Blog post

SOAR: Magic or Mundane?

By Anton Chuvakin | October 06, 2017 | 2 Comments


When we think of Security Orchestration, Automation and Response (SOAR) nowadays (and we do think a lot about SOAR), we primarily think of this:

SOAR = security workflow + security orchestration + security automation [+ maybe knowledge management of playbooks and such]

(and, yes, a longer post that explains the above terms is coming too)

Now let me ask you this: is SOAR technology mostly about IMPROVED EFFICIENCY or is it about MAGIC [aka NEW CAPABILITIES]?

Clearly, a car is NOT an improved horse-drawn carriage, an iPhone is NOT an improved Blackberry – these technology advances delivered not just an improvement in some existing process (transportation, communication), but major new capabilities and even opened new realms of human endeavor and new areas of practice.

However, most of the examples of SOAR usage we’ve seen so far definitely fit into the improved efficiency bucket: process phishing emails faster, get malware sandboxing results into the incident case easier, etc. However, our analyst intuition tells us that the magic is there.

Where can we look for SOAR magic? – We will look for new security processes that are only possible with SOAR-style automation (or DIY or OSS tools of similar mission), we will look for useful security capabilities that are only achievable with SOAR, ways to do security operations differently because you have SOAR and other things of that sort. We hope some SOAR users and SOAR vendors will help too…

Finally, why do we look for magic here? This is why. Efficiency stuff just does not get adopted fast enough … and tends to linger in “1%-er land” for way too long.

Blog posts related to this topic:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • Jen Andre says:

    Magic is the power of influencing the course of events by using mysterious or supernatural forces — but magic also refers to the Houdini ‘slight of hand’ that makes the ordinary appear effortless. 😉 While enhancing efficiencies is what sells executives, for most (perhaps, dare I say it, amongst the 99%) it really is MAGIC that is the draw.

    SOAR solutions should possess some key tricks in their repertoire, such as the ability to pre-fetch threat intel to support decision making…as you’re doing said decision making. Or perhaps it might be eliminating the need to code in order to simply get 2, 3, 4, or more of your tools working together. But magic might also be having the machines determine assignment and SLA, attach event context, and notify you in Slack that they are performing the appropriate escalation.

    Analogy aside, SOAR should spark our imaginations and get folks to say, “Wow…how did they do that?”

    • Jen, thanks a lot for the comment. Indeed, we want the type of use case / usage that ‘spark our imaginations and get folks to say, “Wow…how did they do that?”’

      On the other hand, I think “enhancing efficiencies is what sells executives” is worth discussing. I think it has some truth to it, but it also (IMHO) totally lacks URGENCY (see link to Rich’d post in mine). So, it will sell SOAR to people ***eventually***….