Gartner Blog Network


SOAR Research Coming … Brace for Impact!!

by Anton Chuvakin  |  September 13, 2017  |  9 Comments

We interrupt our regular (SIEM, for now) programming to pre-announce our Q4 2017 (to spill over onto 2018) research on SOAR (which, by then, will likely stand for Security Orchestration, Automation and Response). Hurrah! Go SOAR! Well, go and SOAR :-)

Given that both Augusto and myself are so popular and have fairly long Vendor Briefing lead times, we wanted to issue our SOAR CALL TO ACTION now, before we actually start the research in October.

So, dear SOAR vendors (you know who you are, if I use examples here those NOT mentioned will get mad at me so none are mentioned), please schedule a briefing with us focused on some or all of the following:

  1. When is SOAR a MUST have technology? What has to be true about the organization to truly require SOAR? Why did your best customers acquire the tools?
  2. What budget item was used to purchase a SOAR tool by your clients?
  3. What are the most common SOAR use cases observed in your client base? For SOC? For CIRT? For threat intelligence?
  4. What do clients consider more valuable, a platform to integrate tools or content to guide their security operations processes? Or perhaps a workflow engine?
  5. Do most clients value the playbook content that comes with your SOAR tools? Or do most buyers have their own playbook content?
  6. What is your approach for dealing with tool integrations that become unsupported and/or break due to API changes? What do you suggest clients do when automation breaks?
  7. Which services and tools are most commonly integrated into your SOAR platform?
  8. Regarding the automation features, do most users utilize automation around enrichment and investigation or around automated mitigation actions?
  9. How long did it take to deploy at a typical client?
  10. Is SOAR the proverbial single pane of glass?
  11. If not, what is the role of SOAR – being the glue that ties security products together behind the scenes?
  12. What have you learned from deployment? What are the top challenges?

For now, my main problem with SOAR (however you call those security orchestration and automation tools…if you say SOAPA or SAO we won’t hate you much) is that I have never (NEVER!) met anybody who thought “my SOAR is a MUST HAVE.” Hence our first question above focuses on the conditions for SOAR toolsets to be “aspirin, not vitamin.”

Go and share your SOAR stories, even if you are not a vendor. In fact, better if you are a SOAR user who loves his SOAR tools! Or, perhaps, hates them!

Category: orchestration, security, soar

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on SOAR Research Coming … Brace for Impact!!


  1. Andre Gironda says:

    SOAR is more about SOMP than just TIP (e.g., Yeti-platform, MISP), case management (e.g., TheHive), and Security Operations Automation (e.g., Rundeck). SOMP is for decision making, for resource allocation all-around.

    Cyentia Institute just published their Cyber Balance Sheet 2017 report. It’s prescient.

    We must, as an industry, move completely away from Use Cases — https://my.socprime.com/en/ucl/ — and towards Hubbard AIE control effectiveness. Is there a control deficiency? Which controls are effective and to what degree? We must measure that risk and uncertainty using Hubbard AIE — there is no other method that works on business-to-cyber and cyber-to-business outcomes. Yes, it will require NACD structures, but allow that Exceedance-Probability curve to show the statistics: to show the math; to show our work. Stop leveraging use cases in decision-making processes!

    SOMP is a must-have technology. Is SOAR a piece of SOMP? Probably, but the outcomes matter, the structure matters — so much much more.

  2. Anton Chuvakin says:

    SOAR is indeed way, way more about workflow and orch than TIP, full agreement here.

    Thanks for the mention of Rundeck — so far, I have never heard of anybody using it for security but will add it to our list of tools to check.

    Hmmm…use cases -> control effectiveness. This I need to ponder, but my first reaction is “Huh? Why not both?”

    Re: SOMP — My impression is that your SOMP = our SOAR exactly.

    • Andre Gironda says:

      @ Anton — SOAR is more than TIP + SIRP. Is TIP even a part of SOAR? In MISP and threat_note, yes, because they integrate to Cuckoo. In the commercial offerings, I’m not so sure. They have separate integrations for TIP and SIRP (especially AMA — Automated Malware Analysis) that don’t connect up. For SOMP, you need to see — https://www.rooksecurity.com/soar-sirp-soap-tip-x/

      Use cases pollute and confuse the crux of the issues with control effectiveness. They do not apply to managing cyber risk (although one could argue that there is ROI out of productivity improvements, but that’s not the goal with control effectiveness, just more-general resource allocation). Managing cyber risk needs a way to measure risk and uncertainty — Hubbard AIE does that and it precludes use-case analysis. You can’t have both. In fact, I’d argue that the reason why we still have huge breaches in cyber, even (or especially) in financials, services, industrial, and gov orgs is because leaders keep trying these hybrid qual/quant methods. Just stick to the quants! Quants-only!!

      To me, use cases in cyber are akin to arguing with a civil engineer about what types of concrete are best for building skyscrapers. They know which ones: the ones that worked for the past century — THOSE ONES!! You don’t change it up. You don’t add new requirements every quarter to improve quality.

      We’ve had methods for formulating the outcomes of adversary-against-victim under the uncertainty of geopolitics and the fog-of-war for over 3 or 4 decades. You don’t implement SIEM features. You canvass a panel of experts and use statistical techniques on their expertise statements based on calibrated-confidence intervals. You use Hubbard AIE. Period.

  3. […] Anton anticipated on this post, we’ll be writing about SOAR – Security Orchestration, Automation and Response – […]

  4. Malte Wirz says:

    Dear Anton, I think that your papers on all SOC topics are really well researched and easy to read. Since I am responsible at Computacenter for the topic of SOAR/SIRP, I am really looking forward to your SOAR research :)

  5. […] If they had people, they could have used open source tools. If they had tools with more automation (SOAR perhaps), they could have managed with fewer people. But having neither of the above AND having security […]

  6. […] SOAR Research Coming … Brace for Impact!! […]

  7. […] it relates to SOAR and SOC/CIRT automation, this reduces the discussion to the following: should I implement manual […]
