We continue our journey through SOAR mysteries with this one: what is the relationship between case management (aka ticketing) and SOAR? So far, we have encountered these views (overdramatized for added hilarity!):
- “Are you dumb? SOAR and security case management are essentially the same thing; you cannot have a SOAR tool without incident case management, human workflow is the heart of SOAR for most clients.” [common]
- “Well, our SOAR has a bi-directional link to our IT case management, they are not the same system since IT uses ticketing, but security team uses SOAR, but they must link.” [common]
- “Wait…what? SOAR automates stuff so that we don’t have to open the stupid tickets. Our SOAR tool does not really have ticketing [or: it is weak] and we don’t really care much if integrates with external ticketing.” [rare]
- “Our SOAR includes ticketing, but also integrates with ticketing. Confused? Don’t be – this is security workflow vs IT workflow, we have to keep them separate, but we need both”
This is befuddling! It would be as if we’d have a debate on whether log collection is a central feature of SIEM or more of an add-on… So, is ticketing a central feature of SOAR or a nice-to-link adjacent technology? Is “O&A” the heart of SOAR or is that case management?
In all honesty, we are leaning towards the centrality or at least high relevance of case management as either part of SOAR or something very closely integrated. “SOAR as glue” (or middleware) just does not seem to have the mass appeal, we think.
What is your view of the ideal relationship between SOAR and ticketing?
Blog posts related to this topic:
- SOAR and “Curve-jumping” in Security Operations
- SOAR: Magic or Mundane?
- SOAR Research Coming … Brace for Impact!!
- SOAR research is coming! (by Augusto)
- Security: Automate And/Or Die?
- Security Without Security People: A [Sad] Way Forward?
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.