Gartner’s 2020 SOAR Market Guide in a nutshell

Finally, to the delight of many SOAR enthusiasts, the highly anticipated Gartner SOAR Market Guide for 2020 is out.

Even though SOAR, as a relatively new security category, doesn’t have a Magic Quadrant, Gartner is already dedicating a market guide for Security Orchestration, Automation and Response solutions. And this year’s Gartner SOAR Market Guide will be gladly welcomed by security vendors and companies that are interested in purchasing a SOAR solution.

In this blog post, we will try to pin down the most relevant takeaways from the Gartner 2020 SOAR Market Guide and delve into the core of the guide, with a special emphasis on the latest market trends, market direction, and market recommendations. So, let’s cut to the chase and dive right in.

Gartner SOAR Market Guide 2020

Key takeaways

Given that Gartner’s 2020 Market Guide itself is broad and highly detailed, we will try to get to the point and focus on the most relevant highlights. Let’s get started with the key findings:

• According to Gartner, larger companies with established processes continue to make up the main buyer persona. SOAR is mainly used as a tool for improving efficiency, productivity, and consistency in SecOps.

• Orchestration and automation, case management, and threat intelligence are among the top features provided by SOAR that are leveraged by SOCs today.

• SOAR is still mostly used by organizations that have a dedicated SOC environment. And SOAR is becoming more pervasive in managed security and managed detection and response services.

• Gartner underlines that the main drivers of SOAR adoption are staff shortage, alert overload, and the complexity of cyber threats; and points out automation as the primary capability to resolve those problems. Threat Intelligence is becoming increasingly prevalent in SOAR solutions, but it’s still not the main driver for buyers.

• SOAR tools are mainly used for incident response and establishing workflows, improving the threat detection processes, and enhancing prioritization and efficiency.

• SOAR is a technology that complements SIEM for incident response. SIEM aggregates data from different sources, and SOAR uses the information gathered from SIEM to initiate responses and determine whether an alert should be qualified as an incident.

In its latest Market Guide, Gartner defines SOAR as a solution that combines incident response, orchestration and automation, and threat intelligence management capabilities in a single platform. SOAR resembles the convergence of three distinct technologies:

• Security Incident Response Platforms (SIRPs)

• Security Orchestration and Automation (SOA)

• Threat Intelligence Platforms (TIPs)

Gartner proceeds to explain the core of SOAR, and states that SOAR tools are also used to document and implement security processes via playbooks and workflows, and also claims that SOAR finds its use in machine-based assistance to security analysts and operators. Workflows can be orchestrated via integrations with third-party technologies, such as:

• Incident triage

• Incident response

• Compliance monitoring and management

• TI curation and management

The end result would be to automate the workflows with the goal of achieving these types of desired outcomes. SOAR provides the ability to select the best workflow to respond to a certain incident.

SOAR Market direction

Gartner points out that SOAR is becoming increasingly prevalent in the cyber industry and that the SOAR market is growing steadily, but it’s still most commonly adopted by mature organizations with larger security operations in their SOCs. On the other hand, less mature organizations are not showing the same level of interest in SOAR tools. This is because SOAR technologies offer utility-like functionalities that must be programmed by operators, and as a result, less mature organizations find SOAR to be too complicated and can’t reap the benefits of automation.

The demand for SOAR is increasing among security providers like MSSPs, as SOAR plays a crucial role in aiding MSSPs to provide remote response services. This growth in demand for SOAR is due to the fact that MSSP clients require security services that provide the ability to optimally contain a threat.

An interesting fact underlined by Gartner is that SIEM vendors are adopting SOAR solutions into their environments, mainly as premium tools to operate alongside SIEM. This means that Security Orchestration and Automation (SOA) is becoming a feature provided in other security technologies.

How organizations should evaluate SOAR solutions

Gartner advises that organizations looking to invest in a SOAR solution should be wary of the expansion of the SOAR market and must take precautionary measures to define the best type of SOAR solution for their needs. The most important thing is to start by evaluating SOAR solutions based on their technical capabilities, which should include the fundamentals of SOAR:

• Alert and Triage Prioritization

• Orchestration and Automation

• Case Management and Collaboration

• Dashboard and Reporting

• TI and Investigation

Furthermore, Gartner points out that SOC Optimization, Threat Monitoring, Investigation and Response, and TI Management among the most common use cases mentioned by Gartner customers.

Gartner SOAR Market Guide recommendations

Gartner reminds us that the core of SOAR revolves around four main pillars are:

• Workflow and collaboration

• Ticket and case management

• Orchestration and automation

• TI management

Moreover, Gartner continues to offer valuable insights to help SRM leaders choose ideal SOAR solutions based on clear characteristics, such as:

• Choosing a SOAR solution with a pricing model aligned with the needs of the organization

• Capability to optimize the collaboration of analysts

• Capability to easily code an organization’s existing playbooks

Overall, Gartner recommends that SRM leaders choose a SOAR solution that is compatible with the technologies already installed in the working SOC ecosystem.

SOAR vendors that provide further insight into the SOAR market

We should note that the Gartner 2020 SOAR Market Guide doesn’t rank or position vendors, yet it includes vendors that provide different offerings to the SOAR market in a beneficial manner. So, in the Gartner SOAR Market Guide 2020, Gartner specifically states that it commonly underlines the attributes of representative vendors that most closely illustrate the marketplace trends.

Regardless of that, we are happy that DFLabs (Now Sumo Logic) has once again been included in Gartner’s SOAR Market Guide, as our innovative Cloud SOAR solution continues to grow and play a pivotal role in the advancement of the SOAR technology and industry.