The 2020 Gartner Market Guide for SOAR Solutions is now available. Sorry, there is still no SOAR Magic Quadrant, but the annual Market Guide does provide a wealth of useful information and insights. These Market Guides give us a chance to see what Gartner’s analysts are hearing from their clients and partners and what the market trends look like for both vendors and buyers.
Security Orchestration, Automation, and Response (SOAR) is still a younger category compared to some but has continued to grow in interest, popularity, and adoption. Let’s take a look at some of the key takeaways from the Gartner SOAR Market Guide and look towards the future of SOAR as well.
SOAR - Gartner Definition
Gartner makes it very clear early on in the Market Guide that they define SOAR as a solution that combines incident response, orchestration and automation, and threat intelligence management in a single solution. This convergence of three separate technologies (security incident response platforms (SIRPs), security orchestration and automation (SOA), and threat intelligence platforms (TIPs)) is a key point, as many in the industry still lump SOA platforms into the SOAR conversation even when these are missing some of the key capabilities. Something to focus on here is not only the idea of having all three of these security technologies in one place but also the concept that they are working together to provide a better, more holistic approach. A true SOAR solution combines these aspects not only for convenience but also because elements of each improve security operations as a whole when they are integrated, such as speed, efficiency, and accuracy.
MSSPs and MDR Adopting SOAR
Gartner has identified the main buyers of SOAR as large enterprises and security service providers (MSSPs and MDR). SOAR has always been seen as something that was a great fit for bigger security teams looking to add automation and orchestration to streamline operations and infuse more threat intelligence in response workflows. The notion that Gartner specifically called out MSSPs and MDR as an area that is seeing increased adoption is noteworthy but shouldn’t come as a surprise.
Security service providers have been offering alerting and monitoring solutions for clients that have become insufficient in recent years. Customers of MSSPs and MDR providers are looking not only to be alerted of potential threats but also to have these service providers respond to and mitigate any attacks that have been identified. SOAR solutions provide the capabilities to handle all of this for service providers and make it easier to deliver a broader solution that fulfills their clients’ needs. Capabilities such as remote response, multitenancy, and a large library of integrations have become must-haves for SOAR solutions when they are considered by MSSPs and MDR providers.
Vendor-Agnostic (aka Broad-Based) SOAR
A notable addition to this year’s Gartner SOAR Market Guide was that they called out the difference between vendors that provide product-level SOAR and what they are calling broad-based SOAR. Vendors that provide product-level SOAR are able to add some SOAR capabilities, usually orchestration and automation, alongside their core product offering, which is typically a SIEM or TIP. The issue here is that the customer is tied to that vendor’s core product and limited to the integrations and use-cases available for it.
Broad-based SOAR, on the other hand, offers the flexibility to use any other product that the customer chooses and provides maximum interoperability, so customers can pick and choose the tools and vendors that fit their needs. We refer to this as vendor-agnostic SOAR and believe that it is a crucial component of any SOAR solution that truly offers the flexibility and value that customers are seeking. Gartner echoes this sentiment in the Market Guide, saying “SOAR products must be vendor-agnostic to maintain value due to integration.”
What’s Next for SOAR
As SOAR continues to evolve, we are seeing a few key trends that can give us some insight into what the future holds. These trends include SOAR solutions showing:
- An increase in native threat intelligence management functionality
- The benefits of integration flexibility (vendor-agnostic)
- Market demand for varying deployment options (on-prem, cloud, and hybrid)
- Growing interest in use-cases beyond incident response automation
All of this sounds a lot like the solutions that we have been building here at Cyware, and we believe these trends signal an evolution towards cyber fusion. Cyber fusion combines threat intelligence with various security functions, such as incident response, threat hunting, and security automation and orchestration, among others, into a single connected unit to comprehensively identify, manage, and respond to all security threats. This unprecedented level of visibility and collaboration across all security units for identifying, managing, and responding to threats provides security teams with an advanced level of resilience and control. By combining our solutions for threat intelligence sharing and analysis (CSAP and CTIX) with threat response (CFTR) and security orchestration (CSOL), Cyware offers not only a complete SOAR solution but also the future-focused technology required to build a virtual cyber fusion center for your organization.