Gartner® Research recently published their 2022 Market Guide for Security Orchestration, Automation and Response solutions. Their analysis looks at SOAR, “as a pure-play technology, SOAR continues to mature, but remains a relatively niche market. It is being consumed into other markets such as SIEM, XDR and MDR.”
After reading the Market Guide for SOAR, three insights jumped out at me:
SOAR as it has historically been defined is niche and vendors are being acquired.
Some SOAR vendors have evolved to deliver low-code security automation that extends beyond security operations center (SOC) use cases.
The future of SOAR lies in security automation solutions that provide flexibility, and genuine vendor-neutrality. It will expand use cases beyond what SIEM or XDR can deliver.
To unpack these insights, it helps to understand the past, present, and future of the SOAR market.
How SOAR Began
The security industry started off with basic SOAR technologies for the explicit purpose of automating SOC workflows like phishing, alert enrichment, and alert triage. While these continue to be the most common security automation use cases today, traditional SOAR products tend to serve niche segments of the security market. That’s largely because SOAR has earned a reputation for rigid playbooks and requiring extensive development resources. These qualities are the reasons why SOAR adoption has primarily been limited to the largest and most mature security teams.
Over the years, founding vendors in the SOAR category have gone in one of two directions – they’ve innovated to address the needs for the future of security automation, or they’ve been acquired. Most recently, Google’s acquisition of Siemplify signaled the future value of security automation and extended Swimlane's lead as the world’s largest independent security automation provider.
What is Security Automation?
Many people assume that security automation is synonymous with SOAR, but in reality, there are some important differences between the two approaches to automation. In most circumstances SOAR is synonymous with a small number of use cases focused exclusively on the SOC Tier 1 analysts, use cases like triaging phishing alerts, or doing IOC reputation checks of SIEM alerts. While these use cases are valuable and save teams meaningful amounts of time in their day-to-day activities, they are limited in scope in who and how much they can help.
Security Automation by contrast brings together a diverse group of typically disconnected groups of people, processes and technology in order to drive more efficient, effective, and scalable security operations across a much broader portion of the security team and its objectives. It accomplishes this by using low-code technology to extend the applicability of automation, orchestration, and acting as a system of record beyond security operations center (SOC) use cases to enable a wide variety of stakeholders for DevOps, AppSec, threat hunting, privacy, audit, compliance and many others.
While common SOAR use cases like phishing and alert triage continue to be popular, security automation also adds value by solving problems around data overload and talent shortage for teams focused on fraud, vulnerability management, legal and compliance use cases. As per the report, “some clients are now using automation and orchestration capabilities in non-security-centric use cases, as there is some crossover with enterprise automation use cases typically delivered by low-code application platforms.”
The Next Generation of Security Automation
The third insight taken from the Gartner Market Guide was that the future of SOAR will deliver value beyond what SIEM and XDR can deliver by providing greater flexibility and an environment-agnostic approach. In our opinion, security automation vendors who accomplish this, and lead the security automation market of tomorrow, will do so by addressing three emerging trends.
Big Data requires Big Automation: Historically, SOAR technologies have not been evaluated on their throughput or processing power. This will change with the future class of security automation solutions because customers are beginning to require automation that ingests greater and harder to reach telemetry sources.
Integrate with Anything: As the attack surface continues to expand, security teams need to integrate with things that aren’t traditionally integrated with from a SecOps perspective – like cloud, IoT, and edge computing.
Democratized Automation: Security automation has the potential to solve a myriad of problems, but it will never reach its full potential if automation continues to be a capability that’s only accessible to the most highly skilled security professionals. Low-code security automation changes this, making security automation more approachable so that domain experts can become automators, without sacrificing power or performance.
To learn more about the next generation of low-code security automation solutions, read this product overview white paper to understand how Swimlane Turbine does it.
Gartner, Market Guide for Security Orchestration, Automation and Response Solutions,
By Craig Lawson, Al Price, 13 June 2022
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.