Gartner Blog Network


SOAR: Magic or Mundane?

by Anton Chuvakin  |  October 6, 2017  |  2 Comments

When we think of Security Orchestration, Automation and Response (SOAR) nowadays (and we do think a lot about SOAR), we primarily think of this:

SOAR = security workflow + security orchestration + security automation [+ maybe knowledge management of playbooks and such]

(and, yes, a longer post that explains the above terms is coming too)

Now let me ask you this: is SOAR technology mostly about IMPROVED EFFICIENCY or is it about MAGIC [aka NEW CAPABILITIES]?

Clearly, a car is NOT an improved horse-drawn carriage, an iPhone is NOT an improved Blackberry – these technology advances delivered not just an improvement in some existing process (transportation, communication), but major new capabilities and even opened new realms of human endeavor and new areas of practice.

However, most of the examples of SOAR usage we’ve seen so far definitely fit into the improved efficiency bucket: process phishing emails faster, get malware sandboxing results into the incident case easier, etc. However, our analyst intuition tells us that the magic is there.

Where can we look for SOAR magic? – We will look for new security processes that are only possible with SOAR-style automation (or DIY or OSS tools of similar mission), we will look for useful security capabilities that are only achievable with SOAR, ways to do security operations differently because you have SOAR and other things of that sort. We hope some SOAR users and SOAR vendors will help too…

Finally, why do we look for magic here? This is why. Efficiency stuff just does not get adopted fast enough … and tends to linger in “1%-er land” for way too long.

Blog posts related to this topic:

Category: orchestration  security  soar  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio


Thoughts on SOAR: Magic or Mundane?


  1. Jen Andre says:

    Magic is the power of influencing the course of events by using mysterious or supernatural forces — but magic also refers to the Houdini ‘slight of hand’ that makes the ordinary appear effortless. 😉 While enhancing efficiencies is what sells executives, for most (perhaps, dare I say it, amongst the 99%) it really is MAGIC that is the draw.

    SOAR solutions should possess some key tricks in their repertoire, such as the ability to pre-fetch threat intel to support decision making…as you’re doing said decision making. Or perhaps it might be eliminating the need to code in order to simply get 2, 3, 4, or more of your tools working together. But magic might also be having the machines determine assignment and SLA, attach event context, and notify you in Slack that they are performing the appropriate escalation.

    Analogy aside, SOAR should spark our imaginations and get folks to say, “Wow…how did they do that?”

    • Jen, thanks a lot for the comment. Indeed, we want the type of use case / usage that ‘spark our imaginations and get folks to say, “Wow…how did they do that?”’

      On the other hand, I think “enhancing efficiencies is what sells executives” is worth discussing. I think it has some truth to it, but it also (IMHO) totally lacks URGENCY (see link to Rich’d post in mine). So, it will sell SOAR to people ***eventually***….



Leave a Reply

Your email address will not be published. Required fields are marked *

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.