOAR platforms allow both security and IT teams to create automated workflows tailored to their needs using pre-built playbooks.
Takeaway 4: Ability to perform correlation and aggregation
Gartner strongly recommends that an organization selecting a SOAR solution look for one that supports event correlation and aggregation, in order to improve security operations processes and produce alerts with better event enrichment. A key way to do this is through the implementation of low-code “playbooks,” which allow processes to be codified so that automation can be applied to improve consistency and save time. Besides connecting disparate solutions, SOAR helps automate a variety of repeatable security processes such as “phishing response automation” and IOC blocking in prevention devices.
Takeaway 5: Next-gen SOAR can be deployed anywhere
Next-gen SOAR should have the ability to be deployed either on-premises or in the cloud as a SaaS solution.
When selecting a solution, security and risk management leaders should favor SOAR solutions that offer flexibility in the deployment and hosting of the solution — either in the cloud, on-premises, or as a hybrid of these. Deployment should accommodate the organization’s security policies and privacy considerations, or its cloud-first initiatives.
Takeaway 6: Must support threat intel ingestion from a wide variety of sources and formats
Gartner recommends that SOAR solutions should support data ingestion from a wide variety of sources and in multiple formats. In its list of recommendations for selecting a SOAR platform, Gartner says that “One of the strongly recommended requirements to consider when selecting a SOAR solution is that it should support the ingestion of a wide variety of sources and formats of threat intelligence from third-party sources, supporting open-source, industry and government—information sharing and analysis centers (ISACs) and computer emergency response teams (CERTs)—and commercial providers.”
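As an added illustration of Takeaways 4 and 6 (this is example code written for this page, not Cyware’s or Gartner’s), the miniature playbook below ingests threat intelligence from two constructed feed formats (an ISAC-style CSV export and a JSON feed with different field names and score scale), normalizes and merges them, then aggregates raw alerts that share an indicator into one enriched case and chooses an action. All feed records, alert records, and the 80-point block threshold are constructed assumptions.

```python
import csv, io, json
from collections import defaultdict

# Constructed feeds in two formats: an ISAC-style CSV export and a commercial JSON feed.
CSV_FEED = "indicator,type,confidence\n203.0.113.7,ipv4,90\nbad-login.example,domain,70\n"
JSON_FEED = json.dumps([
    {"value": "203.0.113.7", "kind": "ip", "score": 0.8},
    {"value": "phish.example", "kind": "domain", "score": 0.6},
])
# Constructed raw alerts as a firewall, proxy or mail gateway might emit them.
ALERTS = [
    {"id": 1, "src": "firewall", "indicator": "203.0.113.7"},
    {"id": 2, "src": "proxy", "indicator": "203.0.113.7"},
    {"id": 3, "src": "mail-gw", "indicator": "phish.example"},
    {"id": 4, "src": "proxy", "indicator": "benign.example"},
]

def normalize(fmt, text):
    """Map one feed into a common {indicator: confidence 0-100} schema.
    The CSV feed already uses 0-100; the JSON feed uses 0-1 and other field names."""
    if fmt == "csv":
        return {r["indicator"]: int(r["confidence"]) for r in csv.DictReader(io.StringIO(text))}
    return {i["value"]: round(i["score"] * 100) for i in json.loads(text)}

def merge_intel(*feeds):
    """Union the normalized feeds; an indicator seen in several keeps its highest confidence."""
    merged = {}
    for feed in feeds:
        for ioc, conf in feed.items():
            merged[ioc] = max(conf, merged.get(ioc, 0))
    return merged

def correlate(alerts, intel, block_at=80):
    """Aggregate alerts sharing an indicator into one case, enrich it, and choose an action:
    block high-confidence IOCs, queue lower-confidence ones for review, close unknowns."""
    grouped = defaultdict(list)
    for alert in alerts:
        grouped[alert["indicator"]].append(alert)
    cases = {}
    for ioc, hits in grouped.items():
        conf = intel.get(ioc)
        action = "close" if conf is None else ("block" if conf >= block_at else "review")
        cases[ioc] = {"alerts": sorted(h["id"] for h in hits),
                      "sources": sorted({h["src"] for h in hits}),
                      "confidence": conf, "action": action}
    return cases
```

Running `correlate(ALERTS, merge_intel(normalize("csv", CSV_FEED), normalize("json", JSON_FEED)))` collapses the two firewall/proxy alerts on 203.0.113.7 into a single case marked for blocking, leaves the 60-confidence phishing domain for analyst review, and closes the indicator no feed knows about.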
Takeaway 7: Threat data should be shared with different audiences
From the SOC manager to the SOC analyst to the CISO, everyone in a SOC should be aware of the status and historical context of incident response processes and their performance results, and dashboards and reporting are essential to providing that understanding of the SOC environment. Dashboards and reporting aggregate security telemetry and threat visibility into a broad overview of the SOC’s security controls and activities, presenting statistical charts, reports, and graphs that highlight the organization’s overall involvement in incident response.
SOAR Away with Cyware
Deciding on what kind of SOAR solution to implement can surely be challenging. But if you understand your security teams’ needs, the job gets much easier. We believe Cyware ticks all the boxes of the next-gen SOAR recommendations made by Gartner in its 2022 Market Guide for SOAR Solutions. Cyware:
- offers decoupled security orchestration and automation (SOA), case management, and TIP features
- integrates with more than 300 cyber, IT, and DevOps technologies
- is an easy-to-use, low-code security automation platform
- provides advanced data aggregation, correlation, and analysis capabilities
- can be deployed anywhere: in the cloud, on-premises, or in hybrid environments
- supports data ingestion from a wide variety of sources and formats
- comes with advanced dashboards and reporting capabilities
To learn more about Cyware’s low-code SOAR solution, book a free demo.
Gartner, Market Guide for Security Orchestration, Automation and Response Solutions, Craig Lawson, Al Price, 13 June 2022
Gartner is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designations. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.