We interrupt our regular (SIEM, for now) programming to pre-announce our Q4 2017 (to spill over into 2018) research on SOAR (which, by then, will likely stand for Security Orchestration, Automation and Response). Hurrah! Go SOAR! Well, go and SOAR.
So, dear SOAR vendors (you know who you are, if I use examples here those NOT mentioned will get mad at me so none are mentioned), please schedule a briefing with us focused on some or all of the following:
- When is SOAR a MUST have technology? What has to be true about the organization to truly require SOAR? Why did your best customer acquire the tools?
- What budget item was used to purchase a SOAR tool by your clients?
- Most common SOAR use cases observed in your client base? For SOC? For CIRT? For threat intelligence?
- What do clients consider more valuable, a platform to integrate tools or content to guide their security operations processes? Or perhaps a workflow engine?
- Do most clients value the playbook content that comes with your SOAR tools? Or do most buyers have their own playbook content?
- What is your approach for dealing with tool integrations that become unsupported and/or break due to API changes? What do you suggest clients do when automation breaks?
- Most commonly integrated services and tools into your SOAR platform?
- Regarding the automation features, do most users utilize automation around enrichment and investigation or around automated mitigation actions?
- How long did it take to deploy at a typical client?
- Is SOAR the proverbial single pane of glass?
- If not, what is the role of SOAR – being a glue to tie security products behind the scenes?
- What have you learned from deployment? What are the top challenges?
For now, my main problem with SOAR (whatever you call those security orchestration and automation tools…if you say SOAPA or SAO we won’t hate you much) is that I have never (NEVER!) met anybody who thought “my SOAR is a MUST HAVE.” Hence our first question above focuses on the conditions for SOAR toolsets to be “aspirin, not vitamin.”
Go and share your SOAR stories, even if you are not a vendor. In fact, better if you are a SOAR user who loves his SOAR tools! Or, perhaps, hates them!